License-based Access Control in EPCglobal Networks
2 likes1,005 views
This document discusses license-based access control for event data in RFID networks used by the European pharmaceutical industry. It proposes encrypting event data and storing it in EPCIS repositories. Unique licenses would be created for each client, containing decryption keys for authorized attribute access. An access control component would decrypt licenses and enforce fine-grained access rights. A Python prototype demonstrates encrypting/decrypting data and licenses. The goal is to ensure confidentiality, integrity and availability of event data.
![European Pharmaceutical IndustryMotivationIncreasing counterfeit rates in pharmaceutical industry34 million fake drugs in only two months in Europe [1] Pharmaceuticals: 3rd place / 10% of all intercepted articles [2]Current literature proposes Radio Frequency Identification (RFID)technology or data matrix for anti-counterfeiting [6]Problem: Low-cost tags do not provide security mechanismsBut: RFID enables fine-grained tracking and tracing of each item“Minimize the used of personal data” [5]“Privacy by design” [3]Real-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 20113](https://image.slidesharecdn.com/110517license-basedaccesscontrolinepcglobalnetworks-110519150650-phpapp01/85/License-based-Access-Control-in-EPCglobal-Networks-3-320.jpg)
![European Pharmaceutical IndustryRolesApprox. 30 billion pharmaceuticalsper year [13]Main Roles [21]Manufacturers: ≈2.2kWholesalers: ≈50kRetailers: ≈140kOther RolesLogistics ProvidersEnd ConsumersReal-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 20117](https://image.slidesharecdn.com/110517license-basedaccesscontrolinepcglobalnetworks-110519150650-phpapp01/85/License-based-Access-Control-in-EPCglobal-Networks-7-320.jpg)
![License-based Access ControlSecuritySecurity := {confidentiality, integrity, availability} [4]Confidentiality := prevent unauthorized reading of event dataIntegrity := protect event data from being manipulatedAvailability := provide access only to authorized partiesExtension of current EPCglobal networks to guaranteeConfidentiality of event data, since it can be abused to derive business secrets, Integrity of business data, i.e. a foundation for automatic anti-counterfeiting, andFine-grained access for certain business partners.Real-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 20118](https://image.slidesharecdn.com/110517license-basedaccesscontrolinepcglobalnetworks-110519150650-phpapp01/85/License-based-Access-Control-in-EPCglobal-Networks-8-320.jpg)
![Related Publications[1] European Commission: Customs: Millions of illegal Medicines stopped by "MEDI-FAKE" action. IP/08/1980, 2008[2] European Commission Taxation and Customs Union: Statistics of Customs Detentions Recorded at the External Borders of the EU, EU-wide statistics for 2009, 2010[3] European Commission: Commission Recommendation on the Implementation of Privacy and Data Protection Principles in Applications supported by Radio-Frequency Identification, Brussel, 2009[4] Federal Office for Information Security: Standard 100-1 Information Security Management Systems (ISMS) V. 1.5, 2008[5] Federal Data Protection Act §3a: “Datenvermeidung und Datensparsamkeit”, 2009[6] European Commission: Public Consultation in Preparation of a Legal Proposal to Combat Counterfeit Medicines for Human Use -- Key Ideas for better Protection of Patients against the Risk of Counterfeit Medicines, Brussel, 2008[7] Matthieu-P. Schapranow, Alexander Zeier, Felix Leupold, Tobias Schubotz: Securing EPCglobal Object Name Service -- Privacy Enhancements for Anti-counterfeiting, 2nd International Conference on Intelligent Systems, Modeling and Simulation, 2011[8] Matthieu-P. Schapranow, Alexander Zeier, Hasso Plattner: A Formal Model for Enabling RFID in Pharmaceutical Supply Chains, 44th Hawaii International Conference on System Sciences, 2011[9] Matthieu-P. Schapranow, Alexander Zeier, Hasso Plattner: A Dynamic Mutual RFID Authentication Model Preventing Unauthorized Third Party Access, The 4th International Conference on Network and System Security, 2010[10] Matthieu-P. Schapranow, Mike Nagora, Alexander Zeier: CoMoSeR: Cost Model for Security-Enhanced RFID-Aided Supply Chains, 18th International Conference on Software, Telecommunication and Computer Networks, 2010Real-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 201113](https://image.slidesharecdn.com/110517license-basedaccesscontrolinepcglobalnetworks-110519150650-phpapp01/85/License-based-Access-Control-in-EPCglobal-Networks-13-320.jpg)
![Related Publications[11] Jürgen Müller, Martin Lorenz, Felix Geller, Matthieu-P. Schapranow, Thomas Kowark, Alexander Zeier: Assessment of Communication Protocols in the EPC Network: Replacing Textual SOAP and XML with Binary Google Protocol Buffers Encoding, 17th IEEE International Conference on Industrial Engineering and Engineering Management, Xiamen, China, 2010[12] Matthieu-P. Schapranow, Jens Krüger, Vadym Borovskiy, Alexander Zeier, Hasso Plattner: Data Loading & Caching Strategies in Service-Oriented Enterprise Applications, Proceedings of IEEE Congress on Services (SERVICES 2009), Los Angeles, CA, USA, 2009[13] Jürgen Müller, Matthieu-P. Schapranow, Marco Helmich, Sebastian Enderlein, Alexander Zeier: RFID Middleware as a Service - Enabling Small and Medium-sized Enterprises to Participate in the EPC Network, 16th International Conference on Industrial Engineering and Engineering Management (IE&EM), Beijing, China, 2009[14] Jürgen Müller, Matthias Uflacker, Jens Krüger, Matthieu-P. Schapranow, Alexander Zeier: noFilisCrossTalk 2.0 as Device Management Solution, Experiences while Integrating RFID Hardware into SAP Auto-ID Infrastructure, 16th International Conference on Industrial Engineering and Engineering Management (IE&EM), Beijing, China, 2009[15] Matthieu-P. Schapranow, Jürgen Müller, Sebastian Enderlein, Marco Helmich, Alexander Zeier: Low-Cost Mutual RFID Authentication Model Using Predefined Password Lists, 16th International Conference on Industrial Engineering and Engineering Management, Beijing, China, 2009[16] Matthieu-P. Schapranow, Martin Grund, Jens Krüger, Jan Schaffner, Anja Bog: Combining Advantages - Unified Data Stores in Global Enterprises, IEEE Symposium on Advanced Management of Information for Globalized Enterprises, Tianjin, China, 2008[17] Jürgen Müller, Matthieu-P. Schapranow, Conrad Pöpke, Michaela Urbat, Alexander Zeier, Hasso Plattner: Best Practices for Rigorous Evaluation of RFID Software Components, Proceedings of the 6th European Workshop on RFID Systems and Technologies, Ciudad Real, Spain, 2010Real-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 201114](https://image.slidesharecdn.com/110517license-basedaccesscontrolinepcglobalnetworks-110519150650-phpapp01/85/License-based-Access-Control-in-EPCglobal-Networks-14-320.jpg)
![Related Publications[18] Matthieu-P. Schapranow, Jürgen Müller, Alexander Zeier, Hasso Plattner: Sustainable Use of RFID Tags in the Pharmaceutical Industry, European Workshop on Smart Objects: Systems, Technologies and Applications, Ciudad Real, Spain, 2010[19] Matthieu-P. Schapranow, Jürgen Müller, Alexander Zeier, Hasso Plattner: RFID Event Data Processing -- An Architecture for Storing and Searching, Proceedings of the 4th International Workshop on RFID Technology - Concepts, Applications, Challenges, Funchal, Madeira, Portugal, 2010[20] Matthieu-P. Schapranow, Jürgen Müller, Alexander Zeier, Hasso Plattner: Security Aspects in Vulnerable RFID-Aided Supply Chains, Proceedings of the 5th European Workshop on RFID Systems and Technologies, Bremen, 2009[21] Jürgen Müller, Martin Faust, David Schwalb, Matthieu-P. Schapranow, Alexander Zeier, Hasso Plattner: A Software as a Service RFID Middleware for Small and Medium-sized Enterprises, Proceedings of the 5th European Workshop on RFID Systems and Technologies, Bremen, Germany, 2009Real-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 201115](https://image.slidesharecdn.com/110517license-basedaccesscontrolinepcglobalnetworks-110519150650-phpapp01/85/License-based-Access-Control-in-EPCglobal-Networks-15-320.jpg)
![European Pharmaceutical IndustryData Sizing Assumptions≈15 billion pharmaceuticals on prescription per year [21]≥11 relevant events per unique item1 x manufacturer (create + ship)2 x wholesaler (receive + 2 x observe + ship) 1 x retailer (receive + sell)1 x end consumer (check)Assuming 360 days production results in ≈5,300 events/s within the European pharmaceutical supply chainIndividual events are very small, i.e. avg. 182 Byte[19]Real-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 201118](https://image.slidesharecdn.com/110517license-basedaccesscontrolinepcglobalnetworks-110519150650-phpapp01/85/License-based-Access-Control-in-EPCglobal-Networks-18-320.jpg)
License-based Access Control in EPCglobal Networks
- 1. License-based Access Control in EPCglobal NetworksRFID Systech 2011May 17-18, 2011 – Dresden, GermanyMatthieu-P. SchapranowHasso Plattner Institute
- 2. AgendaEuropean Pharmaceutical IndustryLicense-based Access ControlRelated PublicationsReal-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 20112
- 3. European Pharmaceutical IndustryMotivationIncreasing counterfeit rates in pharmaceutical industry34 million fake drugs in only two months in Europe [1] Pharmaceuticals: 3rd place / 10% of all intercepted articles [2]Current literature proposes Radio Frequency Identification (RFID)technology or data matrix for anti-counterfeiting [6]Problem: Low-cost tags do not provide security mechanismsBut: RFID enables fine-grained tracking and tracing of each item“Minimize the used of personal data” [5]“Privacy by design” [3]Real-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 20113
- 4. European Pharmaceutical IndustryManufacturingReal-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 20114
- 5. European Pharmaceutical IndustryCounterfeitsReal-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 20115
- 6. European Pharmaceutical IndustryComponents for Anti-counterfeitingReal-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 20116Anti-counterfeiting service provider validates authenticity of concrete item for customers, e.g. in a pharmacyDiscovery Service supports to identify appropriate Electronic Product Code Information Services (EPCIS) repositoryEPCIS repository contains all event data for handled products of a certain supply chain partner
- 7. European Pharmaceutical IndustryRolesApprox. 30 billion pharmaceuticalsper year [13]Main Roles [21]Manufacturers: ≈2.2kWholesalers: ≈50kRetailers: ≈140kOther RolesLogistics ProvidersEnd ConsumersReal-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 20117
- 8. License-based Access ControlSecuritySecurity := {confidentiality, integrity, availability} [4]Confidentiality := prevent unauthorized reading of event dataIntegrity := protect event data from being manipulatedAvailability := provide access only to authorized partiesExtension of current EPCglobal networks to guaranteeConfidentiality of event data, since it can be abused to derive business secrets, Integrity of business data, i.e. a foundation for automatic anti-counterfeiting, andFine-grained access for certain business partners.Real-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 20118
- 9. License-based Access ControlActorsReal-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 20119A := queries details for a certain EPCACC := checks licenses, decrypts content, and applies access rightsEPCIS := stores encrypted event data to serve it to querying partiesB := captures EPC event data and stores it in the local EPCIS
- 10. License-based Access ControlBusiness ProcessEvent ownerEncrypts all event data, with individual master key per attribute (encrypter.py)Stores data in local EPCIS event repositoryCreates unique license per client and encrypt it with owners private key (license-encrypter.py)License contains a unique ID and decryption keys for granted attributes ACC is responsible forDecryption of the license with the help of its public key, i.e. it can decrypted any license(decrypter.py)Enforcing access rights on per-attribute level and EPC listsReal-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 201110
- 11. License-based Access ControlPython PrototypeReal-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 201111
- 12. License-based Access ControlSecurity EvaluationReal-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 201112
- 13. Related Publications[1] European Commission: Customs: Millions of illegal Medicines stopped by "MEDI-FAKE" action. IP/08/1980, 2008[2] European Commission Taxation and Customs Union: Statistics of Customs Detentions Recorded at the External Borders of the EU, EU-wide statistics for 2009, 2010[3] European Commission: Commission Recommendation on the Implementation of Privacy and Data Protection Principles in Applications supported by Radio-Frequency Identification, Brussel, 2009[4] Federal Office for Information Security: Standard 100-1 Information Security Management Systems (ISMS) V. 1.5, 2008[5] Federal Data Protection Act §3a: “Datenvermeidung und Datensparsamkeit”, 2009[6] European Commission: Public Consultation in Preparation of a Legal Proposal to Combat Counterfeit Medicines for Human Use -- Key Ideas for better Protection of Patients against the Risk of Counterfeit Medicines, Brussel, 2008[7] Matthieu-P. Schapranow, Alexander Zeier, Felix Leupold, Tobias Schubotz: Securing EPCglobal Object Name Service -- Privacy Enhancements for Anti-counterfeiting, 2nd International Conference on Intelligent Systems, Modeling and Simulation, 2011[8] Matthieu-P. Schapranow, Alexander Zeier, Hasso Plattner: A Formal Model for Enabling RFID in Pharmaceutical Supply Chains, 44th Hawaii International Conference on System Sciences, 2011[9] Matthieu-P. Schapranow, Alexander Zeier, Hasso Plattner: A Dynamic Mutual RFID Authentication Model Preventing Unauthorized Third Party Access, The 4th International Conference on Network and System Security, 2010[10] Matthieu-P. Schapranow, Mike Nagora, Alexander Zeier: CoMoSeR: Cost Model for Security-Enhanced RFID-Aided Supply Chains, 18th International Conference on Software, Telecommunication and Computer Networks, 2010Real-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 201113
- 14. Related Publications[11] Jürgen Müller, Martin Lorenz, Felix Geller, Matthieu-P. Schapranow, Thomas Kowark, Alexander Zeier: Assessment of Communication Protocols in the EPC Network: Replacing Textual SOAP and XML with Binary Google Protocol Buffers Encoding, 17th IEEE International Conference on Industrial Engineering and Engineering Management, Xiamen, China, 2010[12] Matthieu-P. Schapranow, Jens Krüger, Vadym Borovskiy, Alexander Zeier, Hasso Plattner: Data Loading & Caching Strategies in Service-Oriented Enterprise Applications, Proceedings of IEEE Congress on Services (SERVICES 2009), Los Angeles, CA, USA, 2009[13] Jürgen Müller, Matthieu-P. Schapranow, Marco Helmich, Sebastian Enderlein, Alexander Zeier: RFID Middleware as a Service - Enabling Small and Medium-sized Enterprises to Participate in the EPC Network, 16th International Conference on Industrial Engineering and Engineering Management (IE&EM), Beijing, China, 2009[14] Jürgen Müller, Matthias Uflacker, Jens Krüger, Matthieu-P. Schapranow, Alexander Zeier: noFilisCrossTalk 2.0 as Device Management Solution, Experiences while Integrating RFID Hardware into SAP Auto-ID Infrastructure, 16th International Conference on Industrial Engineering and Engineering Management (IE&EM), Beijing, China, 2009[15] Matthieu-P. Schapranow, Jürgen Müller, Sebastian Enderlein, Marco Helmich, Alexander Zeier: Low-Cost Mutual RFID Authentication Model Using Predefined Password Lists, 16th International Conference on Industrial Engineering and Engineering Management, Beijing, China, 2009[16] Matthieu-P. Schapranow, Martin Grund, Jens Krüger, Jan Schaffner, Anja Bog: Combining Advantages - Unified Data Stores in Global Enterprises, IEEE Symposium on Advanced Management of Information for Globalized Enterprises, Tianjin, China, 2008[17] Jürgen Müller, Matthieu-P. Schapranow, Conrad Pöpke, Michaela Urbat, Alexander Zeier, Hasso Plattner: Best Practices for Rigorous Evaluation of RFID Software Components, Proceedings of the 6th European Workshop on RFID Systems and Technologies, Ciudad Real, Spain, 2010Real-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 201114
- 15. Related Publications[18] Matthieu-P. Schapranow, Jürgen Müller, Alexander Zeier, Hasso Plattner: Sustainable Use of RFID Tags in the Pharmaceutical Industry, European Workshop on Smart Objects: Systems, Technologies and Applications, Ciudad Real, Spain, 2010[19] Matthieu-P. Schapranow, Jürgen Müller, Alexander Zeier, Hasso Plattner: RFID Event Data Processing -- An Architecture for Storing and Searching, Proceedings of the 4th International Workshop on RFID Technology - Concepts, Applications, Challenges, Funchal, Madeira, Portugal, 2010[20] Matthieu-P. Schapranow, Jürgen Müller, Alexander Zeier, Hasso Plattner: Security Aspects in Vulnerable RFID-Aided Supply Chains, Proceedings of the 5th European Workshop on RFID Systems and Technologies, Bremen, 2009[21] Jürgen Müller, Martin Faust, David Schwalb, Matthieu-P. Schapranow, Alexander Zeier, Hasso Plattner: A Software as a Service RFID Middleware for Small and Medium-sized Enterprises, Proceedings of the 5th European Workshop on RFID Systems and Technologies, Bremen, Germany, 2009Real-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 201115
- 16. Thank you for your interest!Keep in contact with us.Responsible: Deputy Prof. of Prof. Hasso PlattnerDr. Alexander Zeierzeier@hpi.uni-potsdam.deMatthieu-P. Schapranow, M.Sc.matthieu.schapranow@hpi.uni-potsdam.deHasso Plattner InstituteEnterprise Platform & Integration ConceptsMatthieu-P. SchapranowAugust-Bebel-Str. 8814482 Potsdam, GermanyRFIDSystech10, Sustainable Use of RFID Tags in the Pharma Industry, Schapranow, June 15-16, 201016
- 17. BACKUPReal-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 201117
- 18. European Pharmaceutical IndustryData Sizing Assumptions≈15 billion pharmaceuticals on prescription per year [21]≥11 relevant events per unique item1 x manufacturer (create + ship)2 x wholesaler (receive + 2 x observe + ship) 1 x retailer (receive + sell)1 x end consumer (check)Assuming 360 days production results in ≈5,300 events/s within the European pharmaceutical supply chainIndividual events are very small, i.e. avg. 182 Byte[19]Real-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 201118
Editor's Notes
- #4: BSI = Federal Office for Information SecurityBDSG = Federal Data Protection ActPrivacy, data security, etc. are not defined for RFID technology so far!
- #5: This is how, it should look like
- #6: Pictures taken in india, pharmaceutical counterfeits produced in dirt places (right viagra pills)
- #8: 192k parties => much data to keep and observeAufbau der pharma supply chain in europe
- #9: Unsere motivation für den license-based access control prototypen
- #10: EPCglobaldiefiniert das bildohne ACC und event owner. Hierkommtunsere contribution1: Anfrage an EPCIS nachbestimmten events2: antwortalsverschlüsselterückgabemenge R*3: einmalignötig: client license anfordern, begrenztgültig4. Verschlüsselte client license L*5. L* an lokalinstallierte ACC übergeben6. ACC entschlüsselt L* und erhält L, überprüft L7. Prüfenob A zur license passt (bezug auf Public Key Infrastructure nehmen)8. Resultset R* wirdmitHilfe den in L enthaltenenSchlüsselnentschlüsselt.9. ACC filtertspalten und zeilenausdemresultset, die nichtvom client eingesehenwerdendürfen10: rückgabe der entschlüsselten und gefilterternergebnisemenge.
- #11: EPCIS= Electronic Product Code Information System (stores events)ACC=Access Control ClientEPC list: blacklist to block certain EPC entries completely (rows)
- #12: Bild von obennachuntenerläutern, die tabellenenthalten die Attributwertpaare der Resultssets / EPCIS respositories
- #13: Verweis auf papier