License-based Access Control in EPCglobal Networks

919 views
850 views

Published on

Published in: Technology, Business
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
919
On SlideShare
0
From Embeds
0
Number of Embeds
7
Actions
Shares
0
Downloads
0
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • BSI = Federal Office for Information SecurityBDSG = Federal Data Protection ActPrivacy, data security, etc. are not defined for RFID technology so far!
  • This is how, it should look like
  • Pictures taken in india, pharmaceutical counterfeits produced in dirt places (right viagra pills)
  • 192k parties => much data to keep and observeAufbau der pharma supply chain in europe
  • Unsere motivation für den license-based access control prototypen
  • EPCglobaldiefiniert das bildohne ACC und event owner. Hierkommtunsere contribution1: Anfrage an EPCIS nachbestimmten events2: antwortalsverschlüsselterückgabemenge R*3: einmalignötig: client license anfordern, begrenztgültig4. Verschlüsselte client license L*5. L* an lokalinstallierte ACC übergeben6. ACC entschlüsselt L* und erhält L, überprüft L7. Prüfenob A zur license passt (bezug auf Public Key Infrastructure nehmen)8. Resultset R* wirdmitHilfe den in L enthaltenenSchlüsselnentschlüsselt.9. ACC filtertspalten und zeilenausdemresultset, die nichtvom client eingesehenwerdendürfen10: rückgabe der entschlüsselten und gefilterternergebnisemenge.
  • EPCIS= Electronic Product Code Information System (stores events)ACC=Access Control ClientEPC list: blacklist to block certain EPC entries completely (rows)
  • Bild von obennachuntenerläutern, die tabellenenthalten die Attributwertpaare der Resultssets / EPCIS respositories
  • Verweis auf papier
  • License-based Access Control in EPCglobal Networks

    1. 1. License-based Access Control in EPCglobal Networks<br />RFID Systech 2011<br />May 17-18, 2011 – Dresden, Germany<br />Matthieu-P. SchapranowHasso Plattner Institute<br />
    2. 2. Agenda<br />European Pharmaceutical Industry<br />License-based Access Control<br />Related Publications<br />Real-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 2011<br />2<br />
    3. 3. European Pharmaceutical IndustryMotivation<br />Increasing counterfeit rates in pharmaceutical industry<br />34 million fake drugs in only two months in Europe [1] Pharmaceuticals: 3rd place / 10% of all intercepted articles [2]<br />Current literature proposes Radio Frequency Identification (RFID)technology or data matrix for anti-counterfeiting [6]<br />Problem: Low-cost tags do not provide security mechanisms<br />But: RFID enables fine-grained tracking and tracing of each item<br />“Minimize the used of personal data” [5]<br />“Privacy by design” [3]<br />Real-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 2011<br />3<br />
    4. 4. European Pharmaceutical IndustryManufacturing<br />Real-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 2011<br />4<br />
    5. 5. European Pharmaceutical IndustryCounterfeits<br />Real-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 2011<br />5<br />
    6. 6. European Pharmaceutical IndustryComponents for Anti-counterfeiting<br />Real-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 2011<br />6<br />Anti-counterfeiting service provider validates authenticity of concrete item for customers, e.g. in a pharmacy<br />Discovery Service supports to identify appropriate Electronic Product Code Information Services (EPCIS) repository<br />EPCIS repository contains all event data for handled products of a certain supply chain partner<br />
    7. 7. European Pharmaceutical IndustryRoles<br />Approx. 30 billion pharmaceuticalsper year [13]<br />Main Roles [21]<br />Manufacturers: ≈2.2k<br />Wholesalers: ≈50k<br />Retailers: ≈140k<br />Other Roles<br />Logistics Providers<br />End Consumers<br />Real-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 2011<br />7<br />
    8. 8. License-based Access ControlSecurity<br />Security := {confidentiality, integrity, availability} [4]<br />Confidentiality := prevent unauthorized reading of event data<br />Integrity := protect event data from being manipulated<br />Availability := provide access only to authorized parties<br />Extension of current EPCglobal networks to guarantee<br />Confidentiality of event data, since it can be abused to derive business secrets, <br />Integrity of business data, i.e. a foundation for automatic anti-counterfeiting, and<br />Fine-grained access for certain business partners.<br />Real-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 2011<br />8<br />
    9. 9. License-based Access ControlActors<br />Real-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 2011<br />9<br />A := queries details for a certain EPC<br />ACC := checks licenses, decrypts content, and applies access rights<br />EPCIS := stores encrypted event data to serve it to querying parties<br />B := captures EPC event data and stores it in the local EPCIS<br />
    10. 10. License-based Access ControlBusiness Process<br />Event owner<br />Encrypts all event data, with individual master key per attribute (encrypter.py)<br />Stores data in local EPCIS event repository<br />Creates unique license per client and encrypt it with owners private key (license-encrypter.py)<br />License contains a unique ID and decryption keys for granted attributes <br />ACC is responsible for<br />Decryption of the license with the help of its public key, i.e. it can decrypted any license(decrypter.py)<br />Enforcing access rights on per-attribute level and EPC lists<br />Real-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 2011<br />10<br />
    11. 11. License-based Access ControlPython Prototype<br />Real-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 2011<br />11<br />
    12. 12. License-based Access ControlSecurity Evaluation<br />Real-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 2011<br />12<br />
    13. 13. Related Publications<br />[1] European Commission: Customs: Millions of illegal Medicines stopped by "MEDI-FAKE" action. IP/08/1980, 2008<br />[2] European Commission Taxation and Customs Union: Statistics of Customs Detentions Recorded at the External Borders of the EU, EU-wide statistics for 2009, 2010<br />[3] European Commission: Commission Recommendation on the Implementation of Privacy and Data Protection Principles in Applications supported by Radio-Frequency Identification, Brussel, 2009<br />[4] Federal Office for Information Security: Standard 100-1 Information Security Management Systems (ISMS) V. 1.5, 2008<br />[5] Federal Data Protection Act §3a: “Datenvermeidung und Datensparsamkeit”, 2009<br />[6] European Commission: Public Consultation in Preparation of a Legal Proposal to Combat Counterfeit Medicines for Human Use -- Key Ideas for better Protection of Patients against the Risk of Counterfeit Medicines, Brussel, 2008<br />[7] Matthieu-P. Schapranow, Alexander Zeier, Felix Leupold, Tobias Schubotz: Securing EPCglobal Object Name Service -- Privacy Enhancements for Anti-counterfeiting, 2nd International Conference on Intelligent Systems, Modeling and Simulation, 2011<br />[8] Matthieu-P. Schapranow, Alexander Zeier, Hasso Plattner: A Formal Model for Enabling RFID in Pharmaceutical Supply Chains, 44th Hawaii International Conference on System Sciences, 2011<br />[9] Matthieu-P. Schapranow, Alexander Zeier, Hasso Plattner: A Dynamic Mutual RFID Authentication Model Preventing Unauthorized Third Party Access, The 4th International Conference on Network and System Security, 2010<br />[10] Matthieu-P. Schapranow, Mike Nagora, Alexander Zeier: CoMoSeR: Cost Model for Security-Enhanced RFID-Aided Supply Chains, 18th International Conference on Software, Telecommunication and Computer Networks, 2010<br />Real-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 2011<br />13<br />
    14. 14. Related Publications<br />[11] Jürgen Müller, Martin Lorenz, Felix Geller, Matthieu-P. Schapranow, Thomas Kowark, Alexander Zeier: Assessment of Communication Protocols in the EPC Network: Replacing Textual SOAP and XML with Binary Google Protocol Buffers Encoding, 17th IEEE International Conference on Industrial Engineering and Engineering Management, Xiamen, China, 2010<br />[12] Matthieu-P. Schapranow, Jens Krüger, Vadym Borovskiy, Alexander Zeier, Hasso Plattner: Data Loading & Caching Strategies in Service-Oriented Enterprise Applications, Proceedings of IEEE Congress on Services (SERVICES 2009), Los Angeles, CA, USA, 2009<br />[13] Jürgen Müller, Matthieu-P. Schapranow, Marco Helmich, Sebastian Enderlein, Alexander Zeier: RFID Middleware as a Service - Enabling Small and Medium-sized Enterprises to Participate in the EPC Network, 16th International Conference on Industrial Engineering and Engineering Management (IE&EM), Beijing, China, 2009<br />[14] Jürgen Müller, Matthias Uflacker, Jens Krüger, Matthieu-P. Schapranow, Alexander Zeier: noFilisCrossTalk 2.0 as Device Management Solution, Experiences while Integrating RFID Hardware into SAP Auto-ID Infrastructure, 16th International Conference on Industrial Engineering and Engineering Management (IE&EM), Beijing, China, 2009<br />[15] Matthieu-P. Schapranow, Jürgen Müller, Sebastian Enderlein, Marco Helmich, Alexander Zeier: Low-Cost Mutual RFID Authentication Model Using Predefined Password Lists, 16th International Conference on Industrial Engineering and Engineering Management, Beijing, China, 2009<br />[16] Matthieu-P. Schapranow, Martin Grund, Jens Krüger, Jan Schaffner, Anja Bog: Combining Advantages - Unified Data Stores in Global Enterprises, IEEE Symposium on Advanced Management of Information for Globalized Enterprises, Tianjin, China, 2008<br />[17] Jürgen Müller, Matthieu-P. Schapranow, Conrad Pöpke, Michaela Urbat, Alexander Zeier, Hasso Plattner: Best Practices for Rigorous Evaluation of RFID Software Components, Proceedings of the 6th European Workshop on RFID Systems and Technologies, Ciudad Real, Spain, 2010<br />Real-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 2011<br />14<br />
    15. 15. Related Publications<br />[18] Matthieu-P. Schapranow, Jürgen Müller, Alexander Zeier, Hasso Plattner: Sustainable Use of RFID Tags in the Pharmaceutical Industry, European Workshop on Smart Objects: Systems, Technologies and Applications, Ciudad Real, Spain, 2010<br />[19] Matthieu-P. Schapranow, Jürgen Müller, Alexander Zeier, Hasso Plattner: RFID Event Data Processing -- An Architecture for Storing and Searching, Proceedings of the 4th International Workshop on RFID Technology - Concepts, Applications, Challenges, Funchal, Madeira, Portugal, 2010<br />[20] Matthieu-P. Schapranow, Jürgen Müller, Alexander Zeier, Hasso Plattner: Security Aspects in Vulnerable RFID-Aided Supply Chains, Proceedings of the 5th European Workshop on RFID Systems and Technologies, Bremen, 2009<br />[21] Jürgen Müller, Martin Faust, David Schwalb, Matthieu-P. Schapranow, Alexander Zeier, Hasso Plattner: A Software as a Service RFID Middleware for Small and Medium-sized Enterprises, Proceedings of the 5th European Workshop on RFID Systems and Technologies, Bremen, Germany, 2009<br />Real-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 2011<br />15<br />
    16. 16. Thank you for your interest!Keep in contact with us.<br />Responsible: Deputy Prof. of Prof. Hasso PlattnerDr. Alexander Zeierzeier@hpi.uni-potsdam.de<br />Matthieu-P. Schapranow, M.Sc.<br />matthieu.schapranow@hpi.uni-potsdam.de<br />Hasso Plattner InstituteEnterprise Platform & Integration ConceptsMatthieu-P. SchapranowAugust-Bebel-Str. 8814482 Potsdam, Germany<br />RFIDSystech10, Sustainable Use of RFID Tags in the Pharma Industry, Schapranow, June 15-16, 2010<br />16<br />
    17. 17. BACKUP<br />Real-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 2011<br />17<br />
    18. 18. European Pharmaceutical IndustryData Sizing Assumptions<br />≈15 billion pharmaceuticals on prescription per year [21]<br />≥11 relevant events per unique item<br />1 x manufacturer (create + ship)<br />2 x wholesaler (receive + 2 x observe + ship) <br />1 x retailer (receive + sell)<br />1 x end consumer (check)<br />Assuming 360 days production results in ≈5,300 events/s within the European pharmaceutical supply chain<br />Individual events are very small, i.e. avg. 182 Byte[19]<br />Real-time Security Extensions for RFID-aided Supply Chains, Schapranow, Feb 23, 2011<br />18<br />

    ×