Your SlideShare is downloading. ×
Real-time Security Extensions for EPCglobal Networks (Disputation)
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Real-time Security Extensions for EPCglobal Networks (Disputation)

946
views

Published on

Published in: Technology

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
946
On Slideshare
0
From Embeds
0
Number of Embeds
4
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Real-time Security Extensions for EPCglobal Networks Disputation Hasso Plattner Institute Sep 19, 2012 Matthieu-P. Schapranow, M.Sc. Hasso Plattner InstituteEnterprise Platform and Integration Concepts
  • 2. Agenda2 ■  Motivation: Pharmaceutical Counterfeits ■  Scientific Problem: Access Control in EPCglobal Networks ■  Scientific Approach ■  Analysis of Related Work ■  Scientific Contributions □  Device-level Security Extensions □  Business-level Security Extensions ■  Related Publications Disputation, Matthieu-P. Schapranow, Sep 19, 2012
  • 3. Motivation Pharmaceutical Supply Chain3 Counterfeits ■  34 million fake drugs in 2 months in the EU [34] ■  3rd place / 10% of all intercepted articles [35] Pharma- ceutical Anti-counterfeiting Industry Requirements ■  Radio Frequency Identification ■  EU: “Privacy by design” [36] (RFID) / data matrix [39] ■  BSI: “Minimize the use of ■  Enables fine-grained tracking personal data” [38] and tracing of products ■  No security mechanisms on low-cost passive RFID tags Disputation, Matthieu-P. Schapranow, Sep 19, 2012
  • 4. Motivation Influvac of Season 2012/2013 stolen4 Image adapted from http://www.drugswell.com/wow/index.php?act=viewProd&productId=2571 Disputation, Matthieu-P. Schapranow, Sep 19, 2012
  • 5. Scientific Problem Current Challenges of EPCglobal Networks5 ■  Definition: Digital representation of all physical goods are stored in distributed event repositories. Interchangeable Open Supply Products Chain EPCglobal Networks Unknown Business Partners ■  How to protect sensitive business secrets while enabling automatic exchange of relevant information? Disputation, Matthieu-P. Schapranow, Sep 19, 2012
  • 6. Scientific Problem Components for Anti-counterfeiting [6]6 ■  Anti-counterfeiting service provider: Supply Chain Participant authenticity checks for customers R Anti- R Discovery Counterfeiting ■  Discovery service: identification of Service Provider Service appropriate Electronic Product Code R Information Services (EPCIS) repository EPCIS EPCIS Repository ■  EPCIS repository: stores event data for all handled products of a certain party R Middleware ■  Access control? Undefined by EPCglobal! Reader tag Reader Tag RFID-enabled Company Disputation, Matthieu-P. Schapranow, Sep 19, 2012
  • 7. Scientific Problem Attack Locations7 Inside the Supply Chain Transition Zone Competitor Customer Supplier Supplier Manufacturer Wholesaler Retailer Outside the Supply Chain Counterfeiter Attacker ■  Inside the supply chain: controllable by supply chain participants ■  Outside the supply chain: vulnerable environment ■  Transition zone: customer’s risk Model introduced by [42] Disputation, Matthieu-P. Schapranow, Sep 19, 2012
  • 8. Scientific Problem Access Control8 ■  Challenges: □  Which level of granularity is appropriate for data protection, e.g. event- vs. attribute-level? □  How to maintain individual access rights per business partner? Hypothesis: Validation and adaption of access rights based on the I analysis of the complete query history can be performed in real-time during query processing, i.e. in less than two seconds. Disputation, Matthieu-P. Schapranow, Sep 19, 2012
  • 9. Scientific Problem Authenticity of Supply Chain Parties9 ■  Challenge: How to prevent attacks for obtaining sensitive business secrets in open supply chains? Hypothesis: Public Key Infrastructure (PKI) certificates can be used II for identification of supply chain parties to establish specific access control and to trace counterfeiters/attackers once they are detected. Hypothesis: Management of individual encryption keys per supply chain participant can reduce impact of key exposure. Using an in- III memory database supports multiple key renewals per day and individual key lookups in an interactive manner. Disputation, Matthieu-P. Schapranow, Sep 19, 2012
  • 10. Scientific Approach10 Access Control Software Design Engineering [41] Research Topics Science [40] •  Analysis •  Relevance My •  Definition •  Rigor Work •  Design and •  Search Implementation Process •  Measurement EPCglobal Networks Scientific Approaches Disputation, Matthieu-P. Schapranow, Sep 19, 2012
  • 11. Analysis of Related Work Categorization of EPCglobal Work11 ■  A) Before 2007: tag-reader communication ■  B) From 2007: software components, such as EPCIS, ONS, etc. Comparison of Related Research Activities 8 EPCIS EPCDS ONS 7 Middleware Tag/Reader Others 6 Relevant Publications 5 4 3 2 1 0 20 20 20 20 20 0 0 0 0 0 5 6 7 8 9 Disputation, Matthieu-P. Schapranow, Sep 19, 2012 Publication Year of
  • 12. Analysis of Related Work Outcome: The Security Matrix12 Security Requirements for EPCglobal Networks Device Level Business Level Technical Tags, Readers, Sensitive Business Data Perspective Hardware, etc. Business Counterfeits Business Secrets Perspective Disputation, Matthieu-P. Schapranow, Sep 19, 2012
  • 13. Device-level Security Extensions Comparison of Research Contributions13 Attack / Aspect St. Quo Static [21] Dynamic [13] Middleware extension ✗ ✓ ✓ Signal interferences ✗ ✗ ✗ Reader impersonation ✗ ✓/✗ ✓/✗ Replay ✗ ✓/✗ ✓/✗ Infinite reuse ✗ ✓ ✓ R/W tags required ✗ ✓ ✓ Implicit identification ✗ ✓ ✓ Illegal access ✗ ✓ ✓ Eavesdropping/Sniffing ✗ ✓ ✓ Tag spoofing ✗ ✓ ✓ Tag impersonation ✗ ✓ ✓ Man-in-the-middle ✗ ✓ ✓ Hash functions ✗ ✓ ✓ Disputation, Matthieu-P. Schapranow, Sep 19, 2012
  • 14. Business-level Security Extensions Architecture Comparison In terne t14 R E P C IS of E ve nt S u pply C h ain R ep osito ry P arty B Inquirer A EPCglobal Security Component Networks Extensions ✓ Inquirer ✓ ✓ Event Repository ✓ ✗ Access Control Client (ACC) ✓ ✗ Access Control Server (ACS) ✓ ✗ Trust Relationship Server (TRS) ✓ Disputation, Matthieu-P. Schapranow, Sep 19, 2012
  • 15. Business-level Security Extensions Architecture Comparison In terne t15 R R R E P C IS of E ve nt ACC ACS S u pply C h ain R ep osito ry P arty B Inquirer A R TRS EPCglobal Security Component Networks Extensions ✓ Inquirer ✓ ✓ Event Repository ✓ ✗ Access Control Client (ACC) ✓ ✗ Access Control Server (ACS) ✓ ✗ Trust Relationship Server (TRS) ✓ Disputation, Matthieu-P. Schapranow, Sep 19, 2012
  • 16. Business-level Security Extensions Architecture Comparison In terne t16 R R R E P C IS of E ve nt ACC ACS S u pply C h ain R ep osito ry P arty B Inquirer A R TRS EPCglobal Security Component Networks Extensions ✓ Inquirer ✓ ✓ Event Repository ✓ ✗ Access Control Client (ACC) ✓ ✗ Access Control Server (ACS) ✓ ✗ Trust Relationship Server (TRS) ✓ Disputation, Matthieu-P. Schapranow, Sep 19, 2012
  • 17. Business-level Security Extensions Architecture Comparison In terne t17 R R R E P C IS of E ve nt ACC ACS S u pply C h ain R ep osito ry P arty B Inquirer A R TRS EPCglobal Security Component Networks Extensions ✓ Inquirer ✓ ✓ Event Repository ✓ ✗ Access Control Client (ACC) ✓ ✗ Access Control Server (ACS) ✓ ✗ Trust Relationship Server (TRS) ✓ Disputation, Matthieu-P. Schapranow, Sep 19, 2012
  • 18. Business-level Security Extensions History-based Access Control18 Role-based Access Control (RBAC) Management of Real-time analysis individual History-based Access of the complete Control (HBAC) encryption keys query history Rule-based Access Control (RuBAC) Disputation, Matthieu-P. Schapranow, Sep 19, 2012
  • 19. Business-level Security Extensions Extended Communication Protocol I19 Inquirer A ACC ACS Manufacturer B 1: Query Q 2: {Q}PrivKey A, Cert A 3: Generate SymKey R for A 4: Select result set from EPCIS repository 5: Rsp R 7: {{Rsp R}SymKey R}PubKey A 6: {Rsp R}SymKey R Disputation, Matthieu-P. Schapranow, Sep 19, 2012
  • 20. Business-level Security Extensions Extended Communication Protocol II20 Inquirer A ACC ACS TRS 8: {getLic(Q)}PrivKey A, Cert A 9: Verify trust of A 10: Trust score for A 11: Derive access rights for A 12: {SymKey R, ODRL for A}PubKey A 13: Decrypt {Rsp R} with SymKey R 15: Filtered, decrypted event set 14: Enforce access rights for A Disputation, Matthieu-P. Schapranow, Sep 19, 2012
  • 21. Business-level Security Extensions Benchmark Setup21 ■  Benchmarking script, query client and ACC executed on one server ■  FOSSTRAK EPCIS and ACS executed dedicated server ■  ACS partitioned across multiple separate server ■  Event database of FOSSTRAK on separate server ■  Amdahl’s law: ■  Execution time: ■  Response time: R ACS DB Server, ACC History, Access ACC ACS In-memory Rights and Rules B2,B7: B3: or MySQL SOAP (SSL), TCP B1,B11: B8,B9: Blade Servers 1..4 R B4,B5: SOAP ODRL (SSL) R SOAP via TCP via TCP Benchmark Benchmark Set FOSSTRAK In-memory Event Script acting as of Event Data EPCIS DB Server Repository Query Client R TCP A1,A2: Benchmark Server SOAP EPCIS Server Blade Server 5 via TCP Disputation, Matthieu-P. Schapranow, Sep 19, 2012
  • 22. Business-level Security Extensions Benchmark Results Response Time Deltas of Enabled and Disabled Security Extensions22 Response Time Deltas of Enabled and Disabled Security Extensions ■  Real-time analysis possible 1 1 Round Robin Round Robin Range ■  Length of query history Mean Response Latency of Security Extensions in [s] Range None Mean Response Latency of Security Extensions in [s] None correlates to response time 0.488 0.456 ■  Data partitioning supports 0.488 0.374 0.456 0.338 scalability of ACS 0.322 0.321 0.374 0.338 ■  Range partitioning is 0.322 0.321 more applicable for multi-user systems 0.152 0.152 0.1 0.1 1 4 10 100 1 4 10 100 Number of Partitions Number of Partitions Disputation, Matthieu-P. Schapranow, Sep 19, 2012
  • 23. Summary23 ■  In-memory technology supports □  Real-time analysis of query history □  Interactive management of encryption keys ■  HBAC enables transparent spectrum of controlling access ■  PKI and HBAC are applicable for pharmaceutical supply chain ■  Further applicability □  Retail industry □  Healthcare industry □  Next generation identification Disputation, Matthieu-P. Schapranow, Sep 19, 2012
  • 24. Related Publications24 Journals 1  Hasso Plattner, Christoph Meinel, Matthieu-P. Schapranow: Blitzschnelle Datenanalysen für die personalisierte Medizin der Zukunft – Interdisziplinäre Impulse aus Potsdam und Berlin, Themenbroschüre 2012 Gesundheitsstandort Berlin- Brandenburg, 2012 2  Matthieu-P. Schapranow, Jürgen Müller, Alexander Zeier, Hasso Plattner: Costs of Authentic Pharmaceuticals: Research on Qualitative and Quantitative Aspects of Enabling Anti-counterfeiting in RFID-aided Supply Chains, Personal and Ubiquitous Computing, Springer, 10.1007/s00779-011-0390-4, 2011 3  Alexander Zeier, Paul Hofmann, Jens Krüger, Jürgen Müller, Matthieu-P. Schapranow: Integration of RFID Technology is a Key Enabler for Demand-Driven Supply Network, ICFAI University Journal of Supply Chain Management, 2009 4  Matthieu-P. Schapranow, Jens Krüger, Jürgen Müller: Smart Enterprise Widgets: Little Helpers with a Big Impact, SAP INFO (online), 2008 5  Matthieu-P. Schapranow, Jens Krüger: HPI Students Learn with SAP Enterprise Services, SAP INFO (online), 2008 Book Chapters 6  Matthieu-P. Schapranow, Jürgen Müller, Alexander Zeier, Hasso Plattner: Secure RFID-Enablement in Modern Companies: A Case Study of the Pharmaceutical Industry, Handbook of Research on Industrial Informatics and Manufacturing Intelligence: Innovations and Solutions, IGI Global, 2012 7  Matthieu-P. Schapranow, Jürgen Müller, Alexander Zeier, Hasso Plattner: What are Authentic Pharmaceuticals Worth?, RFID / Book 2, INTECH Press, ISBN: 978-953-307-265-4, 2011 8  Martin Lorenz, Jürgen Müller, Matthieu-P. Schapranow, Alexander Zeier: Discovery Services in the EPC Network, RFID, INTECH Press, ISBN: 978-953-307-473-3, 2011 Disputation, Matthieu-P. Schapranow, Sep 19, 2012
  • 25. Related Publications25 In Conference Proceedings 9  Matthieu-P. Schapranow, Alexander Zeier, Felix Leupold, Tobias Schubotz: Securing EPCglobal Object Name Service: Privacy Enhancements for Anti-counterfeiting, 2nd International Conference on Intelligent Systems, Modeling and Simulation, 2011 10  Matthieu-P. Schapranow, Alexander Zeier, Hasso Plattner: A Formal Model for Enabling RFID in Pharmaceutical Supply Chains, 44th Hawaii International Conference on System Sciences, 2011 11  Matthieu-P. Schapranow, Cindy Fähnrich, Alexander Zeier, Hasso Plattner: Simulation of RFID-aided Supply Chains: Case Study of the Pharmaceutical Supply Chain, Third International Conference on Computational Intelligence, Modelling and Simulation, 2011 12  Matthieu-P. Schapranow, Alexander Zeier, Hasso Plattner: Security Extensions for Improving Data Security of Event Repositories in EPCglobal Networks, The 9th International Conference on Embedded and Ubiquitous Computing, 2011 13  Matthieu-P. Schapranow, Alexander Zeier, Hasso Plattner: A Dynamic Mutual RFID Authentication Model Preventing Unauthorized Third Party Access, The 4th International Conference on Network and System Security, 2010 14  Matthieu-P. Schapranow, Mike Nagora, Alexander Zeier: CoMoSeR: Cost Model for Security-Enhanced RFID-Aided Supply Chains, 18th International Conference on Software, Telecommunication and Computer Networks, 2010 15  Jürgen Müller, Martin Lorenz, Felix Geller, Matthieu-P. Schapranow, Thomas Kowark, Alexander Zeier: Assessment of Communication Protocols in the EPC Network: Replacing Textual SOAP and XML with Binary Google Protocol Buffers Encoding, 17th IEEE International Conference on Industrial Engineering and Engineering Management, Xiamen, China, 2010 16  Matthieu-P. Schapranow, Ralph Kühne, Alexander Zeier: Real-Time Billing in Smart Grid Infrastructures, Power and Energy Student Summit 2010 - Integration of Renewable Energies into the Grid, 2010 17  Matthieu-P. Schapranow, Jens Krüger, Vadym Borovskiy, Alexander Zeier, Hasso Plattner: Data Loading & Caching Strategies in Service-Oriented Enterprise Applications , Proceedings of Congress on Services, Los Angeles, CA, USA, 2009 Disputation, Matthieu-P. Schapranow, Sep 19, 2012
  • 26. Related Publications26 18  Jürgen Müller, Matthieu-P. Schapranow, Marco Helmich, Sebastian Enderlein, Alexander Zeier: RFID Middleware as a Service - Enabling Small and Medium-sized Enterprises to Participate in the EPC Network, 16th International Conference on Industrial Engineering and Engineering Management, Beijing, China, 2009 19  Jürgen Müller, Matthias Uflacker, Jens Krüger, Matthieu-P. Schapranow, Alexander Zeier: noFilis CrossTalk 2.0 as Device Management Solution, Experiences while Integrating RFID Hardware into SAP Auto-ID Infrastructure, 16th International Conference on Industrial Engineering and Engineering Management, Beijing, China, 2009 20  Vadym Borovskiy, Jürgen Müller, Matthieu-P. Schapranow, Alexander Zeier: Binary Search Tree Visualization Algorithm, 16th International Conference on Industrial Engineering and Engineering Management, Beijing, China, 2009 21  Matthieu-P. Schapranow, Jürgen Müller, Sebastian Enderlein, Marco Helmich, Alexander Zeier: Low-Cost Mutual RFID Authentication Model Using Predefined Password Lists, 16th International Conference on Industrial Engineering and Engineering Management, Beijing, China, 2009 22  Martin Grund, Jan Schaffner, Matthieu-P. Schapranow, Jens Krüger, Anja Bog: Shared Table Access Pattern Analysis for Multi-Tenant Applications, IEEE Symposium on Advanced Management of Information for Globalized Enterprises, Tianjin, China, 2008 23  Martin Grund, Jens Krüger, Jan Schaffner, Matthieu-P. Schapranow, Anja Bog: Operational Reporting Using Navigational SQL, IEEE Symposium on Advanced Management of Information for Globalized Enterprises, Tianjin, China, 2008 24  Matthieu-P. Schapranow, Martin Grund, Jens Krüger, Jan Schaffner, Anja Bog: Combining Advantages - Unified Data Stores in Global Enterprises, IEEE Symposium on Advanced Management of Information for Globalized Enterprises, Tianjin, China, 2008 Disputation, Matthieu-P. Schapranow, Sep 19, 2012
  • 27. Related Publications27 Workshops and Exhibitions 25  Martin Lorenz, Jürgen Müller, Matthieu-P. Schapranow, Alexander Zeier: A Distributed EPC Discovery Service based on Peer-to-peer Technology, RFID SysTech 2011, Dresden, Germany, 2011 26  Matthieu-P. Schapranow, Martin Lorenz, Alexander Zeier, Hasso Plattner: License-based Access Control in EPCglobal Networks, Proceedings of the 7th European Workshop on RFID Systems and Technologies, Dresden, 2011 27  Jürgen Müller, Matthieu-P. Schapranow, Conrad Pöpke, Michaela Urbat, Alexander Zeier, Hasso Plattner: Best Practices for Rigorous Evaluation of RFID Software Components, Proceedings of the 6th European Workshop on RFID Systems and Technologies, Ciudad Real, Spain, 2010 28  Matthieu-P. Schapranow, Jürgen Müller, Alexander Zeier, Hasso Plattner: Sustainable Use of RFID Tags in the Pharmaceutical Industry, European Workshop on Smart Objects: Systems, Technologies and Applications, Ciudad Real, Spain, 2010 29  Matthieu-P. Schapranow, Jürgen Müller, Alexander Zeier, Hasso Plattner: RFID Event Data Processing: An Architecture for Storing and Searching, Proceedings of the 4th International Workshop on RFID Technology - Concepts, Applications, Challenges, Funchal, Madeira, Portugal, 2010 30  Matthieu-P. Schapranow, Ralph Kühne, Alexander Zeier: Enabling Real-Time Charging for Smart Grid Infrastructures using In-Memory Databases, 1st LCN Workshop on Smart Grid Networking Infrastructure, 2010 31  Vadym Borovskiy, Jürgen Müller, Matthieu-P. Schapranow, Alexander Zeier: Ensuring Service Backwards Compatibility with Generic Web Services, PESOS Workshop, Vancouver, Canada, 2009 32  Matthieu-P. Schapranow, Jürgen Müller, Alexander Zeier, Hasso Plattner: Security Aspects in Vulnerable RFID-Aided Supply Chains, Proceedings of the 5th European Workshop on RFID Systems and Technologies, Bremen, 2009 33  Jürgen Müller, Martin Faust, David Schwalb, Matthieu-P. Schapranow, Alexander Zeier, Hasso Plattner: A Software as a Service RFID Middleware for Small and Medium-sized Enterprises, Proceedings of the 5th European Workshop on RFID Systems and Technologies, Bremen, Germany, 2009 Disputation, Matthieu-P. Schapranow, Sep 19, 2012
  • 28. Related Publications28 Miscellaneous 34  European Commission: Customs: Millions of illegal Medicines stopped by "MEDI-FAKE" action. IP/08/1980, 2008 35  European Commission Taxation and Customs Union: Statistics of Customs Detentions Recorded at the External Borders of the EU, EU-wide statistics for 2009, 2010 36  European Commission: Commission Recommendation on the Implementation of Privacy and Data Protection Principles in Applications supported by Radio-Frequency Identification, Brussel, 2009 37  Federal Office for Information Security: Standard 100-1 Information Security Management Systems (ISMS) V. 1.5, 2008 38  Federal Data Protection Act §3a: “Datenvermeidung und Datensparsamkeit”, 2009 39  European Commission: Public Consultation in Preparation of a Legal Proposal to Combat Counterfeit Medicines for Human Use: Key Ideas for better Protection of Patients against the Risk of Counterfeit Medicines, Brussel, 2008 40  Alan R. Hevner et al: Design-Science in Information Systems Research, MIS Quarterly, Vol. 28, No. 1, pp. 75-105, 2004 41  Ian Sommerville: Software Engineering, Addison-Wesley, 2007 42  Simson L. Garfinkel, Ari Juels, Ravi Pappu: RFID Privacy: An Overview of Problems and Proposed Solutions, IEEE Security and Privacy, Vol. 3, pp. 34-43, IEEE Computer Society, 2005 Disputation, Matthieu-P. Schapranow, Sep 19, 2012
  • 29. Thank you for your interest! Keep in contact with me.29 Matthieu-P. Schapranow, M.Sc. schapranow@hpi.uni-potsdam.de http://j.mp/schapranow Hasso Plattner Institute Enterprise Platform and Integration Concepts Matthieu-P. Schapranow August-Bebel-Str. 88 14482 Potsdam, Germany Disputation, Matthieu-P. Schapranow, Sep 19, 2012

×