Real-time Security Extensions for EPCglobal Networks (Disputation)
1. Real-time Security Extensions for EPCglobal Networks
Disputation
Hasso Plattner Institute
Sep 19, 2012
Matthieu-P. Schapranow, M.Sc.
Enterprise Platform and Integration Concepts
2. Agenda
■ Motivation: Pharmaceutical Counterfeits
■ Scientific Problem: Access Control in EPCglobal Networks
■ Scientific Approach
■ Analysis of Related Work
■ Scientific Contributions
□ Device-level Security Extensions
□ Business-level Security Extensions
■ Related Publications
Disputation, Matthieu-P. Schapranow, Sep 19, 2012
3. Motivation
Pharmaceutical Supply Chain
Counterfeits
■ 34 million fake drugs in 2 months in the EU [34]
■ 3rd place / 10% of all intercepted articles [35]
Anti-counterfeiting
■ Radio Frequency Identification (RFID) / data matrix [39]
■ Enables fine-grained tracking and tracing of products
■ No security mechanisms on low-cost passive RFID tags
Industry Requirements
■ EU: “Privacy by design” [36]
■ BSI: “Minimize the use of personal data” [38]
4. Motivation
Influvac of Season 2012/2013 stolen
Image adapted from http://www.drugswell.com/wow/index.php?act=viewProd&productId=2571
5. Scientific Problem
Current Challenges of EPCglobal Networks
■ Definition: Digital representations of all physical goods are stored in distributed event repositories.
[Figure: EPCglobal Networks, surrounded by Interchangeable Products, Open Supply Chain and Unknown Business Partners]
■ How to protect sensitive business secrets while enabling automatic exchange of relevant information?
6. Scientific Problem
Components for Anti-counterfeiting [6]
■ Anti-counterfeiting service provider: authenticity checks for customers
■ Discovery service: identification of appropriate Electronic Product Code Information Services (EPCIS) repository
■ EPCIS repository: stores event data for all handled products of a certain party
■ Access control? Undefined by EPCglobal!
[Figure: Components shown: Supply Chain Participant, Anti-Counterfeiting Service Provider, Discovery Service, EPCIS Repository, Middleware, Reader and Tag of an RFID-enabled Company]
7. Scientific Problem
Attack Locations
[Figure: Attack locations. Zones: Inside the Supply Chain, Transition Zone, Outside the Supply Chain. Actors shown: Supplier, Manufacturer, Wholesaler, Retailer, Customer, Competitor, Counterfeiter, Attacker.]
■ Inside the supply chain: controllable by supply chain participants
■ Outside the supply chain: vulnerable environment
■ Transition zone: customer’s risk
Model introduced by [42]
8. Scientific Problem
Access Control
■ Challenges:
□ Which level of granularity is appropriate for data protection, e.g. event- vs. attribute-level?
□ How to maintain individual access rights per business partner?
Hypothesis I: Validation and adaption of access rights based on the analysis of the complete query history can be performed in real-time during query processing, i.e. in less than two seconds.
9. Scientific Problem
Authenticity of Supply Chain Parties
■ Challenge: How to prevent attacks for obtaining sensitive business secrets in open supply chains?
Hypothesis II: Public Key Infrastructure (PKI) certificates can be used for identification of supply chain parties to establish specific access control and to trace counterfeiters/attackers once they are detected.
Hypothesis III: Management of individual encryption keys per supply chain participant can reduce impact of key exposure. Using an in-memory database supports multiple key renewals per day and individual key lookups in an interactive manner.
10. Scientific Approach
Research Topics
■ Access Control
■ EPCglobal Networks
Scientific Approaches
■ Design Science [40]: Relevance, Rigor, Search Process
■ Software Engineering [41]: Analysis, Definition, Design and Implementation, Measurement
[Figure: "My Work" positioned between the research topics and the scientific approaches]
11. Analysis of Related Work
Categorization of EPCglobal Work
■ A) Before 2007: tag-reader communication
■ B) From 2007: software components, such as EPCIS, ONS, etc.
[Figure: Comparison of Related Research Activities. Y-axis: Relevant Publications (0 to 8); x-axis: Year of Publication (2005 to 2009); series: EPCIS, EPCDS, ONS, Middleware, Tag/Reader, Others]
12. Analysis of Related Work
Outcome: The Security Matrix
Security Requirements for EPCglobal Networks
■ Technical Perspective
□ Device Level: Tags, Readers, Hardware, etc.
□ Business Level: Sensitive Business Data
■ Business Perspective
□ Device Level: Counterfeits
□ Business Level: Business Secrets
14. Business-level Security Extensions
Architecture Comparison
[Figure: Inquirer A and the EPCIS Event Repository of Supply Chain Party B, connected via the Internet]
EPCglobal Networks | Component | Security Extensions
✓ | Inquirer | ✓
✓ | Event Repository | ✓
✗ | Access Control Client (ACC) | ✓
✗ | Access Control Server (ACS) | ✓
✗ | Trust Relationship Server (TRS) | ✓
15. Business-level Security Extensions
Architecture Comparison
[Figure: Inquirer A, ACC, ACS and the EPCIS Event Repository of Supply Chain Party B, connected via the Internet, together with the TRS]
EPCglobal Networks | Component | Security Extensions
✓ | Inquirer | ✓
✓ | Event Repository | ✓
✗ | Access Control Client (ACC) | ✓
✗ | Access Control Server (ACS) | ✓
✗ | Trust Relationship Server (TRS) | ✓
18. Business-level Security Extensions
History-based Access Control
[Figure: History-based Access Control (HBAC) in the center, surrounded by Role-based Access Control (RBAC), Rule-based Access Control (RuBAC), management of individual encryption keys, and real-time analysis of the complete query history]
19. Business-level Security Extensions
Extended Communication Protocol I
Participants: Inquirer A, ACC, ACS, Manufacturer B
1: Query Q
2: {Q}PrivKey A, Cert A
3: Generate SymKey R for A
4: Select result set from EPCIS repository
5: Rsp R
6: {Rsp R}SymKey R
7: {{Rsp R}SymKey R}PubKey A
20. Business-level Security Extensions
Extended Communication Protocol II
Participants: Inquirer A, ACC, ACS, TRS
8: {getLic(Q)}PrivKey A, Cert A
9: Verify trust of A
10: Trust score for A
11: Derive access rights for A
12: {SymKey R, ODRL for A}PubKey A
13: Decrypt {Rsp R} with SymKey R
14: Enforce access rights for A
15: Filtered, decrypted event set
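Added example, not code from the slides or the author's implementation: a runnable sketch of the two protocol slides above, showing that the inquirer side holds only ciphertext until the ACS releases SymKey R inside a license, and that the ACC filters attributes before anything reaches the inquirer. Assumptions: all function names are hypothetical, Cert A is reduced to a bare RSA public key, an attribute allow-list stands in for ODRL, the 0.5 trust threshold is invented, and the outer PubKey A layer of step 7 and the signed getLic request of step 8 are left out.

```javascript
const crypto = require('node:crypto');

// Constructed event data for Manufacturer B's repository; the attribute names
// and EPC values are illustrative assumptions, not taken from the slides.
const REPO = [
  { epc: 'urn:epc:id:sgtin:0614141.107346.2017', bizStep: 'shipping', readPoint: 'dock-3' },
  { epc: 'urn:epc:id:sgtin:0614141.107346.2018', bizStep: 'receiving', readPoint: 'gate-1' },
];
const OAEP = { oaepHash: 'sha256' };

// Step 2 (ACC): {Q}PrivKey A. Cert A is reduced to A's bare public key; a
// real ACS would validate the certificate chain before trusting it.
function signQuery(privA, query) {
  return crypto.sign('sha256', Buffer.from(query), privA);
}

// Steps 3-6 (ACS): authenticate A, generate SymKey R, select the result set
// (here: EPC prefix match) and encrypt it. A holds only ciphertext for now.
function respond(pubA, query, sig, repo) {
  if (!crypto.verify('sha256', Buffer.from(query), pubA, sig)) {
    throw new Error('query signature does not match Cert A');
  }
  const symKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const rsp = JSON.stringify(repo.filter((e) => e.epc.startsWith(query)));
  const c = crypto.createCipheriv('aes-256-gcm', symKey, iv);
  const body = Buffer.concat([c.update(rsp, 'utf8'), c.final()]);
  return { symKey, sealed: { iv, body, tag: c.getAuthTag() } };
}

// Steps 9-12 (ACS): map the TRS trust score to access rights (threshold and
// attribute lists are assumptions) and send {SymKey R, rights}PubKey A.
function grantLicense(pubA, symKey, trustScore) {
  const allowed = trustScore >= 0.5 ? ['epc', 'bizStep', 'readPoint'] : ['epc'];
  const lic = JSON.stringify({ symKey: symKey.toString('base64'), allowed });
  return crypto.publicEncrypt({ key: pubA, ...OAEP }, Buffer.from(lic));
}

// Steps 13-15 (ACC): unwrap the license, decrypt Rsp R with SymKey R and
// release only the attributes the license allows.
function enforce(privA, license, sealed) {
  const lic = JSON.parse(crypto.privateDecrypt({ key: privA, ...OAEP }, license).toString());
  const d = crypto.createDecipheriv('aes-256-gcm', Buffer.from(lic.symKey, 'base64'), sealed.iv);
  d.setAuthTag(sealed.tag);
  const events = JSON.parse(Buffer.concat([d.update(sealed.body), d.final()]).toString());
  return events.map((e) => Object.fromEntries(lic.allowed.map((k) => [k, e[k]])));
}

// Runs the exchange once for inquirer A with the given trust score.
function runExchange(keysA, query, trustScore) {
  const sig = signQuery(keysA.privateKey, query);
  const { symKey, sealed } = respond(keysA.publicKey, query, sig, REPO);
  return enforce(keysA.privateKey, grantLicense(keysA.publicKey, symKey, trustScore), sealed);
}

const keysA = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
console.log(runExchange(keysA, 'urn:epc:id:sgtin:0614141.107346.2017', 0.2));
```

With a low trust score the inquirer receives only the EPC of the matching event; the remaining attributes never leave the ACC.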
21. Business-level Security Extensions
Benchmark Setup
■ Benchmarking script, query client and ACC executed on one server
■ FOSSTRAK EPCIS and ACS executed on a dedicated server
■ ACS partitioned across multiple separate servers
■ Event database of FOSSTRAK on separate server
■ Amdahl’s law:
■ Execution time:
■ Response time:
[Figure: Benchmark setup. Nodes: Benchmark Server, EPCIS Server, Blade Servers 1..4, Blade Server 5. Components: benchmark script acting as query client, ACC, ACS, FOSSTRAK EPCIS, ACS DB server (in-memory or MySQL) holding history, access rights and rules, and in-memory event DB server holding the benchmark set of event data as event repository. Connections: SOAP via TCP, SOAP (SSL), ODRL (SSL), TCP; measurement points A1, A2 and B1 to B11.]
22. Business-level Security Extensions
Benchmark Results
Response Time Deltas of Enabled and Disabled Security Extensions
■ Real-time analysis possible
■ Length of query history correlates to response time
■ Data partitioning supports scalability of ACS
■ Range partitioning is more applicable for multi-user systems
[Figure: Mean Response Latency of Security Extensions in [s] (y-axis, 0.1 to 1) over Number of Partitions (x-axis: 1, 4, 10, 100) for the partitioning schemes Round Robin, Range and None. Data labels: 0.488, 0.456, 0.374, 0.338, 0.322, 0.321, 0.152.]
23. Summary
■ In-memory technology supports
□ Real-time analysis of query history
□ Interactive management of encryption keys
■ HBAC enables transparent spectrum of controlling access
■ PKI and HBAC are applicable for pharmaceutical supply chain
■ Further applicability
□ Retail industry
□ Healthcare industry
□ Next generation identification
24. Related Publications
Journals
1 Hasso Plattner, Christoph Meinel, Matthieu-P. Schapranow: Blitzschnelle Datenanalysen für die personalisierte Medizin der
Zukunft – Interdisziplinäre Impulse aus Potsdam und Berlin, Themenbroschüre 2012 Gesundheitsstandort Berlin-
Brandenburg, 2012
2 Matthieu-P. Schapranow, Jürgen Müller, Alexander Zeier, Hasso Plattner: Costs of Authentic Pharmaceuticals:
Research on Qualitative and Quantitative Aspects of Enabling Anti-counterfeiting in RFID-aided Supply
Chains, Personal and Ubiquitous Computing, Springer, 10.1007/s00779-011-0390-4, 2011
3 Alexander Zeier, Paul Hofmann, Jens Krüger, Jürgen Müller, Matthieu-P. Schapranow: Integration of RFID Technology is a
Key Enabler for Demand-Driven Supply Network, ICFAI University Journal of Supply Chain Management, 2009
4 Matthieu-P. Schapranow, Jens Krüger, Jürgen Müller: Smart Enterprise Widgets: Little Helpers with a Big Impact, SAP
INFO (online), 2008
5 Matthieu-P. Schapranow, Jens Krüger: HPI Students Learn with SAP Enterprise Services, SAP INFO (online), 2008
Book Chapters
6 Matthieu-P. Schapranow, Jürgen Müller, Alexander Zeier, Hasso Plattner: Secure RFID-Enablement in Modern
Companies: A Case Study of the Pharmaceutical Industry, Handbook of Research on Industrial Informatics and
Manufacturing Intelligence: Innovations and Solutions, IGI Global, 2012
7 Matthieu-P. Schapranow, Jürgen Müller, Alexander Zeier, Hasso Plattner: What are Authentic Pharmaceuticals Worth?,
RFID / Book 2, INTECH Press, ISBN: 978-953-307-265-4, 2011
8 Martin Lorenz, Jürgen Müller, Matthieu-P. Schapranow, Alexander Zeier: Discovery Services in the EPC Network, RFID,
INTECH Press, ISBN: 978-953-307-473-3, 2011
25. Related Publications
In Conference Proceedings
9 Matthieu-P. Schapranow, Alexander Zeier, Felix Leupold, Tobias Schubotz: Securing EPCglobal Object Name Service:
Privacy Enhancements for Anti-counterfeiting, 2nd International Conference on Intelligent Systems, Modeling and
Simulation, 2011
10 Matthieu-P. Schapranow, Alexander Zeier, Hasso Plattner: A Formal Model for Enabling RFID in Pharmaceutical Supply
Chains, 44th Hawaii International Conference on System Sciences, 2011
11 Matthieu-P. Schapranow, Cindy Fähnrich, Alexander Zeier, Hasso Plattner: Simulation of RFID-aided Supply Chains: Case
Study of the Pharmaceutical Supply Chain, Third International Conference on Computational Intelligence, Modelling and
Simulation, 2011
12 Matthieu-P. Schapranow, Alexander Zeier, Hasso Plattner: Security Extensions for Improving Data Security of Event
Repositories in EPCglobal Networks, The 9th International Conference on Embedded and Ubiquitous Computing, 2011
13 Matthieu-P. Schapranow, Alexander Zeier, Hasso Plattner: A Dynamic Mutual RFID Authentication Model Preventing
Unauthorized Third Party Access, The 4th International Conference on Network and System Security, 2010
14 Matthieu-P. Schapranow, Mike Nagora, Alexander Zeier: CoMoSeR: Cost Model for Security-Enhanced RFID-Aided Supply
Chains, 18th International Conference on Software, Telecommunication and Computer Networks, 2010
15 Jürgen Müller, Martin Lorenz, Felix Geller, Matthieu-P. Schapranow, Thomas Kowark, Alexander Zeier: Assessment of
Communication Protocols in the EPC Network: Replacing Textual SOAP and XML with Binary Google Protocol Buffers
Encoding, 17th IEEE International Conference on Industrial Engineering and Engineering Management, Xiamen, China,
2010
16 Matthieu-P. Schapranow, Ralph Kühne, Alexander Zeier: Real-Time Billing in Smart Grid Infrastructures, Power and Energy
Student Summit 2010 - Integration of Renewable Energies into the Grid, 2010
17 Matthieu-P. Schapranow, Jens Krüger, Vadym Borovskiy, Alexander Zeier, Hasso Plattner: Data Loading & Caching
Strategies in Service-Oriented Enterprise Applications, Proceedings of Congress on Services, Los Angeles, CA, USA, 2009
26. Related Publications
18 Jürgen Müller, Matthieu-P. Schapranow, Marco Helmich, Sebastian Enderlein, Alexander Zeier: RFID Middleware as a
Service - Enabling Small and Medium-sized Enterprises to Participate in the EPC Network, 16th International Conference on
Industrial Engineering and Engineering Management, Beijing, China, 2009
19 Jürgen Müller, Matthias Uflacker, Jens Krüger, Matthieu-P. Schapranow, Alexander Zeier: noFilis CrossTalk 2.0 as Device
Management Solution, Experiences while Integrating RFID Hardware into SAP Auto-ID Infrastructure, 16th International
Conference on Industrial Engineering and Engineering Management, Beijing, China, 2009
20 Vadym Borovskiy, Jürgen Müller, Matthieu-P. Schapranow, Alexander Zeier: Binary Search Tree Visualization Algorithm,
16th International Conference on Industrial Engineering and Engineering Management, Beijing, China, 2009
21 Matthieu-P. Schapranow, Jürgen Müller, Sebastian Enderlein, Marco Helmich, Alexander Zeier: Low-Cost Mutual RFID
Authentication Model Using Predefined Password Lists, 16th International Conference on Industrial Engineering and
Engineering Management, Beijing, China, 2009
22 Martin Grund, Jan Schaffner, Matthieu-P. Schapranow, Jens Krüger, Anja Bog: Shared Table Access Pattern Analysis for
Multi-Tenant Applications, IEEE Symposium on Advanced Management of Information for Globalized Enterprises, Tianjin,
China, 2008
23 Martin Grund, Jens Krüger, Jan Schaffner, Matthieu-P. Schapranow, Anja Bog: Operational Reporting Using Navigational
SQL, IEEE Symposium on Advanced Management of Information for Globalized Enterprises, Tianjin, China, 2008
24 Matthieu-P. Schapranow, Martin Grund, Jens Krüger, Jan Schaffner, Anja Bog: Combining Advantages - Unified Data Stores
in Global Enterprises, IEEE Symposium on Advanced Management of Information for Globalized Enterprises, Tianjin, China,
2008
27. Related Publications
Workshops and Exhibitions
25 Martin Lorenz, Jürgen Müller, Matthieu-P. Schapranow, Alexander Zeier: A Distributed EPC Discovery Service based on
Peer-to-peer Technology, RFID SysTech 2011, Dresden, Germany, 2011
26 Matthieu-P. Schapranow, Martin Lorenz, Alexander Zeier, Hasso Plattner: License-based Access Control in EPCglobal
Networks, Proceedings of the 7th European Workshop on RFID Systems and Technologies, Dresden, 2011
27 Jürgen Müller, Matthieu-P. Schapranow, Conrad Pöpke, Michaela Urbat, Alexander Zeier, Hasso Plattner: Best Practices for
Rigorous Evaluation of RFID Software Components, Proceedings of the 6th European Workshop on RFID Systems and
Technologies, Ciudad Real, Spain, 2010
28 Matthieu-P. Schapranow, Jürgen Müller, Alexander Zeier, Hasso Plattner: Sustainable Use of RFID Tags in the
Pharmaceutical Industry, European Workshop on Smart Objects: Systems, Technologies and Applications, Ciudad Real,
Spain, 2010
29 Matthieu-P. Schapranow, Jürgen Müller, Alexander Zeier, Hasso Plattner: RFID Event Data Processing: An Architecture for
Storing and Searching, Proceedings of the 4th International Workshop on RFID Technology - Concepts, Applications,
Challenges, Funchal, Madeira, Portugal, 2010
30 Matthieu-P. Schapranow, Ralph Kühne, Alexander Zeier: Enabling Real-Time Charging for Smart Grid Infrastructures using
In-Memory Databases, 1st LCN Workshop on Smart Grid Networking Infrastructure, 2010
31 Vadym Borovskiy, Jürgen Müller, Matthieu-P. Schapranow, Alexander Zeier: Ensuring Service Backwards Compatibility with
Generic Web Services, PESOS Workshop, Vancouver, Canada, 2009
32 Matthieu-P. Schapranow, Jürgen Müller, Alexander Zeier, Hasso Plattner: Security Aspects in Vulnerable RFID-Aided Supply
Chains, Proceedings of the 5th European Workshop on RFID Systems and Technologies, Bremen, 2009
33 Jürgen Müller, Martin Faust, David Schwalb, Matthieu-P. Schapranow, Alexander Zeier, Hasso Plattner: A Software as a
Service RFID Middleware for Small and Medium-sized Enterprises, Proceedings of the 5th European Workshop on RFID
Systems and Technologies, Bremen, Germany, 2009
28. Related Publications
Miscellaneous
34 European Commission: Customs: Millions of illegal Medicines stopped by "MEDI-FAKE" action. IP/08/1980, 2008
35 European Commission Taxation and Customs Union: Statistics of Customs Detentions Recorded at the External Borders of
the EU, EU-wide statistics for 2009, 2010
36 European Commission: Commission Recommendation on the Implementation of Privacy and Data Protection Principles in
Applications supported by Radio-Frequency Identification, Brussel, 2009
37 Federal Office for Information Security: Standard 100-1 Information Security Management Systems (ISMS) V. 1.5, 2008
38 Federal Data Protection Act §3a: “Datenvermeidung und Datensparsamkeit”, 2009
39 European Commission: Public Consultation in Preparation of a Legal Proposal to Combat Counterfeit Medicines for Human
Use: Key Ideas for better Protection of Patients against the Risk of Counterfeit Medicines, Brussel, 2008
40 Alan R. Hevner et al: Design-Science in Information Systems Research, MIS Quarterly, Vol. 28, No. 1, pp. 75-105, 2004
41 Ian Sommerville: Software Engineering, Addison-Wesley, 2007
42 Simson L. Garfinkel, Ari Juels, Ravi Pappu: RFID Privacy: An Overview of Problems and Proposed Solutions, IEEE Security
and Privacy, Vol. 3, pp. 34-43, IEEE Computer Society, 2005
29. Thank you for your interest!
Keep in contact with me.
Matthieu-P. Schapranow, M.Sc.
schapranow@hpi.uni-potsdam.de
http://j.mp/schapranow
Hasso Plattner Institute
Enterprise Platform and Integration Concepts
Matthieu-P. Schapranow
August-Bebel-Str. 88
14482 Potsdam, Germany