The invention relates to a method for granting an inquirer access to a repository, a communication protocol between an inquirer and a repository and a system for granting an inquirer access to a repository.
Different aspects of the invention shall—as an example—be explained in the context of a pharmaceutical supply chain. Alternative contexts of the different aspects of the invention shall be explained in this application, too.
The present invention addresses an organizational and a technical issue. Both are considered individually throughout this application.
From an organizational perspective, current businesses are confronted with continuously challenging factors, such as changing business partners and interchangeable products, when dealing with new business partners. On the one hand, building on a static supply chain helps to reduce these factors since supplier and customer know each other and have proven to be reliable partners for years. On the other hand, static supply chains result in limiting factors, such as performing business with a limited set of partners. In a globalized market, supply chains tend to transform into increasingly dynamic and open supply networks that build on the mutual exchange of products with new and even unknown business partners. As a result, more and more suppliers compete for the lowest price, i.e. consumers can easily switch between various vendors of standardized goods.
We refer to EPCglobal Networks as supply chain networks that associate a digital representation with all handled physical goods. Product meta data are stored in a distributed manner in individual event repositories of all involved supply chain parties. The existence of digital product meta data supports business processes, such as tracking and tracing of products, exchanging advice letters, goods receipt, etc. EPCglobal networks aim to involve the goods' meta data in existing business processes, e.g. to verify a product's authenticity automatically during goods receipt. However, exchanging meta data automatically results in certain security risks, e.g. competitors or attackers can derive business secrets.
This application addresses the problem of protecting sensitive business secrets while exposing goods' meta data to certain supply chain parties and business cases in an automatic way. The invention addresses this problem by disclosing a method for granting access to a repository, a system for controlling access of one or more inquirers to a repository and a communication protocol between a client and a server connected via a link to a repository, as will be explained in more detail in the following. The main contribution is the introduction of transparent security extensions for existing EPCglobal networks on device and business level to protect business secrets from being exposed to attackers or competitors.
From the technical perspective, the security extensions disclosed herein perform real-time analysis of the complete query history. Traditional access control mechanisms build on a bivalent decision, i.e. results from the set {“declined”, “granted”}. In contrast to them, the developed History-based Access Control (HBAC) enables a continuous spectrum of control from the interval [“declined”, “granted”]. Thus, it supports a more fine-grained way of data protection than existing access control techniques.
For example, if an inquirer is not allowed to access a certain subset of attributes of an EPC result set, the response is filtered. “Filtering” and “granting access rights” are part of the access control mechanism. Traditional access control mechanisms involve the definition and assignment of proper access rights to all involved parties before granting access to certain resources. In contrast, our developed security extensions support access rules that protect business secrets without assigning individual rights. In addition, the given contribution involves analysis of the complete query history when taking an access decision. This requires the following challenges to be addressed: a) storage requirements of the continuously increasing query history, b) real-time analysis of the history, and c) adaptation of predefined access rights based on the results of the analysis of the query history. Depending on the history and the access rules, specific access decisions are taken.
Challenges in Pharmaceutical Supply Chains
The European pharmaceutical industry hit headlines with operation MEDI-FAKE announcing 34 million confiscated fake drugs in just two months (IP Crime Group. Crime Report 2008). The European Commission (EC) reported an increase of 118% for pharmaceutical counterfeits detected at borders in 2008 compared to 2007. The pharmaceutical product category is the third largest product category in terms of quantities of intercepted articles in addition to the categories CDs/DVDs and tobacco. Recent research results focusing on the ingredients of anti-malarial products from eleven African countries indicated these products contained either a low portion or none of the active ingredient Artemisinin (see Paul N Newton et al. Poor Quality Vital Anti-malarials in Africa—An Urgent Neglected Public Health Priority. Malaria Journal, 10(1):352, 2011). Counterfeited drugs are a risk for customers and suppliers, since their effects are neither tested nor validated and the customer may suffer from medical complications. Approx. 7,000 annual cases of medical complications in the U.S. are linked to pharmaceutical counterfeits or the use of improper ingredients.
This brief excerpt of reported cases and their impact highlights the omnipresent risks of counterfeits and the need for a reliable mechanism to protect products. This protection has to be an integral part of the entire supply chain and should involve all supply chain participants. A high level of supply chain integrity is the basis for reliable product tracking and counterfeit detection.
The European pharmaceutical supply chain consists of more than 192,000 parties (Jürgen Müller et al. A Simulation of the Pharmaceutical Supply Chain to Provide Realistic Test Data. In Proceedings of 1st International Conference on Advances in System Simulation. IEEE, 2009). The availability of generic drugs transformed the pharmaceutical market towards a more open supply chain. For example, new pharmaceuticals for the German market need to be licensed to obtain a “Pharmazentralnummer (PZN)” (central pharmaceutical number). The PZN is a relatively small restriction of admission. Once the manufacturer has paid the fee for the usage of the PZN, it can be used for a limited period of time without further investigations. The EC is working on an EU-wide standardization for unique identifiers and verification methods of medical products (European Commission. Delegated Act on the Detailed Rules for a Unique Identifier for Medical Products for Human Use and its Verification. hxxp://ec.europa.eu/health/files/counterf_par_trade/safety—2011-11.pdf, November 2011.). It proposes the integration of essential product details into the identifier, such as the manufacturer product code and package identifier. However, the current identification approaches lack the ability to identify pharmaceuticals on item level instead of batch level.
RFID technology enables gathering of location-based information of tagged items without establishing a direct line of sight. All supply chain parties store event data in local Electronic Product Code Information Services (EPCIS) repositories that can be queried by other supply chain parties to retrieve details associated with products. We consider EPCIS repositories as standardized software products that store and manage access to event data, e.g. open source platform FOSSTRAK (Fosstrak. Project License. www.fosstrak.org/epcis/license.html, 2009, referred to in the following as FOSSTRAK).
The adoption of EPCglobal networks builds on the following facts: native co-operation of all supply chain parties, amortization of initial investments, and secured exchange of event data to improve existing business processes, e.g. goods receipt and anti-counterfeiting. EPCglobal networks build the basis for an integral supply chain by supervising movements of ingredients from suppliers to manufacturers and movements of products from manufacturers via intermediate supply chain parties to end consumers.
In Europe, approx. 30 billion pharmaceutical product units are manufactured annually, whereas approx. 50 percent are only available on prescription. In the following, we focus on on-prescription pharmaceuticals. Counterfeits of on-prescription medicines are more likely due to their higher retail price and customers that want to access them without having a valid prescription. Furthermore, we expect a false composition of ingredients to harm or even to kill human beings, e.g. when an expected medical reaction is prevented or adverse effects occur. Approx. 2,200 pharmaceutical manufacturers produce pharmaceutical goods that are shipped to 50 thousand wholesalers within the EU. The latter deliver products in repacked transportation units to retailers (approx. 140 thousand individuals) and finally to the consumer (see Matthieu-P. Schapranow, Jürgen Müller, Alexander Zeier, and Hasso Plattner. RFID Event Data Processing: An Architecture for Storing and Searching. In Proceedings of the 4th International Workshop on RFID Technology-Concepts, Applications, Challenges, 2010, referred to in the following as Schapranow et al. I).
In terms of the pharmaceutical supply chain, we consider the consumer as the sink of products, e.g. a patient buying products in a pharmacy or a hospital. Only licensed retailers are permitted to sell on-prescription medicines in Europe, e.g. pharmacies, hospitals, etc. Between individual supply chain participants, logistics providers are responsible for handling items and transferring them. During goods receipt and goods shipment, individual tracking events are recorded at the site of the handling supply chain party. Tracking goods is the basis for creating the virtual product history of a certain item, i.e. the item's path through the supply chain. A dedicated service provider, who is granted access to the EPCIS repositories of all supply chain parties, is required to reconstruct the item's history. The service provider is the basis for validating the authenticity of the pharmaceuticals and for detecting counterfeits based on consistency checks of data gathered from distributed EPCIS repositories.
FIG. 1 shows a combined data and product flow between supply chain party roles A . . . F of an RFID-aided pharmaceutical supply chain as known in the art. Service provider D accesses distributed EPCIS repositories of individual parties for verification of product authenticity. FIG. 1 shows the interaction of EPCIS repositories of individual supply chain parties and the service provider modeled using the Fundamental Modeling Concepts (FMC) (see Andreas Knöpfel, Bernhard Gröne, and Peter Tabeling. Fundamental Modeling Concepts. Effective Communication of IT Systems. John Wiley, 2005).
In the remainder of this application, an absence of the inference concept for EPCglobal networks is assumed. Inference describes an approach to reduce event data by scanning boxes and pallets instead of their individual contents, i.e. the path of a concrete product needs to be reconstructed beyond boxing and unboxing operations. That means, the content of packaging units, such as boxes, pallets, and containers, is not inferred from its containment relationship by evaluating add and delete events that occurred at various stages within the supply chain. This is considered a task of the Electronic Product Code Discovery Services, which is not investigated in further detail in the context of this application.
The service provider is a trusted instance that can be queried by all supply chain participants. For example, customers can make use of an online web portal or public reader terminals in pharmacies. The implementation considerations for a dedicated service provider proposed herein, build the basis for further discussions (see Schapranow et al. I).
EPCglobal networks can provide a possible infrastructure for reliable product tracking and tracing across the entire supply chain. However, RFID technology—only one possible implementation for EPCglobal networks—was not designed for secured data exchange of confidential details. Hence, a variety of new data security threats arise when migrating towards an RFID-aided supply chain. On the one hand, the usage of EPCglobal networks is considered a major improvement for involved business processes by providing fine-grained data about handled goods. It supports identification of ingredients from suppliers to manufacturers and products from manufacturers to customers. For example, EPCglobal networks support tracking of individual products and help to distinguish them from mass products. Furthermore, their individual paths—from suppliers via all involved supply chain parties—are documented. On the other hand, it is stressed that data exchanged via EPCglobal networks can be misused to derive business internals, e.g. supplier relationships, product ingredients, and customer relationships. Qualified attacks against EPCglobal components and systematic combination of responses returned by EPCIS repositories build the basis for knowledge extraction by competitors. The given application aims to control access to sensitive business data while incorporating EPCglobal components for automatic data exchange.
Vulnerable Environments
Cables establish the link between two communication peers in traditional communication networks, e.g. in the plain old telephone services or in local area networks. If these wired links are secured against physical access, attackers are typically not able to gain unrecognized access. In wireless networks it is hard to secure communication because data are transmitted via the ether, which can be accessed by malicious attackers without being recognized. RFID technology makes use of both communication media. On the one hand, data are exchanged via traditional wired communication networks, e.g. EPC events are exchanged between EPCIS repositories for authenticity checks of pharmaceutical goods. On the other hand, communication between RFID tag and reader is performed via the ether. Security threats for EPCglobal networks, in particular in combination with RFID technology, are defined in the following section Threats of RFID-Aided Supply Chains. In addition, attacks on communication networks are mapped to RFID technology and evaluated in the section Attacks Scenarios below, and security requirements for EPCglobal networks are derived in the section Security Requirements. If item-level identifiers are not exchanged via RFID technology, only the corresponding wired security issues exist. However, this application focuses on RFID since its use introduces additional security threats in contrast to other transmission techniques, such as barcode readers.
Threats of EPCglobal networks and attacks focusing on RFID technology as discussed are summarized in Table 1, as reproduced below.
Th.   Attacks                   Loc.      Involved Components      Actors
T1    A3                        I, O, T   EPC, RFID Tag            A, R
T2    A3                        I         EPCDS, EPCIS             C, R
T3    A1, A3                    O, T      EPC, RFID Tag            A
T4    A3                        I, T      EPC                      C, R
T5    A3                        I         EPCIS                    R
T6    A2, A3, A4, A5, A6, A7    I, O, T   EPC, EPCIS, RFID Tag     A, C
Table 1 shows a classification of security threats and possible attacks in EPCglobal networks with respect to their location in the supply chain (A=Attacker, C=Counterfeiter, I=Inside the Supply Chain, Loc.=Location, O=Outside the Supply Chain, R=Competitor, T=Transition Zone of the Supply Chain, Th.=Threat). Most attacks correspond to threat T6, which involves RFID tags and EPCIS repositories.
Data protection in the context of communication networks refers to multiple aspects. A defined set of data must remain valid during the lifetime of its associated product. Furthermore, it must be ensured that all authorized supply chain parties can access data at any time without unexpected manipulations or modifications. This kind of data protection is referred to as data integrity. It ensures that third parties are not able to modify data during its lifecycle—expectedly or unexpectedly.
Another aspect of data protection is data quality. It highlights the issue that data describing a given item is not always processed correctly. Radio technology suffers from various aspects that can influence the transmission quality. Multiple readers and tags communicating simultaneously can limit coverage of radio waves and influence the quality of read data. Data quality is important for tracking and tracing since assumptions about the path of goods within the supply chain are incorporated in verification of product authenticity. For instance, certain readers have to be passed in a defined order to ensure that a product was handled by authorized intermediates only. Reduced data quality influences available data for authenticity checks of products.
Threats of RFID-Aided Supply Chains
FIG. 2 depicts a classification of supply chain parties and possible attacks. It consists of suppliers, i.e. manufacturers that create goods, manufacturers that assemble goods, wholesalers, retailers, and customers. In addition, it depicts three categories of malicious actors: a) competitors within the supply chain, b) counterfeiters and c) attackers outside of the supply chain.
Due to the variety of involved actors in supply chains, specific security issues exist. The following classification combines security issues of supply chains with issues of EPCglobal networks.
T1 Implicit Product Identification:
The EPC references the product's manufacturer and the class of the product. For example, the SGTIN looks like urn:epc:id:sgtin:CompanyPrefix.ItemReference.SerialNumber as defined by EPCglobal (see for example Global Standards 1. Tag Data Standards 1.6. www.gs1.org/gsmp/kc/epcglobal/tds/tds—1—6-RatifiedStd-20110922.pdf, 2011, in the following referred to as EPCglobal 1, therein Sect. 6.3.1). If the EPC is stored on an RFID tag, it can be read out from a distance without establishing a direct line of sight. Thus, the manufacturing company and the class of the product can be derived even when there is no direct access to the product. Furthermore, tagged products in transportation units can be identified by thieves by scanning their RFID tags with commodity readers. As a result, protection of on-tag data needs to be considered with respect to authorized parties.
T2 Supplier Relationships:
Querying the EPCDS or EPCIS repository of involved supply chain parties within the supply chain is the basis to reconstruct a product's full path through the supply chain. On the one hand, this is the basis for the anti-counterfeiting service provider. On the other hand, business relationships, e.g. intermediate wholesalers, are exposed when returning a full list of EPCIS repositories of supply chain parties that handled the queried product. Furthermore, competitors could query details about a guessed EPC of a potential product ingredient. If the EPCIS repository of the manufacturer returns any details, it exposes implicitly the business relationship with the supplier and possible product ingredients.
T3 Customer Privacy:
Due to the unique serial number stored in EPCs, customers can be tracked when they hold a product equipped with a functional tag. Manufacturers and attackers can associate customers with products they bought, e.g. during verification of the product's authenticity. This violates the customer's privacy.
T4 Customer Relationships:
The unique serial of the EPC used for item-level identification exposes relationships of supply chain parties that handled the good. For example, relationships between individual supply chain parties within the supply chain or with customers in the transition zone of the supply chain are affected by this issue. This has a major impact on the integrity of the supply chain since customer.
T5 Industrial Espionage:
Competitors can query the EPCIS to receive details about the processing time. For example, the time between product shipment and receipt can be derived. This measure can be used as an indicator for selling rate, production time, or supply shortages and occurs within the supply chain. Furthermore, if event data is exchanged in clear text, its content can be eavesdropped. For example, external parties can analyze process steps involving the handled product.
T6 Counterfeit Injection:
Unique identification of products reduces the possibility of counterfeit injection. However, reusing a stolen tag on a counterfeited product, guessing a valid EPC code, or skimming EPCs from authentic products can be misused for counterfeit injection. Injecting faked EPCs into EPCIS repositories can be used to make a faked product appear authentic from the EPCIS repository's perspective. Intercepting the communication between EPCIS and querying party can be used to return authentic details for faked products.
These brief examples highlight privacy concerns and security threats that arise in EPCglobal networks when fine-grained event data are automatically exchanged. On the one hand, controlling access to event data is the first step to prevent the aforementioned issues. On the other hand, restricting access to a subset of event data does not prevent its combination. From our perspective, the combination of event data is the basis to derive business secrets and business relationships.
Attacks Scenarios
In the following section attacks of communication networks are presented and their potential impacts on RFID-aided supply chains are derived.
A1 Malicious RFID Readers:
Data protection threats in RFID-aided supply chains are comparable to existing counterparts in Wi-Fi networks. We assume that additional security mechanisms will be introduced to harden the resistance of RFID against manipulated RFID readers. Currently, it is possible to use commodity readers to access passive low-cost tags that are, for example, integrated in passports or driver's licenses.
For the pharmaceutical scenario defined in the section on Challenges in Pharmaceutical Supply Chains, above, this introduces the following issues. EPCs can be obtained without having physical access to the carrying tags. As a result, the EPC of a blister packet stored on an RFID tag can be read out after the customer has left the pharmacy. The holder of a tag does not know that a read attempt occurred. Furthermore, the knowledge that a concrete customer holds a specific tag can be misused to track customers, too. These are customer privacy threats as defined by threat T3. From the customer's point of view, the tag needs to be disabled before leaving the pharmacy to ensure personal privacy.
A2 Tampered RFID Tags:
Manipulating RFID-aided supply chains does not necessarily involve attacking readers. Often it is sufficient to disturb the tag's function, e.g. by sending manipulated data or by shielding tags from readers. With the help of a special wireless interface, an attacker can emit a recorded tag transmission in response to an incoming stimulus by a reader. In the context of the pharmaceutical scenario, this allows replacing an authentic product with a manipulated one while simulating the tag behavior of the authentic product. Once the response of an authentic pallet has been recorded, it can be replayed many times. It may be sufficient that a single corrupted tag escorts a pallet of multiple items without the need to integrate it into the pallet itself. This threat can be misused to inject counterfeits into the supply chain as defined by threat T6.
A3 Man-In-The-Middle Attack:
The Man-In-The-Middle (MITM) attack has been known in communication networks for many years [60]. Data exchanged between two peers A and B is transmitted through different routes. Routes are dynamically set up by the incorporated communication protocol. Once an attacker controls one node on the route or is able to influence the connection setup process through a specific route, the network traffic between A and B can be filtered. MITM attacks are used to gain login information. In the context of EPCglobal networks, they can be performed in the context of all mentioned threats.
The detection of unauthorized read events becomes very important, especially when using security-enhanced tags. The EPCglobal standard defines a kill command, which can be issued by sending a freely programmable 2×16-bit kill PIN. Although this is an irreversible action, it is interesting for attackers to obtain the kill PIN. Programming hundreds, thousands or hundreds of thousands of tags with a dedicated kill PIN is a time-consuming operation. Every tag has to be programmed with a unique kill PIN. The kill PIN has to be stored in a company meta data repository connecting it with the corresponding EPC. Additionally, during tag programming it has to be ensured that a strong PRN generator is used for generation of the kill PIN, i.e. duplicates have to be avoided. Otherwise, gathering a single kill PIN might expose the kill PINs of a certain product group or company. Attackers could disable the tags of a complete delivery, which would result in blocked business processes that depend on the correct functionality of the tags.
In RFID-aided supply chains, transportation routes of items are similar to routes in communication networks. Comparable to unsecured wireless connections, which can be accessed over a long distance, RFID technology suffers from very similar threats. RFID readers can be placed anywhere to acquire data of passing tags, e.g. in the context of threat T4 or T2. The current owner of a product equipped with an RFID tag is not able to recognize read attempts without special equipment. Let us assume the pharmaceutical scenario given above. At the point of sale in the pharmacy, the kill command is issued to disable the RFID tag of a pharmaceutical product. The pharmacy authenticates itself to the supplier, checks whether the current product is authentic and queries for the specific kill PIN. Issuing the kill command ensures the customer's privacy by making it impossible to draw any mapping between product and customer after leaving the pharmacy, e.g. to prevent threat T3.
A4 Cloning and Spoofing:
Low-cost passive RFID tags, which are primarily used for tracking and tracing scenarios, are neither equipped with computational power nor any security equipment, as will be described below. Thus, any third party can access the tag's content with commodity reader devices. Cloning is the process of creating a complete copy of an original tag including the contained EPC. Copying an entire tag is the basis for injecting counterfeits into the supply chain as defined by threat T6. Once an existing product is replaced by a counterfeit, its meta data history is valid from the point of view of any querying party. A cloned tag inherits the virtual product history of its original counterpart.
Spoofing in terms of RFID—also known as masquerading or identity theft—exploits a trusted relationship between two peers. It is the process of influencing a RFID reader, which assumes to receive the EPC of a specific tag, while the original tag is absent. Spoofing can be achieved by cloning the original tag or by simulating a tag containing a virtual non-existing EPC. It is the basis for injection of counterfeits as defined by threat T6.
The EPCglobal tag standard defines unique product identification, but it does not define how to assign serial numbers (see EPCglobal). If serial numbers are assigned in a strictly linear order, attackers can derive faked ones by guessing. To reduce the possibility of serial number guessing a proper PRN generator needs to calculate new serial numbers for EPCs. This way, spoofed EPCs can be detected if a non-valid EPC is checked against the vendor's list of valid EPCs. This security issue is already recognized by the industry.
A5 Replay Attack:
In terms of communication networks, replay attacks are prepared by MITM attacks. A third party listens to the conversation of two peers. Once certain information is gathered, the attacker reuses it, e.g. for logging into a secured system. Computer systems can be protected against replay attacks, e.g. by using One-Time Passwords (OTPs). Their validity is limited to a single use.
In RFID-aided supply chains, replay attacks can occur if products tagged with the same tag pass reader gates at succeeding times, e.g. hours or days after the original tag passed, in the context of counterfeit injection as defined by threat T6. A manifestation in the pharmaceutical scenario is an EPC of a pharmaceutical product that is scanned during goods receipt multiple times at the site of the same vendor. Juels proposes the use of so-called pseudonyms, which are randomly changed after each read request (see Ari Juels. Minimalist Cryptography for Low-Cost RFID Tags. In Carlo Blundo and Stelvio Cimato, editors, Security in Communication Networks, volume 3352 of Lecture Notes in Computer Science, pages 149-164. Springer Berlin/Heidelberg, 2005). Pseudonyms work similarly to OTPs. In addition, they influence the uniqueness of the exchanged data. As a result, without concrete knowledge about the incorporated pseudonyms, the exchanged data cannot be derived. Hence, pseudonyms reduce replay attacks and traceability of tags by eavesdroppers while the decoded EPC remains unchanged.
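The vendor-side counterpart of attacks A3 to A5 above, as an added example that is not part of this application and not code of any EPCglobal implementation: serial numbers and kill PINs are drawn from a cryptographically strong generator with duplicates ruled out, a presented EPC is checked against the vendor's registry of issued EPCs (the list mentioned under A4), and a goods-receipt event for an EPC already received at the same site is flagged (the A5 manifestation). The company prefix, item reference, site names and events are constructed sample values; the registry class and the 38-bit serial width of SGTIN-96 are assumptions.

```python
"""Item-level EPC issuing and checks for an RFID-aided supply chain (constructed example)."""
import re
import secrets

# SGTIN URN layout from the Tag Data Standard (Sect. 6.3.1 as cited above):
# urn:epc:id:sgtin:CompanyPrefix.ItemReference.SerialNumber (numeric serials only here)
SGTIN_RE = re.compile(r"^urn:epc:id:sgtin:(\d{6,12})\.(\d{1,7})\.(\d{1,20})$")
SERIAL_BITS = 38      # serial field width of the SGTIN-96 encoding (assumption for this example)
KILL_PIN_BITS = 32    # 2 x 16-bit kill PIN as described under A3


def parse_sgtin(epc):
    """Split an SGTIN URN into (company_prefix, item_reference, serial); None if malformed."""
    m = SGTIN_RE.match(epc)
    return m.groups() if m else None


class VendorRegistry:
    """Hypothetical vendor-side table of issued EPCs and their kill PINs."""

    def __init__(self, company_prefix):
        self.company_prefix = company_prefix
        self.issued = {}           # epc -> kill PIN
        self._pins_in_use = set()

    def issue(self, item_reference):
        """Mint an EPC with an unpredictable serial and a unique kill PIN.

        A linear counter would let anyone derive further valid serials (A4);
        drawing from the whole serial domain with `secrets` removes that structure.
        """
        while True:
            serial = secrets.randbelow(1 << SERIAL_BITS)
            epc = f"urn:epc:id:sgtin:{self.company_prefix}.{item_reference}.{serial}"
            if epc not in self.issued:
                break
        while True:               # every tag gets its own kill PIN (A3)
            pin = secrets.randbits(KILL_PIN_BITS)
            if pin not in self._pins_in_use:
                break
        self._pins_in_use.add(pin)
        self.issued[epc] = pin
        return epc

    def is_authentic(self, epc):
        """Spoof check (A4): well-formed, carries our prefix, and was actually issued by us."""
        parsed = parse_sgtin(epc)
        return (parsed is not None and parsed[0] == self.company_prefix
                and epc in self.issued)

    def kill_pin_for(self, epc):
        """Release the kill PIN to an authenticated point of sale only for an authentic EPC."""
        return self.issued[epc] if self.is_authentic(epc) else None


def detect_replays(events):
    """Flag goods-receipt events whose EPC was already received at the same site (A5).

    events: iterable of (timestamp, site, biz_step, epc) tuples in time order.
    Returns the (timestamp, site, epc) triples of repeated receipts.
    """
    seen = set()
    repeated = []
    for ts, site, biz_step, epc in events:
        if biz_step != "receiving":
            continue
        if (site, epc) in seen:
            repeated.append((ts, site, epc))
        else:
            seen.add((site, epc))
    return repeated


# Constructed sample events: (timestamp, site, biz_step, epc)
EPC_A = "urn:epc:id:sgtin:0614141.107346.123456"
EPC_B = "urn:epc:id:sgtin:0614141.107346.654321"
SAMPLE_EVENTS = [
    ("2011-11-01T08:00:00Z", "wholesaler-W1", "receiving", EPC_A),
    ("2011-11-01T08:00:05Z", "wholesaler-W1", "receiving", EPC_B),
    ("2011-11-01T16:00:00Z", "wholesaler-W1", "shipping", EPC_A),
    ("2011-11-02T09:10:00Z", "retailer-R7", "receiving", EPC_A),
    ("2011-11-04T10:00:00Z", "wholesaler-W1", "receiving", EPC_A),  # same EPC received again at W1
]

if __name__ == "__main__":
    registry = VendorRegistry("0614141")
    epc = registry.issue("107346")
    print(epc, registry.is_authentic(epc), registry.is_authentic(EPC_A))
    print(detect_replays(SAMPLE_EVENTS))
```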
A6 Controlled Signal Interferences:
Signal interferences are issues, which prevent proper tag reading. RFID technology uses different bands for wireless communication as described in the Components of EPCglobal section. Comparable to any kind of radio communication, the quality of RFID communication depends on the used band. If multiple communication attempts occur simultaneously, transmission quality degrades. Various liquids and metals, such as lead or aluminum, shield radio waves. As a result, tags cannot be read successfully or the data quality of the response degrades. It is possible to overlay radio waves by triggering controlled interferences with transmissions of higher amplitude. Attackers can hide the existence of spoofed tags by provoking controlled interferences. This technique can be used to hide counterfeits on its way as defined by threat T6.
A7 Data Encryption:
Communication via unreliable networks can be secured by using data encryption. In Wi-Fi networks, encryption standards are used, e.g. TKIP or AES (Martin Beck and Erik Tews. Practical Attacks against WEP and WPA. hxxp://dl.aircrack-ng.org/breakingwepandwpa.pdf, 2008.). Data encryption prevents attackers from gathering data out of an encrypted communication stream. It is based on generating PRNs out of a large domain for use as encryption keys. It is referred to as secure encryption as long as no brute-force attack is able to obtain the encrypted data in appropriate time. With increasing computational power, encryption standards become weak, such as the Data Encryption Standard (DES). Cloning an encrypted RFID tag results in a perfect copy of the original. Although encrypting data on the tag prevents attackers from reading the EPC in clear text, the perfect clone acts identically to its original counterpart. As a result, encryption in the context of RFID technology leaves the issues of cloning and spoofing open. Hence, encryption does not prevent threat T6 in the context of EPCglobal networks.
Security Requirements
After having discussed selected threats for RFID systems, concrete data security requirements for IT systems are defined in the context of EPCglobal networks. From a system engineer's point of view, these requirements build the security blueprint during the design phase for the upcoming implementation. This application focuses on functional and non-functional system requirements.
Functional requirements describe how certain aspects of security extensions should react in response to a concrete stimulus and how they should behave in certain situations, whereas non-functional requirements define constraints that apply to the complete security extensions, focusing on provided functions and services.
In the following, a selected list of functional requirements for security extensions of EPCglobal networks is discussed. They are driven by the need for verification of goods without significant latency in business processes, e.g. when dealing with fast-moving goods. Since response time behavior as described in Hypothesis 1, as outlined further down, is relevant for the applicability of security extensions, response time is considered a functional requirement, in contrast to existing literature.
F1 Response Time:
From the business' perspective, applying security extensions must not result in significant delays of existing business processes. As a concrete example, the goods receipt process is used as a motivation in the following. With respect to Hypothesis 1, an upper threshold of two seconds processing time must not be exceeded.
F2 Control Access:
Security extensions must control access to event data.
F3 Authenticated Users:
Security extensions need to grant access to authenticated users only.
F4 Querying Parties:
Keeping track of querying parties is important in case of data exposure. Any security extension should be aware of the querying party, date, and time when certain data were exposed, in order to contain potential data leakages.
F5 Data Minimalism:
Querying parties should access only the data that is required to fulfill their tasks. Security extensions should follow the principle of data minimalism by granting access only to relevant data portions. As a result, the inquirer needs to be able to specify which fraction of the data should be returned.
F6 Filter Data:
Security extensions need to filter the result sets to control data access and to enforce the principle of data minimalism. The result set needs to be filtered to remove protected and sensitive data that is specified as inappropriate for the given inquirer.
The following constraints describe non-functional requirements for security extensions of EPCglobal networks. These requirements are driven by the need to affect the performance of existing business processes as little as possible.
N1 Processing Load:
From an operational perspective, security extensions result in additional processing requirements. Increased computational demands require additional hardware at the site of involved supply chain participants that handle many products, e.g. manufacturers and wholesalers. Thus, security extensions should keep requirements for additional computational power as low as possible.
N2 Maintainability:
The regular maintenance of access rights is a complex and time-consuming task in IT systems with a predefined number of users and roles. From the engineering perspective, a supply chain consists of a huge number of parties that do not know each other. We consider maintaining individual access rights for all parties as a time-consuming and complex job. Since access rights need to be granted before event data are exchanged, manually managing access rights delays business processes that build on the automatic exchange of event data. Security extensions for EPCglobal networks need to automatically assign access rights for unknown supply chain parties on an individual basis.
N3 Ease of Configuration:
In terms of configuration, a policy administration point (PAP) needs to be provided for defining access rights, rules, etc. It needs to provide a configuration platform that supports the user in testing, modeling, verifying, and configuring access rights and rules.
N4 Ease of Integration:
Migrating to new software or a new release is a complex and time-consuming task. For example, changing data formats involves processing of all data involved. As a result, security extensions should minimize migration efforts with respect to expected downtime and the need for processing of the data currently in use.
Problem Statement and Hypotheses
In the following, a selected problem statement and corresponding hypotheses are introduced. The latter provide the motivation of this application, since we are going to prove or disprove their correctness with the help of the given contributions.
The integrity of existing supply chains is a fragile construct. When migrating to EPCglobal networks, new fine-grained data are shared between supply chain parties. On the one hand, this enables precise control of fast moving goods, e.g. to establish industry-wide anti-counterfeiting. On the other hand, the exposure of these data can be misused to derive sensitive business secrets or to inject counterfeit products into the market.
In the remainder of this application, events are referred to in context of EPCglobal networks as tuples, which may consist at least of the following attributes (see Global Standards 1. EPCIS Standard 1.0.1. www.gs1.org/gsmp/kc/epcglobal/epcis/epcis_1_0_1-standard-20070921.pdf, 2007, referred to in the following as EPCIS 1.0.1, Sec. 7.2.8):
- Unique Product Identifiers: A list of unique identifiers of products the event is associated with, e.g. the individual Electronic Product Code (EPC),
- Event Time: The timestamp when the event occurred,
- Record Time: The timestamp when the event was recorded,
- Action: With respect to the lifecycle of the EPC, the involved action when the event occurred, e.g. ADD, OBSERVE, or DELETE, and
- Read Point: The location where the event occurred.
In contrast to the EPCglobal definition, the read point is considered as mandatory detail, e.g. for business processes to locate the concrete product. Events may also contain further optional details, such as involved business steps, business locations, and sensor data of active tags. EPCglobal defines the following core events types: object, aggregation, quantity, and transaction.
 1 <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ns3:QueryResults xmlns:ns2="http://www.unece.org/cefact/namespaces/StandardBusinessDocumentHeader" xmlns:ns3="urn:epcglobal:epcis-query:xsd:1" xmlns:ns4="urn:epcglobal:epcis:xsd:1" xmlns:ns5="urn:epcglobal:epcis-masterdata:xsd:1">
 2 <queryName>SimpleEventQuery</queryName>
 3 <resultsBody>
 4 <EventList>
 5 <ObjectEvent>
 6 <eventTime>2010-10-04T00:11:39.000+01:00</eventTime>
 7 <recordTime>2010-10-04T00:12:02.930+01:00</recordTime>
 8 <eventTimeZoneOffset>+01:00</eventTimeZoneOffset>
 9 <epcList><epc>urn:epc:id:sgtin:1301757845.008.000133753170</epc></epcList>
10 <action>OBSERVE</action>
11 <bizStep>urn:epcglobal:epcis:bizstep:fmcg:observe</bizStep>
12 <readPoint><id>urn:epc:id:sgln:1301757845.66446365.2</id></readPoint>
13 <bizLocation><id>urn:epc:id:sgln:1301757845.66446365.2</id></bizLocation>
14 </ObjectEvent>
15 <ObjectEvent>
16 <eventTime>2010-10-04T16:01:53.000+01:00</eventTime>
17 <recordTime>2010-10-04T16:04:22.586+01:00</recordTime>
18 <eventTimeZoneOffset>+01:00</eventTimeZoneOffset>
19 <epcList><epc>urn:epc:id:sgtin:1301757845.008.000133753170</epc></epcList>
20 <action>OBSERVE</action>
21 <bizStep>urn:epcglobal:epcis:bizstep:fmcg:observe</bizStep>
22 <readPoint><id>urn:epc:id:sgln:549132542.340339831.2</id></readPoint>
23 <bizLocation><id>urn:epc:id:sgln:549132542.340339831.2</id></bizLocation>
24 </ObjectEvent>
25 </EventList>
26 </resultsBody></ns3:QueryResults></soap:Body></soap:Envelope>
The above listing shows event data serialized within a SOAP response body. Lines 5-14 show an event for action OBSERVE. It consists of the serialized unique product identifier urn:epc:id:sgtin:1301757845.008.000133753170, the event timestamp 00:11 a.m. at Oct. 4, 2010, and the serialized read point urn:epc:id:sgln:1301757845.66446365.2. Furthermore, it contains details about business step, business location, and record time. Event data build the foundation of EPCglobal networks. They enable fine-grained tracking and tracing of products, e.g. for anti-counterfeiting. EPCglobal networks require the automatic exchange of event data via EPCIS. However, unauthorized access to event data or their unsecured exchange results in data leakage, i.e. exposure of confidential business secrets, relationships, or product ingredients.
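As an added example, not part of the application's own implementation, the following Python code parses a SOAP-wrapped EPCIS QueryResults document into the event tuples defined above (treating the read point as mandatory, as this application does) and then applies requirements F5 and F6 by returning only the attributes an inquirer is permitted to see. The sample response is constructed after the listing above; the names EpcEvent, parse_query_results and minimise are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Set

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
QUERY_NS = "urn:epcglobal:epcis-query:xsd:1"
VALID_ACTIONS = {"ADD", "OBSERVE", "DELETE"}

# Constructed sample, modelled on the listing above: two OBSERVE events for
# one EPC at two read points.
SAMPLE_RESPONSE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body><ns3:QueryResults xmlns:ns3="urn:epcglobal:epcis-query:xsd:1">
<queryName>SimpleEventQuery</queryName>
<resultsBody><EventList>
<ObjectEvent>
<eventTime>2010-10-04T00:11:39.000+01:00</eventTime>
<recordTime>2010-10-04T00:12:02.930+01:00</recordTime>
<eventTimeZoneOffset>+01:00</eventTimeZoneOffset>
<epcList><epc>urn:epc:id:sgtin:1301757845.008.000133753170</epc></epcList>
<action>OBSERVE</action>
<bizStep>urn:epcglobal:epcis:bizstep:fmcg:observe</bizStep>
<readPoint><id>urn:epc:id:sgln:1301757845.66446365.2</id></readPoint>
<bizLocation><id>urn:epc:id:sgln:1301757845.66446365.2</id></bizLocation>
</ObjectEvent>
<ObjectEvent>
<eventTime>2010-10-04T16:01:53.000+01:00</eventTime>
<recordTime>2010-10-04T16:04:22.586+01:00</recordTime>
<eventTimeZoneOffset>+01:00</eventTimeZoneOffset>
<epcList><epc>urn:epc:id:sgtin:1301757845.008.000133753170</epc></epcList>
<action>OBSERVE</action>
<bizStep>urn:epcglobal:epcis:bizstep:fmcg:observe</bizStep>
<readPoint><id>urn:epc:id:sgln:549132542.340339831.2</id></readPoint>
<bizLocation><id>urn:epc:id:sgln:549132542.340339831.2</id></bizLocation>
</ObjectEvent>
</EventList></resultsBody></ns3:QueryResults></soap:Body></soap:Envelope>"""


@dataclass
class EpcEvent:
    """Event tuple: the five mandatory attributes plus optional details."""
    epcs: List[str]
    event_time: str
    record_time: str
    action: str
    read_point: str
    biz_step: Optional[str] = None
    biz_location: Optional[str] = None


def _text(el: ET.Element, path: str) -> Optional[str]:
    node = el.find(path)
    return node.text.strip() if node is not None and node.text else None


def _to_event(ev: ET.Element) -> EpcEvent:
    epcs = [e.text.strip() for e in ev.findall("epcList/epc") if e.text]
    mandatory = {
        "epcList": epcs,
        "eventTime": _text(ev, "eventTime"),
        "recordTime": _text(ev, "recordTime"),
        "action": _text(ev, "action"),
        "readPoint": _text(ev, "readPoint/id"),  # mandatory here, optional in EPCIS 1.0.1
    }
    missing = [name for name, value in mandatory.items() if not value]
    if missing:
        raise ValueError(f"event lacks mandatory attributes: {missing}")
    if mandatory["action"] not in VALID_ACTIONS:
        raise ValueError(f"unknown action {mandatory['action']!r}")
    return EpcEvent(
        epcs=epcs,
        event_time=mandatory["eventTime"],
        record_time=mandatory["recordTime"],
        action=mandatory["action"],
        read_point=mandatory["readPoint"],
        biz_step=_text(ev, "bizStep"),
        biz_location=_text(ev, "bizLocation/id"),
    )


def parse_query_results(xml_text: str) -> List[EpcEvent]:
    """Extract the ObjectEvents of a SOAP-wrapped EPCIS QueryResults document."""
    root = ET.fromstring(xml_text)
    results = root.find(f"{{{SOAP_NS}}}Body/{{{QUERY_NS}}}QueryResults")
    if results is None:
        raise ValueError("not an EPCIS QueryResults document")
    # The children of QueryResults carry no namespace in the listing above.
    return [_to_event(ev) for ev in results.findall("resultsBody/EventList/ObjectEvent")]


def is_valid_response(xml_text: str) -> bool:
    """True if every event in the response carries the mandatory attributes."""
    try:
        parse_query_results(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


def minimise(event: EpcEvent, permitted: Set[str]) -> Dict[str, object]:
    """F5/F6: expose only the event attributes the inquirer may see."""
    full = asdict(event)
    unknown = permitted - set(full)
    if unknown:
        raise ValueError(f"unknown attributes requested: {sorted(unknown)}")
    return {name: value for name, value in full.items() if name in permitted}
```

The filtering step works on the parsed tuple rather than on the raw XML, so an attribute the repository adds later (e.g. sensor data of active tags) is withheld unless it is explicitly named in the permitted set.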
EPCglobal networks build the foundation of improved business processes, such as anti-counterfeiting, verification of product authenticity, and detection of counterfeit injection. We focus on the benefits of EPCglobal networks with respect to anti-counterfeiting in this application. For example, the liability for improper effects of counterfeited pharmaceuticals is widely discussed. The manufacturer of the original product is currently considered as the party that is liable for side effects of a counterfeited product unless the customer can clearly distinguish between authentic and counterfeited products. Faked pharmaceuticals may harm or even kill human beings, and pharmaceutical manufacturers are considered liable for any side effects.
EPCglobal networks are motivated by anti-counterfeiting techniques based on the analysis of event data and by the need for supply chain integrity. As long as event data are considered as sensitive and still exchanged in clear text without any protection against manipulation or eavesdropping, it remains questionable whether they build a reliable basis for anti-counterfeiting. This application is driven by the idea that real-time security extensions throughout the supply chain can be used to restrict the injection of counterfeited goods into supply chains by automatically analyzing the product's meta data.
The title of this application points out a dedicated real-time aspect. It stresses the fact that access to event data needs to be granted or declined within milliseconds to prevent blocking of existing business processes that depend on the outcome of the access decision. We refer to real-time as the access decision of the security extensions being taken within an empiric time frame of less than two seconds, as stated in Hypothesis 1. EPCglobal networks are considered as a possible basis for anti-counterfeiting, which supports the reconstruction of time and location of a possible counterfeit injection. As a result, the stated liability problem can be shifted to the supply chain party that accepted an untested product after counterfeit injection.
Is it possible to establish new business relationships in open supply chain and to automatically exchange event data while protecting business secrets?
Nowadays, manufacturers control their suppliers and customers in closed supply chains, e.g. in the automotive industry. As a result, manufacturers are able to verify suppliers' products before deciding to use products of a new supplier. In addition, manufacturers define product characteristics that need to be fulfilled by the supplier, e.g. time to deliver, packaging size, and details contained in the advice letter, etc.
Open supply chains shall be construed as supply chains wherein the participating parties do not know each other. Hence manufacturers struggle to verify a supplier's product. In open supply chains there is the challenge how to initially trust unknown or new supply chain parties, e.g. new suppliers. We define the problem how to initiate a new relationship between business partners within open supply chains as the initial trust problem. In the remainder of the work, we refer to trust as the absence of complete certainty. Since defining and measuring trust is not in focus of the work, we consider this brief definition as sufficient to motivate the initial trust problem. Furthermore, unknown wholesalers or customers result in the risk of business infiltration, e.g. competitors that try to obtain details about suppliers, product ingredients or involved third parties. We consider these business secrets as sensitive; in closed supply chains they are protected by design.
Supply chains are more and more optimized to improve Key Performance Indicators (KPIs), such as on-stock availability, transportation costs, and on-time delivery. Nowadays, one of the major competitive KPIs is conformance to the promised delivery time. As a result, the electronic exchange of product meta data, e.g. delivery date or advice letter, is performed before its physical counterpart is delivered. Combining the advantages of automatic exchange of product meta data, e.g. through EPCglobal networks, with open supply chains results in new challenges for the IT systems of involved supply chain partners.
In this application, we define alternatives to protect sensitive business secrets while enabling automatic exchange of product meta data in EPCglobal networks. Furthermore, our approach supports the use of implicit access rules that are evaluated with the help of the complete query history to control access to data that might expose business secrets when semantically combined. It further supports explicit definition of access rights for individual supply chain partners and groups and to enable a fine-grained access control. This contribution introduces access control for EPCglobal networks that are currently out of scope of EPCglobal specifications.
Granularity of Protection of Fine-Grained Event Data
Data stored in event repositories can vary in quantity and level of detail. Depending on the business relation with the querying party, the amount of data and the degree of detail that is shared needs to be controlled to conform to the principle of data minimalism.
Hypothesis 1 Validation and adaption of access rights based on the analysis of the complete query history can be performed in real-time during query processing, i.e. in less than two seconds.
Prevention of Anonymous Attacks Against EPCglobal Information Systems
EPCglobal networks require open interfaces that can be queried for details about handled goods. The question raises how to prevent anonymous attacks by counterfeiters or competitors against these interfaces to obtain event data or to derive sensitive business secrets.
Hypothesis 2 Applying Public Key Infrastructure (PKI) certificates for identification of supply chain parties can be used to establish specific access control and to trace counterfeiters or attackers once they were detected.
Exposure of Encryption Keys
Encryption is an established way to securely exchange sensitive data. However, once the encryption key is exposed, the encrypted content is no longer secured.
Hypothesis 3 Management of individual encryption keys per supply chain participant can reduce the impact of key exposure. Thus, in case of a disaster, malicious clients can be blocked individually without affecting other supply chain participants. Using an in-memory database supports multiple key renewals per day and individual key lookups in an interactive manner.
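The isolation property claimed in Hypothesis 3 can be shown with a small per-participant key registry. The following Python code is an added example, not the application's own implementation: because the standard library offers no authenticated encryption primitive, it uses HMAC-SHA256 message tags with one secret per participant as a stand-in for per-participant encryption keys; the registry structure (issue, renew, block, expire, look up per participant) is the same in both cases. Class and method names and the eight-hour key lifetime are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional


@dataclass
class KeyRecord:
    key: bytes
    issued: datetime
    blocked: bool = False


class ParticipantKeyRegistry:
    """One secret per supply chain participant, renewable and individually blockable."""

    def __init__(self, lifetime: timedelta = timedelta(hours=8)) -> None:
        self.lifetime = lifetime          # forces regular renewal (several per day)
        self._keys: Dict[str, KeyRecord] = {}

    def issue(self, participant: str, now: datetime) -> bytes:
        # A fresh 256-bit secret; renewing is issuing again, which discards the old key.
        key = secrets.token_bytes(32)
        self._keys[participant] = KeyRecord(key=key, issued=now)
        return key

    def block(self, participant: str) -> None:
        # Disaster case: exposure of this participant's key affects only this participant.
        if participant in self._keys:
            self._keys[participant].blocked = True

    def _usable(self, participant: str, now: datetime) -> Optional[bytes]:
        rec = self._keys.get(participant)
        if rec is None or rec.blocked or now - rec.issued > self.lifetime:
            return None
        return rec.key

    @staticmethod
    def tag(key: bytes, message: bytes) -> bytes:
        """Client side: authenticate a query with the participant's current key."""
        return hmac.new(key, message, hashlib.sha256).digest()

    def verify(self, participant: str, message: bytes, tag: bytes, now: datetime) -> bool:
        """Server side: accept only tags made with a live, unblocked, unexpired key."""
        key = self._usable(participant, now)
        if key is None:
            return False
        return hmac.compare_digest(self.tag(key, message), tag)
```

Blocking or renewing one participant's key never touches another participant's record, which is the point of Hypothesis 3; the expiry check additionally bounds how long an undetected exposure stays useful.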
State of the Art
The following chapter presents findings on selected related work and places our application in the corresponding context. There are two categories of related work with relevance to our work that are considered in this chapter:
- Related work dealing with access control, which is a special mechanism to expose data to authorized parties only, is presented in section Access Control Mechanisms, and
- Related work dealing with EPCglobal networks and securing its components is presented in section Components of EPCglobal Networks.
The first is considered to outline existing techniques for protection of sensitive data, their limitations, and their applicability with respect to EPCglobal networks. The second is considered to present and evaluate standards introduced by the EPCglobal consortium, derive trends of ongoing security activities in this context, and to introduce the technical foundations of EPCglobal networks. In a section Combination and classification of Related Work the analysis results of related work are classified.
Access Control Mechanisms
Security aspects are typically researched to address a certain threat, platform, software, use case, etc. In the following, this application is placed in the context of related work on access control systems. We define access control as all efforts to limit the actions $a \in A$ of a certain user $u \in U$ on sensitive resources $r \in R$. Access control can formally be defined as a triplet as given in Eq. 1. In the context of EPCglobal networks, we focus on event data as the resources that need to be protected, i.e. $R = \{\text{EPC events}\}$.

$(a, r, u) \quad \forall a \in A,\; r \in R,\; u \in U$  (1)
Discretionary Access Control (DAC) describes a class of mechanisms that control access by leaving the access decision to the user (Vincent C. Hu, David F. Ferraiolo, and D. Rick Kuhn. Assessment of Access Control Systems. Interagency Report 7316, National Institute of Standards and Technology, 2006, referred to in the following as Hu et al.). In other words, once a certain user is granted access to a resource, she/he is able to grant access for a certain resource to further users. Even if there is only limited access defined for a certain resource, e.g. read-only, the user is able to create a copy of the resource's content and grant individual access for further users to the copied content, which results in data exposure. For example, representatives of DAC are Access Control Lists (ACLs) incorporated by the operating system Microsoft Windows and owner-group-other flags of Unix for controlling access to files. The counterpart of DAC is referred to as Non-Discretionary Access Control (NDAC), i.e. access is not directly controlled by the user, but by a dedicated administrative entity (see Hu et al.).
Role-based Access Control (RBAC) defines a superclass for access control mechanisms that enforce access rights and restrictions on working roles rather than on individuals (David F. Ferraiolo and D. Rick Kuhn. Role-Based Access Control. In Proceedings of the 15th NIST National Computer Security Conference, pages 554-563, 1992). RBAC decouples user management from access management. To do so, RBAC controls access to resources by controlling actions A performed by users U on resources R. In contrast to traditional access control, RBAC groups allowed actions A in roles Ro as depicted in FIG. 3(a). There is no direct mapping between resources R and users U due to the indirection introduced by the roles concept. Formally, RBAC can be understood as a set of tuples with $A_{ro} = \{a \in A \mid a \text{ permitted by } ro\}$, $R_{ro} = \{r \in R \mid ro \text{ is granted access to } r\}$ and $U_{ro} = \{u \in U \mid u \text{ assigned to } ro\}$, as defined in Eq. 2.

$\mathrm{RBAC} = \{(A_{ro}, R_{ro}) \times U_{ro}\}, \quad ro \in Ro$  (2)
FIG. 3 gives a comparison of access control mechanisms using entity relationship diagrams. In FIG. 3a RBAC controls allowed actions on resources via roles, while RuBAC, as depicted in FIG. 3b controls access via rules evaluating predicates (A=Actions, P=Predicates, R=Resources, Ro=Roles, Ru=Rules, U=Users, V=Additional decision data).
With the assumption that the number of users is larger than the number of active roles, RBAC results in improved maintainability. For example, granting access to the location attribute of gathered event data to all colleagues working as packers becomes a single task. Rather than identifying all packers within the company and setting their individual access rights, all colleagues working in the role Packer are assigned the right to read the EPC event location. Thus, all packers get immediate access to the required event data in a transparent way. Furthermore, newly joined colleagues are automatically granted the access right to read the EPC event location. However, this results in the disadvantage that people's role membership has to be supervised; otherwise access rights might be expanded while certain persons are no longer allowed to get access. For instance, if there are two mutually excluding roles defined to establish a Separation of Duties (SoD) and a certain person gets assigned both roles, SoD is violated although RBAC is applied (see Hu et al.).
Nevertheless, RBAC is valued as a concept that improves handling of access for a potentially infinite number of users. In terms of the pharmaceutical supply chain as described above, the number of users of a certain EPCIS repository is not known beforehand. In contrast to the number of involved goods and parties in the pharmaceutical supply chain, the number of active roles is expected to be comparably small. Firstly, roles according to the supply chain role are reasonable to distinguish between direct partners, who receive goods without involved third parties, and indirect partners, who receive goods via further intermediates. Secondly, roles can be used to group goods in categories and control access via this indirection. Thirdly, special classifications introduced by the supply chain party can be used to value certain partners, e.g. high and low priority business partners or suppliers.
This example shows two aspects of RBAC. Firstly, roles cannot be predefined due to the variety of possible classification criteria. Secondly, grouping individual inquirers into roles helps to abstract from the unknown number of inquirers and keeps access control a limited task rather than a recurring task whenever an unknown inquirer is querying.
In the context of EPCglobal networks and the given pharmaceutical scenario, RBAC supports abstraction from individuals. As a result, the administrative overhead for maintaining possibly hundreds of thousands of individual access rights vanishes. Thus, we consider RBAC as one way to reduce the complexity. In the given application, RBAC is applied to the definition and enforcement of access rights, as will be described in the section Extended Process Steps further down.
Rule-based Access Control (RuBAC) refers to all access control mechanisms defining access rights or restrictions in a set of rules that need to be evaluated for each access request (Hu et al.). In other words, RuBAC is a general term for access control systems that allow some form of organization-defined rules (Adesina S. Sodiya and Adebukola S. Onashoga. Components-Based Access Control Architecture. Issues in Informing Science and Information Technology, 6:699-706, 2009). RuBAC results in the advantage of defining various kinds of complex rules based on any kind of additional attributes, such as remote host name, current time, user details, etc. As a result, RuBAC enables a more fine-grained access control than RBAC. However, a concrete definition of rules and their interpretation needs to be implemented individually. RuBAC defines a set of rules Ru consisting of predicates P that are evaluated specifically when a concrete user u is accessing a certain resource r to perform an action a. Formally, RuBAC can be represented as given in Eq. 3 and depicted in FIG. 3b, where V denotes the additional decision data.

$Ru = \{P(a, r, u, v)\} \quad \forall a \in A,\; r \in R,\; u \in U,\; v \in V$  (3)
RuBAC results in a higher flexibility when granting access. In the given application, RuBAC is incorporated to adapt access rights accordingly to the history of granted access rights as will be described in the section Extended Process Steps, further below.
The contributed HBAC combines RBAC and RuBAC to control access to event data in a holistic way as described in the section Architecture, further down.
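To make the combination concrete, the following Python code is an added example (not the application's own HBAC implementation) of a decision point that first applies the RBAC tuples of Eq. 2 and then evaluates RuBAC predicates of the form of Eq. 3 against the complete history of granted queries, as motivated in the problem statement above. It also records each decision with the querying party and time (F4) and checks the two-second budget of F1. The role names, rule names and the constructed scenario in demo() are assumptions of this example.

```python
import time
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Set, Tuple

RESPONSE_BUDGET_S = 2.0  # F1 / Hypothesis 1: decide in less than two seconds


@dataclass(frozen=True)
class Request:
    user: str        # u in U: the authenticated inquirer (F3)
    action: str      # a in A
    resource: str    # r in R: here an attribute of EPC events
    at: datetime


@dataclass
class AuditEntry:
    """F4: who asked for what, when, and how the request was decided."""
    request: Request
    granted: bool
    reason: str
    elapsed_s: float


# A RuBAC predicate P(a, r, u, v): the additional decision data v is the history.
Predicate = Callable[[Request, List[Request]], bool]


class HBAC:
    def __init__(self) -> None:
        self.members: Dict[str, Set[str]] = {}              # ro -> U_ro
        self.permits: Dict[str, Set[Tuple[str, str]]] = {}  # ro -> A_ro x R_ro
        self.rules: List[Predicate] = []                    # Ru
        self.history: List[Request] = []                    # granted queries
        self.audit: List[AuditEntry] = []

    def assign(self, user: str, role: str) -> None:
        self.members.setdefault(role, set()).add(user)

    def permit(self, role: str, action: str, resource: str) -> None:
        self.permits.setdefault(role, set()).add((action, resource))

    def add_rule(self, predicate: Predicate) -> None:
        self.rules.append(predicate)

    def _rbac_allows(self, req: Request) -> bool:
        # exists ro in Ro with u in U_ro and (a, r) in A_ro x R_ro   (Eq. 2)
        return any(
            req.user in self.members.get(role, set()) and (req.action, req.resource) in perms
            for role, perms in self.permits.items()
        )

    def decide(self, req: Request) -> Tuple[bool, str]:
        started = time.perf_counter()
        granted, reason = False, "no role permits this action on the resource"
        if self._rbac_allows(req):
            failed = [p for p in self.rules if not p(req, self.history)]  # Eq. 3
            if failed:
                reason = f"rule {failed[0].__name__} denies based on query history"
            else:
                granted, reason = True, "granted"
                self.history.append(req)
        self.audit.append(AuditEntry(req, granted, reason, time.perf_counter() - started))
        return granted, reason

    def within_budget(self) -> bool:
        return all(entry.elapsed_s < RESPONSE_BUDGET_S for entry in self.audit)


def no_semantic_combination(first: str, second: str, window: timedelta) -> Predicate:
    """Deny `second` if the same user read `first` within `window`: combined, the
    two attributes could expose a business secret (e.g. who handles goods where)."""
    def rule(req: Request, history: List[Request]) -> bool:
        if req.resource != second:
            return True
        return not any(h.user == req.user and h.resource == first and req.at - h.at <= window
                       for h in history)
    rule.__name__ = f"no_combination_{first}_{second}"
    return rule


def rate_limit(resource: str, max_reads: int, window: timedelta) -> Predicate:
    """Deny once a user has already read `resource` `max_reads` times within `window`."""
    def rule(req: Request, history: List[Request]) -> bool:
        if req.resource != resource:
            return True
        recent = [h for h in history
                  if h.user == req.user and h.resource == resource and req.at - h.at <= window]
        return len(recent) < max_reads
    rule.__name__ = f"rate_limit_{resource}"
    return rule


def demo() -> HBAC:
    """Constructed scenario: a direct and an indirect partner query one repository."""
    acs = HBAC()
    acs.assign("pharmacy-A", "direct_partner")
    acs.assign("wholesaler-B", "indirect_partner")
    for res in ("epc_list", "read_point", "biz_location"):
        acs.permit("direct_partner", "read", res)
    acs.permit("indirect_partner", "read", "epc_list")
    acs.add_rule(no_semantic_combination("read_point", "biz_location", timedelta(hours=24)))
    acs.add_rule(rate_limit("epc_list", max_reads=2, window=timedelta(hours=1)))
    return acs
```

Only granted requests enter the history, so a denied probe does not itself tighten later decisions; the audit log, by contrast, keeps every request, which is what F4 needs when a leak has to be traced back to a querying party.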
The eXtensible Access Control Markup Language (XACML) is an eXtensible Markup Language (XML) dialect specified by the OASIS consortium. It aims to define access control rights for subjects representing users, resources, and actions based on rules and policies (OASIS Open. eXtensible Access Control Markup Language (XACML) V.2.0, February 2005, referred to as OASIS 2.0 in the following). In addition, XACML introduces a conceptual SoD for access control systems, which is also applicable for the given application. Tab. 2 presents the XACML duties, their brief description, and a mapping to components of this work with direct references for further reading, as reproduced below.
TABLE 2
XACML | Description | HBAC | Section
Policy Enforcement Point (PEP) | Component that enforces the decision issued by the PDP, i.e. interacting with the user and the resource to grant access to | Access Control Client (ACC) | ACC
Policy Decision Point (PDP) | Component that issues and revokes valid policies, e.g. based on external information, such as the querying user, history, context, etc. | Access Control Server (ACS) | ACS
Policy Administration Point (PAP) | Component responsible for managing policies, i.e. creating or modifying access rights | Configuration Tool | Configuration Tool
Policy Information Point (PIP) | Component that provides additional information for the PDP to derive decisions | Trust Relationship Server (TRS) | TRS
Table 2 illustrates a mapping of XACML duties to sections within this application.
The use of XML for definition of access rights is a common approach as shown by the classification of related work. This standardized way of communication contributes to the interoperability between various software systems and vendors. In addition, it makes the automatic transformation of data formats possible, e.g. by using an eXtensible Stylesheet Language Transformations (XSLTs) (see James Clark. XSL Transformations (XSLT). www.w3.org/TR/xslt, November 1999). However, in addition to XACML, which is only rarely used for RFID-specific developments, various extensions or other XML dialects are used, such as aidXACML or EAL introduced by Grummt et al. (Eberhard Grummt and Martin Schöffel. Verteilte Autorisation in RFID-Ereignissystemen. In Patrick Horster, editor, D.A.CH Security—Bestandsaufnahme, Konzepte, Anwendungen, Perspektiven, pages 337-345, Berlin, Germany, 2008).
The Open Digital Rights Language (ODRL) is an XML dialect for defining and maintaining rights to assets (ODRL Initiative. ODRL V2.0-XML Encoding. hxxp://odrl.net/2.0/WD-ODRL-XML.html, 2010). Assets in the context of ODRL are mainly multimedia contents, such as audio or video contents. In the given application, we consider event data as company-specific assets comparable to purchased multimedia contents. Event data can be accessed by various inquirers but with individual access rights. Once a certain criterion expires, accessing the event data must no longer be possible. We decided to make use of ODRL for the definition of access rights and access control information for our contribution since it is a lightweight approach and reduces data processing overhead. However, a homomorphism can be defined that transforms ODRL to the more expressive XACML, i.e. XACML is another possible implementation for the definition of access rights.
Components of EPCglobal Networks
The EPCglobal consortium—newly also known as Global Standards 1 (GS1)—defines technical components and standards for intercommunication in RFID-aided supply chains. EPCglobal standards can be grouped in the functional layers identification, capturing, and exchanging as depicted in FIG. 4 (taken from Global Standards 1. GS1 Standards Knowledge Centre. www.gs1.org/gsmp/kc/epcglobal/).
The identification layer deals with the data format stored on tags, e.g. Tag Data Standard (TDS), and its translation, e.g. Tag Data Translation (TDT).
The capturing layer defines the communication protocol between tags and readers, e.g. Tag Protocol UHF Class 1 Gen1, EPC HF, and the Low Level Reader Protocol (LLRP), which is responsible for data acquisition and event capturing. On top, the Discovery Configuration and Initialization (DCI) and the Reader Management (RM) define how to discover and control distributed reader devices. The Application Level Events (ALE) standard defines how to handle, filter, and process reader events for software applications.
EPCIS bridge the gap between the layers capture and exchange. The Core Business Vocabulary (CBV) defines language elements used for data exchange. From the enterprise's point of view, the EPCIS provides high-level access methods for processing event data in enterprise applications, such as ERP systems. Object Name Service (ONS) and EPCDS perform lookup and discovery of resources, such as supply chain participants that handled a certain good. The standards Certificate Profile (CP) and Pedigree define data formats for exchanging data within EPCglobal networks from a business perspective.
We define EPCglobal networks as communication networks that exchange event data with the help of the components as defined by EPCglobal standards of the appropriate layer. In other words, EPCglobal networks contain only relevant components for business transactions, i.e. EPCglobal actors for EPCIS, ONS, and EPCDS. In addition to existing EPCglobal definition, we assume the existence of a generic service provider that performs business tasks not addressed by aforementioned components of EPCglobal networks, such as anti-counterfeiting.
RFID Tags
RFID tags consist of the components: a) antenna, b) integrated circuits, c) data storage, and d) optional equipment, such as sensors. They are tiny radio devices that can be distinguished according to a) the operating frequency band, b) the type of tag, and c) their read-write capabilities.
The available radio band for RFID communication is defined by global standardization that can be restricted on a per-country basis (International Organization for Standardization. ISO/IEC 18000: Information Technology—Radio Frequency Identification for Item Management, 2004-2010). UHF tags are nowadays used for tracking and tracing scenarios due to the low power required for emitting signals. Table 3 gives a classification of the radio frequency bands used by RFID tags and their frequencies in Europe and in the United States of America (USA), as displayed below.
TABLE 3
Radio Band | Frequency
Low Frequency (LF) | 100-135 kHz
High Frequency (HF) | 13.56 MHz
Ultra High Frequency (UHF) | 868 MHz (Europe), 915 MHz (USA), 2.45 GHz (ISM)
Super High Frequency (SHF), Microwave (MW) | 5.8 GHz
In comparison, current radio broadcasting based on FM operates in the frequency band 87.5-108 MHz, whereas former radio broadcasting was based on AM that operates in the frequency band Long Wave (LW) 148.5-283.5 kHz, Medium Wave (MW) 520-1,610 kHz, and Short Wave (SW) 2.3-26.1 MHz. Furthermore, current cellular phones operate in the bands 900 MHz and 1800 MHz (Europe), 850 MHz and 1900 MHz (USA) respectively. Nowadays, UHF tags are mainly used for EPCglobal networks, i.e. their operating frequency is comparable to cellular phones or is located within the so-called Industrial, Scientific, and Medical (ISM) band.
The tag's type describes its capabilities. Keeping production costs low is a major requirement for passive RFID tags in EPCglobal networks for Near Field Communication (NFC) (see for example, Erick C. Jones and Christopher A. Chung. RFID in Logistics: A Practical Introduction. CRC Press, 2007, chapter 3). Passive low-cost tags are powered by the physical principle of induction, i.e. they need to be placed near the reader's electromagnetic field, which is required for a) the power supply of the tag's integrated circuits and b) data communication. In contrast to NFC, Far Field Communication (FFC) refers to communication when the distance between reader and tag exceeds one wavelength. FFC typically requires active RFID tags since they are able to actively modulate data via the radio band using their equipped battery.
Table 4 compares the classification of tag capabilities, as displayed below. Passive tags work only with an external stimulus. Due to their low manufacturing costs they are used for nowadays tracking and tracing scenarios.
TABLE 4
Type | Functionality | Description
Passive | Induction | No power supply, powered by the reader's electromagnetic induction, works only while in the reader's field
Semi-active | Induction, μC | Battery-powered, e.g. to perform regular sensor measurements, not for transmission
Active | Active transmission, μC | Battery-powered to extend transmission range and for regular sensor readings
Read-write capabilities of RFID tags can be used to further classify tags. Three classes of tags exist accordingly to their read-write capabilities: a) read-only, b) write-once, read-many, and c) write-many, read-many tags.
Table 5 gives a comparison of RFID tags based on read-write capabilities. Read-only tags are nowadays used for tracking and tracing scenarios due to the higher hardware requirements for read-write tags.
TABLE 5TypeDescriptionExampleRead-onlyProgrammed once by the tag'sToll systems, e.g. E-ZPassmanufacturerWrite-once,Programmed once by theTags with EPCsRead-manyproduct's manufacturerRead-writeContent can be changed atCash card systems, eg. any timePUCK
Read-only tags are a subset of Write-Once Read-Many (WORM) tags, the difference being that the tag's manufacturer initializes their content. The first user, e.g. the good's manufacturer, initializes write-once, read-many tags. Write-many, read-many tags are equipped with a small flash storage, comparable to external flash devices for personal computers, that can be read and written many thousands of times.
RFID Reader
RFID reader devices consist of a) a set of antennas and b) a controller device. The controller device implements radio interface protocols to communicate with RFID tags over the air. Antennas are used to send radio signals to tags and to receive their data.
Object Name Service
The ONS is a yellow-pages service for RFID-aided supply chains (see Global Standards 1. EPCglobal Object Name Service 1.0.1. www.gs1.org/gsmp/kc/epcglobal/ons/ons_1_0_1-standard-20080529.pdf, 2008). For a given EPC, it returns the Uniform Resource Locator (URL) of the manufacturer's EPCIS. The inquirer can then contact the manufacturer's EPCIS to obtain further details about the product and about the subsequent participants that handled the good identified by the EPC.
EPC Information Services
The EPCIS provides standardized interfaces between internal event repositories and external inquirers (see EPCIS 1.0.1). In other words, it is responsible for exchanging relevant internal data with external participants of the supply chain, e.g. to perform anti-counterfeiting. The EPCIS is also involved in controlling access to event data and in ensuring the privacy of internal data. Thus, we consider the EPCIS a possible target of attackers who aim to obtain event data.
EPC Discovery Services
The EPCDS acts as an intermediary for querying parties: it preprocesses data from various EPCIS repositories and performs preliminary operations on them, e.g. aggregation of internal event data (see Global Standards 1. Discovery Services Standard (in development). www.gs1.org/gsmp/kc/epcglobal/discovery). When the inference concept for supply chains is applied, the EPCDS is required to reconstruct the virtual path of individual products. Up to now, no EPCDS implementation ratified by EPCglobal is available, since the corresponding standards are still in development. However, Müller contributes an EPCDS built on the in-memory building blocks defined in section In-Memory Technology Building Blocks (see Jürgen Müller. An In-Memory Discovery Service to Retrieve Track & Trace Information in a Unique Identifier Network with Hierarchical Packaging. PhD thesis, Hasso Plattner Institute, 2012).
Middleware
The RFID middleware acts as a mediator between RFID readers and the capturing interface of the EPCIS repository. It fulfills a set of common tasks within a company to integrate event data into existing business systems, such as ERP systems. Furthermore, it is responsible for filtering and collecting events and for harmonizing the data format between EPCglobal components (EPCIS 1.0.1).
Security in EPCglobal Networks
The Certificate Profile (CP) is defined by the EPCglobal consortium and specifies security aspects in EPCglobal networks. The first version 1.0 was released in March 2006 and contains the sections “Introduction”, “Algorithm Profile”, “Certificate Profile”, “Certificate Validation Profile”, and two appendices, described in a total of 11 pages. The latest released version 2.0 of this standard, ratified in June 2010, has the identical outline in a total of 14 pages (Global Standards 1. EPCglobal Certificate Profile Specification Version 2.0. www.gs1.org/gsmp/kc/epcglobal/cert/cert_2_0-standard-20100610.pdf, June 2010, referred to in the following as EPCglobal, cert. 2.0). In the following, the content of the latest CP is summarized and evaluated.
The CP expects the use of X.509 certificates in the context of EPCglobal networks, which requires a global PKI. From our perspective, this is feasible, since PKIs have proven to work in productive environments, such as device and user authentication with IEEE 802.1X in communication networks and Germany's electronic identity cards (see, for example, Bundesamt für Sicherheit in der Informationstechnik. BSI TR-03128 EAC-PKI'n für den elektronischen Personalausweis, V. 1.1. www.bsi.bund.de/ContentBSI/Publikationen/TechnischeRichtlinien/tr03128/index_htm.html, 2010, in the following referred to as BSI TR-03128). The rest of the CP provides recommendations on how to use X.509 certificates for identification purposes.
The section “Algorithm Profile” contains recommendations for X.509 certificates. As of today, the following settings are recommended:
- Algorithm: sha2WithRSAEncryption, i.e. any of the algorithms SHA-224, SHA-256, SHA-384, SHA-512.
- Key length: 2,048 bits (3,072 bits by the year 2031).
The section “Certificate Profile” mainly describes how to include an EPC's URI representation within a certificate and how to encode users, services, servers, readers and devices accordingly, e.g. by including their unique serial number and/or device-specific Media Access Control (MAC) identifier.
Further details about how to ensure security aspects, such as authentication, and how to use them in the context of access control are not defined in the CP. Therefore, we evaluated the latest EPCIS standard version 1.0.1, ratified in September 2007, for definitions regarding security (EPCIS 1.0.1). It contains one subsection dealing with authentication and one dealing with authorization. The former contains the hint that the EPCIS Query Control Interface can be used for authentication. In addition, a non-normative explanation is given, indicating that the use of mutual authentication is expected. Concrete implementations or definitions are missing. The section about authorization specifies the following actions as valid:
- Refuse a request completely with a generic SecurityException,
- Hide data, e.g. the list of business transactions, but remove the entire event when hiding the data would result in misleading data,
- Return only a subset of the requested data, e.g. only the first hundred matching events when querying all known events,
- Respond with coarser-grained data than requested, e.g. substituting all company-internal locations, such as gate 1, assembly area 2, etc., with a common location for the company, and
- Limit the scope of a query to a certain client, e.g. to provide EPCIS repositories as Software-as-a-Service (SaaS).
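As an added illustration, not part of the patent text or its HBAC implementation, the following Python sketch applies the five authorization actions listed above to a constructed event list; the event field names, the policy dictionary keys and the EPC and location values are assumptions.

```python
"""Added example: the five EPCIS 1.0.1 authorization actions applied to a
constructed list of events. Illustrative code only, not the patent's HBAC
implementation; field names, policy keys and sample values are assumptions."""


class SecurityException(Exception):
    """Generic refusal: the client learns nothing about the repository's content."""


# Constructed sample events (placeholder EPCs and read points, not real data).
EVENTS = [
    {"epc": "urn:epc:id:sgtin:0614141.107346.2017", "time": "2012-01-05T08:00:00Z",
     "bizStep": "receiving", "readPoint": "urn:example:acme:gate1",
     "bizTransactionList": ["po:4711"]},
    {"epc": "urn:epc:id:sgtin:0614141.107346.2017", "time": "2012-01-05T09:30:00Z",
     "bizStep": "commissioning", "readPoint": "urn:example:acme:assembly2",
     "bizTransactionList": []},
    {"epc": "urn:epc:id:sgtin:0614141.107346.2018", "time": "2012-01-06T10:00:00Z",
     "bizStep": "shipping", "readPoint": "urn:example:acme:gate1",
     "bizTransactionList": ["asn:9001"]},
]

INTERNAL_PREFIX = "urn:example:acme:"       # company-internal locations (assumed)
COMPANY_LOCATION = "urn:example:acme:site"  # coarser location returned instead


def refuse(reason="not authorized"):
    """Action 1: refuse the request completely with a generic exception."""
    raise SecurityException(reason)


def hide_fields(event, hidden, misleading_if_hidden=("epc", "time", "bizStep")):
    """Action 2: drop the hidden fields; return None (remove the entire event)
    when hiding one of the listed fields would leave misleading data."""
    if any(f in misleading_if_hidden for f in hidden):
        return None
    return {k: v for k, v in event.items() if k not in hidden}


def subset(events, limit):
    """Action 3: return only the first `limit` matching events."""
    return events[:limit]


def coarsen_location(event, prefix, common):
    """Action 4: replace company-internal read points by one common location."""
    coarse = dict(event)
    if coarse.get("readPoint", "").startswith(prefix):
        coarse["readPoint"] = common
    return coarse


def limit_scope(events, client_epcs):
    """Action 5: restrict the query to the EPCs assigned to this client."""
    return [e for e in events if e["epc"] in client_epcs]


def authorize(events, policy):
    """Apply a per-client policy (assumed dict keys) in the order
    refuse -> scope -> hide -> coarsen -> subset and return the visible events.
    The original events are never modified."""
    if policy.get("refuse"):
        refuse()
    visible = limit_scope(events, policy["scope"]) if "scope" in policy else list(events)
    if "hide" in policy:
        visible = [h for h in (hide_fields(e, policy["hide"]) for e in visible) if h is not None]
    if "coarsen" in policy:
        visible = [coarsen_location(e, INTERNAL_PREFIX, COMPANY_LOCATION) for e in visible]
    if "limit" in policy:
        visible = subset(visible, policy["limit"])
    return visible
```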
The business-level security extensions described in Chap. Business-level Extensions for Event Repositories incorporate the latter three aspects to restrict clients' access to event data. The CP further contains a non-normative explanation stating: “[ . . . ] the EPCIS specification does not take a position as to how authorization decisions are taken (EPCIS 1.0.1)”. We regard this application as a concrete contribution showing how to take these decisions and how to protect sensitive event data.
The term security services was recently mentioned in the context of EPCglobal standards. However, at the time of writing this document, a concrete definition or a draft is still missing. We consider the results of this work a major step towards making security services for EPCglobal networks a reality.
Official standards give hints for incorporating security features and expect their usage. However, EPCglobal leaves detailed design decisions, implementation strategies, and concrete implementations open to the reader. These standards lack a comprehensive description of threats, attack scenarios, their impact on business processes, and possible countermeasures. The transformation of a conventional supply chain into an RFID-aided supply chain involves various security-relevant adaptations, such as open interfaces for accessing EPCIS repositories (EPCIS 1.0.1). Existing work shows various threats, their impact, and countermeasures. The given application contributes by designing, developing, and implementing concrete security extensions for EPCglobal EPCIS repositories. These are considered a possible target of attacks since they are the source of sensitive event data that attackers can misuse to derive correlated business information (Matthieu-P. Schapranow, Martin Lorenz, Alexander Zeier, and Hasso Plattner. License-based Access Control in EPCglobal Networks. In Proceedings of the 7th European Workshop on Smart Objects: Systems, Technologies and Applications. VDE, 2011, in the following referred to as Schapranow II).
In-Memory Technology Building Blocks
In the following section, we introduce selected in-memory technology building blocks that are incorporated in the developed security extensions. We refer to in-memory technology as a toolbox of technology artifacts that enables the processing of enterprise data in real time in main memory. This includes processing hundreds of thousands of queries in a multi-user system with sub-second response times. In-memory technology enables interactive decision making without keeping redundant or pre-aggregated data.
To support analytical and transactional operations, two optimized types of database systems evolved. On the one hand, database systems for transactional workloads store and process data in a row-oriented format, i.e. the attributes of a record are stored side by side. On the other hand, database systems optimized for analytical purposes scan selected attributes of huge datasets in a very short time, e.g. by maintaining pre-aggregated totals. If the complete data of a single row needs to be accessed, storing data in row format is advantageous. For example, comparing two customers involves all of their database attributes, such as the inquirer's name, time, and content, which all need to be loaded. In contrast, columnar stores benefit from their storage format when only a subset of attributes needs to be processed. For example, summing up the total number of products that passed a certain reader gate involves the attributes date and business location, while the attributes EPC and business step are ignored. Using a row store for this purpose would result in processing all attributes of the entire event list, although only two of these attributes are required. Therefore, a columnar store benefits from accessing only relevant data.
Insert-only or append-only describes how new data are managed. Traditional database systems support four operations for data manipulation, i.e. insert, select, delete, and update of data. The latter two are considered destructive operations since the original data are no longer available after their execution (Matthieu-P. Schapranow. Transaction Processing 2.0: The Epochal Change in Designing Transaction Processing Systems. Master's thesis, Hasso Plattner Institute, April 2008, referred to in the following as Schapranow III, see sect. 7.1 therein). In other words, it is neither possible to detect nor to reconstruct the complete history of values of a certain attribute after their execution, since only the latest value is stored permanently. Insert-only tables enable storing the complete history of value changes together with the latest value of a certain attribute (Hasso Plattner and Alexander Zeier. In-Memory Data Management: An Inflection Point for Enterprise Applications. Springer, 2011, referred to in the following as Plattner et al.). For instance, this is the foundation of all bookkeeping systems to guarantee transparency. Insert-only builds the basis for storing the entire history of queries used for the access decisions of HBAC. In addition, insert-only enables tracing of access decisions, e.g. to perform incident analysis.
Compression in the context of in-memory technology refers to an isomorphism that defines a storage representation consuming less space than the original representation (Plattner et al.). A columnar storage supports the use of lightweight compression techniques, such as run-length encoding, dictionary encoding, and differencing (Per Svensson. The Evolution of Vertical Database Architectures: A Historical Review. In Proceedings of the 20th International Conference on Scientific and Statistical Database Management, pages 3-5. Springer-Verlag, 2008). Due to the fixed data type per column, consecutive values lie within a given interval, e.g. integer values, and the data type defines an upper bound for individual values. Depending on the source of the data, the number of values that actually occur is lower than the number of possible values in this interval, i.e. only the set of distinct values needs to be stored. For example, all incoming queries are stored in a log database table of the HBAC for analysis. If ten supply chain participants query details of the same product, the same query occurs ten times. Instead of storing the query redundantly, dictionary compression stores the query once and maps it to a smaller integer representation. Within the database, only the query's corresponding integer value is stored, and database queries are rewritten to use the integer representation instead. The original representation is restored just before the result set is returned to the client. As a result, the database executes all operations on compressed data without decompression. In comparison to the uncompressed format, which requires transferring the complete query string ten times through the memory hierarchy of the database server, the compressed data improves the cache-hit ratio since more compressed data fits into the cache memory.
We distinguish the partitioning approaches vertical and horizontal partitioning (Sam Lightstone, Toby J. Teorey, and Tom Nadeau. Physical Database Design: The Database Professional's Guide to Exploiting Indexes, Views, Storage, and More. Morgan Kaufmann/Elsevier, 2007, referred to as Lightstone et al. in the following). Vertical partitioning refers to rearranging individual database columns. It is achieved by splitting the columns of a database table into two or more sets of columns. Each of the sets can be distributed to individual database servers. This technique can also be used to build database columns with different orderings to achieve better search performance while guaranteeing high availability of data (Joseph M. Hellerstein, Michael Stonebraker, and James Hamilton. Architecture of a Database System. Foundations and Trends in Databases, volume 1, 2007, referred to as Hellerstein I in the following). Key to the success of vertical partitioning is a thorough understanding of data access patterns. Attributes that are accessed in the same query should reside in the same partition, since locating and joining additional columns degrades overall performance.
In contrast, horizontal partitioning addresses long database tables and how to divide them into smaller chunks of data. As a result, each portion of the database table contains a subset of the complete data. Splitting data into equally long horizontal partitions is used to support parallel search operations and to improve scalability. For example, a scan of the query history results in a full table scan. With a single partition, a single thread needs to access all individual history entries to check the relevant selection predicate. When using naïve round-robin horizontal partitioning across ten partitions, the scan of the complete table is performed in parallel by ten threads simultaneously. It reduces the response time by approx. 1/9 compared to the aforementioned single-threaded approach. This example shows that the partition length depends on the incorporated partitioning strategy. For example, instead of round robin, range partitioning can be used, e.g. inquirers are partitioned into groups of 1,000 with the help of their user id or the requested EPC.
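The following added example, which is not the patent's code, ties together the insert-only query log, the dictionary compression of repeated queries and the round-robin horizontal partitioning of the HBAC query history described in the preceding paragraphs. The class, the sample queries, the inquirer names and the partition count are constructed assumptions.

```python
"""Added example (not the patent's implementation): an insert-only HBAC query
history whose query strings are dictionary-encoded, spread round-robin over
horizontal partitions and scanned in parallel without decoding.
Class name, sample queries, inquirer names and partition count are assumptions."""
from concurrent.futures import ThreadPoolExecutor


class QueryHistory:
    def __init__(self, partitions=10):
        self.dictionary = {}   # query string -> small integer code
        self.decode = []       # code -> query string (used only when returning results)
        self.partitions = [[] for _ in range(partitions)]  # horizontal partitions
        self.size = 0          # rows inserted so far; also the next sequence number

    def encode(self, query):
        """Dictionary compression: identical queries share one integer code."""
        code = self.dictionary.get(query)
        if code is None:
            code = len(self.decode)
            self.dictionary[query] = code
            self.decode.append(query)
        return code

    def log(self, inquirer, query):
        """Insert-only: rows are appended, never updated or deleted, so the
        complete history behind every access decision stays reconstructible."""
        row = (self.size, inquirer, self.encode(query))
        self.partitions[self.size % len(self.partitions)].append(row)  # naive round robin
        self.size += 1

    def count_query(self, query):
        """How often was this query issued? The predicate is rewritten to the
        integer code and each partition is scanned by its own thread."""
        code = self.dictionary.get(query)
        if code is None:
            return 0

        def scan(partition):
            return sum(1 for _, _, c in partition if c == code)

        with ThreadPoolExecutor(max_workers=len(self.partitions)) as pool:
            return sum(pool.map(scan, self.partitions))

    def history_of(self, inquirer):
        """All queries of one inquirer in insertion order; decoded only here,
        just before the result is handed back to the caller."""
        rows = [r for p in self.partitions for r in p if r[1] == inquirer]
        return [self.decode[c] for _, _, c in sorted(rows)]

    def stored_bytes(self):
        """Rough size comparison: one string per row versus the dictionary
        plus an 8-byte code per row."""
        uncompressed = sum(len(self.decode[c]) for p in self.partitions for _, _, c in p)
        compressed = sum(len(q) for q in self.decode) + 8 * self.size
        return uncompressed, compressed


# Constructed sample queries; the EPC is a placeholder value.
PRODUCT_QUERY = "SELECT * FROM events WHERE epc = 'urn:epc:id:sgtin:0614141.107346.2017'"
COUNT_QUERY = "SELECT COUNT(*) FROM events WHERE bizStep = 'shipping'"


def build_sample_history():
    """Scenario from the text: ten participants query the same product."""
    history = QueryHistory(partitions=10)
    for i in range(10):
        history.log("participant-%d" % i, PRODUCT_QUERY)
    history.log("participant-3", COUNT_QUERY)
    return history
```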
Parallelization can be applied at various locations within the application stack of enterprise systems, from the application running on an application server to query execution in the database system. As an example of application-level parallelism, we assume the following. Incoming queries need to be processed in parallel by EPCIS repositories to satisfy response time expectations. Processing multiple queries can be handled by multi-threaded applications, i.e. the application does not stall when dealing with more than one query at a time. Operating system threads are a software abstraction that needs to be mapped to physically available hardware resources. A CPU core is comparable to a single worker on a construction site. If it is possible to map each query to a single core, the system's response time is optimal. Query processing also involves data processing, i.e. the database needs to be queried in parallel, too. If the database is able to distribute the workload across multiple cores, a single server works optimally. If the workload exceeds the physical capacities of a single system, multiple servers or blades need to be installed to distribute the work and achieve optimal processing behavior. From the database point of view, data partitioning supports parallelization since multiple CPU cores, even on multiple servers, can process data simultaneously (Joseph M. Hellerstein, Michael Stonebraker, and James Hamilton. Architecture of a Database System. Foundations and Trends in Databases, volume 1. now Publishers, 2007, referred to as Hellerstein II in the following, therein Chap. 6). This example shows that multi-core architectures and parallelization depend on each other, while partitioning is the basis for parallel data processing.
We define two categories of data stores: active and passive. We refer to data as active when they are accessed frequently and regular updates are expected, e.g. the access rules of HBAC. In contrast, passive data are neither updated nor accessed regularly. They are used purely for analytical and statistical purposes or in exceptional situations where specific investigations require these data. For example, tracking events of a certain pharmaceutical product that was sold five years ago can be considered passive data. Firstly, from the business perspective, the pharmaceutical can be consumed until its best-before date, two years after its manufacturing date, is reached. When the product is handled now, five years after its manufacturing, it is no longer allowed to be sold. Secondly, the product was most probably sold to a customer four years ago, i.e. it left the supply chain and was typically already used within its best-before date. Therefore, the probability that details about this pharmaceutical are queried is very low. Nonetheless, the tracking history is conserved and no data are deleted, in conformance with legal regulations. As a result, the passive data can still be accessed, but with a higher latency than active data. For example, passive data can be used for reconstructing the path of a product within the supply chain or for long-term financial forecasts. This example gives an understanding of active and passive data. Furthermore, introducing the concept of passive data results in a classification of data stores. Thus, active data that need to be accessed in real time can be separated from passive data that are ready for archiving.
When data are moved to a passive data store, they no longer consume fast-accessible main memory. Dealing with passive data stores involves the definition of a memory hierarchy including fast but expensive and slow but cheap memory. A possible storage hierarchy is: memory registers, cache memory, main memory, flash storage, solid state disks, SAS hard disk drives, SATA hard disk drives, tapes, etc. To distinguish between active and passive data, rules for migrating data from one store to another need to be defined. We refer to them as data aging strategy or aging rules. We consider the process of aging, i.e. the migration of data from a fast to a slower store, a background task that is performed regularly, e.g. once a month or once a week. Since this process involves reorganization of the entire database, it should be performed only during times of low database access, e.g. during nights or weekends.
In application development, layers refer to levels of abstraction. Each application layer encapsulates specific logic and offers certain functionality. Although abstraction helps to reduce complexity, it also introduces obstacles. Examples of the latter are a) functionality is hidden within a layer and b) each layer offers a variety of functionality while only a small subset is in use. From the data point of view, layers are problematic since data are marshalled and unmarshalled for transformation into the layer-specific format. As a result, identical data are present in various layers and representations. Reducing the number of layers improves the use of hardware resources. Moving application logic to the data it operates on results in a smaller application stack and also in less code. Reducing the code length results in improved maintainability. HBAC is implemented as a single-layer application in Python and interacts directly with the in-memory database. As a result, processing overhead due to multiple layers is already addressed by its design.
Combination and Classification of Related Work
The wish for data protection in information systems is as old as the existence of any kind of data. Historically speaking, the aspect of data protection arose as soon as the development of the first computer systems, such as ENIAC, started in World War II. For instance, with the invention of radar systems, airplane attacks could be detected by sending out a radio signal and observing its reflections. Identification Friend or Foe (IFF) systems were developed to distinguish unknown aircraft from each other. Friendly aircraft were equipped with an IFF system that sent out a special signal in response to a detected radar signal. Let us consider IFF systems as information systems, since typical attacks on information systems also apply to them. After the introduction of IFF systems, they were copied, and security extensions, such as on-device encryption, were added to secure their operation.
Lampson defines protection as “[ . . . ] all the mechanisms that control the access of a program to other things in the system” (see Butler W. Lampson. Protection. In Proceedings of the 5th Princeton Conference on Information Sciences and Systems, pages 437-443, 1971, referred to as Lampson in the following). This general definition contains the first indication of the nowadays more popular term access control. In his work, the primary goal of adding protection to information systems is to protect users from their own or other users' malice. In the context of this work, this is still valid, since the goal is to protect supply chain participants from malicious behavior, whether intended or unintended, of other supply chain participants, technical errors of other automatic information systems, competitors, counterfeiters, or any kind of attackers. In addition, Lampson discusses the concept of access control matrices as a strategy for protection. This concept is also incorporated in the given work. He names possible issues that reside in the hardware limitations of the year 1971. For instance, the complete access control matrix can grow fast depending on the number of users and objects. Keeping it entirely in fast-accessible main memory is considered a waste of resources since its capacity is limited and only single entries of the access control matrix need to be accessed at a certain moment (see Lampson).
In this application, we consider these hardware limitations as no longer valid. We keep the entire access control matrix in a compressed format in fast access main memory by incorporating in-memory technology as discussed in the corresponding section above.
The historical examples show a common empirical paradigm that is still valid for modern information systems: aspects of data protection are rarely considered during the design phase. More often, data protection is investigated once a product is ready to sell and a critical number of users are running the system. After this critical mass has been reached, the product becomes a more attractive target for attackers. In the context of EPCglobal networks, the EC recognized this gap for RFID systems and released a recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification in 2009. It contains the explicit advice to close the security gap by recommending that “[ . . . ] privacy and information security features should be built into RFID applications before their widespread use (principle of ‘security and privacy-by-design’)” (see European Commission. Recommendation on Privacy and Data Protection in Applications Supported by Radio-frequency Identification. http://ec.europa.eu/information_society/policy/rfid/documents/recommendationonrfid2009.pdf, May 2009). In addition, it contains a list of guidelines and principles that should be considered while implementing RFID information systems to raise their acceptance.
From the risk assessment's point of view, classifications of security risks are helpful to identify threats, assess them, evaluate their monetary impact, and design and implement countermeasures. Garfinkel et al. classify security risks according to the location where they occur into one of the following classes (Simson L. Garfinkel, Ari Juels, and Ravi Pappu. RFID Privacy: An Overview of Problems and Proposed Solutions. IEEE Security and Privacy, 3:34-43, 2005):
- Inside the Supply Chain: Locations and transportation systems controlled by supply chain participants,
- Outside the Supply Chain: Locations after the product has left the control of supply chain partners and is operated by the customer, and
- In the Transition Zone: Locations where products are leaving from inside to outside the supply chain, e.g. when the product is handed to the customer.
The present application primarily addresses the security of event repositories and the involved data exchange. Thus, we address threats that belong to the categories inside the supply chain and within the transition zone.
Spiekermann performed neutral studies on the acceptance of RFID technology and Privacy Enhancing Technologies (PETs) in retail businesses. In her work, she comes to the conclusion that “[ . . . ] consumers do value the service spectrum, which can be realized through RFID [but] they are willing to forgo these benefits in order to protect their privacy” (see Sarah Spiekermann. Privacy Enhancing Technologies for RFID in Retail: An Empirical Investigation. In Proceedings of the 9th International Conference on Ubiquitous Computing, pages 56-72, Berlin, Heidelberg, 2007. Springer-Verlag). As a result, we stress that improving security by using transparent privacy protection mechanisms is mandatory to increase the acceptance of RFID-aided supply chains.
In 2006, the National Institute of Standards and Technology (NIST) published a technical report assessing access control systems. It observes that a wide range of access control systems is based on XML-based policy languages, but all of them lack the capability to express history-based policies (Hu et al., Sect. 3.6.3). In the context of EPCglobal networks, the temporal and history aspect becomes more important since goods are moving from party to party and access rights need to be modified multiple times during the lifecycle of a certain product. During our research of related work for EPCglobal networks, we observed only a small number of works dealing with temporal access control (see, for example, Hu et al.). This motivated us to focus on processing the query history and to contribute an HBAC system based on in-memory data processing in the given application.
In the following, we classify related work according to the categories a) related work dealing with access control management systems and b) RFID-specific related work.
FIG. 5 depicts the components of an RFID information system that might be addressed by RFID-specific work: the infrastructure components of RFID-enabled companies are depicted as an FMC block diagram. Company-internal and -external systems exchange event data through the standardized interfaces of the EPCIS as defined by EPCglobal.
TABLE 6
Component           Location                         Category   Type
EPCIS Repository    Company/SaaS Provider            E/I        SW
RFID Middleware     Company                          I          SW
RFID Reader         Company, Freight Gates, Stock    I          HW
RFID Tag            Good                             E          HW
Service Provider    SaaS Provider                    E          SW
Discovery Service   SaaS Provider                    E          SW
Table 6 categorizes these components according to their physical location within the supply chain and their technology affinity. Table 6 classifies components as E=External, HW=Hardware, I=Internal, SW=Software.
Table 6 further shows that RFID tags and readers are systems embedded in hardware to perform frequent actions with very fast response times. In contrast, the remaining components are software components of the enterprise software architecture. As a result, different requirements for interoperability and standardization exist for the two categories. The classification into internal and external components is the basis for identifying security threats. Company-internal components can be controlled by enterprise-wide security policies that are enforced by regular training or testing of personnel. In contrast, external components cannot be controlled by company policies. Therefore, external components should be considered uncontrollable components in terms of security that might be the foundation of further threats, as discussed by Schapranow (Matthieu-P. Schapranow, Jürgen Müller, Alexander Zeier, and Hasso Plattner. Security Aspects in Vulnerable RFID-Aided Supply Chains. In Proceedings of the 5th European Workshop on RFID Systems and Technologies. VDE, 2009, referred to in the following as Schapranow III). Two thirds of the components given in Table 6 are software, and we categorized the EPCIS repository as both an internal and an external component. In this work, we focus on how to secure internal and external components, i.e. passive RFID tags and EPCIS repositories. The need to focus on software components arises from the evaluation of the components and categories addressed by related work.
FIG. 6 gives a comparison of related work, depicting the year of publication (2005-2009) vs. the addressed component and the number of relevant publications. Left: publications addressing the security of the components tags, readers, and their communication dominate. Right: work addressing the security of software systems, such as EPCIS repositories, middleware, and ONS, dominates. Work addressing the security of the EPCDS is not present.
FIG. 6 visualizes the results of our analysis of related work. It depicts the year of publication in relation to the addressed RFID component and the number of publications. Starting in 2005, it shows that related work dealing with security focuses on the air interface between readers and tags. Due to the limited security capabilities of low-cost tags and uncontrollable, vulnerable environments, the tag's content can be obtained with various well-researched techniques. Moreover, FIG. 6 highlights two further characteristics of related work: a) research activities concerning the security of enterprise components started after device-level security had been researched, and b) work dealing with the security aspects of enterprise components of EPCglobal networks rarely exists in comparison with work addressing the air interface, tags, or reader hardware. Although switching to EPCglobal networks involves new hardware components, e.g. RFID readers for RFID technology or barcode scanners when incorporating visual identification techniques, various software components are required as well. Table 6 classifies the components of RFID-aided supply chains according to the categories location within the supply chain, access type, and whether a component is hardware or software. It highlights that the number of involved enterprise software components, such as EPCIS repository, EPCDS, ONS, etc., is twice the number of involved hardware components. The majority of involved enterprise software components motivates our research activities on business-level security in the rest of this application.
A similar trend can be observed in industrial implementation projects, e.g. for product authenticity. For example, the pharmaceutical manufacturer Pfizer started a pilot project in 2006 to track pharmaceuticals with RFID technology, but it has not been rolled out company-wide to date (U.S. Pharmaceuticals Pfizer Inc. Anti-Counterfeit Drug Initiative Workshop and Vendor Display. www.fda.gov/OHRMS/DOCKETS/dockets/05n0510/05N-0510-EC21-Attach-1.pdf, 2006). The Metro Future Store initiative aims to improve supply chain management in the last step of the supply chain, the retail store, but most of its examples lack a concrete productive implementation (METRO Group. METRO Group and RFID. www.future-store.org/fsi-internet/get/documents/FSI/multimedia/pdfs/broschueren/RFID24, 20111, 2008.).
Public discussions of the reasons for stopping these projects are not available. However, concerns about data security and privacy are considered possible reasons (see Spiekermann). Initiatives such as FoeBuD e.V. in Germany campaign for strictly limiting the use of RFID tags in industry, e.g. in retail stores (FoeBuD e.V. Die StopRFID-Seiten des FoeBuD e.V. www.foebud.org/rfid/index_html, January 2012). FIG. 6 shows that related work on securing RFID-specific enterprise systems has addressed these privacy concerns since 2007. This application contributes security extensions for RFID-specific enterprise software components in order to increase the acceptance and future usage of EPCglobal networks.
The present application combines access control mechanisms, EPCglobal networks, and RFID technology as individual fields of research. We analyzed existing related work in each of these fields, focusing on data security and applicability to the given pharmaceutical scenario.
Abadi and Fournet discuss the dynamic assignment of access rights to programs during their execution, based on the history of code executed so far, and refer to it as history-based access control (HBAC) (Martin Abadi and Cedric Fournet. Access Control based on Execution History. In Proceedings of the 10th Annual Network and Distributed System Security Symposium, pages 107-121, 2003). Edjlali et al. had already argued in 1998 that HBAC "[ . . . ] has the potential to significantly expand the set of programs that can be executed without compromising security [ . . . ]" (Guy Edjlali, Anurag Acharya, and Vipin Chaudhary. History-based access control for mobile code. In Proceedings of 5th Conference on Computer and Communications Security, pages 38-48, 1998). NIST observed that concrete HBAC implementations are limited, e.g. with respect to real-time analysis of the history (Hu et al.).
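The following is an added illustration of the HBAC principle transferred to the repository setting of this application; it is not the access control method of this application, and the policy it encodes is an assumption chosen for the example. An inquirer has static read rights for events of its own products (GS1 company prefix) and of products it is recorded as having handled. The history-based part is that repeated probing of products the inquirer never handled revokes all read rights for the remainder of a bounded sliding window, including rights the inquirer would statically have. The bounded window also shows one way to keep the real-time history analysis noted by NIST cheap. The EPC values, company prefixes and time stamps are constructed.

```python
# Toy history-based access control (HBAC) monitor for queries against an
# EPCIS-style event repository. Added illustration only; NOT the access
# control method of this application. The policy below is an assumption.
#
# Idea (after Abadi/Fournet and Edjlali et al.): the decision for a request
# depends not only on the static rights of the inquirer but also on what the
# inquirer has done before. Here, an inquirer that keeps probing products it
# never handled loses ALL read rights for the rest of a sliding window.
from collections import deque
from dataclasses import dataclass, field


def company_prefix(epc: str) -> str:
    """GS1 company prefix of an SGTIN EPC URI, e.g.
    urn:epc:id:sgtin:0614141.107346.2017 -> '0614141'."""
    parts = epc.split(":")
    if len(parts) != 5 or parts[:4] != ["urn", "epc", "id", "sgtin"]:
        raise ValueError(f"unsupported EPC: {epc}")
    return parts[4].split(".")[0]


@dataclass
class Inquirer:
    name: str
    own_prefix: str                                  # the inquirer's own GS1 prefix
    handled: set = field(default_factory=set)        # EPCs seen at goods receipt (constructed)
    history: deque = field(default_factory=deque)    # (time, epc, foreign) per request


class HbacMonitor:
    def __init__(self, window_s: float = 300.0, max_foreign_probes: int = 3):
        self.window_s = window_s
        self.max_foreign_probes = max_foreign_probes

    def _prune(self, inq: Inquirer, now: float) -> None:
        # Bounded sliding window: only recent history influences the decision,
        # so each decision costs O(window) rather than O(full audit log).
        while inq.history and now - inq.history[0][0] > self.window_s:
            inq.history.popleft()

    def static_right(self, inq: Inquirer, epc: str) -> bool:
        """Rights the inquirer holds regardless of its history."""
        return company_prefix(epc) == inq.own_prefix or epc in inq.handled

    def decide(self, inq: Inquirer, epc: str, now: float) -> str:
        """Return 'allow', 'deny' or 'revoked' and record the request."""
        self._prune(inq, now)
        foreign = not self.static_right(inq, epc)
        recent_foreign = sum(1 for _, _, f in inq.history if f)
        if recent_foreign >= self.max_foreign_probes:
            verdict = "revoked"   # history has exhausted the inquirer's rights
        elif foreign:
            verdict = "deny"      # no static right for this product
        else:
            verdict = "allow"
        inq.history.append((now, epc, foreign))
        return verdict


def demo() -> list:
    # Constructed scenario: a wholesaler (prefix 0614141) received two items of a
    # manufacturer (prefix 0037000) and then probes that manufacturer's other serials.
    w = Inquirer("wholesaler", "0614141",
                 handled={"urn:epc:id:sgtin:0037000.012345.1",
                          "urn:epc:id:sgtin:0037000.012345.2"})
    mon = HbacMonitor(window_s=300.0, max_foreign_probes=3)
    requests = [
        (0.0,   "urn:epc:id:sgtin:0037000.012345.1"),  # received item      -> allow
        (10.0,  "urn:epc:id:sgtin:0614141.107346.9"),  # own product        -> allow
        (20.0,  "urn:epc:id:sgtin:0037000.012345.3"),  # never handled      -> deny (probe 1)
        (30.0,  "urn:epc:id:sgtin:0037000.012345.4"),  # probe 2            -> deny
        (40.0,  "urn:epc:id:sgtin:0037000.012345.5"),  # probe 3            -> deny
        (50.0,  "urn:epc:id:sgtin:0037000.012345.2"),  # received, but history -> revoked
        (400.0, "urn:epc:id:sgtin:0037000.012345.2"),  # window elapsed     -> allow again
    ]
    return [mon.decide(w, epc, t) for t, epc in requests]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The sixth request is the point of the example: the inquirer holds a static right to that EPC, yet the request is refused because of what the inquirer did in the preceding minute. A purely static access control list could not express this.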
Based on the given components, related work dealing with RFID-specific data security and privacy may be classified. With respect to the latest access control approaches, the comparison shows a common use of XML-based languages for the specification of access rights, primarily XACML, which is discussed in the following. Furthermore, the implementation of data security in RFID technology is split in two. For securing the communication between tag and reader, fast hardware-based implementations are used. The majority of related work dealing with EPCglobal components, however, proposes software solutions, e.g. when focusing on authentication or access control. Only a small portion of related work actively makes use of encryption when exchanging data. We assume that most contributions have not considered data security in EPCglobal networks so far because the EPCglobal consortium has not yet standardized it.