Prof. Dr. h.c. Hasso Plattner

Real-time Security Extensions for EPCglobal Networks

Below, you can browse through the slide deck of my disputation hold on Sep. 19, 2012 in Potsdam. The corresponding public notice of the HPI is available here.


The number of detected counterfeits at the borders of the European Union (EU) increases steadily. Counterfeits of exclusive and expensive goods are ranked highest, e.g. pharmaceutical goods. Instead of using current identification techniques working on product classes, such as the Electronic Article Number (EAN), new identification methods working on item level, such as the Electronic Product Code (EPC), create the foundation of fine-grained tracking and tracing of individual goods. Appropriate techniques for automatic reading of product data, such as Radio Frequency Identification (RFID), instead of one-dimensional bar codes, can improve handling of goods. As a result, a product’s unique identity can be read automatically by passing it through reading gates. The gathered data can be verified and synchronized with enterprise applications, such as Enterprise Resource Planning (ERP) systems. For this purpose, the product’s identity, date and time of the reading, reading location, and further business relevant data are logged as events and stored in dedicated IT systems of supply chain parties in a distributed manner. Event data can be employed for a number of purposes, e.g. to verify certain goods or to identify the location of products affected by product recalls. In particular, with the help of gathered event data, heuristics can be used to validate the authenticity of products within seconds when passing them from one supply chain participant to the next. Furthermore, they can provide advices for decision taking when dealing with unknown suppliers or substitution products. The transformation towards an RFID-aided supply chain requires new technical equipment for capturing events and IT systems to store and exchange event data with other supply chain participants. Supply chain participants need to face the automatic exchange of event data with business partners for the very first time. Data protection of sensitive business secrets is therefore the major aspect that needs to be clarified before companies will start to adopt required transformation steps. The given work contributes towards data protection in EPCglobal networks as follows:

  • Design of transparent security extensions for EPCglobal networks for device- and business-level software,
  • Definition of authentication protocols for device with low computational resources, e.g. RFID tags,
  • Development of an access control mechanism for software components in EPCglobal networks based on the analysis of the complete query history to automatically protect event data,
  • Design of a fine-grained continuous filtering of event data instead of a currently widely used binary access decision,
  • Implementation of history-based access control based on an in-memory database to enable a real-time analysis of the complete query history, and
  • Integration of security extensions into the FOSSTRAK architecture to evaluate their applicability in context of the pharmaceutical industry.

The security extensions focus on event data since they need to be considered as sensitive data. Their knowledge can be misused to derive business secrets, e.g. business relationships. The given work defines strict requirements for the response time behavior of the security extensions to preserve a competitive advantage for business processes, e.g. during product receipt.


In zunehmendem Maße werden Produktfälschungen an den Grenzen zur Europäischen Union (EU) beschlagnahmt. Dabei führen Fälschungen hochpreisiger Produkte, wie pharmazeutische Produkte, die Liste der aufgedeckten Fälle an. Der Einsatz von Identifikationstechniken auf Instanzenebene, z.B. mittels elektronischem Produktcode (EPC), statt der bisherigen Identifikation basierend auf Produktklassen, z.B. mittels elektronischer Artikelnummer (EAN), bildet die Basis für eine feingranularere Verfolgung von Produkten in Lieferketten. Durch Verwendung geeigneter Techniken zum Auslesen von Produktdaten, wie Funkidentifikation (RFID) anstelle von eindimensionalen Strichcodes, können Informationen zur Identifikation von konkreten Produkten künftig automatisch beim Passieren von Lesegeräten abgefragt, geprüft und mit anderen Geschäftsanwendungen, wie Warenwirtschaftssystemen, abgeglichen werden. Dazu werden Datum, Uhrzeit, Standort, sowie für den Geschäftsprozess relevante Aktionen als Ereignisse protokolliert und in IT-Systemen jedes einzelnen Teilnehmers der Lieferkette abgespeichert. Sie können z.B. zur Überprüfung von Produkten und zur Koordination von Rückrufaktionen herangezogen werden. Durch Transformation zu einer RFID-gestützten Lieferkette sind technische Komponenten, wie Lesegeräte, sowie neue IT-Systeme, z.B. zur Speicherung und zum Austausch von Ereignisdaten, erforderlich. Einhergehend müssen sich teilnehmende Unternehmen erstmals einer automatisierten Abfrage von Ereignisdaten durch externe Firmen stellen. Dabei ist der Aspekt der Datensicherheit, z.B. von Ereignisdaten, Kundendaten und Betriebsgeheimnissen, eine der grundlegenden Fragen, die es zu klären gilt. Die vorliegende Arbeit trägt zum Datenschutz in EPCglobal-Netzwerken durch folgende Leistungen bei:

  • Entwurf transparenter Sicherheitserweiterungen für EPCglobal-Netzwerke auf Geräte- und Geschäftssoftware-Ebene,
  • Definition von Authentifizierungsprotokollen optimiert für den Einsatz auf Geräten mit minimalen Rechenressourcen, z.B. RFID-Tags,
  • Entwicklung eines auf der Anfragehistorie basierenden Zugriffskontrollverfahrens für Software-Komponenten in EPCglobal-Netzwerken zum automatisierten Schutz vor dem Ausspionieren von Geschäftsgeheimnissen durch die semantische Kombination von Ereignisdaten,
  • Implementierung einer feingranularen kontinuierlichen Filterung von Ereignisdaten anstelle einer üblicherweise binären Zugriffsentscheidung,
  • Umsetzung des Zugriffskontrollverfahrens mittels einer auf Hauptspeichertechnologie basierenden Datenbank zur Echtzeit-Analyse der vollständigen Anfragehistorie, sowie die
  • Evaluierung der Anwendbarkeit der Sicherheitserweiterungen für die Anforderungen der pharmazeutischen Industrie durch Integration in die EPC- Ereignisdatenbank der Open-Source-Lösung FOSSTRAK.

Die entwickelten Sicherheitserweiterungen beziehen sich auf Ereignisdaten, die im Geschäftskontext als schützenswert einzustufen sind, da sie durch geeignete Kombination zum Ausspähen von Betriebsgeheimnissen, z.B. Geschäftsbeziehungen, herangezogen werden können. Die vorliegende Arbeit stellt dabei strikte Anforderungen an das Antwortzeitverhalten der Sicherheitserweiterungen, um deren wirtschaftlichen Vorteile, z.B. während der automatischen Prüfung von Wareneingängen, nicht zu schmälern.

Architectural Overview

The Electronic Product Code (EPC) is the basis to identify product on instance level. In combination with Radio Frequency Identification (RFID) it enables wireless tracking and tracing of individual products throughout the product's lifecycle in the supply chain. Once a product passes a reading gate associated meta data is stored in distributed event repositories (EPCIS). For example, event data consist of the product's unique identifier, date and time, reading location, and involved business steps. Analysis of the product's event data is the basis for authenticity checks to prevent product counterfeits. However, the semantic combination of event data can be misused, e.g. to retrieve active product ingredients, to fake contents of packages, or to derive business relationships between business partners.  The designed security extensions for EPCglobal networks address the control of access to event data, the secured exchange of event data, and its filtering by incorporating in-memory technology for the first time. They perform real-time analyses of the complete access history of every participant to derive individual access rights and to restrict access to event data even after their exposure. In contrast to traditional access control mechanisms that enable a bivalent control of access (access granted vs. access denied) the developed security extensions enable a continuous spectrum of access while filtering sensitive data from the result set. Feasibility of the security extensions are proofed by integrating them into the open-source event repository FOSSTRAK EPCIS.

EPCglobal Secure Tracking Demo

The mobile iPad app can be used to gather detailed information for any individual item equipped with an EPC. It summarizes all events that characterize the product's path through the supply chain. The app can be used in the following two operation modes (by the toggle button in the scanning screen):

  • Toggle button deactivated: The application communicates directly with the EPCIS repository via unsecured communication channels. In this mode, exchanged event data can be manipulated, exchanged, or faked without the knowledge of the requester. As a result, counterfeited products are hidden by manipulating the virtual product path.
  • Toggle button activated: The application uses the developed security extensions. All data is transparently encrypted by the Access Control Client (ACC) when exchanged between requester and EPCIS repository. In addition, the Access Control Server (ACS) logs the entire inquirer history. When taking an access decision, the history is analyzed and user-specific access rights are derived. Before reading events are exposed to the user of the app, the result are filtered accordingly. Due to the very late access control, it is possible to revoke access rights even after data has been sent to the client site.

The prototype verifies that enabling the security extensions does not significantly affect the processing speed of event data. As a result, the viability aspect of the innovation is demonstrated.

Querying EPCIS directly without Security Extensions

The product's EPC can either be scanned using the integrated iPad camera or entered manually. Then the query is sent via wireless LAN to the EPCIS of the manufacturer.

Traditionally, any user can query all relevant event data from the EPCIS of the manufacturer. In other words, the result set is not filtered in any way.

Real-time security extensions are enabled in the prototype by toggling the security button. Instead of sending the query directly to the EPCIS, it is now send to the local ACC of the inquirer. The ACC transparently handles encryption and filtering of exchanged event data.

When having security extensions enabled, the result set is filtered accordingly to the user's querying behavior by analyzing his query history in real-time. Particular information regarding the movements of the queried item is no longer displayed in detail, e.g. to prevent expose of company-internal business steps for the current user.