Hasso-Plattner-Institut25 Jahre HPI
Hasso-Plattner-Institut25 Jahre HPI
  • de

Real-Time Security Extensions for EPCglobal Networks

The number of detected counterfeits at the borders of the European Union (EU) increases steadily. Counterfeits of exclusive and expensive goods are ranked highest, e.g. pharmaceutical goods [28]. Instead of using current identification techniques working on product classes, such as the Electronic Article Number (EAN), new identification methods working on item level, such as the Electronic Product Code (EPC), create the foundation of fine-grained tracking and tracing of individual goods [42]. Appropriate techniques for automatic reading of product data, such as Radio Frequency Identification (RFID), instead of onedimensional bar codes, can improve handling of goods. As a result, a product’s unique identity can be read automatically by passing it through reading gates. The gathered data can be verified and synchronized with enterprise applications, such as Enterprise Resource Planning (ERP) systems. For this purpose, the product’s identity, date and time of the reading, reading location, and further business relevant data are logged as events and stored in dedicated IT systems of supply chain parties in a distributed manner. Event data can be employed for a number of purposes, e.g. to verify certain goods or to identify the location of products affected by product recalls. In particular, with the help of gathered event data, heuristics can be used to validate the authenticity of products within seconds when passing them from one supply chain participant to the next. Furthermore, they can provide advices for decision taking when dealing with unknown suppliers or substitution products. The transformation towards an RFID-aided supply chain requires new technical equipment for capturing events and IT systems to store and exchange event data with other supply chain participants. Supply chain participants need to face the automatic exchange of event data with business partners for the very first time. Data protection of sensitive business secrets is therefore the major aspect that needs to be clarified before companies will start to adopt required transformation steps. The given work contributes towards data protection in EPCglobal networks as follows:

  • Design of transparent security extensions for EPCglobalnetworks for device and business-level software,
  • Definition of authentication protocols for device with low computational resources, e.g. RFID tags,
  • Development of an access control mechanism for software components in
    EPCglobal networks based on the analysis of the complete query history to automatically protect event data,
  • Design of a fine-grained continuous filtering of event data instead of a currently widely used binary access decision,
  • Implementation of history-based access control based on an in-memory database to enable a real-time analysis of the complete query history, and
  • Integration of security extensions into the FOSSTRAKarchitecture to evaluate their applicability in context of the pharmaceutical industry.

The security extensions focus on event data since they need to be considered as sensitive data. Their knowledge can be misused to derive business secrets, e.g. business relationships. The given work defines strict requirements for the response time behavior of the security extensions to preserve a competitive advantage for business processes, e.g. during product receipt.