Elsevier

Computers & Security

Volume 31, Issue 8, November 2012, Pages 870-885
Computers & Security

A secure and efficient discovery service system in EPCglobal network

https://doi.org/10.1016/j.cose.2012.08.005Get rights and content

Abstract

In recent years, the Internet of Things (IOT) has drawn considerable attention from the industrial and research communities. Due to the vast amount of data generated through IOT devices and users, there is an urgent need for an effective search engine to help us make sense of this massive amount of data. With this motivation, we begin our initial works on developing a secure and efficient search engine (SecDS) based on EPC Discovery Services (EPCDS) for EPCglobal network, an integral part of IOT. SecDS is designed to provide a bridge between different partners of supply chains to share information while enabling them to find who is in possession of an item. The most important property of SecDS is: while efficiently processing user's search, it is also secure. In order to prevent unauthorized access to SecDS, an extended attribute-based access control model is proposed and implemented such that information belonging to different companies can be protected using different policies. We design, implement SecDS and conduct extensive experiments on it. The results validate the practicality and cost effectiveness of our design and implementations.

Introduction

As an integral part of future Internet, Internet of Things (IOT) has drawn considerable attention from the industrial and research communities around the world. Through IOT, we can look forward to a world where physical objects and virtual data interact (Kosmatos et al., 2011), generating mass amount of data that will exceed that of what we have on the world-wide-web (WWW) today. There is an urgent need for a relevant search engine, to help us make sense of this data, just as how BING and GOOGLE are helping us navigate through the trillion-page Internet today.

EPCglobal network (EPCglobal, 2011a) is an important part of IOT. As a global standard RFID data sharing infrastructure, EPCglobal network is made up of Electronic Product Code (EPC) (EPCglobal, 2011c), EPC Information Services (EPCIS) (EPCglobal, 2011d), EPC Discovery Services (EPCDS) (EPCglobal, 2009), amongst others.

In EPCglobal network, each physical product is associated with an RFID tag, represented by an unique EPC. This EPC can be retrieved from the RFID tags wirelessly via RFID readers as it transits between locations without contact-of-sight. These read events are usually processed by a middleware (EPCglobal, 2011b), and are stored locally at each supply chain partner's location-centric EPCIS (Muller et al., 2010). With dynamic churn rates of partners and EPCIS, EPCDS becomes a unifying figure, helping partners locate information about a product in the supply chain. Through EPCglobal Network, participants can avoid information blackouts, and reaping the benefits of the RFID technology.

As the search and discovery component of EPCglobal network, EPCDS is designed with the intention of providing a bridge between supply chain partners, allowing them to share information, getting a step closer to achieve an automated supply chain. Due to the sensitivity and high value of the data transacted in EPCDS, a suitable access control mechanism is required. In this paper, we attempt to design and implement a secure and efficient EPCDS (SecDS) with an effective and efficient access control mechanism.

The road to achieve this is paved with the following challenges: (1) information transacted through EPCDS is constantly increasing, while churn rates of users is highly dynamic. This dynamism makes access control policies highly complex. (2) Each partner publishes information independently to EPCDS applying a myriad of access control policies. This disparate collection of access control policies in EPCDS makes it difficult to process, manage and maintain these policies effectively. Adding to this complexity, partners may not know of the existence of all participants in the supply chain. These made traditional access control mechanisms based on identity of users unsuitable. (3) As EPCDS is introduced to increase the visibility of RFID-related objects [9], it is important to support visibility policies (e.g. event information of an EPC is only allowed to be accessed by these partners who also handle the product with this EPC). It is thus necessary to provide an efficient approach to specify and enforce these policies.

Our contributions in this work are summarized as follows:

  • We provide the requirements of access control for SecDS after analyzing existing literals and standard documents.

  • An extended attribute based access control (ABAC) model is proposed for SecDS that enriches the expressiveness of access control policies, while supporting visibility policies.

  • We design and implement SecDS where this extended ABAC model is enforced without compromising on the efficiency of users' queries.

  • An extensive experiment is conducted to validate that SecDS is practical and cost-effective.

We begin with a description of background and motivations for our work in the following section. The extended ABAC model is presented in Section 3 and the implementation of SecDS is introduced in Section 4. Section 5 provides an evaluation of our implementation and finally we introduce related works, conclude the paper, and describe future works.

Section snippets

EPCglobal network

As an important part of Internet of Things, EPCglobal network is a global standard for RFID supply chain networks providing a platform for trading partners to share product information (EPCglobal, 2011a). As participants of the EPCglobal Network, companies publish event information of products into the EPCglobal Network, to share with each other. These information gives EPCglobal Network participants visibility of the location and movement of products within supply chains.

The architecture of

Attribute-based access control for SecDS system

Different from traditional access control models (DAC, MAC and RBAC), attribute based access control (ABAC) policies are specified based on attributes of subjects and objects (Yuan and Tong, 2005).

Architecture of secure discovery service system

Before introducing the detailed implementation, we first provide the architecture of SecDS as shown in Fig. 4.

SecDS comprises the following components: Data Storage Server, Policy Storage Server, Policy Management, Policy Service, and Query Modification. Each of them is briefly presented as follows.

Data Storage Server: Data Storage Server stores event data published by supply chain partners, which is also what users want to access. The access control mechanism in SecDS is used to protect the

Experiments

We implement a prototype of SecDS system. In these experiments, we aim to measure the cost of enforcing attribute-based access control in SecDS using the proposed approaches, i.e. we measure the performance of enforcing attribute-based access control comparing to that of no security mechanism. We also would like to study how the experimental parameters affect the performance of the enforcement. The parameters we consider are:

  • scNum: The total number of supply chains;

  • epcisNum: The total number of

Related work

For improving supply chain visibility, RFID-enabled supply chain network has drawn considerable attention from research and industrial community in recent years. Many track & trace systems are designed and implemented in the past decade, including IBM Theseos (Cheung et al., 2007), DIALOG (Främling and Nyman, 2009), and the system developed in BRIDGE project (Bridge, 2007). However, the problem of how to efficiently and effectively share supply chain information among different partners is

Conclusion

This paper described SecDS, a search engine based on EPCDS for EPCGlobal network. SecDS is not only efficient in processing users' search queries, but also secure and expressive in enforcing various data protection. We analyzed the requirements of access control for EPCDS and proposed an extended attribute based access control model to meet the requirements. In order to maintain efficiency, we proposed an approach of transforming ABAC policies to FGAC policies, and using query modification

Acknowledgments

The authors thank the anonymous reviewers for valuable comments and suggestions. This work is supported in part by the Office of Research at Singapore Management University.

Jie Shi received the B.S. degree from Hefei University of Technology in 2006 and received his Ph.D. degree from Huazhong University of Science and Technology in 2010. He is currently working as a research fellow in Singapore Management University. His current research interests are security and privacy of EPCglobal network, data and applications security.

References (40)

  • S. Chaudhuri et al.

    Fine grained authorization through predicated grants

  • L.W.F. Chaves et al.

    Industrial privacy in rfid-based batch recalls

  • A. Cheung et al.

    Theseos: a query engine for traceability across sovereign, distributed rfid databases

  • R.H. Deng et al.

    A new framework for rfid privacy

  • EPCglobal

    Data discovery (dd jrg) requirements document

    (2009)
  • EPCglobal
  • EPCglobal

    Application level events (ale) standard

    (2011)
  • EPCglobal

    Electronic product code

    (2011)
  • EPCglobal

    Epc information services

    (2011)
  • S. Evdokimov et al.

    Comparison of discovery service architectures for the internet of things

  • Cited by (11)

    • Outdoor UPnP for Services Discovery in Smart Cities

      2018, Proceedings of the 2018 International Conference on Applied Smart Systems, ICASS 2018
    • What can i do here? IoT service discovery in smart cities

      2016, 2016 IEEE International Conference on Pervasive Computing and Communication Workshops, PerCom Workshops 2016
    • Oliot-discovery service: Dealing with performance and security issues from intra-DS aspect for IoT

      2016, Proceedings - IEEE Global Communications Conference, GLOBECOM
    View all citing articles on Scopus

    Jie Shi received the B.S. degree from Hefei University of Technology in 2006 and received his Ph.D. degree from Huazhong University of Science and Technology in 2010. He is currently working as a research fellow in Singapore Management University. His current research interests are security and privacy of EPCglobal network, data and applications security.

    Yingjiu Li is currently an Associate Professor in the School of Information Systems at Singapore Management University. He received his Ph.D. degree in Information Technology from George Mason University in 2003. His research interests include RFID security, applied cryptography, and data applications security. He has published over 70 technical papers in international conferences and journals. He has served in the program committees for over 50 international conferences and workshops. Yingjiu Li is a senior member of the ACM and a member of the IEEE.

    Robert H. Deng is currently a professor, associate dean for Faculty and Research, School of Information Systems at Singapore Management University. He received his Ph.D. degrees from the Illinois Institute of Technology. He has more than 200 technical publications in international conferences and journals in the areas of computer networks, network security, and information security. He has served as general chair, program committee chair, and program committee member of numerous international conferences. He is an Associate Editor of the IEEE Transactions on Dependable and Secure Computing, Associate Editor of Security and Communication Networks Journal (John Wiley).

    View full text