An access control model for mobile physical objects

Access to distributed databases containing tuples collected about mobile physical objects requires information about the objects' trajectories. Existing access control models cannot encode this information efficiently. This poses a policy management problem to administrators in real-world supply chains where companies want to protect their goods tracking data. In this paper we propose a new access control model as an extension to attribute-based access control that allows trajectory-based visibility policies. We prove the security properties of our novel authentication protocol for distributed systems that can supply the decision algorithm with the necessary reliable information using only standard passive RFID tags. As a result companies will be able to improve confidentiality protection and governance of their object tracking data and more trustingly engage in data sharing agreements.

[1]  Mei-Yu Wu,et al.  Applying Context-Aware RBAC to RFID Security Management for Application in Retail Business , 2008, 2008 IEEE Asia-Pacific Services Computing Conference.

[2]  Florian Kerschbaum,et al.  RFID-based supply chain partner authentication and key agreement , 2009, WiSec '09.

[3]  Norbert Felber,et al.  ECC Is Ready for RFID - A Proof in Silicon , 2008, Selected Areas in Cryptography.

[4]  Trent Jaeger,et al.  Managing access control policies using access control spaces , 2002, SACMAT '02.

[5]  Paul C. van Oorschot,et al.  Authentication and authenticated key exchanges , 1992, Des. Codes Cryptogr..

[6]  Alvin Cheung,et al.  Towards Traceability across Sovereign, Distributed RFID Databases , 2006, 2006 10th International Database Engineering and Applications Symposium (IDEAS'06).

[7]  Daniel W. Engels,et al.  RFID Systems and Security and Privacy Implications , 2002, CHES.

[8]  Andreas Matheus,et al.  How to Declare Access Control Policies for XML Structured Information Objects using OASIS' eXtensible Access Control Markup Language (XACML) , 2005, Proceedings of the 38th Annual Hawaii International Conference on System Sciences.

[9]  Holger Bock,et al.  A Milestone Towards RFID Products Offering Asymmetric Authentication Based on Elliptic Curve Cryptography , 2008 .

[10]  Sjouke Mauw,et al.  Secure Ownership and Ownership Transfer in RFID Systems , 2009, ESORICS.

[11]  Markus Müller,et al.  Fine-Grained Access Control for EPC Information Services , 2008, IOT.

[12]  Dan Suciu,et al.  Physical Access Control for Captured RFID Data , 2007, IEEE Pervasive Computing.

[13]  Frédéric Thiesse,et al.  An Analysis of Data-on-Tag Concepts in Manufacturing , 2008, MMS.

[14]  Florian Kerschbaum,et al.  Industrial Privacy in RFID-based Batch Recalls , 2008, 2008 12th Enterprise Distributed Object Computing Conference Workshops.

[15]  Peter Steenkiste,et al.  Exploiting Hierarchical Identity-Based Encryption for Access Control to Pervasive Computing Information , 2005, First International Conference on Security and Privacy for Emerging Areas in Communications Networks (SECURECOMM'05).

[16]  Vidyasagar Potdar,et al.  A Survey of RFID Authentication Protocols , 2008, 22nd International Conference on Advanced Information Networking and Applications - Workshops (aina workshops 2008).

[17]  B. Song RFID Tag Ownership Transfer , 2008 .

[18]  Michael J. Nash,et al.  The Chinese Wall security policy , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[19]  Ari Juels,et al.  RFID security and privacy: a research survey , 2006, IEEE Journal on Selected Areas in Communications.

[20]  Ramakrishnan Srikant,et al.  Hippocratic Databases , 2002, VLDB.

[21]  Florian Kerschbaum,et al.  Privacy-preserving computation of benchmarks on item-level data using RFID , 2010, WiSec '10.

[22]  Ravi S. Sandhu,et al.  Task-Based Authorization Controls (TBAC): A Family of Models for Active and Enterprise-Oriented Autorization Management , 1997, DBSec.

[23]  S. Chou,et al.  Cost Reduction of Public Transportation Systems with Information Visibility Enabled by RFID Technology , 2009 .

[24]  Hovav Shacham,et al.  Short Signatures from the Weil Pairing , 2001, J. Cryptol..

[25]  Vijayalakshmi Atluri,et al.  A Chinese wall security model for decentralized workflow systems , 2001, CCS '01.

[26]  Kenneth P. Birman,et al.  Exploiting virtual synchrony in distributed systems , 1987, SOSP '87.

[27]  Jin Tong,et al.  Attributed based access control (ABAC) for Web services , 2005, IEEE International Conference on Web Services (ICWS'05).

[28]  Debmalya Biswas,et al.  On the practical importance of communication complexity for secure multi-party computation protocols , 2009, SAC '09.

[29]  Florian Kerschbaum,et al.  Practical Privacy-Preserving Benchmarking , 2008, SEC.

[30]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[31]  Vincent Rijmen,et al.  AES implementation on a grain of sand , 2005 .

[32]  Phil Blythe RFID for road tolling, road-use pricing and vehicle access control , 1999 .

[33]  Setsuo Ohsuga,et al.  INTERNATIONAL CONFERENCE ON VERY LARGE DATA BASES , 1977 .

[34]  Elisa Bertino,et al.  A generalized temporal role-based access control model , 2005, IEEE Transactions on Knowledge and Data Engineering.

[35]  Moti Yung,et al.  Fourth-factor authentication: somebody you know , 2006, CCS '06.

[36]  Daniel W. Engels,et al.  Radio Frequency Identification and the Electronic Product Code , 2001, IEEE Micro.

[37]  Florian Michahelles,et al.  Dual Ownership: Access Management for Shared Item Information in RFID-enabled Supply Chains , 2007, Fifth Annual IEEE International Conference on Pervasive Computing and Communications Workshops (PerComW'07).

[38]  Brian L. Dos Santos,et al.  RFID in the supply chain , 2008, Commun. ACM.

[39]  Andrew S. Tanenbaum,et al.  Keep on Blockin' in the Free World: Personal Access Control for Low-Cost RFID Tags , 2005, Security Protocols Workshop.

[40]  Tim Kerins,et al.  Public-Key Cryptography for RFID-Tags , 2007, Fifth Annual IEEE International Conference on Pervasive Computing and Communications Workshops (PerComW'07).

[41]  Ralf Ackermann,et al.  Proof of Possession: Using RFID for Large-Scale Authorization Management , 2007, AmI Workshops.

[42]  David A. Wagner,et al.  A Scalable, Delegatable Pseudonym Protocol Enabling Ownership Transfer of RFID Tags , 2005, IACR Cryptol. ePrint Arch..

[43]  Hyun-Dong Lee,et al.  Enterprise Application Framework for Constructing Secure RFID Application , 2006, ICHIT.

[44]  Frédéric Thiesse,et al.  Extending the EPC network: the potential of RFID in anti-counterfeiting , 2005, SAC '05.

[45]  Douglas B. Terry,et al.  Continuous queries over append-only databases , 1992, SIGMOD '92.