Fine-grained privacy control for the RFID middleware of EPCglobal networks

The Electronic Product Code (EPC) is a Radio Frequency IDentification (RFID) that offers a new way of automating identification. However, once RFID tags carry more than just an identifier, privacy may be violated. Treating the privacy in early stages helps to master the data view before interpreting and storing it in databases. An RFID middleware is the entity that sits between tag readers and database applications. It is in charge of collecting, filtering, aggregating and grouping the requested events from heterogeneous RFID environments. Thus, the system, at this point, is likely to suffer from parameter manipulation and eavesdropping, raising privacy concerns. We propose a privacy controller module that enhances the Filtering and Collection middleware of the RFID EPCglobal network. We provide a privacy policy-driven model using some enhanced contextual concepts of the extended Role Based Access Control model. To show the feasibility of our privacy-enhanced model, we provide a proof-of-concept prototype integrated into the middleware of the Fosstrak framework, an open-source implementation of the EPCglobal specifications.

[1]  David Simplot-Ryl,et al.  Contracts and Grants with Industry - European FP7 ICT IP “Advanced Sensors and lightweight Programmable middleware for Innovative Rfid Enterprise applications” (ASPIRE) 2008-2010 , 2008 .

[2]  Nora Cuppens-Boulahia,et al.  Privacy-enhanced filtering and collection middleware in EPCglobal networks , 2013, 2013 International Conference on Risks and Security of Internet and Systems (CRiSIS).

[3]  Ning Zhang,et al.  A Purpose-Based Access Control Model , 2007, Third International Symposium on Information Assurance and Security.

[4]  Joaquín García,et al.  A Practical Implementation Attack on Weak Pseudorandom Number Generator Designs for EPC Gen2 Tags , 2011, Wirel. Pers. Commun..

[5]  Nora Cuppens-Boulahia,et al.  Semantic context aware security policy deployment , 2009, ASIACCS '09.

[6]  Sokratis Kartakis,et al.  Enhancing Health Care Delivery through Ambient Intelligence Applications , 2012, Sensors.

[7]  Frédéric Cuppens,et al.  Organization based access control , 2003, Proceedings POLICY 2003. IEEE 4th International Workshop on Policies for Distributed Systems and Networks.

[8]  Joseph Gray Jackson,et al.  Privacy and Freedom , 1968 .

[9]  Amirreza Masoumzadeh,et al.  PuRBAC: Purpose-Aware Role-Based Access Control , 2008, OTM Conferences.

[10]  Nora Cuppens-Boulahia,et al.  KEDGEN2: A key establishment and derivation protocol for EPC Gen2 RFID systems , 2014, J. Netw. Comput. Appl..

[11]  Nora Cuppens-Boulahia,et al.  Analysis of Policy Anomalies on Distributed Network Security Setups , 2006, ESORICS.

[12]  Jorge Lobo,et al.  Privacy-Aware Role-Based Access Control , 2007, IEEE Security & Privacy.

[13]  Nora Cuppens-Boulahia,et al.  Management of Exceptions on Access Control Policies , 2007, SEC.

[14]  Sushil Jajodia,et al.  Balancing confidentiality and efficiency in untrusted relational DBMSs , 2003, CCS '03.

[15]  Jorge Lobo,et al.  On the Correctness Criteria of Fine-Grained Access Control in Relational Databases , 2007, VLDB.

[16]  Nora Cuppens-Boulahia,et al.  Dynamic deployment of context-aware access control policies for constrained security devices , 2011, J. Syst. Softw..

[17]  Wei Tsang Ooi,et al.  WinRFID: A Middleware for the Enablement of Radiofrequency Identification (RFID)Based Applications , 2005 .

[18]  Nora Cuppens-Boulahia,et al.  Privacy query rewriting algorithm instrumented by a privacy-aware access control model , 2014, Ann. des Télécommunications.

[19]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[20]  Nora Cuppens-Boulahia,et al.  Contextual Privacy Management in Extended Role Based Access Control Model , 2009, DPM/SETOP.