The motivation for RESCUE IT is our ever increasing dependency of robust supply chains. Whether you look at dairy products (like milk or joghurt) or other sensitive goods - the process from production to delivery is increasing in complexity and in the number of involved parties. Supply chains of today are handled by complex IT and communication systems, their robustness against errors must be increased to meet our societies demands of an uninterupted supply stream. The errors RESCUE IT will be adressing range from sabotage of production, risks during transport, attacks on the underlying IT-Infrastructure, to targeted attacks on the quality and loss of consumability of goods in the wholesale sector. The research is scenario-driven and will be conducted together with industry partners, SCM software developers, and universities.
The software making up the Coordination and Execution Platform is created using a model-transformation based approach . That means, it is not manually programmed. Instead, a transformation-procedure is created which converts supply-chain models to the software that makes up the Coordination and Execution Platform. Because the Coordination and Execution Platform is not programmed in a traditional way, its software functionality can be predicted from the transformation procedure, and, once the transformation has been certified to deliver the desired software result according to a given supply-chain model as input, the resulting software can be trusted to correctly reflect the supply-chain model content in the resulting software. The risk of unwanted programming mistakes or intended malicious behaviour of software is reduced by this approach.
RFID sensors are attached to pallets which measure e. g. temperature, light and acceleration. While fluctuations of single sensor values alone might not be dangerous, a pattern of fluctuations in a certain time-frame might be a hint towards greater threats such as intoxication of foods. E. g., an attacker intending to intoxicate goods in a truck might need to first open the truck door (which will trigger the light and temperature sensor) and then to open a box on the pallet (which will trigger the acceleration sensor). The process of detecting such patterns in streams of separated sensor events is called Complex Event Processing (CEP). ReSCUeIT offers CEP facilities which are automatically configured during the model transformation based upon the supply chain process. An extension of the classical CEP feature which was introduced in the frame of ReSCUeIT is event patterns which include physical as well as logical events in order to detect cyber-physical threats. E.g. an attacker might attack the supply chain by detouring foods to a warehouse containing goods with emitting toxic vapors. In such a case the physical RFID sensors alone cannot detect the contamination, but the collocation of incompatible goods in terms of mutual contamination needs to be detected.
Our chair has lead the security workpackage and contributed the design and development of the integrity and authenticity mechanisms for ReSCUeIT. In particular:
Sanitizable Signatures have extensively been researched in RESCUE IT with respect to their speed , their applicability to the XML domain and in particular their legal implications . This resulted in numerous adjustments of cryptographic properties to fulfil the high legal requirements for digital signatures of EU regulations to the highest possible extend allowing RESCUE IT participants to generate sanitizable signatures with a high value of legal evidence. All the methods have been cryptographically proven to be as strong as the underlying unforgeable signature scheme, i.e., RSA-PSS.
We have implemented them all as Web Services allowing for an easy integration and flexible deployment. We build an individual prototype with a web-based GUI to showcase the generation of a classical signature on a purchase order and we can also show the generation of a sanitizable signature on a report of a laboratory , as well as the lifecycle management components , in more detail.
Beim Anzeigen des Videos wird Ihre IP-Adresse an einen externen Server (Vimeo.com) gesendet.