RESCUE IT

• Supply Chain Modelling: We built a high-level supply chain modeling tool that can be used to represent complex supply chains. On basis of a risk database  threats to this supply chain are automatically identified. Controls that mitigate these threats can then be dragged & dropped  onto the identified risk. Legal demands concerning food production, storage and handling as well as data security law and regulations concerning data storage are incorporated in order to ease legal and contractual compliance.
   
• Security & Safety Controls: We initially did envision only basic controls such as a separation of duties, digital signatures or a sensor monitoring  the temperature of an asset. However throughout the course of the project several other types of controls were implemented including sanitizable signatures; life cycle management of authenticity and integrity statements; unobservable communication; attribute-based authentication; a benchmarking service and prepared product recall procedures
   
• Enforcement: All this is done on basis of a Coordination and Execution Platform. Monitoring of supply chain activities and automatic checks for validity of the process execution according the conceptually modeled supply chain are two key features for achieving security. This is realized by the Coordination and Execution Platform, which receives status information and interchanged electronic documents of the supply chain partners, and compares the received as-is information to the modeled to-be situation in the specified models. This way, anomalies in the process execution , e. g. wrong transport routes taken, or invalid entries in interchanged electronic document, can be detected, which previously would not have been taken notice of.

  The software making up the Coordination and Execution Platform is created using a model-transformation based approach . That means, it is not manually programmed. Instead, a transformation-procedure is created which converts supply-chain models to the software that makes up the Coordination and Execution Platform. Because the Coordination and Execution Platform is not programmed in a traditional way, its software functionality can be predicted from the transformation procedure, and, once the transformation has been certified to deliver the desired software result according to a given supply-chain model as input, the resulting software can be trusted to correctly reflect the supply-chain model content in the resulting software. The risk of unwanted programming mistakes or intended malicious behaviour of software is reduced by this approach.

  RFID sensors are attached to pallets which measure e. g. temperature, light and acceleration. While fluctuations of single sensor values alone might not be dangerous, a pattern of fluctuations in a certain time-frame  might be a hint towards greater threats such as intoxication of foods. E. g., an attacker intending to intoxicate goods in a truck might need to first open the truck door (which will trigger the light and temperature sensor) and then to open a box on the pallet (which will trigger the acceleration sensor). The process of detecting such patterns in streams of separated sensor events is called Complex Event Processing (CEP). ReSCUeIT offers CEP facilities which are automatically configured during the model transformation based upon the supply chain process. An extension of the classical CEP feature which was introduced in the frame of ReSCUeIT is event patterns which include physical as well as logical events in order to detect cyber-physical threats. E.g.  an attacker might attack the supply chain by detouring foods to a warehouse containing goods with emitting toxic vapors. In such a case the physical RFID sensors alone cannot detect the contamination, but the collocation of incompatible goods in terms of mutual contamination needs to be detected.

• Secure Logging: Usual log files, even encrypted ones, do not offer facilities to protect their content against attacks such as removal of log entries, reordering of log entries, or inserting new log entries. Therefore, usual log files are not secure by means of IT forensics. Secure logging aims at providing facilities which protect log files against the aforementioned attacks and thus form the base for audit trails where no repudiation is possible  for the single stakeholders. Decrypting and verifying the validity of the log entries is only possible for the ReSCUeIT platform which is therefore viewed as a Trusted Third Party (TTP) for all stakeholders. In order to complicate inserting new log entries by attackers at the end of the log file, all observed systems are obliged to periodically report to the TTP with their current number of log entries.

Our chair has lead the security workpackage and contributed the design and development of the integrity and authenticity mechanisms for ReSCUeIT. In particular:

• Sanitizable signatures enable to verify the authenticity of signed documents even if trade secrets or personally identifying information have been removed. Thus, they allow sharing integrity protected supply chain documents with a verifiable origin, such as orders or lab-reports more freely among the partners of a supply chain. This exchange creates a more transparent supply-chain among the partners while respecting each partner’s individual privacy requirements (trade secrets / employee data protection regulations). Utilized to the full extend this would allow technically to identify all the ingredients of any product. This data in the hands of consumers increases confidence and allows identifying potentially risky products.

Sanitizable Signatures have extensively been researched in RESCUE IT with respect to their speed  , their applicability to the XML domain  and in particular their legal  implications . This resulted in numerous adjustments of cryptographic properties to fulfil the high legal requirements for digital signatures of EU regulations to the highest possible extend allowing RESCUE IT participants to generate sanitizable signatures with a high value of legal evidence. All the methods have been cryptographically proven to be as strong as the underlying unforgeable signature scheme, i.e., RSA-PSS.

We have implemented them all as Web Services allowing for an easy integration and flexible deployment. We build an individual prototype with a web-based GUI to showcase the generation of a classical signature on a purchase order  and we can also show the generation of a sanitizable signature on a report of a laboratory , as well as the lifecycle management components , in more detail.

• We provide services for lifecycle management of authenticity and integrity statements. The generation of a signature over a document represents an endorsement of the signed contents by the signer. However, this happens at the time of signature generation. If at a later time the signer does not want to continue this endorsement he needs to recall the signature. In most cases he does not want to invalidate the whole signature but rather indicate that a certain signed value, which represent a produced physical good’s condition, i.e. frozenness, is no longer endorsed. This update is possible with ReSCUeIT, such that it allows the signer to ‘revoke’ his statement and allows others on verification of the signed document to query the current status of each endorsed value. ReSCUeIT calls them ‘certified property states’ and building upon existing standard technologies for certificate revocation ReSCUeIT offers a secure, verifiable and efficient state management and retrieval system . ReSCUeIT enhanced the standardized Online Certificate Status Protocol (OCSP) and facilitates X.509 compatible certificates to enable this functionality. Both technologies are reliable and secure, e.g. they are used in the Internet for SSL webserver certificates. All functions have been implemented as Web Services  and their interworking is best shown in our dedicated demonstrator web-based GUI . Additionally, the use of these services has been documented with code snippets in JAVA and as BPEL process models.

• Dr. Henrich C. Pöhls
• Prof. Dr. Joachim Posegga
• Arne Bilzhause