Attack and Defense Mechanisms of Malicious EPC Event Injection in EPC Discovery Service

Author

Mon Kywe SU, Singapore Management UniversityFollow
Yingjiu LI, Singapore Management UniversityFollow
Jie SHI

Publication Type

Conference Proceeding Article

Publication Date

9-2013

Abstract

A supply chain usually involves collaboration among multi-national companies and it is well-known that information sharing is a critical success factor in supply chain management. Electronic Product Code Discovery Service (EPCDS) is a newly proposed concept which allows supply chain companies to search for their unknown partners globally and share information efficiently. As EPCDS contains critical business information about partnership relationship and product movement, access control systems are integrated into EPCDS for privacy protection. Although currently proposed access control systems include authentication and authorization of supply chain companies, they do not consider authentication of business information published by the companies. This vulnerability enables malicious EPC event injection attack, where forged business information are registered to EPCDS by malicious parties. With such exploitation, adversaries can impersonate as legitimate supply chain partners, bypass the access control systems of EPCDS and get access to previously unauthorized information. To the best of our knowledge, our paper is the first to discover the possibility of such attack in EPCDS. Our paper discusses threat model and different types of adversaries for the attack. We then present general defense mechanisms and define the security requirements of preventive measures. We also propose a new prevention mechanism, where pseudo-random numbers are generated by EPC tags and serves as authentication tokens for registering EPC events. Moreover, our paper analyzes how existing solutions, such as tailing, can be modified to detect malicious EPC event injection in EPCDS.

Keywords

authorisation, business data processing, message authentication, random number generation, supply chains

Discipline

Information Security

Research Areas

Information Security and Trust

Publication

2013 IEEE International Conference on RFID Technologies and Applications (RFID-TA), 4-5 September 2013, Johor Bahru: Proceedings

First Page

1

Last Page

6

ISBN

9781479921140

Identifier

10.1109/RFID-TA.2013.6694532

Publisher

IEEE

City or Country

Johor Bahru

Citation

SU, Mon Kywe; LI, Yingjiu; and SHI, Jie. Attack and Defense Mechanisms of Malicious EPC Event Injection in EPC Discovery Service. (2013). 2013 IEEE International Conference on RFID Technologies and Applications (RFID-TA), 4-5 September 2013, Johor Bahru: Proceedings. 1-6.
Available at: https://ink.library.smu.edu.sg/sis_research/2039

Additional URL

http://dx.doi.org/10.1109/RFID-TA.2013.6694532