RESCUE IT

Robuste und verfügbare SCM - Unterstützende IT-Plattform

The motivation for RESCUE IT is our ever increasing dependency of robust supply chains. Whether you look at dairy products (like milk or joghurt) or other sensitive goods - the process from production to delivery is increasing in complexity and in the number of involved parties. Supply chains of today are handled by complex IT and communication systems, their robustness against errors must be increased to meet our societies demands of an uninterupted supply stream. The errors RESCUE IT will be adressing range from sabotage of production, risks during transport, attacks on the underlying IT-Infrastructure, to targeted attacks on the quality and loss of consumability of goods in the wholesale sector. The research is scenario-driven and will be conducted together with industry partners, SCM software developers, and universities.

Main ReSCUeIT Achievements

Supply Chain Modelling: We built a high-level supply chain modeling tool that can be used to represent complex supply chains. On basis of a risk database threats to this supply chain are automatically identified. Controls that mitigate these threats can then be dragged & dropped onto the identified risk. Legal demands concerning food production, storage and handling as well as data security law and regulations concerning data storage are incorporated in order to ease legal and contractual compliance.
Security & Safety Controls: We initially did envision only basic controls such as a separation of duties, digital signatures or a sensor monitoring the temperature of an asset. However throughout the course of the project several other types of controls were implemented including sanitizable signatures; life cycle management of authenticity and integrity statements; unobservable communication; attribute-based authentication; a benchmarking service and prepared product recall procedures
Enforcement: All this is done on basis of a Coordination and Execution Platform. Monitoring of supply chain activities and automatic checks for validity of the process execution according the conceptually modeled supply chain are two key features for achieving security. This is realized by the Coordination and Execution Platform, which receives status information and interchanged electronic documents of the supply chain partners, and compares the received as-is information to the modeled to-be situation in the specified models. This way, anomalies in the process execution , e. g. wrong transport routes taken, or invalid entries in interchanged electronic document, can be detected, which previously would not have been taken notice of.
The software making up the Coordination and Execution Platform is created using a model-transformation based approach . That means, it is not manually programmed. Instead, a transformation-procedure is created which converts supply-chain models to the software that makes up the Coordination and Execution Platform. Because the Coordination and Execution Platform is not programmed in a traditional way, its software functionality can be predicted from the transformation procedure, and, once the transformation has been certified to deliver the desired software result according to a given supply-chain model as input, the resulting software can be trusted to correctly reflect the supply-chain model content in the resulting software. The risk of unwanted programming mistakes or intended malicious behaviour of software is reduced by this approach.
RFID sensors are attached to pallets which measure e. g. temperature, light and acceleration. While fluctuations of single sensor values alone might not be dangerous, a pattern of fluctuations in a certain time-frame might be a hint towards greater threats such as intoxication of foods. E. g., an attacker intending to intoxicate goods in a truck might need to first open the truck door (which will trigger the light and temperature sensor) and then to open a box on the pallet (which will trigger the acceleration sensor). The process of detecting such patterns in streams of separated sensor events is called Complex Event Processing (CEP). ReSCUeIT offers CEP facilities which are automatically configured during the model transformation based upon the supply chain process. An extension of the classical CEP feature which was introduced in the frame of ReSCUeIT is event patterns which include physical as well as logical events in order to detect cyber-physical threats. E.g. an attacker might attack the supply chain by detouring foods to a warehouse containing goods with emitting toxic vapors. In such a case the physical RFID sensors alone cannot detect the contamination, but the collocation of incompatible goods in terms of mutual contamination needs to be detected.
Secure Logging: Usual log files, even encrypted ones, do not offer facilities to protect their content against attacks such as removal of log entries, reordering of log entries, or inserting new log entries. Therefore, usual log files are not secure by means of IT forensics. Secure logging aims at providing facilities which protect log files against the aforementioned attacks and thus form the base for audit trails where no repudiation is possible for the single stakeholders. Decrypting and verifying the validity of the log entries is only possible for the ReSCUeIT platform which is therefore viewed as a Trusted Third Party (TTP) for all stakeholders. In order to complicate inserting new log entries by attackers at the end of the log file, all observed systems are obliged to periodically report to the TTP with their current number of log entries.

Role of University of Passau in ReSCUeIT

Our chair has lead the security workpackage and contributed the design and development of the integrity and authenticity mechanisms for ReSCUeIT. In particular:

Sanitizable signatures enable to verify the authenticity of signed documents even if trade secrets or personally identifying information have been removed. Thus, they allow sharing integrity protected supply chain documents with a verifiable origin, such as orders or lab-reports more freely among the partners of a supply chain. This exchange creates a more transparent supply-chain among the partners while respecting each partner’s individual privacy requirements (trade secrets / employee data protection regulations). Utilized to the full extend this would allow technically to identify all the ingredients of any product. This data in the hands of consumers increases confidence and allows identifying potentially risky products.

Sanitizable Signatures have extensively been researched in RESCUE IT with respect to their speed , their applicability to the XML domain and in particular their legal implications . This resulted in numerous adjustments of cryptographic properties to fulfil the high legal requirements for digital signatures of EU regulations to the highest possible extend allowing RESCUE IT participants to generate sanitizable signatures with a high value of legal evidence. All the methods have been cryptographically proven to be as strong as the underlying unforgeable signature scheme, i.e., RSA-PSS.

We have implemented them all as Web Services allowing for an easy integration and flexible deployment. We build an individual prototype with a web-based GUI to showcase the generation of a classical signature on a purchase order and we can also show the generation of a sanitizable signature on a report of a laboratory , as well as the lifecycle management components , in more detail.

We provide services for lifecycle management of authenticity and integrity statements. The generation of a signature over a document represents an endorsement of the signed contents by the signer. However, this happens at the time of signature generation. If at a later time the signer does not want to continue this endorsement he needs to recall the signature. In most cases he does not want to invalidate the whole signature but rather indicate that a certain signed value, which represent a produced physical good’s condition, i.e. frozenness, is no longer endorsed. This update is possible with ReSCUeIT, such that it allows the signer to ‘revoke’ his statement and allows others on verification of the signed document to query the current status of each endorsed value. ReSCUeIT calls them ‘certified property states’ and building upon existing standard technologies for certificate revocation ReSCUeIT offers a secure, verifiable and efficient state management and retrieval system . ReSCUeIT enhanced the standardized Online Certificate Status Protocol (OCSP) and facilitates X.509 compatible certificates to enable this functionality. Both technologies are reliable and secure, e.g. they are used in the Internet for SSL webserver certificates. All functions have been implemented as Web Services and their interworking is best shown in our dedicated demonstrator web-based GUI . Additionally, the use of these services has been documented with code snippets in JAVA and as BPEL process models.

Project Members

Contact

Dr. Henrich Pöhls
Raum ITZ/IH 136
Innstr. 43

Tel.: +49(0)851/509-3217
Henrich.Poehls@uni-passau.de

Website

Sprechzeiten: Dienstags 15:00-17:00

2013

27.

H. C. Pöhls, "Contingency Revisited: Secure Construction and Legal Implications of Verifiably Weak Integrity" in Trust Management VII , Fernandez-Gago, Carmen and Martinelli, Fabio and Pearson, Siani and Agudo, Isaac, Eds. Springer Berlin Heidelberg , 2013. pp. 136-150.
DOI: http://dx.doi.org/10.1007/978-3-642-38323-6_10
http://henrich.poehls.com/papers/2013_Poehls_Contingency.pdf

26.

C. Brzuska, H. C. Pöhls and K. Samelin, "Efficient and Perfectly Unlinkable Sanitizable Signatures without Group Signatures" in Proc. of the 10th European Workshop: Public Key Infrastructures, Services and Applications (EuroPKI 2013) , Katsikas, Sokratis and Agudo, Isaac, Eds. Springer Berlin Heidelberg , 2013. pp. 12-30.
DOI: http://dx.doi.org/10.1007/978-3-642-53997-8_2
http://henrich.poehls.com/papers/2013_BrzuskaPoehlsSamelin_Efficient-and-Perfectly-Unlinkable-Sanitizable-Signatures_EuroPKI13.pdf

25.

H. C. Pöhls, S. Peters, K. Samelin, J. Posegga and H. Meer, "Malleable Signatures for Resource Constrained Platforms" in Information Security Theory and Practice. Security of Mobile and Cyber-Physical Systems , Cavallaro, Lorenzo and Gollmann, Dieter, Eds. Springer-Verlag , 2013. pp. 18-33.
DOI: http://dx.doi.org/10.1007/978-3-642-38530-8_2
http://henrich.poehls.com/papers/2013_PoehlsPetersSamelinPoseggaDeMeer_WISTP.pdf

24.

H. Meer, H. C. Pöhls, J. Posegga and K. Samelin, "Scope of Security Properties of Sanitizable Signatures Revisited" in Proc. of the 8th International Conference on Availability, Reliability and Security (ARES 2013) , IEEE , 2013. pp. 188-197.
DOI: http://dx.doi.org/10.1109/ARES.2013.26
http://henrich.poehls.com/papers/2013_DeMeer_Poehls_Posegga_Samelin-ScopeofSecurityPropertiesofSanitizableSignaturesRevisited.pdf

2012

23.

H. C. Pöhls, K. Samelin, J. Posegga and H. Meer, "Flexible Redactable Signature Schemes for Trees --- Extended Security Model and Construction" in Proc. of the International Conference on Security and Cryptography (SECRYPT 2012) , SciTePress , 2012. pp. 113-125.
http://henrich.poehls.com/papers/2012-Poehls-Samelin-DeMeer-Posegga_SECRYPT12_Flexible-Redactable-Signature-Schemes-for-Trees.pdf

22.

H. Meer, M. Liedel, H. C. Pöhls, J. Posegga and K. Samelin, "Indistinguishability of One-Way Accumulators" , 2012.
https://www.fim.uni-passau.de/fileadmin/files/forschung/mip-berichte/MIP_1210.pdf

21.

H. C. Pöhls, K. Samelin, J. Posegga and H. Meer, "Length-Hiding Redactable Signatures from One-Way Accumulators in O(n)" , 2012.
http://henrich.poehls.com/papers/2012_Poehls-Samelin-Posegga-deMeer_TechReport_MIP1201.pdf

19.

C. Brzuska, H. C. Pöhls and K. Samelin, "Non-Interactive Public Accountability for Sanitizable Signatures" in Proc. of the 9th European PKI Workshop: Research and Applications (EuroPKI 2012) , Springer-Verlag , 2012. pp. 178.
http://henrich.poehls.com/papers/2012_BrzuskaPoehlsSamelin_NonInteractive-Public-Accountability-for-SanSigs.pdf

18.

K. Samelin, H. C. Pöhls, A. Bilzhause, J. Posegga and H. Meer, "On Structural Signatures for Tree Structured Data" in Proc. of the 10th International Conference on Applied Cryptography and Network Security (ACNS 2012) , Springer , 2012.
DOI: http://link.springer.com/chapter/10.1007/978-3-642-31284-7_11
http://henrich.poehls.com/papers/2012_Samelin-Poehls-Bilzhause-Posegga-DeMeer-OnStructuralSignaturesForTrees.pdf

17.

F. Höhne, H. C. Pöhls and K. Samelin, "Rechtsfolgen editierbarer Signaturen" , Datenschutz und Datenrecht (DuD) , vol. Volume 36 , no. 6 , pp. 485-491 , 2012.
http://henrich.poehls.com/papers/2012_HoehnePoehlsSamelin_DuD1207.pdf

16.

K. Samelin, H. C. Pöhls, A. Bilzhause, J. Posegga and H. Meer, "Redactable Signatures for Independent Removal of Structure and Content" in Proc. of the 8th International Conference on Information Security Practice and Experience (ISPEC 2012) , Springer , 2012.
http://henrich.poehls.com/papers/2012_Samelin_Poehls_Bilzhause_Posegga_DeMeer_ISPEC_SeperateRedactionOfContentAndStructure.pdf

15.

K. Samelin, H. C. Pöhls, J. Posegga and H. Meer, "Redactable vs. Sanitizable Signatures" , 2012.

14.

H. C. Pöhls and F. Höhne, "Sticky Signatures: Legal Advantages of Redactable Signatures and Credentials in the Food Supply Chain" in Proc. of the 5th Interdisciplinary Conference on Current Issues in IT Security 2012 , Dunker \& Humblot, Berlin , 2012.

13.

H. C. Pöhls and F. Höhne, "The Role of Data Integrity in EU Digital Signature Legislation - Achieving Statutory Trust for Sanitizable Signature Schemes" in Proc. of 7th International Workshop on Security and Trust Management (STM 2011) , Springer , 2012. pp. 175-192.
http://henrich.poehls.com/papers/2011_Poehls-Hoehne_STM-11_Role-of-Data-Integrity-in-EU-Digital-Signature-Legislation.pdf

12.

H. C. Pöhls, K. Samelin, J. Posegga and H. Meer, "Transparent Mergeable Redactable Signatures with Signer Commitment and Applications" , 2012.
http://henrich.poehls.com/papers/2012_Poehls-Samelin-Posegga-deMeer_TechReport_MIP1206.pdf

2011

10.

H. C. Pöhls, K. Samelin and J. Posegga, "Sanitizable Signatures in XML Signature - Performance, Mixing Properties, and Revisiting the Property of Transparency" in Proc. of 9th International Conference on Applied Cryptography and Network Security (ACNS 2011) , Springer , 2011.
http://henrich.poehls.com/papers/2011_Poehls-Samelin-Posegga_ACNS_Sanitizable-Signatures-in-XML-Signature.pdf

H. C. Pöhls, A. Bilzhause, K. Samelin and J. Posegga, "Sanitizable Signed Privacy Preferences for Social Networks" in Proc. of GI Workshop on Privacy and Identity Management for Communities - Communities for Privacy and Identity Management (DICCDI 2011) , GI , 2011.
http://henrich.poehls.com/papers/2011_Poehls-Bilzhause-Samelin-Posegga_Sanitizable-Signed-Privacy-Preferences-for-Social-Networks_DICCDI-2011.pdf

2010

F. Höhne and H. C. Pöhls, "Grund und Grenzen staatlicher Schutzpflichten für die IT-Infrastruktur" in Tagungsband der 11. Herbstakademie der Deutschen Stiftung für Recht und Informatik (DSRI): Digitale Evolution - Herausforderungen für das Informations- und Medienrecht , {OlWIR} Oldenburger Verlag für Wirtschaft, Informatik und Recht , 2010.

F. Höhne and H. C. Pöhls, "Staatliche Schutzpflichten für die IT-Infrastruktur" in Proc. of D-A-CH Security 2010 , 2010.

R. Herkenhöner, M. Jensen, H. C. Pöhls and H. Meer, "Towards Automated Processing of the Right of Access in Inter-Organizational Web Service Compositions" in IEEE 2010 International Workshop on WebService and Business Process Security (WSBPS 2010) , IEEE , 2010.
DOI: http://www.computer.org/csdl/proceedings/services/2010/4129/00/4129a645-abs.html
http://henrich.poehls.com/papers/2010_Herkenhohner_Poehls_Jensen_AutomatedRightofAccess.pdf

H. C. Pöhls, "Why Showing one TLS Certificate is not enough? Towards a Browser Feedback for Multiple TLS Certificate Verifications" in Proc. of GI Sicherheit 2010 - Gesellschaft für Informatik , GI , 2010.
http://web.sec.uni-passau.de/papers/2010_Poehls_Show_Multiple_SSL_Certificate_Verifications_GI-Sicherheit.pdf