Skip to main content

Advertisement

SpringerLink
Log in

Access and privacy control enforcement in RFID middleware systems: Proposal and implementation on the fosstrak platform

  • Published:
World Wide Web Aims and scope Submit manuscript

Abstract

Radio Frequency IDentification (RFID) technology offers a new way of automating the identification and storing of information in RFID tags. The emerging opportunities for the use of RFID technology in human centric applications like monitoring and indoor guidance systems indicate how important this topic is in term of privacy. Holding privacy issues from the early stages of RFID data collection helps to master the data view before translating it into business events and storing it in databases. An RFID middleware is the entity that sits between tag readers and database applications. It is in charge of collecting, filtering and aggregating the requested events from heterogeneous RFID environments. Thus, the system, at this point, is likely to suffer from parameter manipulation and eavesdropping, raising privacy concerns. In this paper, we propose an access and privacy controller module that adds a security level to the RFID middleware standardized by the EPCglobal consortium. We provide a privacy policy-driven model using some enhanced contextual concepts of the extended Role Based Access Control model, namely the purpose, the accuracy and the consent principles. We also use the provisional context to model security rules whose activation depends on the history of previously performed actions. To show the feasibility of our privacy enforcement model, we first provide a proof-of-concept prototype integrated into the middleware of the Fosstrak platform, then evaluate the performance of the integrated module in terms of execution time.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Figure 1
Figure 2
Figure 3
Figure 4
Figure 5
Figure 6
Figure 7
Figure 8
Figure 9
Figure 10
Figure 11

Similar content being viewed by others

Notes

  1. http://www.w3.org/TR/wsdl

  2. http://code.google.com/p/fosstrak/wiki/LlrpMain

  3. http://www.transcends.co/community

References

  1. Agrawal, R., Cheung, A., Kailing, K., Schonauer, S.: Towards traceability across sovereign, distributed RFID databases. In: 10th International Database Engineering and Applications Symposium, (IDEAS’06), pp. 174–184. IEEE (2006)

  2. Ajam, N., Cuppens-Boulahia, N., Cuppens, F.: Contextual privacy management in extended role based access control model. Data Priv. Manag. Auton. Spontaneous Secur., 121–135 (2010)

  3. Ajana, M.E., Boulmalf, M., Harroud, H., Hamam, H.: A policy based event management middleware for implementing rfid applications. In: International Conference on Wireless and Mobile Computing, Networking and Communications, (WIMOB’09), pp. 406–410. IEEE (2009)

  4. Architecture Review Committee: The EPCglobal architecture framework. Tech. rep., EPClobal (2010)

  5. Chaudhry, M., Ahmad, Q., Sarwar, I., Akbar, A.H.: Comparative study of RFID middlewares-defining the roadmap to SOA-based middlewares (2010)

  6. Common criteria for information technology security evaluation (2012). https://www.niap-ccevs.org/Documents_and_Guidance/cc_docs/CCPART2V3.1R4.pdf

  7. Damiani, E., Vimercati, S., Jajodia, S., Paraboschi, S., Samarati, P.: Balancing confidentiality and efficiency in untrusted relational DBMSs. In: Proceedings of the ACM conference on Computer and communications security, pp. 93–102. ACM (2003)

  8. EPCglobal.: EPC Radio-Frequency Identity Protocols Class-1 Generation-2 UHF RFID Protocol for Communications at 860–960 MHz. Tech. rep., Version 1.2.0, http://www.epcglobalinc.org/standards/ (2008)

  9. EPCglobal. Inc: (ALE) Specification, version 1.1 - Part 1: Core Specification. Tech. rep., EPCGlobal (2008)

  10. EPCGlobal Inc: Low Level Reader Protocol (LLRP). Tech. Rep. Version 1.1, EPCGlobal (2010)

  11. EPCglobal. Inc: Public Policy. http://www.gs1.org/epcglobal/public_policy (2011)

  12. EPCglobal Inc: The EPCglobal Website. http://www.gs1.org/epcglobal (2014)

  13. Floerkemeier, C.: Integrating rfid readers in the enterprise it–overview of intra-organizational rfid system services and architectures. Academic publication of the Auto-ID Labs (2008)

  14. Floerkemeier, C., Schneider, R., Langheinrich, M.: Scanning with a purpose–supporting the fair information principles in rfid protocols. In: Ubiquitous computing systems, pp. 214–231. Springer, Berlin (2005)

    Google Scholar 

  15. for Economic Co-operation & Development Council, O.: Recommendation of the council concerning guidelines governing the protection of privacy and transborder flows of personal data. OECD (1980)

  16. Fosstrak: Project License (2009). http://fosstrak.googlecode.com/svn-history/r2112/legacy_website/license.html

  17. Grummt, E., Müller, M.: Fine-grained access control for epc information services. In: The internet of things, pp. 35–49. Springer (2008)

  18. IBM Corp.: IBM websphere premises server (2010). http://www-01.ibm.com/software/integration/sensor-events/

  19. INRIA: ASPIRE-Advanced Sensors and lightweight Programmable middleware for Innovative RFID Enterprise applications (2009). www.fp7-aspire.eu/

  20. Ismael, A., Carlos, C., Jose, C., Rubén, H., Enrique, V.: Managing RFID sensors networks with a general purpose RFID middleware. Sensors 12(6), 7719–7737 (2012)

    Google Scholar 

  21. Juels, A.: RFID security and privacy: a research survey. J. Sel. Areas Commun 24, 381–394 (2006)

    Article  Google Scholar 

  22. Kalam, A.A.E., Benferhat, S., Miège, A., Baida, R.E., Cuppens, F., Saurel, C., Balbiani, P., Deswarte, Y., Trouessin, G.: Organization based access control. In: POLICY. 4th IEEE International Workshop on Policies for Distributed Systems and Networks (2003)

  23. Kartakis, S., Sakkalis, V., Tourlakis, P., Zacharioudakis, G., Stephanidis, C.: Enhancing health care delivery through ambient intelligence applications. Sensors 12, 11,435–11,450 (2012)

    Article  Google Scholar 

  24. Kerschbaum, F.: An access control model for mobile physical objects. In: Proceedings of the 15th ACM symposium on Access control models and technologies, pp. 193–202 (2010)

  25. Kywe, S.M., Li, Y., Shi, J.: Attack and defense mechanisms of malicious epc event injection in epc discovery service. In: RFID-Technologies and Applications (RFID-TA), IEEE International Conference on, pp. 1–6 (2013)

  26. Masoumzadeh, A., Joshi, J.: PuRBAC: purpose-aware role-based access control (2008)

  27. Motorola: RFID technology and EPC in retail. Tech. rep., Symbol Technologies (2004)

  28. Ni, Q., Lin, D., Bertino, E., Lobo, J.: Privacy-aware role based access control. In: 12th ACM symposium on Access control models and technologies, pp. 41–50. ACM (2007)

  29. of the European Communities, O.J. (ed.): Directive 95/46/EC of the European Parliament and of the Council on the protection of Individuals with regard to the processing of personal data and on the free movement of such data, no. 281 in 31. t1_en.pdf (1995)

  30. Oracle: Oracle application server wireless. Tech. Rep. 10.1.2 (2005)

  31. Oulmakhzoune, S., Cuppens-Boulahia, N., Cuppens, F., Morucci, S., Barhamgi, M., Benslimane, D.: Privacy query rewriting algorithm instrumented by a privacy-aware access control model. In: Annals of telecommunications (ANTE) (2013)

  32. Prabhu, B., Su, X., Ramamurthy, H., Chu, C.C., Gadh, R.: WinRFID: a middleware for the enablement of radiofrequency identification (RFID)-based applications. Mobile, wireless, and sensor networks: Technology, applications, and future directions (2006)

  33. Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. Comput. 29 (2), 38–47 (1996)

    Article  Google Scholar 

  34. Sarma, S., Brock, D.L., Ashton, K.: The networked physical world. Tech. Rep. White Paper MIT-AUTOID-WH-001, Auto-ID Center (2000)

  35. Schapranow, M., Zeier, A., Plattner, H.: Security Extensions for Improving Data Security of Event Repositories in EPCglobal Networks. In: 9th International Conference on Embedded and Ubiquitous Computing (IFIP EUC’11), pp. 213–220. IEEE (2011)

  36. Song, J., Kim, H.: The RFID middleware system supporting context-aware access control service. In: The 8th International Conference on Advanced Communication Technology, 2006. (ICACT’06), vol. 1. IEEE (2006)

  37. Song, J., Kim, T., Lee, S., Kim, H.: Security enhanced RFID middleware system. World Acad. Sci. Eng. Technol. 10 (2005)

  38. Tounsi, W.: Security and privacy controls in rfid systems applied to EPCglobal networks. Ph.D. thesis, Télécom Bretagne - Institut Mines-Telecom (2014)

  39. Tounsi, W., Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J.: Fine-grained privacy control for the rfid middleware of epcglobal networks. In: Proceedings of the Fifth International Conference on Management of Emergent Digital EcoSystems, MEDES ’13, pp. 60–67. ACM (2013)

  40. Tounsi, W., Cuppens-Boulahia, N., Garcia-Alfaro, J., Chevalier, Y., Cuppens, F.: KEDGEN2: A key establishment and derivation protocol for EPC Gen2 RFID systems. J. Netw. Comput. Appl. 39(0), 152–166 (2014)

    Article  Google Scholar 

  41. Tounsi, W., Garcia-Alfaro, J., Cuppens-Boulahia, N., Cuppens, F.: Securing the communications of home health care systems based on RFID sensor networks. In: 8th Conference on Communications Networks and Services Research (CNSR’10), pp. 284–291. IEEE (2010)

  42. Wang, Q., Yu, T., Li, N., Lobo, J., Bertino, E., Irwin, K., Byun, J.W.: On the correctness criteria of fine-grained access control in relational databases. In: Proceedings of the 33rd international conference on Very large data bases, pp. 555–566 (2007)

  43. Westin, A.F.: Privacy and freedom. Wash. Lee Law Rev. 25(1), 166 (1968)

    Google Scholar 

  44. Yang, N., Barringer, H., Zhang, N.: A purpose-based access control model. In: Third International Symposium on Information Assurance and Security (IAS), pp. 143–148. IEEE (2007)

Download references

Acknowledgments

The authors would like to thank the anonymous reviewers and Dr. Langar for their valuable comments and suggestions to improve the quality of the paper. The authors also gratefully acknowledge the partial support received from the French FUI16 GINTAO project.

Author information

Authors and Affiliations

  1. Telecom Bretagne, 2 Rue de la chataigneraie, 35510, Cesson-Sevigné, France

    Wiem Tounsi, Nora Cuppens-Boulahia & Frédéric Cuppens

  2. LIP6/UPMC - University of Paris 6, 4 Place, Jussieu, 75005, Paris

    Wiem Tounsi & Guy Pujolle

Authors
  1. Wiem Tounsi
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Nora Cuppens-Boulahia
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Frédéric Cuppens
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Guy Pujolle
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Wiem Tounsi.

Appendix: Specifications and results in XML Files

Appendix: Specifications and results in XML Files

Figure 12
figure 12

ECSpec filtering to obtain Type C tags (nurse application)

Full size image
Figure 13
figure 13

ECSpec filtering to obtain tags numbers (pharmacist application)

Full size image
Figure 14
figure 14

ECReports for the cardiology (nurse) application

Full size image
Figure 15
figure 15

ECReports for the pharmacist application

Full size image

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Tounsi, W., Cuppens-Boulahia, N., Cuppens, F. et al. Access and privacy control enforcement in RFID middleware systems: Proposal and implementation on the fosstrak platform. World Wide Web 19, 41–68 (2016). https://doi.org/10.1007/s11280-015-0325-5

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11280-015-0325-5

Keywords

Search

Navigation