For Product Life Cycle of Electronic Parts
Ya-Shian Li-Baboud, Eric Simmon, Yaw Obeng
ya‐shian.li‐[email protected]
NIST
Outline
• Challenges
• Identity Management
• Standards
• Other Industries
• Pitfalls and Lessons Learned
• Opportunities
Challenges
• Counterfeit detection: packaging and product are identical in appearance to the genuine article; detection requires expertise and forensics
• Data accessibility, synchronization and quality: enforcement officers require access to identity data, but databases and workflows are fragmented
• Cost: managing the risk-cost tradeoffs
• Dynamic nature: a cat-and-mouse game with counterfeiters
• Confidentiality and privacy: of both sellers and buyers
• Assessing security: is the identity management solution itself secure?
[Figure: Supply chain and product life cycle. Chip manufacturer → board assembler (board build) → system producer (system build), each with its own data management system; product authentication and identity management span the whole product life cycle.]
Managing the identity of the product:
• Authentication
• Tracking
• Traceability
Authentication architecture: centralized or federated
Identity Life Cycle
Identity and Uses
[Figure: identity and its uses across the product life cycle: system build, material and process data, chemicals, data sheets, recycling information.]
Identity Management System
• Identity provisioning
• Identity synchronization
• Access management
• Federated services
• Directory services
• Auditing and reporting
Federated IMS: a heterogeneous authentication network
• Best-of-breed: each application can use the solution that is cost-effective for it
• Flexibility: use of the best available security technologies
• Accessibility: communication interfaces among disparate security domains
Existing Standards: leverage current efforts
How can standards help?
Standard advantages:
• Interoperability: rapid data access, easier communication, and solutions can focus on security rather than on data exchange
• Data integrity: eliminates translation errors between systems
• Security: robustness
• Customer protection: confidence in the anti-counterfeiting solution
And what we can learn
E-Authentication Guideline
NIST SP 800-63 specifies four authentication assurance levels. Assurance criteria cover:
• Tokens
• Identity proofing
• Remote authentication mechanisms
• Assertion mechanisms

Level  Assurance                                             Confidence
1      Tokens without identity proofing                      Little or none
2      Identity proofing with single-factor authentication   Some
3      Multi-factor authentication                           High
4      Hard cryptographic tokens (FIPS 140-2 validated)      Very high
[Figure: multi-factor authentication applied to both the user and the product.]
Liberty Alliance
The project:
• Global body establishing business, policy and technical standards for digital identity management
• Expert groups and public special interest groups drawn from industry and government: Identity Assurance, Public Policy and Technology expert groups; eGovernment, Strong Authentication and Web Services Harmonization SIGs
• Formed in 2001 by 30 organizations; today comprised of more than 150 organizations
• Specifies assurance levels (aligned with NIST SP 800-63), the criteria for meeting each level, liability, governance and communication
Objectives:
• Open, standards-based specification for federated identity
• Interoperability testing and certification
• Establish best practices and rules
• Collaborate with other standards bodies and with government policy
• Privacy and confidentiality
Vertical and horizontal issues: networked healthcare privacy, e-government, identity theft
SAML: Security Assertion Markup Language
• XML-based solution for web services that addresses the single sign-on (SSO) problem; current version is SAML 2.0
• Carries statements among disparate security domains; three statement types: authentication, attribute, and authorization decision
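As an added example (not code from the original slides), the following shows a relying party in one security domain consuming a SAML 2.0 assertion issued in another: it reads the three statement types named above and checks the Conditions element (validity window and audience) before trusting any of them. The assertion, issuer, audience, attribute names and the inspector/ASP scenario are constructed for this illustration; XML signature verification is deliberately left out and flagged in a comment.

```python
# Added example (not code from the original slides): a SAML 2.0 relying party
# reading the authentication, attribute and authorization decision statements
# out of an assertion after checking its Conditions. Issuer, audience and
# attribute names below are assumptions made for this illustration.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an identity provider in one domain vouching for an
# inspector to a product-authentication service in another (single sign-on).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2009-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">inspector@example.org</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2009-06-01T12:00:00Z" NotOnOrAfter="2009-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://asp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2009-06-01T11:59:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>customs-officer</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement Resource="https://asp.example.com/lookup" Decision="Permit">
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">read</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>"""


def _utc(value: str) -> datetime:
    """Parse the xsd:dateTime form SAML uses (UTC with a 'Z' suffix)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion: ET.Element, audience: str, now: datetime) -> str:
    """Return 'ok', or the reason the assertion must be rejected."""
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return "no_conditions"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _utc(not_before):
        return "not_yet_valid"
    if not_on_or_after and now >= _utc(not_on_or_after):
        return "expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    # An assertion minted for another service provider must not be accepted
    # here even if otherwise valid; that is what AudienceRestriction is for.
    if audiences and audience not in audiences:
        return "wrong_audience"
    return "ok"


def extract_statements(assertion: ET.Element) -> dict:
    """Pull out the authentication, attribute and authorization decision statements."""
    ctx = assertion.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    attributes = {
        a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    decisions = [
        (d.get("Resource"), d.get("Decision"), [x.text for x in d.findall("saml:Action", NS)])
        for d in assertion.findall("saml:AuthzDecisionStatement", NS)
    ]
    return {
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "subject": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "authn_context": ctx.text if ctx is not None else None,
        "attributes": attributes,
        "authz_decisions": decisions,
    }


def consume_assertion(xml_text: str, audience: str, now_utc: str) -> dict:
    """Relying-party entry point: validate the assertion, then expose its statements."""
    # NOTE: a real relying party first verifies the XML Signature over the
    # assertion against the issuer's trusted key, and parses with a hardened
    # XML parser. Both are omitted here to keep the statement handling visible.
    assertion = ET.fromstring(xml_text)
    status = check_conditions(assertion, audience, _utc(now_utc))
    if status != "ok":
        return {"status": status}
    result = extract_statements(assertion)
    result["status"] = "ok"
    return result


if __name__ == "__main__":
    print(consume_assertion(SAMPLE_ASSERTION, "https://asp.example.com", "2009-06-01T12:01:00Z"))
```

The order matters: conditions are checked before any statement is read, so an expired assertion or one addressed to a different audience yields no attributes or authorization decisions at all, rather than data that a later code path might forget to discard.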
Common Criteria: assessment of security solutions
• Latest update: CC version 3.1 (September 2007); published as ISO/IEC 15408, with the companion evaluation methodology in ISO/IEC 18045
• Comprised of Part 1: Introduction and general model; Part 2: Security functional requirements; Part 3: Security assurance requirements
Pharmaceutical
Standards:
• Unique identifying code, carried in a 2D matrix label on each medicine pack distributed
• Avoids the issues of localized encoding approaches
• Supply chain elements (wholesalers, distributors, pharmacies) use the code for traceability
Legislation (Europe):
• Possible ban on re-packaging, to ensure labels are not destroyed until end use
Challenges:
• Management and ownership of serialized codes
• Global parallel efforts (US, Europe, Asia)
• Cost of implementation
Current Landscape
• Product identification efforts: unique identification; SEMI Anti-Counterfeiting TF (product message + ASP URL)
• Tracking and traceability: bill of materials (IPC 175x); product life cycle information management (iNEMI Information Management Systems TWG)
• Security: robustness; compliance and certification levels
• Customer protection: Common Criteria (ISO/IEC 15408, evaluation methodology ISO/IEC 18045); confidence in product authentication security
SEMI Anti-Counterfeiting Task Force (ACTF)
• Enable infrastructure for encrypted codes and online product authentication
Standards and efforts:
• System architecture: SEMI T20-1108
• Object labeling
• ASP communication
• ASP qualifications
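To make the encrypted-code plus online-authentication model concrete, here is an added example (not SEMI T20's actual encoding, and not code from the original slides) of an issuer that mints authenticated product codes and an authentication service provider (ASP) that validates them and flags a code that turns up at more than one party. The field layout, the "|" separator, the HMAC-based tag and its length, and the manufacturer, part and scanner names are all assumptions made for this illustration.

```python
# Added example (not SEMI T20's actual encoding): an issuer that mints
# authenticated product codes and an authentication service provider (ASP)
# that validates them and flags duplicate scans. Field layout, tag length
# and the "|" separator are assumptions made for this illustration.
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

TAG_BYTES = 12  # truncated HMAC-SHA256 tag: 96 bits keeps the label short


@dataclass
class Issuer:
    """Chip manufacturer side: mints one unique, authenticated code per part."""
    manufacturer: str
    key: bytes  # per-manufacturer secret, shared only with the ASP

    def mint(self, part_number: str, lot: str, serial: str = "") -> str:
        # Random (not sequential) serial, so one genuine label does not let a
        # counterfeiter guess the next valid serial.
        serial = serial or secrets.token_hex(8)
        message = f"{self.manufacturer}|{part_number}|{lot}|{serial}"
        tag = hmac.new(self.key, message.encode(), hashlib.sha256).digest()[:TAG_BYTES]
        # Product message (plaintext fields) followed by the tag: 12 bytes
        # encode to exactly 16 URL-safe base64 characters, no padding.
        return message + "|" + base64.urlsafe_b64encode(tag).decode()


@dataclass
class AuthenticationService:
    """ASP side: checks the tag and records every scan of every code."""
    keys: dict                                  # manufacturer -> shared key
    scans: dict = field(default_factory=dict)   # code -> list of scanner ids

    def verify(self, code: str, scanner_id: str) -> dict:
        fields = code.split("|")
        if len(fields) != 5:
            return {"status": "malformed"}
        manufacturer, part_number, lot, serial, tag_b64 = fields
        key = self.keys.get(manufacturer)
        if key is None:
            return {"status": "unknown_manufacturer"}
        try:
            presented = base64.urlsafe_b64decode(tag_b64)
        except ValueError:
            return {"status": "malformed"}
        expected = hmac.new(key, "|".join(fields[:4]).encode(), hashlib.sha256).digest()[:TAG_BYTES]
        # Constant-time compare: a timing leak would let an attacker forge
        # tags byte by byte against the online service.
        if len(presented) != TAG_BYTES or not hmac.compare_digest(expected, presented):
            return {"status": "invalid_tag"}
        seen_by = self.scans.setdefault(code, [])
        seen_by.append(scanner_id)
        # A valid tag proves the code was minted by the manufacturer, not that
        # this physical part is genuine: a cloned label carries a valid tag.
        # The same code turning up at different parties is the cloning signal.
        status = "authentic" if len(set(seen_by)) == 1 else "duplicate_suspected"
        return {"status": status, "part_number": part_number, "lot": lot,
                "serial": serial, "scan_count": len(seen_by)}


def demo() -> list:
    """Walk one code through a genuine scan, a tampered copy and a cloned label."""
    key = secrets.token_bytes(32)
    issuer = Issuer("ACME", key)
    asp = AuthenticationService(keys={"ACME": key})
    code = issuer.mint("XYZ123", "L0421")
    edited = code.split("|")
    edited[2] = "L0422"                 # lot changed; tag no longer matches
    tampered = "|".join(edited)
    return [
        asp.verify(code, "distributor-A")["status"],      # authentic
        asp.verify(tampered, "distributor-A")["status"],  # invalid_tag
        asp.verify(code, "broker-Z")["status"],           # duplicate_suspected
    ]


if __name__ == "__main__":
    print(demo())
```

The split of roles mirrors the slide's architecture: the label carries only the product message and a tag, the secret stays with the manufacturer and the ASP, and the online lookup is what turns a merely well-formed code into evidence, because only the ASP sees every scan and can notice the same serial being presented twice.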
IPC 175x Supplier Declaration Standard
• Supply chain data exchange; IPC-1751 carries the generic declaration information (business, contact, product)
• Version 2.0 draft under committee review
• Supply chain communication of a unique ID: a "Unique ID" element for the product identifier, which can be used to carry SEMI encrypted codes
Pitfalls and Lessons Learned
• Too many standards!
• Supply chain integration issues: interoperability; awareness and understanding
• Slow to evolve: cumbersome standardization process; room for growth and flexibility
• Security: security through obscurity; security through diversity; open prototyping and testing
Opportunities
Understand market needs:
• Develop a vision for electronic product identity management
• Develop use cases for product authentication
Develop specifications:
• Develop unique IDs
• Incorporate unique IDs into current BoMs
• Leverage user authentication schemes for product authentication
• Leverage security assessment criteria for product authentication solutions
Drive convergence:
• Manage product life cycle identity information
• Standards interoperability
Innovate!
Official contribution of the National Institute of Standards and Technology; not subject to copyright in the United States.
Certain trademarks are identified in this paper to foster understanding. Such identification does not imply recommendation or endorsement by the National Institute of Standards and Technology.