Randomization—An Interview with Ken Traub—Part 3: Threat Analysis

Hacker typing on a laptopThis is the third of a five part interview with Ken TraubGS1 standards expert and independent consultant, on GS1 serial number randomization.  The full series includes essays covering:

  1. GS1 Serial Number Considerations
  2. Properties of Randomization
  3. Threat Analysis (this essay)
  4. Algorithmic Approach
  5. Other Approaches to Randomization

This week Ken introduces the concept of threat analysis.  – Dirk.

___________________________________________

Dirk RodgersYou’ve talked about the theory of randomization and the three properties, and that’s great.  What about the practicality of each specific approach, acknowledging that—by the way, you mentioned EFPIA earlier…they do recommend randomization, but what really matters is what the European Union, or European Commission, is going to require and they have specified randomization without, as far as I know, putting any parameters around what they mean by that yet.  I assume they mean, having the three properties, or at least two of the three properties that you mentioned.

Ken Traub:  In the EFPIA document they specify, one in ten thousand, and, they said a couple of other things.   I think as you can see from everything I’ve said before, is that there is quite a bit more to random than meets the eye, and most of the practitioners I’ve encountered in pharma haven’t realized that, because it quickly gets into a fairly technical, mathematical way of looking at it that is not the orientation of most of the supply chain folks.

DRRight.

KT:  Your question about the practicality, I think, there may be two things we should explore there.  One is, different methods of randomization, which are more-or-less easy or practical to implement, but I think another aspect is to consider why you would select one randomization policy over another. There are lots of things you can do, but what is worth doing?

DRRight.

KT:  So let me take that one first, if I could.  Suppose you say, “well, the reason we want to randomize is because we think it will prevent counterfeiting”, or “we think it will prevent people from guessing our sales volume”, or something like that.  What you’ve now done is you have proposed that randomization is a countermeasure to some kind of threat.  In other words, you’re appealing to a security requirement of some kind.  I think whenever there is a question of security involved, it is really important to do a proper threat analysis.  And I think it’s a very common pitfall when people talk about security issues, they start jumping directly to countermeasures, in other words, technical things we’re going to do that we think will solve the problem.

But there is a well-established procedure for doing security analysis in a methodical way.  It’s actually ensconced in an ISO specification called the “Common Criteria”, which is another one of those names that doesn’t really tell you what it is, but the Common Criteria is kind of a framework for security analysis that is very widely accepted.  The way they look at security is, besides just thinking about countermeasures, there are a few other things you have to think about.  What they say is, the first step is not to consider countermeasures but to identify “threat agents”.  A threat agent is a motivated, capable adversary that you’re concerned is going to do something bad.  Those words “motivated” and “capable” are very important, because in classifying adversaries it is important to understand their motivation and their capability, not just what they’re going to do.

Threat agents, in this model, lead to threats, which are sometimes called attacks, which is a specific thing a threat agent is going to do to exploit a vulnerability.  A vulnerability is something that’s in the system that a threat agent can exploit by mounting an attack, which leads to risk.  And then a countermeasure is something you do to thwart the attack, or to thwart the threat with respect to that vulnerability.

The nice thing about this framework is that it forces you to consider who the threat agents are, what their motivations and capabilities are, and then by the time you get to countermeasures for these things, that helps you pick the most effective countermeasure and also gives you some sense of whether it is cost-effective or worth it relative to the risk that is posed.  And in this framework you can consider threat agents that include actual malefactors, people whose motivation is to cause harm in some way, as well as other threat agents.

Although even in the realm of malefactors, there are gradations.  There are some people who want to cause harm for the sake of causing harm, like terrorists; there are some people who want to cause harm because they’re trying to prove something, like a hacker;  and there are some people whose motivation could be to cause harm because they are trying to obtain unauthorized information, espionage or corporate espionage.  You can see that they’re going to lead to different kinds of threats.  The terrorist is going to do something that is very visible and obvious in its effects, because he’s trying to show the world, but the espionage guy is going to do something that is going to be as hidden as possible, because he doesn’t want to get caught or be detected.  He wants to be able to keep doing it.

But another kind of threat agent—in some circumstances—is human error, or mistakes, and there the motivation is very different.  People aren’t motivated to cause damage but they could still have capabilities to do that, and then that leads to different kind of countermeasures.  To take a familiar example of access to a computer system, if what you’re worried about is people making mistakes, then a very simple username and password system is usually sufficient.  If you are worried about malefactors then you may consider a stronger password system.  And if it is somebody that you think is going to do espionage then you may need to supplement just denying access to also providing various audit trails and things like that to detect what’s going on. You see how the threat analysis framework helps reason through all of this logically and methodically.

Now those examples are different than anything related to randomization of serial numbers, but now let’s go back and look at randomization in the context of a threat analysis framework.  What are the threats for which randomization might be a countermeasure?

I already posited one threat agent which is somebody who is trying to get illicit information, namely, sales volume.  And the threat they’re going to mount is to examine a series of serial numbers.  The sufficient countermeasure there is, you don’t really need sparseness, but you do need randomization, and it’s got to be fully random so there is no discernable pattern in the serial numbers, and then that thwarts the attack because the attack is one that is seeking to find a pattern and to learn something from it.

Now you had proposed a threat agent which is a counterfeiter.  His motivation is to put a product into the supply chain and not have anybody notice that it is illicit in some way.  So now I would ask, well, OK, does randomizing the serial numbers actually thwart that attack?  And I really question that, because what is the premise of that?

If I were assigning my serial numbers sequentially, 1, 2, 3, 4, 5, then, what’s the counterfeiter going to do?  Well, he could do one of two things.  He could say, I’m going to put something into the supply chain and I’m going to use a serial number that I’ve already seen, because I know that’s a valid serial number and anybody who is checking the serial numbers will see that that serial number is valid.  And so, he just finds an existing number, and he puts it on his product as well and he puts the thing in the supply chain.  If that is his method of attack, then sparseness or randomization doesn’t make any difference at all, because his way of operating is to find a package…find a serial number that already exists and just copy it and so what does he care if they are assigned randomly or sequentially…he’s making copies.  So if that’s his mode of attack, randomization or sparseness is not a countermeasure for that kind of attack.

Now let’s consider a counterfeiter who uses a different attack.  This counterfeiter reasons, well, I don’t want to copy an existing serial number, because if I copy an existing serial number, somebody is going to notice there is a duplicate and I’ll be found out eventually.  So I am going to try to make up a number that doesn’t exist on a product.  OK, well if you’re assigning sequentially, then he can do that by…if he sees low numbers being used, he’ll pick a high number.  But what if sparse numbers are being used?  If you are assigning numbers sparsely, then you just made it really easy for him to pick a number that is not likely to be a legitimate serial number.  Basically, he can pick one at random and you’ve just made the odds very high that it won’t be a serial number that actually appears on another product.  So again, sparseness and randomization is not a countermeasure.

So now you say, the way he’s thinking is, “well I don’t want to use a serial number that I know is already on another product, on the other hand, I don’t want to use a serial number that’s not going to be on a product because then if somebody looks up the serial number, it won’t be in the database.  Then if I reuse a serial number, it would be a duplicate.”  So really, my task is, I’ve got to find a serial number that is just about to be put on a product, but I’m going to get my product into the marketplace first with that number so that people will see my product as the legitimate product, because by the time they look it up, the manufacturer has already used that serial number himself.  But, I’m going to get it in quickly enough that no one will see it as a duplicate.  If that’s the attack, first of all, that’s a very difficult attack to carry out because you’ve got to inject your serial number just after the product with the same number is manufactured, but just before it reaches anybody who’s going to detect it as a duplicate.

DR Right.

KT:  I would claim that that is equally difficult to do, whether serial numbers are being assigned sequentially or at random.  Unless you’re able to observe the sequential serial numbers right off the manufacturing line, then you’re going to be very hard-pressed to predict the number that occurs just after that.

DRRight.  It would require some inside information.

KT:  Right, and if you’ve got the inside information, there are probably more direct ways of mounting a counterfeiting attack.

DRHmmm.

KT:  So, once you go through methodical threat analysis I think it calls into question the assertion that sparseness or randomization is any kind of effective countermeasure against the kind of attacks that counterfeiters are likely to mount.

DRHm.

KT:  Or, at least it narrows it down to a very, very small subset of possible counterfeiting attacks that involve first knowing what serial numbers the manufacturer is about to inject in the supply chain and then being able to get just a little bit ahead.  But I think if you’ve got that kind of inside information then, again, the easiest way to get that information would be, you’ve got somebody on the shipping dock at the manufacturer who is looking at these serial numbers and you’re trying to take advantage of the days or weeks it takes for those products to reach the retailer.  But, again, if you’ve got access to that, you’re just going to duplicate the numbers that are fresh off the manufacturing line and get them to the retailer as quickly as you can.  And again, since you’re duplicating, it doesn’t matter whether they’re sequential or random.

DR But if they are sequential, they just need to see what one of the unit serial numbers are, where if they have some amount of randomization to them, they would have to see at least a block of them to get some quantity of unit serial numbers to reproduce.

KT:  Yeah, that’s true.  And if that is the attack that you’re concerned about, then it actually leads you to consider… well, I’m going to use some degree of sparseness or randomization, you don’t need to do lots of it to be able to throw that off.

DRExactly.  I love the fact that you’ve sort of debunked the value of intense randomization.  The way I see, there are some easy, practical ways that have less complexity or difficulties than some of the more rigorous approaches to randomization where you’re doing fully, or true randomizing, and those are the techniques I was hoping we would be able to talk about.

For the next installment of this interview, see the Algorithmic Approach.