1. Introduction
The internet and technology have been developed so rapidly that the whole world is experiencing the fourth industrial revolution (Industry 4.0) [
1] in all aspects of humankind, where the Internet of Things (IoT) [
2] plays a significant role for its diverse adoption. IoT is a network of interlinked physical objects (e.g., devices, machines, and appliances) installed with sensors, software, and electronics, provided with unique identifiers. IoT sensors also possess the capacity to exchange data over the internet without human intervention. It can create information about the associated objects, examine them and make decisions. It has enormous potential to give various elating services across numerous spaces from industry, healthcare [
3], smart home [
4], smart cities, social media, and supply chain. IoT devices have revolutionized the supply chain management (SCM) system [
5].
SCM is the management of the movement of goods through various parties like manufacturers, distributors, retailers, and customers [
3]. It helps to check the traversal of products and information without any complexities. A supply chain involves a series of steps to get a product or service to the customer. The steps include moving and transforming raw materials into finished products, transporting and distributing them to the end-user.
IoT devices can be connected to a product to confirm the product’s authenticity, investigate the origin and quality. Moreover, IoT devices can ensure real-time tracking, traceability, and visibility of a product in the supply chain. A recent survey reveals that Australian retailers have integrated IoT devices into their supply chain. It includes internet-based barcode technology, sensors and scanners, palm-held tablets/smart devices, smartphones, mobile apps, GPS-based location awareness, and Internet-based security and surveillance system [
6].
There is no doubt regarding the advantages of the IoT in the supply chain. Despite the benefits, some concerns are related to the IoT integrated supply chain. The IoT devices generate a large amount of data stored in a centralized server, i.e., in a cloud as a plaintext. As a result, there is a chance that the centralized server might act dishonestly and make fallacious use of users’ sensitive data. There is a severe threat related to the privacy and security of user data in the centralized IoT infrastructure [
7]. Even most of the existing supply chains are not IoT integrated, and because of human intervention [
8], there is a high risk in the privacy and security of product and user’s data.
Besides the above-discussed articles, there are some other investigations where IoT and blockchain [
9] are integrated into the supply chain, whereas there are no studies that focus on the incorporation of asymmetric key encryption technique elliptic curve cryptography (ECC), IoT, and supply chain. Moreover, none of the earlier studies which are discussed in
Section 2 focuses on key distributions and key agreements for authenticating IoT devices. Blockchain is a decentralized and distributed network of peers that shares the same ledger of transactions connected with the system without any central server. The transaction records in the blockchain ledger are immutable, and therefore, it assures authenticity, transparency, traceability, security, and visibility among supply chain entities. The immutable nature of the blockchain platform ensures the SCM transactions data authenticity and security, but it does not ensure data privacy. Therefore, users’ sensitive data needs to be protected from disclosure. Due to the resource limitations (i.e., small memory, limited battery power, and insufficient processing capability) of the IoT device, conventional PC-based cryptographic solutions are not appropriate for most IoT devices [
10]. Therefore, a lightweight cryptographic protocol is required for the system.
This research converges IoT, lightweight asymmetric key cryptography, i.e., ECC, and Hyperledger fabric for secure and trusted supply chain transactions to mitigate the existing supply chain problems. A lightweight key agreement scheme based on ECC has been introduced to ensure the authenticity of IoT devices. Hyperledger fabric assures faster and private supply chain transactions between participating entities. All products or services carry a quick response (QR) code from their production. The proposed system will scan QR codes with an IoT-enabled QR scanner, whereas the transaction data will be stored into the blockchain automatically and securely. Every participant’s (e.g., manufacturer, distributor, and retailer) QR scanner will be registered through the lightweight authentication process in the blockchain network. After the registration and successful mutual authentication between the IoT device of two entities, the product information scanned by the QR scanner is stored in the blockchain. The proposed approach serves as a peer-to-peer, trusted distributed supply chain that introduces the product’s real-time tracking and traceability and guarantees product information authenticity and confidentiality with an authenticated IoT device. Integration of IoT in the blockchain-based supply chain will enhance the supply chain’s flexibility, traceability, transparency, real-time audibility, autonomy, and transaction privacy.
The main contributions of this paper are as follows:
IoT and Blockchain are used to reduce human intervention at the time of recording the supply chain transaction;
Asymmetric key encryption technique ECC based Key distribution and key agreement are developed in SCM. ECC is used for managing the cryptographic operations and also for lightweight authentication of entities;
Hyperleadger fabric based blockchain technology will ensure the transaction data privacy and security;
Security and Privacy analysis illustrate the efficiency of the proposed method.
The rest of the article is structured as follows. Related works are analyzed in
Section 2. Preliminaries, System Overview, and Model Construction are delineated in
Section 3,
Section 4 and
Section 5, respectively.
Section 6 illustrates the Performance Evaluation. Finally,
Section 7 concludes this article.
5. Model Construction
The section describes the entire system in detail. This scheme mainly consists of two parts, i.e., registration and authentication.
5.1. System Setup
This section only focuses on the system setup. Here, selects an elliptic curve , where is a finite field, which is decided by prime p. It also selects a generator on the curve with order q and a master or secret key . It publishes the public key , , p, q, where and . Here, is a multiplicative group of integers modulo q.
5.2. Registration
This section describes the registration process and protocol
in detail, which illustrates the registration process of
,
, and
with
. All these participants follow protocol
at the time of interaction. The registration process of
with
is described below and
and
’s registration follow the same protocol.
submits its identity
to the
. The
generates a nonce
∈
, and works out
=
,
=
, and
+
. Then, the
sends
to
secretly.
Figure 3 shows the entire registration process of
.
5.2.1. Blockchain-Based Data Sharing (via Chain 1)
During the registration stage through protocol , the generates the hash of the of , , and and encrypt them with the in order to generate a digital signature (). Now, the concats s’ of , and , and its sign which are publicly available. The commits the concated information in the blockchain by calling the smart contract. Algorithm 1 shows the working process of smart contract for registration, where functions and stand for generation of keys and register for writing data into the chain 1. The procedure is described in detail below:
utilize Equation (
1) for generating the
and then (
).
Similarly, generates , and then (), (), respectively. Publicly available information from chain 1 are as follows:
Public key of the entities;
Verifiable digital signatures of the entities;
Sign of the service provider.
Algorithm 1: Working process of smart contract for registration. |
![Symmetry 14 00064 i001]() |
5.2.2. Security Analysis of Protocol
Proposition 1. (Security of Protocol Φ). Protocol Φ in Figure 3 is secured in case of adversaries . Proof of Proposition 1. In Protocol
:
, and
, four entities are involved in three scenario. The actions and processes of all of them are the same. Therefore, one scenario is secured means all of them are secured. This section considers the scenario of
Figure 3. The function is
:
Clearly, none of this information can be used to infer any private data of other participants. Therefore, in case
is a semi-honest adversary, he would not able to infer any private information of other participants from these data. Again, if
is an outsider dishonest adversaries, he might try to take control over the network and try to infer data but that’s not possible as the interactions are happening under the Blockchain network. On the other hand,
is a trusted entity. Lastly, it is important to discuss the security and privacy issues related to the public ledger of chain 1. Therefore, public view, which also can be seen by
:
Now,
,
and
has no security concerns as they are just addresses. Thus, protocol
is secured in presence of semi-honest and dishonest adversaries for
Figure 3. □
5.3. Authentication
This section describes the authentication process and protocol in detail, which illustrates the authentication process of with , and with . All these participants follow protocol at the time of interaction. The authentication process of with is illustrated in this section and others follow the same protocol.
5.3.1. Verification of and Corresponding
This section describes the verification of participants’ (
,
, and
)
, where any participant can identify the corresponding
for any
. Let us consider a scenario where a
attempts to verify the
of an
and identify its corresponding
.
Figure 4 illustrates the entire process.
retrieves
’s
along with
and
from chain 1. It recognizes
from
. It decrypts
with
and gets
, which is generated by
. It generates
as
. It compares
and
, if matches then
is verified with
. All participants use this process to verify the
of other participants in the same process and follow the protocol
.
5.3.2. Authentication between and
This section is described in three phases and shown in
Figure 5.
sends its IoT device ID to
using asymmetric encryption.
- 1.
Phase 1: chooses a nonce , , , . Then the message is sent to .
- 2.
Phase 2: calculates and checks . If true, continues to select and calculates , , , and . Then the message is sent to .
- 3.
Phase 3: calculates , , and checks and . If true, then the two IoT devices of and are the authenticated on the both side.
5.3.3. Blockchain Based Data Sharing (via Chain 2)
During the authentication stage through protocol
, all participants verify the authenticity of other participants’
. In the case of
Figure 5,
generates the hash of the
and commits it in the blockchain by calling the smart contract along with its
. On the other hand,
generates the hash of the
,
and commits it in the blockchain by calling the smart contract along with its
. Algorithm 2 shows the working process of smart contract for authentication, where functions
and
stand for authentication and register for writing data into the chain 2. The procedure is described in detail below:
generates
using (
2)
generates
using (
3)
Again, in the case of the registration process of generates the hash of the and commits it in the blockchain by calling the smart contract along with its . On the other hand, generates the hash of the , and commits it in the blockchain by calling the smart contract along with its . The procedure is described in detail below:
generates
using (
4)
generates
using (
5)
Publicly available information from chain 2 are as follows:
Algorithm 2: Working process of smart contract for authentication. |
![Symmetry 14 00064 i002]() |
5.3.4. Security Analysis of Protocol
Proposition 2. (Security of Protocol Γ). Protocol Γ in Figure 5 is secured in case of adversaries . Proof of Proposition 2. In Protocol
: mainly
and
, three entities are involved in two scenario. The actions and processes for both of them are the same. Therefore, one scenario is secured means another one is also secured. This section considers the scenario of
Figure 5. The function is
:
Here,
can authenticate
by checking
and there are no other available data visible to
from where it can infer further private information. Again, the view of each
is:
can authenticate
by checking
and there are no other available data visible to
from where it can infer further private information. On the other hand, it is important to discuss the view outsider dishonest adversaries
. In ideal case its view is:
In the ideal case
can not infer any information from
,
,
and
as
s’ are addresses and hash values has no backward operations. Considering the threat from the threat model,
has far more ability and visibility than the publicly available data. It is also important to analyze the security of those threats. It is clear that the
are secured by the hash values
and
, respectively. The outcomes needs
or
and
or
to directly or indirectly forge those hash values. These keys’ are private to their respective owners. Again, in the case of Forward Secrecy
breaks and obtains all of the secret keys from
and
such as
and
. However,
failed to infer past session keys as all of them are generated based on the ECDH issue. Since
are not precisely calculable, the forward secrecy is preserved. Again for impersonation attack, if
intends to infer any message at the time of key agreement, it requires
or
. Yet according to the premise of
, it cannot get any of them. Therefore, it will fail to build the entire message. Therefore, this invasion will fail. Lastly, in case of a reply attack, all individuals utilize unexplored random numerals
v and
u every time.
will not be able to crack the ECDH issue depending on (
u,
) or (
,
v), despite any message is being replayed. Thus, protocol
is secured in presence of semi-honest and dishonest adversaries for
Figure 5. □
7. Conclusions
Integration of IoT devices in a centralized nature increases the issue of transaction data privacy and security of the supply chain management system. Therefore, this paper proposed a unified solution with the distributed ledger technology, i.e., Hyperledger fabric, IoT, and elliptic curve cryptography, to protect the transaction data from privacy and security breaches. ECC ensured the lightweight cryptographic operations and authentication of IoT devices. Authenticated IoT scanner guarantees an error-free supply chain transaction enabling the trusted immutable ledger among all participants. Rigorous implementation of the proposed system on the Hyperledger fabric network confirmed that the system works smoothly in a multi-party setup. The result and security analysis prove that the proposed system is robust and secure for real-life applications.
In future research, we want to integrate self-sovereign identity (SSI) with the distributed ledger technology for faster and more reliable peer-to-peer authentication processes for all supply chain entities. The decentralized SSI module will guarantee frictionless supply chain transactions where data privacy and security can also be ensured.