Role and attribute-based access control scheme for decentralized medicine supply chain

The medicine supply chain (MSC) is an intricate structure that extends across multiple organizations and geographic locations and is an important basis for essential daily services. It involves manufacturing, distributing, and delivering medicine to patients. The intermediaries in the MSC include manufacturers, warehouses, distributors, transporters, retailers, consumers, and patients, in which each intermediary plays a vital role and responsibility in an MSC. MSC poses different challenges, such as medicine counterfeiting, data temperament, and cold chain shipping, leading to various security and privacy issues. To overcome the aforementioned issues, public blockchain (BC) provides transparency, traceability, and data security to some extent but often fails to protect MSC's data privacy. To address the aforementioned, we adopted the Hyperledger Fabric consortium BC, which preserves the data security and privacy of the proposed scheme. Hyperledger Fabric uses a role-based access control (RBAC) policy for all writers and readers, where each reader and writer accesses all the smart contract information based on their static roles (reader and writer). This RBAC scheme limits the dynamicity and granularity of the access control. With this concern, we adopt the combination of RBAC and attribute-based access control (ABAC) schemes to provide fine-grained access to the smart contract functions. Additionally, we use a distributed interplanetary file system (IPFS) to enhance the scalability of the proposed scheme. Before saving data, IPFS does not use any encryption algorithm. We embraced the advanced encryption standard (AES) algorithm to encrypt MSC data. Next, we integrated RBAC and fine-grained ABAC through smart contracts to prevent unauthorized access in an MSC environment. Further, the proposed scheme is evaluated using various performance parameters, such as scalability for different number of clients, average latency (0.12 s), minimum execution time is around (115 s) for 100 transactions execution, and throughput of (72.5) transactions per second (TPS) of invoke-based smart contract functions while 618.7 (TPS) for query-based smart contract functions.