An authentication protocol for an industrial automation system is provided. This includes at least one industrial control component that communicates security information across a network. Such networks can be public or private and are employed to communicate the security information including lightweight cryptographic data which is exchanged on the network to authenticate various components of the automation system. At least one protocol component is provided that employs mutual authentication data that is based in part on a private key exchange to facilitate authentication of the industrial control component via the network, where the private key exchange can be a symmetric key exchange. By employing an architecture that is not based substantially on public key exchanges or trusted third parties, the protocol component mitigates protocol attacks.
It is noted that as used in this application, terms such as “component,” “protocol,” “model,” and the like are intended to refer to a computer-related entity, either hardware, a combination of hardware and software, software, or software in execution as applied to an automation system for industrial control. For example, a component may be, but is not limited to being, a process running on a processor, a processor, an object, an executable, a thread of execution, a program and a computer. By way of illustration, both an application running on a server and the server can be components. One or more components may reside within a process and/or thread of execution and a component may be localized on one computer and/or distributed between two or more computers, industrial controllers, and/or modules communicating therewith.
Referring initially to
In general, the protocol component provides a lightweight implementation of cryptographic primitives. The lightweight nature of the protocol component 110 facilitates improved efficiency such as reducing the code base of traditional solutions due in part to reducing communications with a third party or other trusted entities and also minimizes the number of crypto primitives that consume library space. Since communications with a trusted third party are reduced via the protocol component 110, authentication speed across the network 114 can be increased. The lightweight nature of the protocol also enables faster execution speeds and provides more features than other protocols. As will be described in more detail below, the protocol component 110 supports a simplified architecture that can reduce processing requirements of the system 100, for example.
As noted above, the protocol component 110 enables authentication between industrial control components 130 and components 120, to mitigate network protocol attacks, and to facilitate system performance of the components. In one aspect, a cryptographic authentication protocol is provided by the protocol component 110 that employs a mutual authentication scheme based in part on a symmetric key system that generally does not require a public key infrastructure to be present. The protocol is such that it is resistant to commonly known attacks. Additional features are provided that allow the protocol to be used to negotiate private session keys and encryption of subsequent transmissions. In this manner, a cryptographic-based authentication protocol provides a technical barrier to unauthorized applications and devices participating on an industrial automation network 114 that includes controllers, I/O modules, factory devices, computers, servers, clients, and/or other network components.
In general, the protocol component 110 provides strong and mutual authentication processes between components. This includes provisions for session management including signing and encryption. The lightweight nature minimizes the use of cryptographic primitives and generally does not require the use of clocks/calendars in the respective applications or devices. This also includes exportable worldwide functionality. In a Dolev-Yao threat model, for example, the protocol component 110 is generally not subject to replay, man-in-the-middle, hijacking of authentication, or Lowe attacks. Furthermore, security generally does not depend on secrecy of the protocol.
Before proceeding, it is noted that the components 120 can include various computer or network components such as servers, clients, communications modules, mobile computers, wireless components, control components and so forth which are capable of interacting across the network 114. Similarly, the term PLC as used herein can include functionality that can be shared across multiple components, systems, and/or networks 114. For example, one or more PLCs 130 can communicate and cooperate with various network devices across the network 114. This can include substantially any type of control, communications module, computer, I/O device, sensor, or Human Machine Interface (HMI) that communicates via the network 114, which includes control, automation, and/or public networks. The PLC 130 can also communicate to and control various other devices such as Input/Output modules including Analog, Digital, Programmed/Intelligent I/O modules, other programmable controllers, communications modules, sensors, output devices, and the like.
The network 114 can include public networks such as the Internet, Intranets, and automation networks such as Control and Information Protocol (CIP) networks including DeviceNet and ControlNet. Other networks include Ethernet, DH/DH+, Remote I/O, Fieldbus, Modbus, Profibus, wireless networks, serial protocols, and so forth. In addition, the network devices can include various possibilities (hardware and/or software components). These include components such as switches with virtual local area network (VLAN) capability, LANs, WANs, proxies, gateways, routers, firewalls, virtual private network (VPN) devices, servers, clients, computers, configuration tools, monitoring tools, and/or other devices.
Referring now to
Another component of the authentication protocol 200 includes a Random Number Generator 230. The random number generator 230 is generally a complex algorithm that produces a random number. The randomness of the generator has profound effects on the security of the protocol. Programmatically this operation is shown as RNG_X. At 240, a Sequential Number Generator is provided. The sequential number generator 240 can be a simple algorithm that produces the next sequential number from the number generated in the previous call. The sequential number is allowed to wrap to zero and restart when the maximum sequential number is reached. Programmatically this operation is shown as SNG_X.
At 250, a nonce component is provided. The Nonce 250 is a message digest of the SHA-1 hash of a random number, RNG, concatenated with a sequential number, SNG, both of which are generated by the device or application. Programmatically, Nonce_X = SHA-1[RNG_X & SNG_X]. At 260, RSA is provided, which is an asymmetric (public/private key) encryption and decryption standard. The public key of owner X is designated as K_X while the private key of owner X is designated as K_X^-1. A message encrypted with a public key can be decrypted with a matching private key. Similarly, a message encrypted with a private key can be decrypted with a matching public key. Programmatically RSA is shown as: Message2 = RSA[Message1, K_X^-1] where Message1 = RSA[Message2, K_X^-1]. At 270, a digital signature is an RSA encrypted message of the SHA-1 message digest of the message being signed. Programmatically the digital signature for participant X is DSIGN_X = RSA[SHA-1[message], K_X^-1]. It is noted that unless otherwise designated, DSIGN_X can be used to indicate the digital signature of the entire, immediately preceding message.
Turning to
At 640, assuming the preceding acts were validated, Bob allows a Session. In general, Bob validates the digital signature of Alice's message, its data integrity, and that the NAME matches that in Alice's certificate. If not valid at 640, Bob resets the protocol. If valid, Bob decodes Nonce_BOB using K_BOB^-1. If Nonce_BOB as returned by Alice does not match Nonce_BOB as sent by Bob earlier, Bob resets the protocol. If it matches, the mutual authentication is complete and the session may proceed between authenticated entities.
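The nonce construction described earlier (SHA-1 of a random number concatenated with a wrapping sequential number) and Bob's final nonce comparison are sketched below as an added example that is not part of the original text. RSA encryption, signatures and certificate checks are left out; the `NonceSource` class, the 16-byte random value and the 32-bit sequential number are assumptions.

```python
import hashlib
import hmac
import secrets

SNG_MAX = 0xFFFFFFFF  # assumed 32-bit sequential number; the text gives no width


class NonceSource:
    """Nonce = SHA-1[RNG & SNG] for one participant (hypothetical helper)."""

    def __init__(self, start=0, rng=secrets.token_bytes):
        self._sng = start
        self._rng = rng            # injectable so a test can supply a fixed value
        self._outstanding = None   # nonce sent in the current authentication run

    def next_sequential(self):
        # SNG: next number after the previous call, wrapping to zero at the maximum.
        value = self._sng
        self._sng = 0 if self._sng == SNG_MAX else self._sng + 1
        return value

    def issue(self):
        # RNG output concatenated with SNG output, hashed with SHA-1 as the text specifies.
        material = self._rng(16) + self.next_sequential().to_bytes(4, "big")
        self._outstanding = hashlib.sha1(material).digest()
        return self._outstanding

    def accept(self, returned):
        # Bob's last check: the nonce returned by Alice must equal the one Bob sent.
        # Every outcome clears the stored nonce, so a value is usable once and a
        # mismatch forces a fresh run (the "reset" in the text).
        expected, self._outstanding = self._outstanding, None
        return expected is not None and hmac.compare_digest(expected, returned)


def demo():
    bob = NonceSource(start=SNG_MAX)
    n1 = bob.issue()          # uses SNG = maximum, counter then wraps to 0
    ok = bob.accept(n1)       # Alice returns the right nonce
    replay = bob.accept(n1)   # same value presented again: rejected
    n2 = bob.issue()          # uses SNG = 0 after the wrap
    stale = bob.accept(n1)    # nonce from the earlier run: rejected
    return ok, replay, stale, n1 != n2, len(n1)


if __name__ == "__main__":
    print(demo())
```

Because the sequential number changes on every call, two nonces differ even if the random number generator were to repeat a value before the counter wraps.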
Now turning to
At 830, inclusion of an Authentication Phase may be provided. The possibility of having authentication steps out of phase between entities such as applications or devices such as Alice and Bob in these examples may be reduced by including a unique authentication phase in each exchange by concatenating it after the NAME field. At 840, invalid attempt entropy may be provided. Security can be enhanced if Bob logs invalid certificates from Alice (and vice versa) and begins to geometrically lengthen time between retries. This will spoil attempts at spoofing certificates. Care should be exercised to prevent this from being used as a denial of service attack. At 850, certificate form versioning can be provided. In this case, the protocol may include a certificate version number in the body of the certificate to allow different decoding methods as requirements or circumstances dictate. This could also be used if the CA private key is compromised. At 860, a certificate form can be created that is a revocation certificate. This would require devices participating in the architecture to issue all known revocation certificates at the start of a session authentication. Thus, the devices register their own revocation certificates as well as those transmitted by others and then reject certificates that match the revoked list.
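One way to implement the geometrically lengthening retry delay from 840 while limiting its use for denial of service is sketched below as an added example, not code from the original text. The `InvalidAttemptGate` class and the base, factor, cap and table-size values are assumptions; the text names none of them.

```python
class InvalidAttemptGate:
    """Per-peer geometric retry delay after invalid certificates (hypothetical helper)."""

    def __init__(self, base=1.0, factor=2.0, cap=300.0, max_peers=1024):
        self.base, self.factor, self.cap, self.max_peers = base, factor, cap, max_peers
        self._state = {}  # peer id -> (failure count, time the next attempt is allowed)

    def delay_for(self, failures):
        # base, base*factor, base*factor^2, ... bounded by cap, so a peer whose
        # name is being spoofed is slowed down but never locked out indefinitely.
        return min(self.cap, self.base * self.factor ** (failures - 1))

    def allowed(self, peer, now):
        return now >= self._state.get(peer, (0, 0.0))[1]

    def record_invalid(self, peer, now):
        failures = self._state.get(peer, (0, 0.0))[0] + 1
        if peer not in self._state and len(self._state) >= self.max_peers:
            # Bounded table: drop the entry that unlocks soonest instead of growing
            # without limit when many bogus peer names are presented.
            soonest = min(self._state, key=lambda p: self._state[p][1])
            del self._state[soonest]
        delay = self.delay_for(failures)
        self._state[peer] = (failures, now + delay)
        return delay

    def record_valid(self, peer):
        # A successful authentication clears the penalty for that peer only.
        self._state.pop(peer, None)


def demo():
    gate = InvalidAttemptGate(base=1.0, factor=2.0, cap=8.0)
    t, delays = 0.0, []
    for _ in range(5):                       # five invalid certificates in a row
        d = gate.record_invalid("alice", t)
        delays.append(d)
        t += d                               # retry exactly when allowed again
    blocked = gate.allowed("alice", t - 0.5)
    other_ok = gate.allowed("carol", 0.0)    # other peers are unaffected
    gate.record_valid("alice")
    return delays, blocked, other_ok, gate.allowed("alice", 0.0)


if __name__ == "__main__":
    print(demo())
```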
Referring to
It is noted that the above authentication protocols can be processed on various types of computing devices and resources, where some of these devices may be associated with an industrial control component and other devices associated with standalone or networked computing devices. Thus, computers can be provided to execute the above protocols that include a processing unit, a system memory, and a system bus, for example. The system bus couples system components including, but not limited to, the system memory to the processing unit that can be any of various available processors. Dual microprocessors and other multiprocessor architectures also can be employed as the processing unit.
The system bus can be any of several types of bus structure(s) including the memory bus or memory controller, a peripheral bus or external bus, and/or a local bus using any variety of available bus architectures including, but not limited to, 11-bit bus, Industrial Standard Architecture (ISA), Micro-Channel Architecture (MSA), Extended ISA (EISA), Intelligent Drive Electronics (IDE), VESA Local Bus (VLB), Peripheral Component Interconnect (PCI), Universal Serial Bus (USB), Advanced Graphics Port (AGP), Personal Computer Memory Card International Association bus (PCMCIA), and Small Computer Systems Interface (SCSI).
The system memory includes volatile memory and nonvolatile memory. The basic input/output system (BIOS), containing the basic routines to transfer information between elements within the computer, such as during start-up, is stored in nonvolatile memory. By way of illustration, and not limitation, nonvolatile memory can include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable ROM (EEPROM), or flash memory. Volatile memory includes random access memory (RAM), which acts as external cache memory. By way of illustration and not limitation, RAM is available in many forms such as synchronous RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), and direct Rambus RAM (DRRAM). Computing devices also include removable/non-removable, volatile/non-volatile computer storage media.
It is to be appreciated that software components can be provided that act as an intermediary between users and the basic computer resources described in a suitable operating environment. Such software includes an operating system, which can be stored on disk storage and acts to control and allocate resources of the computer system. System applications take advantage of the management of resources by the operating system through program modules and program data stored either in system memory or on disk storage. It is to be appreciated that the present invention can be implemented with various operating systems or combinations of operating systems or shared with control systems.
Computers can operate in a networked environment using logical connections to one or more remote computers, such as remote computer(s). The remote computer(s) can be a personal computer, a server, a router, a network PC, a workstation, a microprocessor based appliance, a peer device or other common network node and the like, and typically includes many or all of the elements described relative to computer. Remote computers can be logically connected through a network interface and then physically connected via communication connection. Network interfaces encompass communication networks such as local-area networks (LAN) and wide-area networks (WAN). LAN technologies include Fiber Distributed Data Interface (FDDI), Copper Distributed Data Interface (CDDI), Ethernet/IEEE 1102.3, Token Ring/IEEE 1102.5 and the like. WAN technologies include, but are not limited to, point-to-point links, circuit switching networks like Integrated Services Digital Networks (ISDN) and variations thereon, packet switching networks, and Digital Subscriber Lines (DSL), and wireless networks.
The systems described above employing the authentication protocols can include one or more client(s). The client(s) can be hardware and/or software (e.g., threads, processes, computing/control devices). The systems can also include one or more server(s). The server(s) can also be hardware and/or software (e.g., threads, processes, computing/control devices). The servers can house threads to perform transformations by employing the authentication protocol, for example. One possible communication between a client and a server may be in the form of a data packet adapted to be transmitted between two or more computer processes.
What has been described above includes various exemplary aspects. It is, of course, not possible to describe every conceivable combination of components or methodologies for purposes of describing these aspects, but one of ordinary skill in the art may recognize that many further combinations and permutations are possible. Accordingly, the aspects described herein are intended to embrace all such alterations, modifications and variations that fall within the spirit and scope of the appended claims. Furthermore, to the extent that the term “includes” is used in either the detailed description or the claims, such term is intended to be inclusive in a manner similar to the term “comprising” as “comprising” is interpreted when employed as a transitional word in a claim.