Patent Application
20210144016
The invention relates to a method for carrying out permission-dependent communication between at least one field device of automation technology and an operating device, wherein the field device and the operating device are connected to one another via a communication link and wherein the field device has an electronic field device identifier.
Field devices in automation technology are usually various sensors or actuators that are installed “in the field”, i.e. in a technical process, where they receive measured values, output control variables or act as actuators to actively influence the process. Such field devices are thus in direct contact with a technical process, for example in a production plant. Field devices of the type mentioned here are used, for example, to measure flow rates, pressures, temperatures, pH values and other process-relevant variables or to influence the process, for example by triggering control valves.
The field devices under consideration here can be connected to an operating device via a communication link. The operating device can then be used to receive data from the field device or to influence the field device, for example by transmitting certain parameters to the field device or by enabling and/or configuring functionalities in the field device.
For various reasons, it may be desired that a certain operating device should not contact a connected field device or may only enter into communication with the field device to a certain extent. For example, the field device must meet certain safety-related requirements and therefore requires reliable protection. However, it is also possible that only certain functionalities of the field device are intended for access by an operator interface, for example by purchasing certain function blocks. For example, the operating device can be an external device with a so-called Device Type Manager (DTM).
A solution known from the state of the art for an operating device or a software component operated on the operating device only being able to enter into a communication link with a certain connected field device in a certain way consists, for example, in that the operating device is designed device-specifically and thus can only enter into a communication link with certain field devices in a certain way. The access possibility of the respective operating device to certain field devices is compiled directly into the software equipment of the operating device. Other solutions require that the operating device must be connected to a license server at runtime in order to query certain authorizations. Both solutions are complex, since in the first case an individual software must be generated for the operating device and in the second case a connection to a license server must be established.
The object of the present invention is to find the simplest possible solution for allowing an operating device to enter into a communication link with a field device in communication link only within a certain scope of permission.
In the method described above for carrying out permission-dependent communication between the field device and the operating device, the previously derived and described object is achieved in that, if the operating device has permission from a permission provider to communicate with the field device, cryptographic verification data that is dependent on the field device identifier is stored on the operating device, and the operating device receives the field device identifier from the field device in preparation for communication with the field device, in that it is checked in a cryptographic comparison step whether the verification date uniquely depends on the field device identifier that the operating device received from the field device, and that if the verification datum uniquely depends on the field device identifier that the operating device received from the field device, the operating device communicates with the field device, otherwise it does not communicate with the field device.
The permission provider can be, for example, the manufacturer of the operating device and/or the field device who wants to ensure that the operating device can only be operated in connection with certain field devices or that a certain software component of the operating device can be operated in connection with certain field devices.
A correlation between the operating device and its access to the field device is achieved by storing a cryptographic verification datum on the operating device that depends on the field device identifier. The field device identifier can, for example, consist of a serial number or a unique identifier of the field device in the installed process. A cryptographic verification datum refers to information that has been processed using encryption—i.e. cryptographic.
If the field device and the operating device are connected to each other or will be connected to each other via a communication link, the operating device first receives its field device identifier from the field device. In the cryptographic comparison step, encryption methods are then used to check whether the verification datum uniquely depends on the field device identifier, i.e. on the field device identifier that the operating device received from the field device. It is not necessary to recognize whether the field device identifier is contained in the verification datum in plain text, because it does not have to be in plain text. What is also meant, is that the verification datum can be determined indirectly, i.e. by using the field device identifier, and thus it is recognized whether the received field device identifier is contained in the verification datum in any way also cryptographically concealed. If it is determined in this sense that the verification datum is unambiguously dependent on the field device identifier, i.e. on the field device identifier that the operating device received from the field device, i.e. the comparison step is positive, it is decided in the operating device that it can communicate with the field device; if the cryptographic comparison step is negative, the operating device or the affected software component on the operating device cannot communicate with the field device. Based on the result of the cryptographic comparison step, the operating device decides whether it can communicate with the connected field device or not. However, this is completely sufficient for many applications in industrial practice.
If the operating device has no permission to communicate with the field device, it is of course still possible that a cryptographic verification datum is stored on the operating device, but this is not dependent on the corresponding field device identifier. In this case, the cryptographic comparison step can still be carried out, but it will then have a negative result so that the operating device cannot communicate with the field device.
According to a preferred design of the method, it is provided that a first license key with a cryptographic license algorithm is calculated as verification datum depending on the field device identifier and depending on a secret key. This calculation can be done, for example, on a license server on which it is known which field device with which field device identifier is to be accessible by an operating device via a communication link. The secret key is usually known to the permission provider, in particular the manufacturer of the operating device and/or the manufacturer of a communication software to be executed on the operating device for communication with the field device.
In a preferred design of the above-mentioned method, it is provided that the cryptographic license algorithm performs the calculation of a hash value from a combination of the field device identifier and the secret key.
According to a further development of the method, the secret key is stored on the operating device. This can be done in plain text, but especially protected, for example in the compiled communication software of the operating device or in another encrypted form.
In a further development of the method, a second license key with the cryptographic license algorithm is calculated in the cryptographic comparison step depending on the field device identifier received from the field device and depending on the secret key stored on the operating device. In order to prove whether the verification datum uniquely depends on the field device identifier that the operating device received from the field device, it is then checked whether the first license key matches the second license key.
Preferably, the calculation of the second license key is performed on the operating device. Alternatively, the calculation can also be performed on a computer connected to the operating device.
The design example shows that the required unambiguous dependence of the verification datum on the field device identifier that the operating device received from the field device does not necessarily mean that the field device identifier is “contained” in the verification datum, in the sense that the field device identifier must be obtainable in plain text from the verification datum. The calculation of a hash value depending on a field device identifier is a suitable means to prove that the verification datum unambiguously depends on the field device identifier, i.e. on the field device identifier the operating device received from the field device.
According to an alternative design of the method, i.e., as an alternative to the use of a secret key, it is provided that a digital certificate is created as the verification datum, wherein the digital certificate comprises, in a first certificate part, a public cryptographic key of the permission provider as well as the at least one field device identifier of those field devices for which the operating device received or is to receive permission to communicate. In a second certificate part, the digital certificate comprises a digital signature calculated from the first certificate part, wherein the digital signature is calculated with a private cryptographic certificate key of an asymmetric cryptographic certificate key pair.
While the first design of the method based on a private key is essentially suitable for assignment of an operating device to a single field device or a software component on an operating device to a single field device, the certificate solution now being discussed is also suitable for assignment to several field devices.
The digital certificate can preferably also be issued by the permission provider, i.e. in particular by the manufacturer of the operating device and/or the manufacturer of a communication software to be executed on the operating device for communication with the field device. However, this is not necessary. Alternatively, the digital certificate can also be created by a Certification Authority (CA) different from the permission provider, as is known from certificates in the field of internet communication, for example.
In a further development of the certificate-based method, it is provided that in the cryptographic comparison step on the operating device, the at least one field device identifier contained in the digital certificate is determined and the at least one determined field device identifier is compared with the at least one field device identifier obtained from the field device. If the field device identifiers match, proof is provided that the verification datum depends in an unambiguous manner on the field device identifier. In this case, the operating device can communicate with the connected field device.
In this context, a particularly preferred design of the method provides that the public certificate key of the asymmetric cryptographic certificate key pair is transmitted to the operating device and the integrity of the certificate is verified with the public certificate key on the operating device. If the verification result is negative, communication between the operating device or the software component of the operating device and the connected field device is barred and/or, if the verification result is negative, corruption of the certificate is displayed and/or reported further.
In detail, there is now a plurality of possibilities for designing the method according to the invention for carrying out permission-dependent communication between at least one field device of automation technology and an operating device. Corresponding further developments are described in the following on the basis of illustrated embodiments.
All three figures show a method 1 for carrying out a permission-dependent communication 2 between at least one field device 3 of automation technology and an operating device 4. The field device 3 and the operating device 4 are connected via a communication link 5. The communication link 5 can be a wired connection, but it can also be implemented via a radio interface. It can be a standardized interface, but also a connection using, for example, a manufacturer-specific, proprietary device interface; this is not important here. In any case, the field device 3 has an electronic field device identifier IDF. Such field device identifiers can be issued, for example, by the manufacturer; alternatively or additionally, unique field device identifiers IDF can also be defined by the user of the field device; this is not important here either.
With the described methods 1, it should be possible to implement a permission-dependent communication 2 between the field device 3 and the operating device 4 with very simple means, e.g., without a connection to a license server being necessary or without the operating device 4 and/or the field device 3 having to be operated with device-specific software.
Common to all described methods 1 is that in the case that operating device 4 has or is to receive permission from a permission provider 6 to communicate with the field device 3, a cryptographic verification datum VDL dependent on the field device identifier IDF_L is stored on the operating device 4. The field device identifier is referred to here as “IDF_L” and not only as “IDF” to distinguish where the field device identifier is present. The field device identifier IDF is located on the field device 3 itself in the embodiments. The field device identifier IDF_L, on the other hand, is the field device identifier that is present, for example, on the permission provider 6. If IDF and IDF_L match, communication between the field device 3 and the operating device 4 should be established, otherwise it should not. In any case, the cryptographic verification datum VDL is such that it is the bearer of the permission for communication. Furthermore, it is provided that the operating device 4 receives the field device identifier IDF from the field device 3 in preparation for communication with the field device 3. In a cryptographic comparison step 9, it is checked whether the verification datum VDL clearly depends on the field device identifier IDF that the operating device 4 received from the field device 3. The cryptographic comparison step 9 is carried out in all embodiments on the operating device 4. In case the verification datum VDL depends in a unique way on the field device identifier IDF, the operating device 4 can communicate with the field device 3, otherwise it cannot communicate with the field device 3. The internal verification on the operating device 4 therefore determines whether the operating device 4 or a software component operated on the operating device 4 can use the communication link 5 to communicate with the field device 3.
That the cryptographic verification datum VDL depends on a field device identifier is indicated in
In all representations, the cryptographic comparison step 9 takes place on the operating device 4 and is represented there as a hashtag. In
The embodiment in
In the embodiment shown in
In the case of the method 1 shown in
In practice, it is the case that the secret key KEY and the verification datum VDL are transmitted to the operating device 4 at different times. The secret key KEY is preferably stored such that it cannot be changed (or can only be changed with “factory privileges”) during production or during manufacture when the device is “christened”, while the verification datum VDL is preferably stored such that it can be changed in the operating device 4 after commissioning of the operating device 4 in the field or during customer-specific provisioning of the operating device 4 in the factory.
The embodiment of the method 1 shown in
In the cryptographic comparison step 9, the at least one field device identifier IDF_L contained in the digital certificate ZERT is determined 10 on the operating device 4. In the present case, two field device identifiers are contained in the digital certificate ZERT, namely the field device identifiers IDF_L1 and IDF_L2. The determined field device identifiers IDF_L1, IDF_L2 are compared with the field device identifiers IDF1, IDF2 obtained from field device 3. If the field device identifiers IDF1, IDF2, IDF_L1, IDF_L2 match, proof is provided that the respective field device identifiers IDF1, IDF2 received by the operating device 3 are contained in the verification datum VDL and insofar the verification datum VDL depends in an unambiguous way on the field device identifier IDF. Accordingly, the communication between the operating device 4 and the field device 3 or the field devices 3 is enabled or disabled.
In
In practice, it is the case that the public key PUBZ—like the secret key KEY in
| Number | Date | Country | Kind |
|---|---|---|---|
| 10 2019 130 067.3 | Nov 2019 | DE | national |
