Professional Documents
Culture Documents
Tencon 2006 344134
Tencon 2006 344134
OV
>i ia 11I so that spoofed acks can be counteracted. In the
final phase, KD redirects this received k-ack
back to the master M. Once again, there is the
similar restriction that prevents a particular
master from making key proposal for more than
one Field level device. Hence, the k-ack need
not include the identifier of the Field device.
Although these restrictions appear to be
stringent, they serve to improve performance by
reducing the need for transmitting encrypted
acknowledgments during key exchange.
Fig 2. The presence of the Key
Distributor at the highest level The outline of the key exchange protocol is seen
below.
Key Exchange
* M 4 KD: Ekmkd(IDM ID F km,fd
Now that the initial configuration has been TS1)- (1)
put in place, the KD can securely exchange
messages with other devices in its level and also
* KD: Verify the key
the Field level devices (usually PLCs). This * KD - FD: Ekfd,kd(IDM km,fd TS2
secure channel is made use to facilitate key TS1) note TS, from (1)
exchange between Master and slave devices so
that they can proceed to communicate directly. * FD stores the key in its DB
The actual key exchange occurs as follows.
* FD - KD: k-ack
(Note: Only one Master Device can enter Key acquisition
The Master (M) starts off by sending an phase with a FD, at a time)
encrypted message to KD (encrypted by the key
km,kd shared between M and KD) that includes * KD - M: k-ack
(Note: Any Master can acquire key to one field device at a
the master's identity (optional - depending upon time)
underlying communication protocol), the * M stores the key in its DB
identifier of the Field device (F, usually the PLC,
terms used interchangeably) with which it wants
to communicate, a newly generated 56-bit key Once Key Exchange is completed, both
km fd for communication with F and a Time parties can directly exchange encrypted
stamp TS1. KD then proceeds to verify the key information over the network. It is advisable to
include timestamps in each message before
encryption so that replay attacks are not possible. undesirable load upon the Field level
In addition to timestamps, the messages should microcontrollers. A better alternative is to go for
be appended with a hash (or CRC) prior to Key Refresh.
encryption. This will ensure that no attacker is
able to transmit well-furnished junk packets in The Master Time Frame (MTF)
an attempt to confuse the communicating parties.
However, it is not advisable to allow the
Key Refresh (KR) Master to infinitely refresh the key without the
intervention of the Key Distributor. In case an
One well-known use of time stamped eavesdropper manages to crack a particular key,
messages is guarding against packet replay he can very well keep track of all KR messages
attacks. But in this case the timestamp also helps and deduce the updated keys. To get over this
to thwart Known Text & Cipher Attacks problem, a Master Time Frame (MTF) is preset,
(KTCA) and other key guessing schemes. A once again beginning from TS1. At the end of
KTCA is possible if the attacker has knowledge this time interval, the shared key is abandoned
of both the plain text and the corresponding and rendered invalid by both parties. Now, the
encrypted version (in pairs). An obvious Master has to once again go through the key
vulnerability of Fieldbus networks is that control exchange protocol by contacting the KD, and
messages from the supervisory levels are very propose a new key.
much recurrent. Thus, if the attacker knows the
command likely to be frequented by a particular Security at the Field level
master, he can deduce its corresponding
ciphertext simply by a frequency analysis. To
guard against this type of attack, the protocol At the Field Level, the individual field
mandates Key Refresh (KR) operation at fixed devices are equipped with the TMSC50 and
time intervals, beginning from time TS1. This is C240 to run the DES cipher. In case of a Multi-
the significance of forwarding TS1 to F. Both the Master configuration, with more than one PLC
communicating parties (M and F) start a counter connected to a bus, the same protocol can be
from the value of TS1 This interval should be operated, with each node acting as the local Key
large enough for the key exchange protocol to Distributor for itself
finish and small enough to avoid KTCA attacks.
The Key Refresh(KR) operation occurs as Conclusion
highlighted below.
The TMS C240 is present embedded in many
Key Refresh (KR): of the state-of-art field devices such as motorized
control valves and sensors. Hence, it is easier to
implement the SecFB protocol without the need
* M - FD: Ekm,fd(IDM new km,fd)
for additional hardware. SecFB is highly
* FD - M: ack customizable and can run over any of the
existing commercial protocols such as the
Here, the Master chooses a new key and Profibus. It was tested with the Simple FieldBus
transmits it to the Field device, encrypted by the Protocol (SFBP) [2] stack as the underlying
old key. The Field device, upon receipt of the platform.
new key, updates its database and fires back an
acknowledgment. From here on, all future
communication must use the new key. References:
[1] Data Encryption Standard (DES) Implementation
on the TMS320C6000, Internet Whitepaper
NOTE: If we include timestamps with every
recurring control message, it is possible that the [2] Claudio Ghiotto and Paolo Marchetto, "Simple
encrypted versions will differ from one another. Field Bus Protocol"©) Softmedia 2003, HEXEL
However, there is the difficulty of packing the Electronic Lab
entire packet (control msg + timestamp) into one
DES block of 64 bits. To get over this, DES can
be operated in chaining or feedback mode so
that adjacent blocks influence each other during
encryption. This however, levies an additional