EP4406188A1 - Certificate management method for heterogeneous installations, computer system and computer program product - Google Patents
Info
- Publication number
- EP4406188A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- certificate
- component
- directory
- information
- profile
- Prior art date
- Legal status
- Pending
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
          - H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
            - H04L9/3268—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
          - H04L63/062—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
          - H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
        - H04L63/12—Applying verification of the received information
          - H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
        - H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
          - H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
      - H04L67/00—Network arrangements or protocols for supporting network services or applications
        - H04L67/01—Protocols
          - H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
        - H04L67/2866—Architectures; Arrangements
          - H04L67/30—Profiles
            - H04L67/303—Terminal profiles
Definitions
- Adequate protection will mostly include encryption and/or authentication of the transmitted data.
- Appropriate encryption and authentication mechanisms are usually part of secure communication protocols (such as TLS, OPC UA).
- secure communication protocols such as TLS, OPC UA.
- the use of secure communication protocols requires that the communication participants have up-to-date digital certificates.
- PKI public key infrastructure
- the application for missing certificates and the revocation of certificates that are no longer required is usually carried out via a Registration Authority (RA), which plays the role of an intelligent gateway.
- the Registration Authority RA checks whether the incoming certificate and/or revocation applications are correct and whether they come from legitimate, trustworthy system components - i.e. depending on the present certificate management scenario (such as "bootstrapping", i.e.
- if the Registration Authority RA, when examining an application, determines that the application is incorrect or that the applicant is not directly known to it and has submitted its application via an untrustworthy LRA, it rejects the application, so that the respective applicant does not receive the requested certificates and/or its revocation application is not forwarded to the responsible Certification Authority CA.
- the system components can, for example, be included in the directory / inventory manually by a user (who has checked their trustworthiness in a certain way) by the user filling out an input mask manually or with the help of a script
- some information in the mask is usually optional (see, for example, the four lower lines), while other information (in particular the device name, the manufacturer name and the device identifier) is binding, because it is required for the unambiguous identification of the system components.
- system components can be automatically included in the directory/inventory of the system after a successful originality check (proof of originality), for example as part of provisioning.
- the directory/inventory can be represented by a component integrated into the Registration Authority RA or by a dedicated component such as a list or a database.
- the directory/inventory entry corresponding to a plant component usually contains the following components, for example:
- Device ID e.g. the serial number of the system component or a Product Instance URI, Uniform Resource Identifier
- LRA Local Registration Authority
- the directory/inventory created/structured in the manner described is used in the system context, among other things, by the Registration Authority RA when validating the incoming certificate and revocation applications.
- the Registration Authority RA checks whether the incoming certificate application comes from a component that is already included in the directory / inventory and has therefore already been checked in an adequate manner and may apply for certificates in the context of the system, 302.
- the Registration Authority RA validates the signature of the certificate application using the Signing Certificate used for signing, the role of which in the CDC application is usually played by the associated Manufacturer Device Certificate, MDC.
- the Registration Authority RA takes into account in particular the so-called device ID, which is contained both in the corresponding directory / inventory entry and in the certificate application and in the certificate used to sign the application (e.g. the Manufacturer Device Certificate, MDC), which is also included in the directory / inventory entry.
- MDC Manufacturer Device Certificate
- the validation fails, 311. Otherwise, 305, the inventory entry with the serial number contained in the certificate application / signing certificate is searched for, 306. The validation is successful, 310, if the corresponding entry was found, 308. Otherwise, 309, the validation has also failed.
- the signing certificate e.g. MDC
- the problem on which the present invention is based is due to the fact that there are currently several or different manufacturer and protocol-specific specifications or definitions with regard to the device ID.
- the serial number of the devices should assume this role.
- the serial number of the devices for some manufacturers e.g. Siemens
- MLFB machine-readable product designation
- for such devices the requirement arises to link or concatenate the serial number of the respective device with the MLFB (machine-readable product designation) of the device, so that a unique device number / device ID results.
- the OPC UA Specification, Part 21, which only applies to OPC UA devices, requires that the "Product Instance URI" should be viewed as a unique device number / device ID.
- the problem on which the present invention is based is that in a heterogeneous system, due to the various (possibly also dynamically changing) specifications and definitions regarding the device number Device ID, no uniform sequence for validating certificate applications can be defined.
- the process illustrated in FIG. 3 applies only to devices/manufacturers that use the serial number of the devices as the device ID, whereby it is read out from the so-called "Subject" of the certificate.
- the process would have to be adapted in principle so that, instead of the serial number contained in the "Subject", the Product Instance URI contained under "SAN" is used as the device ID.
- as long as the Product Instance URI is not yet evaluated, the serial number, the serial number linked to the MLFB or a device ID formed in a different way is also used for the OPC UA devices.
- the corresponding specifications and definitions can change dynamically, either fully automatically and/or under the influence of the user (for example through corresponding manual entries).
- the method according to the invention offers certificate management for heterogeneous systems, the system consisting of at least two components and a certificate management system storing information about the components in a directory.
- the certificate management receives from each component an application for a certificate for operation and/or communication and, after examining the application, decides whether this certificate can be issued or confirmed, the examination depending on the respective component-specific rules based on the information available about the component in the directory. Additional information about a device profile is stored in the directory which, in each case, specifies a valid check rule for the component to be checked, on the basis of which the check is carried out or a suitable certificate is generated.
- Figure 1 a certificate management system with internal inventory
- FIG. 1 shows a system for certificate management, with a certificate authority CA hierarchy 109, which contains a root CA 1091 and issuing CAs 1092, 1093, 1094.
- the device 101 makes a certificate request (Certificate Request) 1011 to this Registration Authority RA and expects a suitable response as a response Certificate 1012.
- the idea of the present invention consists in supplementing the configuration of the Registration Authority RA, or of the entity that takes over its tasks in an industrial plant, with (dynamically) configurable new check rules, Device ID Profiles, and, when a plant component is included in the directory / inventory:
- this component is either assigned a new, already configured check rule, Device ID Profile, fully automatically (e.g. based on a rule preconfigured for the type of component) or manually by the responsible user (based on a decision/specification according to which the user acts).
- Device ID profile can be configured dynamically.
- the idea of the present invention consists in the device ID profile, preconfigured (as described above) or dynamically configured at runtime (based on user input), being taken into account when validating the certificate applications.
- the Registration Authority RA uses the new check rule Device ID Profile assigned to this system component to determine at which point (or in which column of the table illustrated as an example above) it has to search for the device ID in the directory / inventory and how the device ID can be composed of several components (e.g.
- the problem described is solved by enabling the Registration Authority RA to handle different new checking rules for device IDs when validating the certificate entries in a heterogeneous industrial installation.
- the configuration of the Registration Authority RA is expanded by the new checking rule Device ID Profile.
- This can be configured, for example, via a template or directly in a JSON or XML file.
- the rules are defined for each new Device ID Profile check rule
- the assignment rules and device ID rules can be changed dynamically at any time. It is also possible at any time to dynamically assign a different Device ID profile to a system component, either automatically (e.g. as part of provisioning) or manually (e.g. by the user). For example, a system component currently supports OPC UA, but not (yet) OPC UA Specification Part 21 and the Product Instance URI defined in that part.
- this system component can currently use the device ID profile "Siemens SIMATIC CPU Device ID" or "IEEE 802.1AR Device ID", for example.
- the device ID profile "OPC UA Part 21 Device ID" can later be assigned to the system component.
- the directory/inventory of the system is expanded by an additional column "Device ID Profile", which specifies the new test rule.
- the contents of the column can either be changeable by the authorized user or not changeable ("Read Only"). See the exemplary representation in the following table, which shows an example of a directory / inventory expanded by the display and assignment of the device ID profile, based on the table above.
- the Registration Authority RA takes into account the device ID profiles explained above when validating the certificate applications, whereby it first uses the assignment rules introduced above to check whether a corresponding profile has already been configured. If such a profile already exists, the Registration Authority RA uses this profile immediately to determine/compose the device ID. Otherwise, the user is prompted to answer the question of which Device ID profile to use or how the Device ID should be determined or composed. This procedure is also shown in detail in the flowchart in FIG. To do this, the user can receive suggestions from the Registration Authority RA.
- machine learning/AI methods can be used in order to draw conclusions about the existing test rules/device ID profiles or those to be newly created from individual decisions/entries by the responsible user.
- the directory/inventory created/structured in the manner described is used in the system context, among other things, by the Registration Authority RA when validating the incoming certificate and revocation applications.
- the Registration Authority RA, when the customer certificate is initially applied for, signed with a signing certificate, e.g.
- the Registration Authority RA checks whether the incoming certificate application comes from a component that is already contained in the directory / inventory, which has therefore already been checked in an adequate manner and is allowed to apply for certificates in the context of the system, 302.
- the Registration Authority RA validates the signature of the certificate application using the Signing Certificate used for signing, the role of which in the CDC application is usually played by the associated Manufacturer Device Certificate, MDC.
- the Registration Authority RA takes into account in particular the so-called device ID, which is contained both in the corresponding directory / inventory entry and in the certificate application and in the certificate used to sign the application (e.g. the Manufacturer Device Certificate, MDC), which is also included in the directory / inventory entry.
- if the certificate request does not match the signing certificate (e.g. MDC), 304, then the validation has failed, 311. To this extent, the process still corresponds to the procedure described in FIG.
- at 305 it is checked on the basis of the existing assignments (e.g. using device name and manufacturer) whether a device ID profile is already configured for this combination, 401. If a suitable device ID profile is found (device ID profile X), 402, 403, the device ID is determined in the certificate application / signing certificate according to the determined device ID profile X, 408.
- the inventory entry is searched for with the determined device ID, 409.
- the validation is successful if the corresponding entry was found, 307, 308. Otherwise, 309, the validation failed.
- a suitable profile can be determined or a new profile can be created, 405, via user input, 406.
- this user input is then assigned to an existing or newly created Device ID profile, possibly only after a certain number of entries or with the help of machine learning / AI, 407. As soon as the new profile has been created in this way, it can be saved back to the inventory.
- the procedure described makes it possible for the Registration Authority RA in a heterogeneous system to validate all incoming certificate applications, despite the different (possibly dynamically changing) specifications/definitions with regard to the device ID for system components that can come from different manufacturers.
- the certificate profiles introduced for this purpose can be static / preconfigurable and / or dynamically configurable at runtime - based on user inputs/decisions and ML/AI methods.
- the Registration Authority RA can always be dynamically expanded with new assignment rules and check rules / device ID profiles, so that it is always able to validate certificate applications without the Registration Authority RA software having to be laboriously expanded with new case distinctions ("if ... then") to handle exceptions.
- the proposed method makes a significant contribution to meeting the PKI-related requirements of IEC 62443 and thus also to better interoperability and usability, because all system components of a heterogeneous (possibly brownfield) system can now be integrated into the certificate management. Only the appropriate device ID profiles need to be available or configured dynamically.
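The FIG. 4 flow described above, as an added example that is not taken from the patent: a Python sketch of an RA that resolves the device ID profile for a requesting component (inventory column first, then assignment rules), composes the device ID from the signing certificate according to that profile, and looks the entry up in the inventory. The profiles' field layout, the inventory entries, the certificates and the signature check are constructed stand-ins (a real RA verifies the X.509 signature with the signing certificate's public key).

```python
import hashlib
import json

# Device ID profiles (check rules): where the RA reads the device ID in the
# signing certificate and from which parts it is composed. The profile names
# follow the text; the field layout is an assumption of this example.
DEVICE_ID_PROFILES = {
    "Siemens SIMATIC CPU Device ID": {          # serial number linked with the MLFB
        "source": "subject", "fields": ["serialNumber", "MLFB"], "sep": "-"},
    "IEEE 802.1AR Device ID": {                 # serial number from the Subject
        "source": "subject", "fields": ["serialNumber"], "sep": ""},
    "OPC UA Part 21 Device ID": {               # Product Instance URI from the SAN
        "source": "san", "fields": ["uniformResourceIdentifier"], "sep": ""},
}

# Assignment rules: (manufacturer, device type) -> profile. Constructed.
ASSIGNMENT_RULES = {
    ("Siemens AG", "SIMATIC S7-1500"): "Siemens SIMATIC CPU Device ID",
    ("ExampleCorp", "OPC UA Sensor"): "OPC UA Part 21 Device ID",
}

# Directory / inventory, extended by the "Device ID Profile" column. Constructed.
INVENTORY = [
    {"name": "SIMATIC S7-1500CPU1", "manufacturer": "Siemens AG",
     "device_type": "SIMATIC S7-1500", "device_id": "SN-EXAMPLE-01-6ES7-EXAMPLE-MLFB",
     "device_id_profile": None},                  # profile comes from the assignment rule
    {"name": "OPC-Sensor-7", "manufacturer": "ExampleCorp",
     "device_type": "OPC UA Sensor", "device_id": "urn:examplecorp.example:sensor:0007",
     "device_id_profile": "OPC UA Part 21 Device ID"},
    {"name": "Gateway-2", "manufacturer": "OtherVendor",
     "device_type": "Edge Gateway", "device_id": "GW-0002",
     "device_id_profile": None},                  # no profile and no assignment rule yet
]

# Constructed manufacturer device certificates (MDC) used as signing certificates.
MDC_CPU = {"fingerprint": "mdc-cpu-01",
           "subject": {"serialNumber": "SN-EXAMPLE-01", "MLFB": "6ES7-EXAMPLE-MLFB"}, "san": {}}
MDC_SENSOR = {"fingerprint": "mdc-sensor-07", "subject": {"serialNumber": "SN-0007"},
              "san": {"uniformResourceIdentifier": "urn:examplecorp.example:sensor:0007"}}
MDC_GATEWAY = {"fingerprint": "mdc-gw-02", "subject": {"serialNumber": "GW-0002"}, "san": {}}


def _stand_in_signature(body, signing_cert):
    # Stand-in for the real X.509 signature check: a SHA-256 over the request body
    # bound to the certificate fingerprint, so that the flow can run offline.
    payload = signing_cert["fingerprint"] + json.dumps(body, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def make_request(name, manufacturer, signing_cert):
    """Constructed certificate request as a component would submit it to the RA."""
    body = {"name": name, "manufacturer": manufacturer, "csr": "<CSR omitted>"}
    return {"body": body, "signing_cert": signing_cert,
            "signature": _stand_in_signature(body, signing_cert)}


def compose_device_id(cert, profile):
    """Step 408: read the device ID from the certificate according to the profile."""
    rule = DEVICE_ID_PROFILES[profile]
    parts = [cert.get(rule["source"], {}).get(f) for f in rule["fields"]]
    if any(p is None for p in parts):
        return None        # the certificate lacks a field this profile needs
    return rule["sep"].join(parts)


def suggest_profiles(cert, inventory):
    """Support for steps 405/406: profiles whose device ID, read from the signing
    certificate, matches some inventory entry, offered to the user as suggestions."""
    known_ids = {e["device_id"] for e in inventory}
    return sorted(p for p in DEVICE_ID_PROFILES if compose_device_id(cert, p) in known_ids)


def validate_request(request, inventory, assignment_rules):
    """RA validation along the flow of FIG. 4; returns (outcome, detail)."""
    body, cert = request["body"], request["signing_cert"]
    # 302: does the request come from a component already in the directory / inventory?
    entry = next((e for e in inventory if e["name"] == body["name"]
                  and e["manufacturer"] == body["manufacturer"]), None)
    if entry is None:
        return "rejected", "302/311: requester is not in the directory / inventory"
    # 303/304: does the request match the signing certificate?
    if request["signature"] != _stand_in_signature(body, cert):
        return "rejected", "304/311: request does not match the signing certificate"
    # 401: is a device ID profile configured (inventory column, else assignment rule)?
    profile = entry["device_id_profile"] or assignment_rules.get(
        (body["manufacturer"], entry["device_type"]))
    if profile is None:
        # 404-406: the user has to choose or create a profile; the RA offers suggestions
        return "needs_profile", suggest_profiles(cert, inventory)
    device_id = compose_device_id(cert, profile)                               # 408
    if device_id is None:
        return "rejected", "408/311: certificate lacks the fields required by " + profile
    # 409: search the inventory entry with the determined device ID
    if not any(e["device_id"] == device_id for e in inventory):
        return "rejected", "309/311: no inventory entry with device ID " + device_id
    return "accepted", "308/310: device ID %s via profile %s" % (device_id, profile)
```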
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Medical Informatics (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Description
Method for certificate management for heterogeneous installations, computer system and computer program product
The increasing use of open IT standards and protocols, as well as the requirements of IEC 62443 ("Industrial communication networks - IT security for networks and systems") as the leading industrial security standard, leads to an increasing need for protection in the industrial environment too. The communication connections in control systems of technical plants must increasingly be secured, i.e. adequately protected against unauthorized access.
Adequate protection will mostly include encryption and/or authentication of the transmitted data. Corresponding encryption and authentication mechanisms are usually part of secure communication protocols (such as TLS, OPC UA). The use of secure communication protocols necessarily requires that the communication participants have up-to-date digital certificates.
The certificates that are used in an operational environment (such as the industrial plant already mentioned above), for example to enable secure communication or user authentication, are referred to below as so-called "operational certificates" (Operational Certificates, OC). For security reasons it is recommended to use a dedicated operational certificate per communication protocol used.
Depending on the role of the various components of an industrial (i.e. a process engineering or a discrete) plant and on the communication protocol used, a large number of certificates with different key usages are usually required for the operation of each component, e.g.:
- OPC UA certificates for communication with an external system via OPC UA,
- TLS certificates for operation and monitoring via the web (HTTPS), or
- TLS certificates for the secure transmission of login information and security events to a central instance (via Secure Syslog according to RFC 5425).
With an increasing number of plant components that are involved in secure communication relationships and require certificates, it makes sense to automate the issuing of operational certificates - based on the certificate requests (Certificate Requests, CR) generated by the plant components - as well as the assignment of the issued certificates to the components. Such automated certificate management usually presupposes a so-called Public Key Infrastructure (PKI) that is to be present in the respective operational environment (e.g. an industrial plant). In cryptology, a Public Key Infrastructure (PKI) denotes a system that can issue, distribute and check digital certificates. The certificates issued within a PKI are used to secure computer-aided communication.
The application for missing certificates, as well as the revocation of certificates that are no longer required, is usually carried out via a Registration Authority (RA), which plays the role of an intelligent gateway. The Registration Authority RA checks whether the incoming certificate and/or revocation applications are correct and whether they come from legitimate, trustworthy plant components, i.e. whether they are signed, depending on the certificate management scenario at hand (such as "bootstrapping", i.e. creating the basis for a PKI environment, including the certification authorities CA and agents, which must be carried out after a new system installation before the system can be used to produce certificates, as well as "update" and "revocation"), with the respective manufacturer device certificates (Manufacturer Device Certificate, MDC), customer device certificates (Customer Device Certificate, CDC) or their operational certificates (OC) that are listed in the certificate directory, the so-called "inventory" of the plant. If the Registration Authority RA, when examining an application, determines that the application is incorrect or that the applicant is not directly known to it and has submitted its application via an untrustworthy LRA, it rejects the application. The respective applicant thus does not receive the requested certificates and/or its revocation application is not forwarded to the responsible Certification Authority CA.
Nach den aktuellen Konzepten können die Anlagenkomponenten beispielsweise manuell von einem Benutzer (der ihre Vertrauenswürdigkeit auf eine bestimmte Art und Weise geprüft hat) in das Verzeichnis / Inventory aufgenommen werden, indem der Benutzer eine Eingabe-Maske manuell oder mit Hilfe eines Skriptes ausfüllt According to the current concepts, the system components can, for example, be included in the directory / inventory manually by a user (who has checked their trustworthiness in a certain way) by the user filling out an input mask manually or with the help of a script
<Eingabemaske Beispiel> <Input mask example>
Name: SIMATIC S7-1500CPU1 Name: SIMATIC S7-1500CPU1
Device Identifier: 64eeexxx Device identifier: 64eeexxx
Manufacturer: Siemens AG Manufacturer: Siemens AG
Man. Device Certificate: MDC_1500. cer Man. Device Certificate: MDC_1500. cerium
La s t PoO : > La s t PoO : >
Additional Customer Device Certificate: > Additional Customer Device Certificate: >
Customer Device Certificate: > Local Registration Authority > Customer Device Certificate: > Local Registration Authority >
Note that some entries in the mask are usually optional (see, for example, the four lower lines), while other entries (in particular the device name, the manufacturer name and the Device Identifier) are mandatory, because they are required for the unambiguous identification of the plant components.
As an alternative to manual entry, plant components can be added to the directory / inventory of the plant automatically after a successful Proof of Originality check, for example as part of provisioning.
The directory / inventory can be represented by a component integrated into the Registration Authority RA or by a dedicated component such as a list or a database.
According to the current concepts, the directory / inventory entry corresponding to a plant component usually contains, for example, the following elements:
- Name (device name and/or the name assigned in the plant context)
- Name of the manufacturer
- Device number, Device ID (e.g. the serial number of the plant component or a Product Instance URI, Uniform Resource Identifier)
- Time of the Proof of Originality check (optional)
- Manufacturer Device Certificate (MDC)
- Customer Device Certificate (CDC)
- Local Registration Authority (LRA) via which plant components that cannot reach the Registration Authority RA directly over the network submit their certificate or revocation requests to the RA
- Customer Device Certificates (CDC) that were issued most recently
- Operational Certificates (OC) that were issued most recently. An example directory / inventory is shown below:
See also the example of the validation flow in Figure 3. The directory / inventory created / built up in the manner described is used in the plant context by, among others, the Registration Authority RA when validating incoming certificate and revocation requests. In particular, for the initial request of the customer certificates 301 (Customer Device Certificates, CDC), which are meant to bind the plant components to the plant and form the basis for requesting further application-specific certificates (Operational Certificates, OC), the Registration Authority RA checks whether the incoming certificate request comes from a component that is already contained in the directory / inventory, has thus already been checked in an adequate manner, and may request certificates in the context of the plant, 302.
In addition, the Registration Authority RA validates the signature of the certificate request using the Signing Certificate that was used for signing; in the case of a CDC request this role is usually played by the associated Manufacturer Device Certificate, MDC. When checking against the directory / inventory, the Registration Authority RA takes into account in particular the so-called Device ID, which is contained both in the corresponding directory / inventory entry and in the certificate request, as well as in the certificate used to sign the request (e.g. the Manufacturer Device Certificate, MDC), which is also contained in the directory / inventory entry.
If the certificate request does not match the Signing Certificate (e.g. MDC), 304, the validation has failed, 311. Otherwise, 305, the inventory entry with the serial number contained in the certificate request / Signing Certificate is looked up, 306. The validation is successful, 310, if the corresponding entry is found, 308. Otherwise, 309, the validation has likewise failed.
The problem underlying the present invention stems from the fact that there are currently several different manufacturer- and protocol-specific specifications or definitions regarding the Device ID.
For example, according to the IEEE 802.1AR standard ("Secure Device Identity"), the serial number of the devices is to take on this role. In this context, however, it was found that for some manufacturers (e.g. Siemens) the serial number of the devices is not unique across factories. To prevent collisions, a specification was created for some devices to link or concatenate the serial number of the respective device with the device's MLFB (Maschinen-Lesbare Fabrikate-Bezeichnung, Machine-readable Product Designation), so that a unique device number / Device ID results. At the same time, the OPC UA Specification, Part 21, which however applies only to OPC UA devices, requires that the "Product Instance URI" be regarded as the unique device number / Device ID. Thus an MDC whose contents are structured according to OPC UA Specification Part 21 contains on the one hand the serial number (as part of the "Subject") and on the other hand the "Product Instance URI" as the value of the Subject Alternative Name (SAN) parameter. See the following table (some of the entries in the first column are English technical terms and have therefore not been translated into German, for better comprehensibility to the person skilled in the art):
Consequently, the problem underlying the present invention is that in a heterogeneous plant, owing to the different (and possibly dynamically changing) specifications and definitions regarding the device number / Device ID, no uniform procedure for validating certificate requests can be defined. For example, the flow illustrated in Figure 3 applies only to those devices / manufacturers that use the serial number of the devices as the Device ID, the serial number being read from the so-called "Subject". For OPC UA devices the flow would in principle have to be adapted so that, instead of the serial number contained in the "Subject", the Product Instance URI contained under "SAN" is used as the Device ID. If, however, the Product Instance URI is not yet evaluated in the context of a particular plant, the serial number, the serial number linked to the MLFB, or a Device ID formed in some other way is used for the OPC UA devices as well. Sometimes the corresponding specifications and definitions can change dynamically, which can be fully automated and/or influenced by the user (for example through corresponding manual inputs).
It is therefore the object of the invention to specify a system and a method that solve the problems described above.
This object is achieved by the features of the independent patent claims. The object is achieved by a method according to the features of patent claim 1, by a system according to the features of patent claim 8 and by a computer program product according to the features of patent claim 10.
The method according to the invention provides certificate management for heterogeneous plants, where the plant consists of at least two components and a certificate administration stores information about the components in a directory.
The certificate administration receives from each component a request for a certificate for operation and/or communication and, after checking the request, decides whether this certificate can be issued or confirmed, the check being based, according to component-specific rules, on the information available about the component in the directory. The directory additionally holds an indication of a device profile which, for each component to be checked, specifies a valid check rule according to which the check is carried out or a suitable certificate is generated.
Further advantageous embodiments are specified in the dependent claims.
The invention is further illustrated by the accompanying figures, in which
Figure 1 shows a certificate management system with an internal inventory,
Figure 2 shows a certificate management system with an external inventory,
Figure 3 shows, by way of example, the validation of a certificate request by the RA using the serial number as the Device ID, and
Figure 4 shows the validation of a certificate request by the RA using the Device ID composed / determined according to a corresponding Device ID Profile.
Figure 1 shows a system for certificate management with a Certificate Authority (CA) hierarchy, 109, which contains a Root CA, 1091, and Issuing CAs 1092, 1093, 1094. It is connected to the certificate management, Registration Authority RA, 102, which contains as configuration the new check rule according to the invention, 1026, and, by way of example, various further modules such as a CMP Client / PKI Library, 1028, a Web UI, 1027, log files, 1025, a TLS Server / Client, 1024, the Inventory, 1023, a Windows Certificate / Key Store, 1022, and a CMP Server / Key Store, 1021. The device 101 sends a certificate request (Certificate Request) 1011 to this Registration Authority RA and expects a matching certificate 1012 in response.
The idea of the present invention is to supplement the configuration of the Registration Authority RA, or of the entity that performs its tasks in an industrial plant, with (dynamically) configurable new check rules, Device ID Profiles, and, when a plant component is added to the directory / inventory:
- either to assign this component an already configured new check rule, Device ID Profile, fully automatically (e.g. based on a rule preconfigured for the type of component) or manually by the responsible user (based on a decision / specification according to which the user acts),
- or to let the responsible user define, during operation, the rules for forming the new check rule, Device ID, on the basis of which (possibly at a later point in time, taking into account a larger number of user inputs and based on machine learning) an additional new check rule, Device ID Profile, can be configured dynamically.
Furthermore, the idea of the present invention is to take the Device ID Profiles, whether preconfigured (as described above) or dynamically configured at runtime (based on user inputs), into account when validating the certificate requests.
When validating a certificate request that the Registration Authority RA has received from a plant component, the Registration Authority RA uses the new check rule, Device ID Profile, assigned to this plant component to determine where (i.e. in which column of the table illustrated above by way of example) it has to search for this Device ID in the directory / inventory, and how, if applicable, it has to compose it from several parts (e.g. the serial number and the MLFB).
The problem described is solved by enabling the Registration Authority RA to handle the different Device IDs defined by the new check rules when validating certificate requests in a heterogeneous industrial plant.
In the following, the technical features required to implement the idea are explained in detail and illustrated in two tables and in Figures 2 and 4.
According to the invention, the configuration of the Registration Authority RA is extended by the new check rule, Device ID Profile. This can be configured, for example, via a template or directly in a JSON or XML file. For each new check rule, Device ID Profile, rules are defined in particular for
- how such an ID is composed / formed, and
- how the respective profile is to be assigned to specific devices.
See the example in the following table: Configuration of the Device ID Profiles (example)
The assignment rules and Device ID rules can be changed dynamically at any time. It is also possible at any time to assign a different Device ID Profile to a plant component dynamically, either automatically (e.g. as part of provisioning) or manually (e.g. by the user). For example, a plant component may currently support OPC UA but not (yet) OPC UA Spec. Part 21 and the Product Instance URI defined in that part.
For this reason, this plant component can currently use, for example, the Device ID Profile "Siemens SIMATIC CPU Device ID" or "IEEE 802.1AR Device ID". As soon as support for Part 21 has been implemented, however, the Device ID Profile "OPC UA Part 21 Device ID" can be assigned to the plant component. In a second advantageous embodiment, the directory / inventory of the plant is extended by an additional column "Device ID Profile", which indicates the new check rule, in order to make the assignment of the Device ID Profiles to the plant components more flexible and to show transparently which Device ID Profile is assigned to which plant component. Depending on the component or on the corresponding Assignment Rules, the contents of the column can be changeable by the authorized user or not changeable ("Read Only"). See the example in the following table, which shows a directory / inventory extended by the display and assignment of the Device ID Profiles, based on the table above.
In the case that an authorized user is allowed to assign the preconfigured or runtime-created / configured profiles to specific plant components, it is convenient in programming terms to offer this selection to the user in the form of a drop-down list.
In a further advantageous embodiment, the Registration Authority RA takes the Device ID Profiles explained above into account when validating the certificate requests, first checking on the basis of the Assignment Rules introduced above whether a corresponding profile has already been configured. If such a profile already exists, the Registration Authority RA uses this profile immediately to determine / compose the Device ID. Otherwise the user is prompted to answer the question of which Device ID Profile is to be used, or how the Device ID is to be determined or composed. This procedure is also shown in detail in the flowchart of Figure 4. For this purpose the user can receive suggestions from the Registration Authority RA. In an advantageous embodiment, machine learning / AI methods can be used to draw conclusions about the existing check rules / Device ID Profiles, or about those to be newly created, from individual decisions / inputs of the responsible users.
See also the example of the validation flow in Figure 4, in particular in comparison with the flow in Figure 3 discussed above.
Das auf beschriebene Art und Weise angelegte / aufgebaute Verzeichnis / Inventory wird im Anlagenkontext unter anderem von der Registration Authority RA bei der Validierung der eingehenden Zertif ikats - und Revokationsanträge benutzt . Ins besondere bei der initialen Beantragung der Kundenzertif ikate , signiert mit einem signing Certif icate , z . B . MDC 301 (engl . Customer Device Certif icates , CDC) , die die Anlagenkomponenten an die Anlage binden sollen und die Basis für die Beantragung weiterer applikationsspezif ischer Zertif ikate (Operational Certif icates , OC) bilden sollen, prüft die Re- gistration Authority RA, ob der eingehende Zertifikatsantrag von einer Komponente kommt, die im Verzeichnis / Inventory bereits enthalten ist und die somit bereits auf eine adäquate Art und Weise geprüft wurde und Zertifikate im Kontext der Anlage beantragen darf, 302. The directory/inventory created/structured in the manner described is used in the system context, among other things, by the Registration Authority RA when validating the incoming certificate and revocation applications. In particular when initially applying for the customer certif icate, signed with a signing certif icate, e.g. B. The Re- Registration Authority RA, whether the incoming certificate application comes from a component that is already contained in the register/inventory and which has therefore already been checked in an adequate manner and is allowed to apply for certificates in the context of the system, 302.
Zusätzlich validiert die Registration Authority RA die Signatur des Zertifikatsantrags unter Verwendung des zum Signieren verwendeten Signing Certificate, dessen Rolle bei der CDC- Beantragung in der Regel das zugehörige Manufacturer Device Certificate, MDC, spielt. Bei der Prüfung in Rücksprache mit dem Verzeichnis / Inventory berücksichtigt die Registration Authority RA insbesondere die sogenannte Device ID, die sowohl im entsprechenden Verzeichnis / Inventory-Eintrag als auch im Zertifikatseintrag und in dem zum Signieren des Eintrags verwendeten (und ebenfalls im Verzeichnis / Inventory- Eintrag enthaltenen) Zertifikats (z. B. des Manufacturer Device Certificate MDC) enthalten ist. In addition, the Registration Authority RA validates the signature of the certificate application using the Signing Certificate used for signing, the role of which in the CDC application is usually played by the associated Manufacturer Device Certificate, MDC. When checking in consultation with the directory / inventory, the Registration Authority RA takes into account in particular the so-called device ID, which is used both in the corresponding directory / inventory entry and in the certificate entry and in the one used to sign the entry (and also in the directory / inventory Entry included) certificate (e.g. the Manufacturer Device Certificate MDC) is included.
If the certificate request does not match the signing certificate (e.g. the MDC), 304, the validation has failed, 311. Up to this point the process still corresponds to the procedure described in Figure 3.
Otherwise, 305, the existing assignments are used to check (e.g. by device name and manufacturer) whether a Device ID profile is already configured for this combination, 401. If a matching Device ID profile is found (Device ID profile X), 402, 403, the Device ID in the certificate request / signing certificate is determined according to the identified Device ID profile X, 408.
An example would be Device ID = serial number | MLFB, or Device ID = Product Instance URI.
The inventory entry with the determined Device ID is then looked up, 409. The validation is successful if the corresponding entry is found, 307, 308. Otherwise, 309, the validation has failed.
If no profile can be determined, 404, during the check for a matching profile, 402, a suitable profile can be identified or a new profile created, 405, via user input, 406. This user input is then assigned to an existing or newly created Device ID profile, possibly only after a certain number of inputs or with the help of machine learning (AI), 407. Once the new profile has been created in this way, it can be stored back into the inventory.
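The RA check described in steps 302 to 409 above, written out as an added Python example. It is not code from the patent or from any vendor's product: the `Certificate` record, the two profile functions, the inventory shape and all device data are constructed for illustration, and the cryptographic verification of the CSR signature against the MDC's public key is assumed to have been done before `validate` is called. Beyond the text, the example also derives the Device ID from both the request and the signing certificate with the same profile and rejects a request whose derived ID differs from its MDC's, and it shows the runtime profile assignment (405 to 407) as a method call instead of a code change.

```python
"""Profile-driven Device ID validation at a Registration Authority (RA).

Added illustration of the lookup described above; not the patent's or any
vendor's code. Every certificate, inventory entry and profile is constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Tuple


class Outcome(Enum):
    OK = "validation successful"                                     # 307, 308
    CSR_MDC_MISMATCH = "request does not match signing certificate"  # 304, 311
    NO_PROFILE = "no Device ID profile; operator input needed"       # 404, 405
    NOT_IN_INVENTORY = "Device ID not found in inventory"            # 309


@dataclass(frozen=True)
class Certificate:
    """Subject data the RA reads from a CSR or from the MDC that signed it.

    Assumption: manufacturer and device name are plain fields; everything
    else (serialNumber, MLFB, URI SAN, ...) sits in `attrs`."""
    manufacturer: str
    device_name: str
    attrs: Dict[str, str]


# A Device ID profile derives the Device ID from certificate fields and
# returns None when a field it needs is absent.
DeviceIdProfile = Callable[[Certificate], Optional[str]]


def profile_serial_mlfb(cert: Certificate) -> Optional[str]:
    """Device ID = serial number | MLFB (first example shape in the text)."""
    serial, mlfb = cert.attrs.get("serialNumber"), cert.attrs.get("MLFB")
    return f"{serial}|{mlfb}" if serial and mlfb else None


def profile_product_instance_uri(cert: Certificate) -> Optional[str]:
    """Device ID = Product Instance URI (second example shape in the text)."""
    return cert.attrs.get("uri")


class RegistrationAuthority:
    def __init__(self, inventory: Dict[str, str],
                 assignments: Dict[Tuple[str, str], DeviceIdProfile]):
        self.inventory = inventory            # Device ID -> inventory entry
        self.assignments = dict(assignments)  # (manufacturer, device) -> profile

    def add_assignment(self, manufacturer: str, device_name: str,
                       profile: DeviceIdProfile) -> None:
        """Steps 405-407: a new profile assignment configured at runtime
        (from operator input, or a learned rule) without touching RA code."""
        self.assignments[(manufacturer, device_name)] = profile

    def validate(self, csr: Certificate, mdc: Certificate
                 ) -> Tuple[Outcome, Optional[str]]:
        """Return (outcome, Device ID). Assumes the CSR's cryptographic
        signature was already verified against the MDC's public key."""
        # 304: the request must describe the same device as the MDC that signed it.
        if (csr.manufacturer, csr.device_name) != (mdc.manufacturer, mdc.device_name):
            return Outcome.CSR_MDC_MISMATCH, None
        # 401-404: which Device ID profile applies to this manufacturer/device?
        profile = self.assignments.get((csr.manufacturer, csr.device_name))
        if profile is None:
            return Outcome.NO_PROFILE, None
        # 408: derive the Device ID from request and signing certificate alike;
        # a CSR claiming a different serial than its MDC is rejected here.
        device_id = profile(csr)
        if device_id is None or device_id != profile(mdc):
            return Outcome.CSR_MDC_MISMATCH, device_id
        # 409: the device must already be enrolled in the inventory.
        if device_id not in self.inventory:
            return Outcome.NOT_IN_INVENTORY, device_id
        return Outcome.OK, device_id


# Constructed sample data: vendors with different Device ID conventions.
INVENTORY = {
    "SN-1001|MLFB-0001": "PLC from VendorA",
    "urn:example:vendorb:io:42": "I/O module from VendorB",
    "urn:example:vendorc:drive:7": "Drive from VendorC (brownfield)",
}
ASSIGNMENTS = {
    ("VendorA", "PLC-Type1"): profile_serial_mlfb,
    ("VendorB", "IO-Module"): profile_product_instance_uri,
}


def demo_cases() -> Dict[str, Tuple[Outcome, Optional[str]]]:
    """Run the check over constructed requests and return each outcome.
    Where a CSR carries the same subject data as its MDC, the MDC object
    stands in for the CSR."""
    ra = RegistrationAuthority(INVENTORY, ASSIGNMENTS)
    a_mdc = Certificate("VendorA", "PLC-Type1",
                        {"serialNumber": "SN-1001", "MLFB": "MLFB-0001"})
    b_mdc = Certificate("VendorB", "IO-Module", {"uri": "urn:example:vendorb:io:42"})
    c_mdc = Certificate("VendorC", "Drive", {"uri": "urn:example:vendorc:drive:7"})
    b_new = Certificate("VendorB", "IO-Module", {"uri": "urn:example:vendorb:io:99"})
    results = {
        "vendor_a_ok": ra.validate(a_mdc, a_mdc),
        "vendor_b_ok": ra.validate(b_mdc, b_mdc),
        # CSR claims another serial number than the MDC it was signed with.
        "tampered_serial": ra.validate(
            Certificate("VendorA", "PLC-Type1",
                        {"serialNumber": "SN-9999", "MLFB": "MLFB-0001"}), a_mdc),
        # Correct shape, but the device was never enrolled.
        "unknown_device": ra.validate(b_new, b_new),
        # Brownfield vendor without a profile: 404 -> operator input needed.
        "vendor_c_no_profile": ra.validate(c_mdc, c_mdc),
    }
    # 405-407: operator assigns the URI profile to VendorC; same request now passes.
    ra.add_assignment("VendorC", "Drive", profile_product_instance_uri)
    results["vendor_c_after_profile"] = ra.validate(c_mdc, c_mdc)
    return results


if __name__ == "__main__":
    for name, (outcome, device_id) in demo_cases().items():
        print(f"{name:24} {outcome.value:48} {device_id}")
```

The two-sided derivation in step 408 is the part a practitioner should keep even if the rest is replaced: an inventory lookup on a Device ID taken from the CSR alone would let a device holding a valid MDC request a certificate for a different, already enrolled serial number.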
The described method makes it possible for the Registration Authority RA in a heterogeneous installation to validate all incoming certificate requests, despite the differing (and possibly dynamically changing) specifications regarding the Device ID of installation components that may come from different manufacturers. The certificate profiles introduced for this purpose can be static / preconfigurable and / or dynamically configurable at runtime, based on user inputs/decisions and ML/AI methods.
This makes a sound contribution to the trouble-free maintenance of normal operation and to improving the protection of process engineering installations over their life cycle, because the Registration Authority RA can always be extended dynamically with new assignment rules and check rules / Device ID profiles, so that it is always able to validate certificate requests without the RA software having to be laboriously extended with new case distinctions ("if...then") to handle exceptions.
Automated certificate management is thereby optimized and made more flexible. The proposed method makes a substantial contribution to meeting the PKI-related requirements of IEC 62443, and thus also to better interoperability and usability, since all installation components of a heterogeneous (possibly brownfield) installation can now be integrated into certificate management. Only the suitable Device ID profiles need to be present or be configured dynamically.
Claims
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP21207789.5A EP4181462A1 (en) | 2021-11-11 | 2021-11-11 | Method for a certificate management for heterogeneous systems, computer system and computer program product |
PCT/EP2022/080131 WO2023083625A1 (en) | 2021-11-11 | 2022-10-27 | Certificate management method for heterogeneous installations, computer system and computer program product |
Publications (1)
Publication Number | Publication Date |
---|---|
EP4406188A1 true EP4406188A1 (en) | 2024-07-31 |
Family
ID=78617189
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP21207789.5A Pending EP4181462A1 (en) | 2021-11-11 | 2021-11-11 | Method for a certificate management for heterogeneous systems, computer system and computer program product |
EP22808838.1A Pending EP4406188A1 (en) | 2021-11-11 | 2022-10-27 | Certificate management method for heterogeneous installations, computer system and computer program product |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP21207789.5A Pending EP4181462A1 (en) | 2021-11-11 | 2021-11-11 | Method for a certificate management for heterogeneous systems, computer system and computer program product |
Country Status (3)
Country | Link |
---|---|
EP (2) | EP4181462A1 (en) |
CN (1) | CN118216117A (en) |
WO (1) | WO2023083625A1 (en) |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8572699B2 (en) * | 2010-11-18 | 2013-10-29 | Microsoft Corporation | Hardware-based credential distribution |
US12095725B2 (en) * | 2017-03-22 | 2024-09-17 | Amazon Technologies, Inc. | Device credentials management |
US10476679B2 (en) * | 2017-11-14 | 2019-11-12 | INTEGRITY Security Services, Inc. | Systems, methods, and devices for multi-stage provisioning and multi-tenant operation for a security credential management system |
- 2021
  - 2021-11-11 EP EP21207789.5A patent/EP4181462A1/en active Pending
- 2022
  - 2022-10-27 WO PCT/EP2022/080131 patent/WO2023083625A1/en active Application Filing
  - 2022-10-27 EP EP22808838.1A patent/EP4406188A1/en active Pending
  - 2022-10-27 CN CN202280075157.3A patent/CN118216117A/en active Pending
Also Published As
Publication number | Publication date |
---|---|
EP4181462A1 (en) | 2023-05-17 |
CN118216117A (en) | 2024-06-18 |
WO2023083625A1 (en) | 2023-05-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
DE602004010300T2 (en) | SYSTEM AND METHOD FOR PRODUCING A DIGITAL CERTIFICATE | |
EP2250598B1 (en) | Client/server system for communicating according to the standard protocol opc ua and having single sign-on mechanisms for authenticating, and method for performing single sign-on in such a system | |
DE102011081804B4 (en) | Method and system for providing device-specific operator data, which are bound to an authentication credential, for an automation device of an automation system | |
DE69904893T2 (en) | A recording medium having a signed hypertext record and method and apparatus for creating and reviewing a signed hypertext record | |
EP3985532B1 (en) | Certificate management for technical systems | |
WO2022028975A1 (en) | System and method for verifying components of an industrial monitoring system | |
DE102012215167A1 (en) | Authentication of a first device by an exchange | |
DE102016200382A1 (en) | A method of verifying a security rating of a first device using a digital certificate, first and second devices, and a certificate issuing device | |
EP3058701B1 (en) | Method, management apparatus and device for certificate-based authentication of communication partners in a device | |
EP3993339B1 (en) | Certificate management in a technical system | |
EP3743844B1 (en) | Blockchain-based identity system | |
EP3762845B1 (en) | Project-related certificate management | |
EP3794769B1 (en) | Modifying the contents of a root certificate storage | |
WO2023083625A1 (en) | Certificate management method for heterogeneous installations, computer system and computer program product | |
WO2015043807A1 (en) | Adaptation of access rules for interchanging data between a first network and a second network | |
EP4113928A1 (en) | Control system for a technical installation and method for transmitting a certificate request of an installation component | |
EP2561460A1 (en) | Method for configuring an application for a terminal | |
EP3796107A1 (en) | Control system and method for certificate management | |
WO2020165041A1 (en) | Method for providing a proof of origin for a digital key pair | |
WO2014169938A1 (en) | Method and system for synchronizing program masks | |
EP4250146A1 (en) | Interaction of physical entities | |
EP4432602A1 (en) | Method for issuing a certificate and computer-implemented registration site | |
WO2022069247A1 (en) | Device and method for setting up a service-based authentication | |
EP3703312A1 (en) | Certificate management integrated into a system planning tool | |
DE102023211202A1 (en) | Method and device for changing a software configuration in a vehicle |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: UNKNOWN |
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE |
| PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
| 17P | Request for examination filed | Effective date: 20240424 |
| AK | Designated contracting states | Kind code of ref document: A1; Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC ME MK MT NL NO PL PT RO RS SE SI SK SM TR |
| DAV | Request for validation of the european patent (deleted) | |
| DAX | Request for extension of the european patent (deleted) | |