Method and system for secure data transmission with a VPN box

11171922 · 2021-11-09

Abstract

A VPN box is connected upstream of a field device. The VPN box uses a secret cryptographic key of the field device for authentication when setting up a VPN tunnel and/or when setting up a cryptographically protected communication link.

Claims

1. A method for secure data transmission between a first communication device and a second communication device, the method which comprises: assigning a Virtual Private Network (VPN) box, for setting up and operating a Virtual Private Network (VPN) link between the first and second communication devices, to at least one assigned communication device selected from the group consisting of the first communication device and the second communication device, wherein the VPN box is located in the link between the first and second communication devices; obtaining, by the VPN box, a secret key of the assigned communication device during the setup of the VPN link, wherein the secret key is stored on the assigned communication device and is obtained and used by the box for the setup of the VPN link; and setting up, by the box, a session key for the VPN link based on the secret key, and securely transmitting data via the VPN link.

2. The method according to claim 1, which comprises reading the secret key via a physically protected communication link between the assigned communication device and the VPN box.

3. The method according to claim 1, which comprises: using the secret key by the box to decrypt a further key stored on the VPN box; and setting up the session key on the basis of the decrypted further key.

4. A method for secure data transmission between a first communication device and a second communication device, the method which comprises: assigning a Virtual Private Network (VPN) box, for setting up and operating a Virtual Private Network (VPN) link between the first and second communication devices, to at least one assigned communication device selected from the group consisting of the first communication device and the second communication device, wherein the VPN box is located in the link between the first and second communication devices; authenticating, with the VPN box, the assigned communication device; with the VPN box, obtaining a key assigned to the authenticated communication device; setting up, with the VPN box, a session key for the VPN link based on the assigned key, wherein the session key is stored on the assigned communication device and is obtained and used by the box for the setup of the VPN link; and securely transmitting data via the VPN link.

5. A system for secure data transmission, comprising: a first communication device and a second communication device forming communication partners for the secure data transmission; a Virtual Private Network (VPN) box including a storage memory, said VPN box assigned to at least one of said first and second communication devices, said VPN box for setting up and operating a Virtual Private Network (VPN) link between said first and second communication devices, said VPN box located in the link between said first and second communication devices; said VPN box being configured to obtain a secret key of the assigned communication device during a setup of the VPN link, wherein the secret key is stored on said assigned communication device and is obtained and used by said box for the setup of the VPN link; said VPN box being configured to set up a session key for the VPN link based on the secret key; wherein the data is securely transmitted via the VPN link.

6. A system for secure data transmission, comprising: a first communication device and a second communication device forming communication partners for the secure data transmission; a Virtual Private Network (VPN) box including a storage memory, said VPN box assigned to at least one of said first and second communication devices for setting up and operating a Virtual Private Network (VPN) link between said first and second communication devices, said VPN box located in the link between said first and second communication devices; said VPN box being configured to obtain a key, wherein the key is stored on said assigned communication device and is obtained and used by said box for the setup of the VPN link; said VPN box being configured to set up a session key for the VPN link based on the key; wherein the data is securely transmitted via the VPN link.

7. The system according to claim 6, further comprising a Certificate Authority integrated in said VPN box.

8. The system according to claim 6, further comprising a Certificate Authority integrated in a communication device selected from the group consisting of said first communication device and said second communication device.

9. The method according to claim 4, wherein a Certificate Authority is integrated in the VPN box.

10. The method according to claim 4, wherein a Certificate Authority is integrated in a communication device selected from the group consisting of the first communication device and the second communication device.

11. The method according to claim 1, which comprises: reading the secret key out of the assigned communication device while setting up the VPN link.

12. The method according to claim 4, which comprises: reading the key out of the assigned communication device.

13. The system according to claim 5, wherein: said box is configured to read the secret key out of the assigned communication device during the setup of the VPN link.

14. The system according to claim 6, wherein: said box is configured to read the key out of the assigned communication device.

Description

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING

(1) FIG. 1 is a schematic illustration of an exemplary embodiment of a VPN communication link,

(2) FIG. 2 is a schematic illustration of a first exemplary embodiment of the inventive method,

(3) FIG. 3 is a schematic illustration of a second exemplary embodiment of the inventive method.

DESCRIPTION OF THE INVENTION

(4) FIG. 1 shows an example of use of an inventive industrial VPN tunnel.

(5) Control messages 103 are exchanged between an activated mechanism 101 and a field device 102 (e.g. signal, diplexer, barrier). Communication is effected e.g. via an Ethernet network or an IP network. These control messages are transmitted via a network 104 which is potentially exposed to attacks (e.g. a publicly accessible network, the internet, WLAN, a mobile radio network). A VPN box 105, 106 is therefore provided on both the activated mechanism and the field device, and cryptographically protects the control messages during transmission via the network. For example, IPsec, IKE, SSL, TLS, MACsec, L2TP or PPTP can be used for this purpose.

(6) The bottom VPN box 106, which is connected upstream of the field device 102, uses a secret key of the field device 107 (FD key) when setting up the VPN link in order to install a session key SK to protect the control messages.

(7) Several variants are possible, which differ in the way in which the secret key of the field device is used:

(8) Field Device as a Security Token (No Key on VPN Box)

(9) The certificate and private key are stored on the field device itself and are read from there. The VPN box accesses a “chipcard functionality” of the field device in order to set up a VPN tunnel assigned to the field device.

(10) The communication channel between VPN box and field device can be physically protected, i.e. can be inaccessible to an outsider. This can be effected via the same physical interface as the control data communication or via a separate, second interface. Optionally communication can be encrypted on this interface.

(11) Field Device Authentication by VPN Box

(12) A key assigned to the field device on the VPN box is used or activated (released or decrypted for use) only if the VPN box can authenticate the assigned field device. This can also be effected by a human user by entering a PIN or a password during a VPN setup. A key stored on a security token (e.g. on a chipcard) cannot be used until the security token has been activated by entering the PIN.
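The two variants above (the field device holding the FD key and the VPN box activating its own key only after authenticating the field device, as in claim 3) can be combined into one flow. The following is an added illustration, not code from the patent: the box stores only a wrapped VPN key, reads the FD key over the protected link at setup time, and the integrity tag on the wrapped key doubles as the field-device authentication. The key-wrapping construction (HMAC keystream plus HMAC tag) and the nonce-based session-key derivation are assumptions chosen to stay stdlib-only; a real box would use AES-GCM or AES key wrap and the VPN protocol's own key exchange.

```python
import hashlib
import hmac
import secrets

def kdf(key: bytes, label: bytes) -> bytes:
    """Single-block HMAC-SHA256 derivation (stand-in for a full HKDF)."""
    return hmac.new(key, label, hashlib.sha256).digest()

def wrap_vpn_key(fd_key: bytes, vpn_key: bytes) -> bytes:
    """Provisioning: encrypt-then-MAC the box's 32-byte VPN key under keys
    derived from the FD key. Blob layout: nonce(16) || ct(32) || tag(32)."""
    nonce = secrets.token_bytes(16)
    stream = kdf(kdf(fd_key, b"wrap-enc"), nonce)        # constructed keystream
    ct = bytes(a ^ b for a, b in zip(vpn_key, stream))
    tag = hmac.new(kdf(fd_key, b"wrap-mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap_vpn_key(fd_key: bytes, blob: bytes) -> bytes:
    """Tag check first: only the FD key used at provisioning verifies, so a box
    attached to any other device cannot activate (decrypt) the VPN key."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(kdf(fd_key, b"wrap-mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("field device authentication failed; VPN key stays locked")
    stream = kdf(kdf(fd_key, b"wrap-enc"), nonce)
    return bytes(a ^ b for a, b in zip(ct, stream))

def derive_session_key(vpn_key: bytes, nonce_fd_side: bytes, nonce_ctrl_side: bytes) -> bytes:
    """SK for one VPN session; both boxes share vpn_key (pre-shared key model)
    and order the nonces by role, so they derive the identical SK."""
    return kdf(vpn_key, b"vpn-session" + nonce_fd_side + nonce_ctrl_side)

class FieldDevice:
    """Holds the FD key; hands it out only over the physically protected link."""
    def __init__(self, fd_key: bytes):
        self._fd_key = fd_key
    def read_secret_key(self) -> bytes:
        return self._fd_key

class VpnBox:
    """Persists only the wrapped VPN key; the FD key is read at VPN setup."""
    def __init__(self, wrapped_vpn_key: bytes):
        self.wrapped_vpn_key = wrapped_vpn_key
    def setup_session(self, device: FieldDevice, my_nonce: bytes, peer_nonce: bytes) -> bytes:
        fd_key = device.read_secret_key()            # via the protected interface
        vpn_key = unwrap_vpn_key(fd_key, self.wrapped_vpn_key)
        return derive_session_key(vpn_key, my_nonce, peer_nonce)
```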

(13) FIG. 2 shows a variant in which the VPN box 201 has a field device certification authority (CA). The VPN box can thus generate a digital certificate and key 202 assigned to the field device. This digital certificate contains a device ID of the field device. The VPN box thus contains an integrated CA functionality. This certificate is generated or used only if the VPN box can authenticate the corresponding field device.

(14) This digital certificate can be permanent or temporary. A temporary certificate is only valid for a single VPN session.

(15) FIG. 3 shows another variant, in which the field device 301 has an integrated CA. The field device can thus issue a digital certificate for a VPN key stored or generated on the VPN box (the box requests it via a certificate signing request, CSR). This digital certificate is used by the VPN box during the setup of a VPN link 302.

(16) The latter two variants in particular require little administration, because the generation of the key material and the certification can run autonomously, i.e. without any intervention by a service engineer. In both cases the VPN box can also be used to link several field devices. The corresponding key establishment must then be performed pairwise between the VPN box and each connected field device.