METHOD FOR VERIFYING THE AUTHENTIC ORIGIN OF ELECTRONIC MODULES OF A MODULAR FIELD DEVICE IN AUTOMATION TECHNOLOGY
20210336773 · 2021-10-28
Inventors
CPC classification: H04L9/0825 (Electricity); G06F21/00 (Physics); H04L9/0866 (Electricity); H04L2209/26 (Electricity)
International classification: H04L9/08 (Electricity); H04L9/32 (Electricity)
Abstract
The present disclosure relates to a method for verifying the origin of electronic modules of a field device. Each manufacturer of an electronic module classified as trustworthy is assigned a key pair. Public keys classified as trustworthy are stored in a list in the field device. Each electronic module contains the public key of the manufacturer and a manufacturer signature. The manufacturer signature confirms the public key as trustworthy. When an electronic module is exchanged or added, the field device checks whether that module has a key pair and a manufacturer signature, whether the public key of the manufacturer of the electronic module is listed in the list with the public keys of the manufacturers classified as trustworthy, whether the manufacturer signature matches the manufacturer and the electronic module, and whether the electronic module is in possession of a correct private key.
Claims
1. A method for verifying the authentic origin of electronic modules of a modular field device in automation technology, wherein each manufacturer of an electronic module of the field device classified as trustworthy is assigned a key pair consisting of a public key and a private key, and wherein the public keys of the manufacturers classified as trustworthy are stored in a list in the field device or in a unit communicating with the field device, wherein each electronic module of the field device contains, in addition to a suitable key pair characterizing the electronic module as trustworthy and consisting of a public key and a private key, the manufacturer's public key and a manufacturer signature, wherein the manufacturer signature confirms the public key of the electronic module as trustworthy, wherein the method has the following method steps: when an electronic module is exchanged or added, the field device or the unit communicating with the field device checks: whether the exchanged or added electronic module has a key pair and a manufacturer signature, whether the public key of the manufacturer of the electronic module is listed in the list with the public keys of the manufacturers classified as trustworthy, whether the manufacturer signature matches the manufacturer and the electronic module, whether the electronic module is in possession of the correct private key, a communication or interaction of the exchanged or added electronic module with the field device or another electronic module relating to the functionality of the field device is permitted if the check is concluded with a positive result.
2. The method according to claim 1, comprising the following method step: in order to check whether the manufacturer signature matches the manufacturer and the exchanged or added electronic module, the manufacturer signature, the manufacturer's public key and the public key of the electronic module are read out and checked.
3. The method according to claim 1, comprising the following method step: if the manufacturer signature of the exchanged or added electronic module can be decrypted with the manufacturer's public key, it is ensured that the public key of the electronic module originates from a trustworthy manufacturer.
4. The method according to claim 3, comprising the following method steps: checking whether the exchanged or added electronic module with which the field device or the unit communicates and the public key of the electronic module also actually belong together is performed via a challenge/response method.
5. The method according to claim 4, comprising the following method steps: from the field device or the unit communicating with the field device, an arbitrary message is sent as a challenge to the exchanged or added electronic module with the request for signature creation or encryption, the exchanged or added electronic module signs or encrypts the message with its private key and returns the signed message as a response to the field device or the unit, the field device or the unit decrypts the signed message using the public key of the exchanged or added electronic module and receives the message upon positive verification.
6. The method according to claim 1, comprising the following method step: if the check indicates that the exchanged or added electronic module has no manufacturer signature or no key pair, a check is made as to whether a manufacturer signature and/or a key pair can be generated or provided for the electronic module, wherein, in the event that the manufacturer signature and/or the key pair is provided or generated by another electronic module, the manufacturer signature and/or the key pair is transferred to the exchanged or added electronic module.
7. The method according to claim 6, comprising the following method step: in the event that the electronic module has no manufacturer signature and/or no suitable key pair or that no manufacturer signature and/or no suitable key pair can be generated for the electronic module, the electronic module remains excluded from the communication.
8. The method according to claim 1, comprising the following method steps: if the check indicates that the exchanged or added electronic module has the manufacturer signature and the appropriate key pair, but that the manufacturer's public key is not stored in the list, the manufacturer's public key is assigned to the list if an authorized person confirms the trustworthiness of the electronic module manufacturer.
9. The method according to claim 1, comprising the following method steps: if a manufacturer signature and suitable key pair can be generated for the electronic module, the data are assigned to the electronic module or stored in the electronic module.
10. The method according to claim 1, comprising the following method steps: the electronic modules are each provided with a suitable key pair by an authorized manufacturer, the original manufacturer or a third party authorized by the original manufacturer, during the production process or during a service visit, and the public keys of the authorized manufacturers are stored in the list.
11. The method according to claim 1, comprising the following method step: when an electronic module is exchanged, the public key of the authorized manufacturer is deleted from the list.
12. The method according to claim 1, comprising the following method step: the check is carried out during ongoing operation of the field device.
13. The method according to claim 1, comprising the following method step: instead of the public key of the authorized manufacturer, a derivation is used.
14. The method according to claim 1, comprising the following method steps: the manufacturer signature vm is calculated using an additional intermediate step: before encryption with the manufacturer's private key, a hash value is determined.
15. The method according to claim 1, wherein plug-in modules with circuit boards or sensors with a digital connection are used as the electronic modules.
Description
BRIEF DESCRIPTION OF THE DRAWINGS
[0030] The present disclosure is explained in greater detail with reference to the following figures. The following is shown:
[0031]
[0032]
[0033]
[0034]
DETAILED DESCRIPTION
[0035]
[0036] In addition to its own key pair (Q, q), the list PTL with the public keys H, V1 of the module manufacturers classified as trustworthy is stored in the field device FG. In addition to its own key pair (Pk, pk), each electronic module Mk contains the public key H, V1 of the corresponding module manufacturer and the public key h(P1), h(P2), v1(P3) of the electronic modules Mk encrypted with the corresponding private key h, v1 of the module manufacturer. The public keys h(P1), h(P2), v1(P3) of the electronic modules Mk encrypted with the corresponding private keys h, vm of the module manufacturer are also referred to as manufacturer signatures. The encryption itself is marked with the letter E in
[0037] The key pair (Q, q) of the field device FG may serve to enable the field device FG to be configured with respect to other field devices as an authentic field device FG of the original manufacturer or an authorized manufacturer. However, for the recognition of whether or not an electronic module Mk originates from an authorized manufacturer and can thus be incorporated into the communication necessary for the operation of the field device, the key pair (Q, q) only has relevance in the case where a manufacturer signature q(Pk) for an electronic module Mk is to be generated. This is necessary because the electronic modules Mk themselves do not have any information about which manufacturer is trustworthy or untrustworthy. However, it is possible for the authorized manufacturer—as already mentioned above—to install a corresponding add vendor ticket directly onto the electronic module Mk.
[0038]
[0039] Furthermore, the electronic module M4 has the manufacturer signature v2(P4) and the key pair (P4, p4) assigned to the electronic module M4.
[0040]
[0041] An alternative to this would be that the field device FG, in addition to its list PTL with the manufacturers classified as trustworthy, has a list MTL with the electronic modules classified as trustworthy. In this case, the manufacturer signature q(P4) of the electronic module M4 can be omitted. A method for ensuring that only electronic modules Mk classified as trustworthy are used in a field device FG is in other respects described in detail in the applicant's patent application filed at the same time as this patent application.
[0042]
[0043] Under program point 30, a check is made in a first step as to whether the exchanged or added electronic module Mk has the following data elements:
[0044] a) the manufacturer's public key Vm—this is requested by the field device FG in order to determine the identity of the manufacturer and to verify whether the manufacturer is classified as trustworthy,
[0045] b) the key pair Pk, pk assigned to the electronic module Mk—its cryptographic identity—consisting of public key Pk and private key pk,
[0046] c) the manufacturer signature vm(Pk)—that is to say the public key Pk of the electronic module Mk encrypted with the manufacturer's private key vm.
[0047] If the availability of the aforementioned data elements is affirmed at program point 30, a check is made at program point 40 as to whether the public key Vm of the manufacturer of the electronic module Mk is listed in the list PTL of the manufacturers classified as trustworthy that is assigned to the field device FG. If this check is positive, the electronic module Mk appears to originate from a trustworthy manufacturer. This assumption is proven in the following steps.
[0048] The required measures for verification are named under program point 50: The field device FG requests the manufacturer signature vm(Pk) and the public key Pk of the electronic module Mk.
[0049] At program point 60, a check is made as to whether the signature vm(Pk) matches an authorized manufacturer of the module Mk. This check is positive if the public key Pk of the electronic module Mk, signed by the manufacturer with its private key vm, can be decrypted with the manufacturer's public key Vm. It can then be assumed that whoever wrote the signature vm(Pk) into the module Mk was in possession of the private key vm of an authorized manufacturer. Thus, provided that the private key vm has not been compromised, the public key Pk of the electronic module Mk must have been signed by this authorized manufacturer.
[0050] At program point 70, a check is then made as to whether the electronic module Mk is also in possession of the associated private key pk. This third step ensures that the exchanged or added electronic module Mk and the public key Pk of the electronic module Mk actually belong together. This last check is carried out by means of the challenge/response method, with or without hashing.
[0051] As the challenge, the field device FG sends a message m to the exchanged or added module Mk; the module encrypts m using its own private key pk and sends the signed message pk(m) back to the field device FG as the response. The field device FG decrypts the signature pk(m) using the public key Pk of the electronic module Mk that it already holds and expects the unencrypted message m as the result. If this is the case, it can clearly be concluded that the electronic module Mk must be in possession of the private key pk. Consequently, the public key Pk must also belong to the private key pk of the electronic module Mk.
[0052] Only if a positive result is obtained in each case in the aforementioned checks is the electronic module Mk found to be authentic—its origin from a manufacturer classified as trustworthy is proven—and included in the communication required for the operation of the field device FG (program point 80); the program is terminated at point 90.
[0053] If the check at program point 30 indicates that the exchanged or added electronic module Mk does not have the following data elements: public key Vm of the manufacturer, the key pair Pk, pk assigned to the electronic module Mk and the manufacturer signature vm(Pk)—that is to say the public key Pk of the electronic module Mk that is encrypted with the manufacturer's private key vm—a check is made at program point 100 as to whether these data elements can possibly be generated or added. If the check at program point 100 indicates that no generation or addition of the data elements is possible, then at program point 110 the error message “Incomplete data” is output; subsequently, the check is terminated. If the data elements can be generated or added at program point 120, the check is continued at program point 40.
[0054] If the check at program point 40 indicates that the public key Vm of the module manufacturer is not entered in the list PTL of the manufacturers classified as trustworthy, an authorized user/a service technician can still confirm the trustworthiness of the module Mk at program point 130. Alternatively, an add vendor ticket may also be present in the field device FG or in the electronic module Mk. If this verification is made, the manufacturer's public key Vm is recorded in the list of the manufacturers classified as trustworthy (program point 140). If the trustworthiness is not verified at program point 130, the error message “Manufacturer not trustworthy” is generated at program point 150 and the check is ended.
[0055] If the checks at one of the program points 60, 70 indicate that the signature vm(Pk) does not match the manufacturer or the electronic module Mk or that the electronic module Mk is not in possession of the associated private key pk, then the error message: “Module is not authentic” is output (program point 160). A communication required for the operation of the field device is then ruled out.
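A worked model of the check sequence at program points 30 to 160, added here as an illustration and not code from the patent or the applicant. The patent names no concrete cryptosystem, so Ed25519 is assumed as the signature scheme and SHA-256 as the intermediate hash of claim 14; the type and function names (Manufacturer, Module, FieldDevice, Provision, Respond, Trust, Verify) are assumptions for this example. The manufacturer signature vm(Pk) is modelled as a signature over SHA-256(Pk) rather than a literal encryption of Pk, which is how the patent's "decrypt with Vm" check is realised with a modern signature scheme; the three error values mirror the messages at program points 110, 150 and 160.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Outcomes matching the error messages at program points 110, 150 and 160.
var (
	ErrIncompleteData = errors.New("Incomplete data")
	ErrUntrusted      = errors.New("Manufacturer not trustworthy")
	ErrNotAuthentic   = errors.New("Module is not authentic")
)

// Manufacturer holds the key pair (Vm, vm). Ed25519 stands in for the
// signature scheme the patent leaves unspecified (assumption).
type Manufacturer struct {
	Name string
	Pub  ed25519.PublicKey  // Vm, entered in the field device's list PTL
	priv ed25519.PrivateKey // vm, never leaves the manufacturer
}

// Module models an electronic module Mk with the three data elements checked
// at program point 30: Vm, the key pair (Pk, pk) and the signature vm(Pk).
type Module struct {
	VendorPub ed25519.PublicKey  // Vm
	Pub       ed25519.PublicKey  // Pk
	Priv      ed25519.PrivateKey // pk; exported only so a test can model a module with copied public data
	VendorSig []byte             // vm(Pk), computed over SHA-256(Pk) as in claim 14
}

// FieldDevice FG keeps the list PTL of trusted manufacturer public keys.
type FieldDevice struct {
	PTL map[string]bool // keyed by the raw public-key bytes
}

func NewManufacturer(name string) (*Manufacturer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Manufacturer{Name: name, Pub: pub, priv: priv}, nil
}

// Provision is the production-time step of claim 10: the manufacturer creates
// (Pk, pk) for a module and writes Vm and vm(Pk) into it.
func (m *Manufacturer) Provision() (*Module, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(pub) // intermediate hash step of claim 14
	return &Module{VendorPub: m.Pub, Pub: pub, Priv: priv,
		VendorSig: ed25519.Sign(m.priv, digest[:])}, nil
}

// Respond is the module's half of the challenge/response at program point 70.
func (mod *Module) Respond(challenge []byte) []byte {
	return ed25519.Sign(mod.Priv, challenge)
}

func NewFieldDevice() *FieldDevice { return &FieldDevice{PTL: map[string]bool{}} }

// Trust records Vm in PTL; the caller is the authorized person of claim 8
// (program points 130/140).
func (fg *FieldDevice) Trust(vendorPub ed25519.PublicKey) { fg.PTL[string(vendorPub)] = true }

// Verify walks program points 30 to 160 for one exchanged or added module.
func (fg *FieldDevice) Verify(mod *Module) error {
	// Program point 30: are Vm, (Pk, pk) and vm(Pk) present? (In a real device
	// the module would merely report whether it holds a private key.)
	if len(mod.VendorPub) != ed25519.PublicKeySize || len(mod.Pub) != ed25519.PublicKeySize ||
		len(mod.Priv) != ed25519.PrivateKeySize || len(mod.VendorSig) != ed25519.SignatureSize {
		return ErrIncompleteData
	}
	// Program point 40: is Vm in the list PTL?
	if !fg.PTL[string(mod.VendorPub)] {
		return ErrUntrusted
	}
	// Program points 50/60: does vm(Pk) verify under Vm, i.e. did the holder of vm sign Pk?
	digest := sha256.Sum256(mod.Pub)
	if !ed25519.Verify(mod.VendorPub, digest[:], mod.VendorSig) {
		return ErrNotAuthentic
	}
	// Program point 70: fresh random challenge m; the module must sign it with pk.
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	if !ed25519.Verify(mod.Pub, challenge, mod.Respond(challenge)) {
		return ErrNotAuthentic
	}
	return nil // program point 80: module admitted to the communication
}

func main() {
	vendor, _ := NewManufacturer("trusted vendor")
	fg := NewFieldDevice()
	fg.Trust(vendor.Pub)
	mod, _ := vendor.Provision()
	fmt.Println("genuine module:", fg.Verify(mod))
	stranger, _ := NewManufacturer("unknown vendor")
	foreign, _ := stranger.Provision()
	fmt.Println("unknown vendor:", fg.Verify(foreign))
}
```

Verify returns nil for a module admitted at program point 80 and one of the three error values otherwise. Because the challenge is a fresh random value each time, a module that carries a copy of another module's public data (Vm, Pk and a valid vm(Pk)) but not the matching pk passes program point 60 and is still rejected at program point 70, which is exactly the separation between the two checks that paragraphs [0049] and [0050] describe.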