WO2008084271A2 - Method and system for message integrity architecture for use in industrial control systems - Google Patents

Method and system for message integrity architecture for use in industrial control systems Download PDF

Info

Publication number
WO2008084271A2
WO2008084271A2 PCT/IB2006/003794 IB2006003794W WO2008084271A2 WO 2008084271 A2 WO2008084271 A2 WO 2008084271A2 IB 2006003794 W IB2006003794 W IB 2006003794W WO 2008084271 A2 WO2008084271 A2 WO 2008084271A2
Authority
WO
WIPO (PCT)
Prior art keywords
key
tag
message
sender
receiver
Prior art date
Application number
PCT/IB2006/003794
Other languages
French (fr)
Other versions
WO2008084271A3 (en
Inventor
Yadab Das Chandra
Kapaleeswaran Viswanathan
Original Assignee
Abb Research Limited
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Abb Research Limited filed Critical Abb Research Limited
Priority to PCT/IB2006/003794 priority Critical patent/WO2008084271A2/en
Publication of WO2008084271A2 publication Critical patent/WO2008084271A2/en
Publication of WO2008084271A3 publication Critical patent/WO2008084271A3/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/065Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H04L9/0656Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
    • H04L9/0662Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher with particular pseudorandom sequence generator
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/16Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms the keys or algorithms being changed during operation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/30Compression, e.g. Merkle-Damgard construction

Definitions

  • the present invention relates to a method to guarantee data integrity in a highly available manner in an industrial control systems setup.
  • MACs Message Authentication Codes
  • a sender typically generates a MAC by processing the message with a pre-determined MAC algorithm.
  • the receiver verifies a received message by generating its own MAC and checks to see if the received and generated MACs are the same.
  • the sender and the receiver have a shared secret key, in order to perform their checks. Verifying the data integrity and authenticity of a message is achieved by means of using message authentication codes. By using a cryptographic hash function over the message and the key, the computation is accelerated and the messages are rendered compact.
  • Cyclic Redundancy Codes are widely used for error detection and are a type of hash function used to produce a checksum. Message authentication using CRCs establishes any compromise in the data by parties other than the sender. A malicious intruder however can still compromise messages whose authenticity depends on the CRC-based methods, by modifying the contents of the message.
  • US Patent 5651069 discloses a Software Efficient Message Authentication wherein random hashing or bucket hashing is used as an alternative to using CRC functions.
  • a stream cipher is a symmetric cipher wherein the plaintext of a message is encrypted using unique, pseudorandom keys which are generated on the fly. These ciphers approximate the function of the one-time pad (OTP) wherein a key stream of random digits is used.
  • OTP one-time pad
  • One of the requirements for the security of the OTP is that the key stream be as long as the plaintext and also that it be entirely random. This makes the system extremely difficult to implement.
  • a stream cipher alternatively uses a smaller and more conveniently sized key, based on which the pseudorandom key stream is combined with the plaintext in a manner similar to the OTP. This presents the caveat where the proof of security associated with OTP is no longer valid.
  • Stream cipher systems do not implicitly assist in the task of message authentication to a great extent. The data could further be compromised even after encryption has taken place.
  • US Patent 5345507 discloses a Secure message Authentication for binary additive stream cipher which protects against changes in the message, the originating and destination addresses by a malicious attacker. In this invention, two keys are shared between the sender and the receiver. The tags are generated in one stage with the use of one-time keys.
  • Replay attacks involve the case wherein a valid data transmission is fraudulently repeated or delayed where the goal of the malicious party is to masquerade as someone else. Eavesdroppers often use these attacks in order to subvert the identity of authentic entities.
  • Authentication tags or session identifiers are a common class of solutions to this class of attacks.
  • WO 2005/078986 discloses a One Way Authentication design in which the receiver maintains a history of previously received bit patterns in an effort to prevent replay attacks. This work further uses a digital signature approach.
  • US 6976168 discloses a System and method for adaptive cryptographically synchronized authentication wherein a reversible function is used for the generation of tags, used in avoiding replay attacks.
  • DoS attacks are a class of attacks wherein a malicious attacker succeeds in rendering a service or some data unavailable to the intended uses of the system. These attacks are accomplished by either:
  • the method and system of the present invention place less demands on the resources of the receiver, thereby protecting the receiver from DoS and Distributed DoS attacks.
  • the components are protected against message replay attacks since the method of the present invention ensures a one-time use of the pseudorandomly generated keys.
  • the TAG computation is executed with greater speed than methods of the prior art due to the use of CRCs for message length compression and stream ciphers for pseudorandom key generation.
  • This invention provides a simple, self-synchronous, highly available, and efficient message authentication architecture that can use synchronous Message Authentication Code (MAC) algorithms such as stream-based MAC or block-based MAC algorithms. Further, this invention proposes a secure, stream-based, fast, and efficient method for verifying the authenticity of a message, incorporating the elements of a MAC algorithms and Cyclic Redundancy Check (CRC) algorithms. Accordingly, this invention provides a state-based architecture that is capable of preventing replay attacks wherein a state-based integrity verification method is used to provide data integrity verification. Protected auto-synchronization of the architecture affords strong protection against DoS attacks.
  • MAC Message Authentication Code
  • CRC Cyclic Redundancy Check
  • High speed The time taken to compute authentication tags for 1024 bytes of data must be less than 2 ms because the time taken by the controller to react to a request by sending a corresponding response must be of that order.
  • two entities the sender and the receiver, participate in the message authentication process.
  • a secret key is exchanged between the sender and the receiver.
  • the architecture in the present invention maintains state, with the sender and receiver being synchronized in order to achieve trust.
  • the sender works with a message and a pseudorandom secret key, to construct an authenticated message, which is sent to the receiver.
  • the pseudorandom key is mapped to a key stream and stored in a key buffer, using a fast stream cipher or block cipher configured as a stream cipher.
  • an instance key is generated wherein the internal state is updated such that the next key is output during the subsequent request cycles.
  • the instance key is composed of two portions such that the size of each of it is m bits with a total size of 2m for the key.
  • the tag is generated by using the instance key, the key index and the message, by performing the operations of message compression and transformation.
  • message compression involves a CRC function and transformation is achieved using an XOR operation.
  • the tag is assembled with some state information as simply as by concatenation, as in the preferred embodiment. Sending the message and the assembled TAG to the receiver as a unified MAC object follows this.
  • the key buffer is replenished asynchronously upon being emptied.
  • the receiver works with a message, a tag and a secret key while accepting or rejecting the message as a final output.
  • the receiver starts by going through the same step of generating all the key instances on demand by mapping the key to a key stream and further storing this in a key buffer (on the receiver's end). This step also uses a stream or block cipher algorithm.
  • the tag is disassembled into two parts, the assumed original tag and the state-based information (optionally concatenated) placed by the sender.
  • the subsequent step of generating the tag at the receivers end involves getting an instance key, performing message compression using a CRC algorithm and applying the XOR function to generate an analogous tag value, which can be checked against the disassembled tag, to prove authenticity of the sender.
  • the state is synchronized by updating the key buffer information or internal state such that the next key is output during the next request cycle.
  • the key buffer is replenished on the receivers end as well, upon being rendered empty.
  • the invention achieves the following properties in the message authentication architecture:
  • the architecture realizes a receiver that would reject messages with bad authentication tags, which may be because of lack of authentication tag, malformed authentication tag, or receipt of messages with old authentication tags (possibly due to replay attacks). 2.
  • the architecture provides a realization for an authentication server that is resilient to
  • DoS Denial-of-Service
  • the invention encompasses a secure, fast, and efficient MAC algorithm construction using a secure and keyed Pseudo Random Bit/Number generator along with any fixed- length compression function such as Cyclic Redundancy Check functions.
  • the architecture is communication protocol neutral, the architecture can be implemented using any communication protocol such as TCP/IP or HTTP.
  • every sender shares a secret key with the receiver.
  • the sender sends a message along with an authentication tag, for that particular message to the receiver.
  • the authentication tag is generated using the secret key.
  • At the receiver's end authentication is achieved by using the message in conjunction with the tag with the following constraints: 1. It should be intractable for any sender to generate an authentication tag without the possession of shared key;
  • the synchronization between the sender and the receiver must be point-to-point; 3.
  • the synchronization window which is the number of messages after which the sender and receiver shall synchronize, must be configurable at run time.
  • Efficient and high-performance Message Authentication Code (MAC) generation and verification algorithms are designed by preprocessing the shared secret key in order to map the shared secret key to a long pseudorandom secret key stream.
  • the transformation function may be a secure stream cipher or a block cipher.
  • a function f which is a compression function, maps arbitrary lengths of message string to fixed length string such as CRC functions or a function drawn from cryptographic hash family, can be used to hash the message.
  • the function/and the key-transform are used to compute the Authentication TAG. Similar to other architectures utilizing block cipher algorithms, the architecture of the present invention maintains some state. This implies that the sender and receiver will have a state, which needs to be synchronized when required. Both the state and the synchronization of the state are essential for achieving trust.
  • FIG. 1 shows the overall layout of the architecture of the present invention. This figure shows the interaction between a messaging partner I and an industrial controller II. Each of these entities have a modular design with distinct components to send and receive messages.
  • the messaging partner I is shown to typically have a Key_l 1 which is used by the integrity tag sender 6 which sends messages from the messaging partner.
  • a Key_2 2 which interacts with an integrity tag receiver 3 to receive messages for the messaging partner.
  • the industrial controller II has a similar distribution of functional components. Key_l 11 interacts with an integrity tag receiver 7 to receive messages sent to the industrial controller.
  • Key_2 12 interacts with an integrity tag sender
  • the processing of the message starts 13 by first synchronizing 16 to check if the key buffer (KB) is empty. If so, the generation of a key is started 17 which produces a key 18 which leads to the generation of an instance key set 19. An instance key buffer 20 is produced as a result. After the message processing has started 13, if no stop signal has been received 14 an instance key is retrieved 23 from the instance key buffer 20. This retrieval 23 yields an instance key 24 which is used in generating the tag. The generation of the tag 25 uses the instance key 24 and the message 26. The tag 27 is then assembled 28 by using a key index 22 which is retrieved 21 from the instance key buffer 20. The assembled tag 29 is sent 30, wherein the message and the tag 31 are transmitted together. This is followed by an update of state 32 which leads to possible revisiting the generation of the instance key set 19 after an update of the key buffer state 33.
  • the overall sequence of steps carried out by a receiver while processing the message sent to it is outlined in Figure 3.
  • the message is processed 35 initially by synchronizing 36 to see if the key buffer has usable entities. If not, the generation of the key starts 37 wherein an instance key set is generated 54 with the use of a key 55. If the stop signal has not been received 38 the assembled tag is received by the receiver 40.
  • the assembled tag 41 is disassembled 42 to produce a key index 43 and a TAG 56. This is followed by the process of getting an instance key 44 where an instance key 45 is retrieved from the instance key buffer 53.
  • a tag is generated 46 using the message 52 wherein the generated tag, TAGl 47 is compared with the previously obtained tag TAG 56 to check for equality. If they are equal, the message is accepted 49 and the instance key buffer state is updated 50 which leads to a synchronization step 54. If the comparison 48 yields that the tags are unequal, the message is rejected 51
  • the step of generating the tag 25 in the sender and 48 in the receiver is depicted in further detail in Figure 4.
  • the instance key 57 is used by an instance key splitter 58, which yields two parts of the key Kl 60 and K2 59.
  • the message 68 is concatenated 61 with the part Kl 60 of the key to produce a concatenated output 62.
  • This is compressed 63 to yield a compressed message 64.
  • This message 65 is XOR-ed 66 with the part of key K2 59, to result in a generated authentication tag 67.
  • the step of assembling the tag at the sender is shown in Figure 5.
  • the tag 70 is concatenated 71 with a key index 74 to produce the assembled tag 73.
  • Key instances are generated on demand wherein the input key K is cryptographically mapped to the key stream k h k j and stored in a buffer KB, using a fast stream cipher (or other block cipher algorithm can be also used to generate random bits). This key generation is carried out at the start the protocol and this is an on demand process.
  • the key instance if often of length 2m and each key is associated with a particular index i. They key instance is further arranged into two portions ki and k 2 such that each of the parts are equally sized at a length m, whose sum yields a length of 2m for the instance key.
  • Disassembling the tag proceeds to break it into two parts, one the assumed original TAG and some extra state or authentication or key index information.
  • the TAG is only assumed to be the original TAG because it could have potentially been compromised in its transmission over an insecure channel and needs to be authenticated before being accepted.
  • Tag generation involves the steps of message compression and using the compressed message to yield the final tag.
  • message compression a binary CRC polynomial p(x) of degree m is selected. Alternately, a hash function /of fixed length output of length m could also be chosen.
  • the portion k t of the key instance is used to randomize the message.
  • the concatenated message is compressed by dividing the message polynomial 12 ⁇ ...B 1 B 0 by p(x) (or by compressing it by using the function ⁇ ).
  • the compressed message CM CRC (B]Ik 1 ), where
  • the portion k 2 of the key instance is used to transform the compressed message to the final tag by applying the XOR operation.
  • the final tag is given by CM ⁇ k 2 , where ⁇ implies XOR operation.
  • this tag TAG further assembled by concatenating some key information i or some state information unique to the sender, optionally to the end of the tag.
  • the sender proceeds to send the tag to the receiver.
  • the final tag TAGl is used to compare against the tag, which the receiver gets from the sender, to verify whether the message received from that particular sender, is authentic.
  • the key buffer needs to be replenished, either at the sender or at the receiver, the key instances are once again generated on demand.
  • Figure 6 depicts the specifics of the entities affected by the method of the present invention alongside the steps where these entities are affected, for the sender.
  • a secret key K 75_I is cryptographically mapped to a key stream k t , k j and stored in a buffer KB 75_O.
  • the generate key step 76 pulls out an entry from the key buffer 76_I which happens to be a two-part key, with parts kl, and k2 which are both of length m 76_O.
  • the original key buffer 77_I comprising key stream entities ki, ki+1, ki+2... ki+n is updated to show that an entity has been utilized and that the key buffer now contains the key stream elements ki_l, ki+2...ki+n 77_O.
  • the generate tag stage 78 utilizes a key instance Jc, an index i and a message B 78_I.
  • the compressed message CM is produced by applying a CRC function to the message with the Id part of the key instance.
  • the TAG is produced by XOR-ing the compressed message and the k2 part of the key 78_O.
  • the tag is assembled 79 by concatenating the TAG and the index 79_I to produce the assembled tag 79_O, which is transmitted 80.
  • Figure 7 depicts the specifics of the entities affected by the method of the present invention alongside the steps where these entities are affected, for the receiver.
  • a secret key K 85_I is cryptographically mapped to a key stream k h k j and stored in a buffer KB 85_O.
  • the receive tag step 86 receives the tag and the compressed message 86_I.
  • the disassemble tag step 87 takes the concatenated TAG and information 87_I and separates them 87_O.
  • the generate key instance step 88 pulls out an entry from the key buffer 88_I which happens to be a two-part key, with parts kl, and k2 which are both of length m 88_O.
  • the generate tag stage 89 utilizes a key instance k, an index i and a message B 89_I.
  • the compressed message CM is produced by applying, a CRC function to the message with the kl part of the key instance.
  • the TAGl is produced by XOR-ing the compressed message and the k2 part of the key 89_O.
  • the tag obtained in 87 is compared 90 with the tag generated in 89 in order to authenticate the message. Upon a match, the message is accepted 91 and upon a mis-match, the message is rejected 92.
  • the original key buffer 93_I comprising key stream entities ki, ki+1, ki+2... ki+n is updated to show that an entity has been utilized and that the key buffer now contains the key stream elements ki 1, ki+2...ki+n 93 O.
  • the key buffer is manipulated using a producer- consumer model, as shown in Figure 8.
  • a circular queue of First In First Out (FIFO) buffers is used both by the producer and consumer of keys, hi one embodiment of the present invention, a shared-memory implementation would require the use of three or more FIFO buffers 106, 112, 120 referenced by circular queues 104, 105, 106.
  • This implementation would effectively decouple the operations of several methods used for manipulating the key buffer such as the Key Stream Generator method, the Key Getter method and the Next Key Getter method, hi the producer, a key stream generator 102 is the producer of key instances.
  • a putKey method 103 is used to populate the circular queue 104 and place the generated key in the next available FIFO buffer 106.
  • the contents of this circular queue 104 are instance keys, which are indexed.
  • the FIFO buffer 107 has an instance key with index 1
  • the FIFO buffer 108 has an instance key with index 2, etc.
  • the circular queue can have several elements 109,110.. 111.
  • the state diagram to manage the organization of buffers as proposed above, is detailed in Figure 9.
  • the key stream generation is handled by a putKey method and the consumption of key instances is asynchronously processed by the getKey method.
  • the semantics for the various operations in the state diagram in Figure 9 are given in Table 1.
  • the process is starts 141 with a setKey method which initializes the key stream generator. This renders the system initialized 142.
  • the process starts 143 and can proceed to any of the states AllBuffersEmpty 147, AbufferEmpty 146 or AllBuffersFull 144.
  • the state of AllBuffersEmpty 147 can move to either of the state of AbufferEmpty 146, when at least one buffer has been consumed 158 or the Stopped state 145 when the stopPutKey method 152 is carried out.
  • the state of AbufferEmpty 146 can move to any of the states of AllBuffersEmpty 147 when the getKey method is invoked 157, the state of AllBuffersFull 144 when the NoEmpty/stopPutKey 153 signal is encountered, or to the stopped state 145, when the stopPutKey method 159.
  • AllBuffersFull 144 can move to any of the states of AbufferEmpty 146 when the getKey or putKey method are carried out 154, or, to the stopped state 145 when the stop command has been issued 151.
  • the stopped state 145 can go back to the start state 143 when a start command has been issued.
  • Figure 10 shows the structure of a message in the architecture of the present invention.
  • the first four bytes 165, 166, 167, 168 of the message represent the message authentication code (MAC) 173.
  • the key instance used to generate this MAC shall be identified using the buffer 174 and key 175 indices placed in the fifth 169 and sixth 170 bytes of the message.
  • the Key Stream Generator synchronization data 176 can be packed at the end of the message from bytes seven 171 through n 172 and can vary in size.

Abstract

This invention discloses a method for authenticating messages in an industrial control system environment where several resource-constrained industrial controllers interact with various entities. Messages are authenticated by concatenating the original message with a tag, generated with the use of a shared secret key between the sender and receiver. This architecture achieves the goals of integrity and availability by using Message Authentication Codes, which are chosen keeping the metrics of speed and security in focus. Further, Replay attacks and Denial of Service attacks are circumvented by using the method and architecture of the present invention

Description

MESSAGE INTEGRITY ARCHITECTURE FOR USE IN INDUSTRIAL CONTROL
SYSTEMS
BACKGROUND FIELD OF THE INVENTION
The present invention relates to a method to guarantee data integrity in a highly available manner in an industrial control systems setup.
DISCUSSION OF PRIOR ART
Message authentication refers to a process of establishing the identity of the source of a message. Message Authentication Codes (MACs) are best interpreted as a checksum for data when the data (along with the checksum) is being passed through an insecure channel. A sender typically generates a MAC by processing the message with a pre-determined MAC algorithm. The receiver verifies a received message by generating its own MAC and checks to see if the received and generated MACs are the same. The sender and the receiver have a shared secret key, in order to perform their checks. Verifying the data integrity and authenticity of a message is achieved by means of using message authentication codes. By using a cryptographic hash function over the message and the key, the computation is accelerated and the messages are rendered compact.
Cyclic Redundancy Codes (CRCs) are widely used for error detection and are a type of hash function used to produce a checksum. Message authentication using CRCs establishes any compromise in the data by parties other than the sender. A malicious intruder however can still compromise messages whose authenticity depends on the CRC-based methods, by modifying the contents of the message. US Patent 5651069 discloses a Software Efficient Message Authentication wherein random hashing or bucket hashing is used as an alternative to using CRC functions.
A stream cipher is a symmetric cipher wherein the plaintext of a message is encrypted using unique, pseudorandom keys which are generated on the fly. These ciphers approximate the function of the one-time pad (OTP) wherein a key stream of random digits is used. One of the requirements for the security of the OTP is that the key stream be as long as the plaintext and also that it be entirely random. This makes the system extremely difficult to implement. A stream cipher alternatively uses a smaller and more conveniently sized key, based on which the pseudorandom key stream is combined with the plaintext in a manner similar to the OTP. This presents the caveat where the proof of security associated with OTP is no longer valid. Stream cipher systems do not implicitly assist in the task of message authentication to a great extent. The data could further be compromised even after encryption has taken place. US Patent 5345507 discloses a Secure message Authentication for binary additive stream cipher which protects against changes in the message, the originating and destination addresses by a malicious attacker. In this invention, two keys are shared between the sender and the receiver. The tags are generated in one stage with the use of one-time keys.
Replay attacks involve the case wherein a valid data transmission is fraudulently repeated or delayed where the goal of the malicious party is to masquerade as someone else. Eavesdroppers often use these attacks in order to subvert the identity of authentic entities. Authentication tags or session identifiers are a common class of solutions to this class of attacks. WO 2005/078986 discloses a One Way Authentication design in which the receiver maintains a history of previously received bit patterns in an effort to prevent replay attacks. This work further uses a digital signature approach. US 6976168 discloses a System and method for adaptive cryptographically synchronized authentication wherein a reversible function is used for the generation of tags, used in avoiding replay attacks.
Industrial control systems are organized by using several controllers in conjunction. These environments are typically limited in the computational resources available to them. The data integrity of the communications between the controllers and the field devices and other computational entities needs to be ensured.
Denial of Service (DoS) attacks are a class of attacks wherein a malicious attacker succeeds in rendering a service or some data unavailable to the intended uses of the system. These attacks are accomplished by either:
• Obstructing the communication between the intended users and the service or system on which the DoS attack is being launched; or,
• Maliciously engaging the computational resources of the service or system such that it is unable to respond to its authentic users.
In an industrial control setup this problem is exacerbated as the entities are computationally resource-constrained to begin with. A message authentication system in the realm of Industrial Control Systems needs to provide data integrity wherein the sender of a message is a valid entity, whose identity can be proved. Further, the system should provide availability in that authorized entities can always have access to the data and services made available by the system without being denied this capability by unauthorized or malicious entities. Another independent attribute of confidentiality is dealt with in WO 0105085 which discloses a Method and device for making secure data access and tranfers in a computer systems. This is also referred to in US 4638120 which discloses a Method and systems for transmission of confidential data.
The features of the present invention are listed below:
1. When compared with the available message authentication algorithms, the method and system of the present invention place less demands on the resources of the receiver, thereby protecting the receiver from DoS and Distributed DoS attacks. 2. The components are protected against message replay attacks since the method of the present invention ensures a one-time use of the pseudorandomly generated keys. 3. The TAG computation is executed with greater speed than methods of the prior art due to the use of CRCs for message length compression and stream ciphers for pseudorandom key generation.
SUMMARY OF THE INVENTION
This invention provides a simple, self-synchronous, highly available, and efficient message authentication architecture that can use synchronous Message Authentication Code (MAC) algorithms such as stream-based MAC or block-based MAC algorithms. Further, this invention proposes a secure, stream-based, fast, and efficient method for verifying the authenticity of a message, incorporating the elements of a MAC algorithms and Cyclic Redundancy Check (CRC) algorithms. Accordingly, this invention provides a state-based architecture that is capable of preventing replay attacks wherein a state-based integrity verification method is used to provide data integrity verification. Protected auto-synchronization of the architecture affords strong protection against DoS attacks. The use of a fast and efficient message authentication architecture wherein a state-based MAC is described based on a keyed pseudo-random bit or number generator and a compression function such as a Cyclic Redundancy Check (CRC) algorithm. The criterion for selecting a method to construct a MAC for Industrial Control System would essentially have the following two metrics:
1. High speed: The time taken to compute authentication tags for 1024 bytes of data must be less than 2 ms because the time taken by the controller to react to a request by sending a corresponding response must be of that order.
2. Security: Although it would be ideal to use a provably secure MAC construction, the requirement for high speed of operations would require a suitable security trade-off. Nevertheless, it would be ideal if a secret key with a length of at least 64-bits were used in the computation of the authentication tag. In addition to the above two metrics, there would also be metrics to determine the memory and computational loads by the MAC algorithm on the Controller.
In the method disclosed, two entities, the sender and the receiver, participate in the message authentication process. Initially, a secret key is exchanged between the sender and the receiver. Using a stream cipher or block cipher configured as a stream cipher algorithm and a special state-synchronization mechanism, the architecture in the present invention maintains state, with the sender and receiver being synchronized in order to achieve trust. The sender works with a message and a pseudorandom secret key, to construct an authenticated message, which is sent to the receiver. The pseudorandom key is mapped to a key stream and stored in a key buffer, using a fast stream cipher or block cipher configured as a stream cipher. Further, an instance key is generated wherein the internal state is updated such that the next key is output during the subsequent request cycles. In the preferred embodiment, the instance key is composed of two portions such that the size of each of it is m bits with a total size of 2m for the key. Following this, the tag is generated by using the instance key, the key index and the message, by performing the operations of message compression and transformation. In the preferred embodiment, message compression involves a CRC function and transformation is achieved using an XOR operation. Further, the tag is assembled with some state information as simply as by concatenation, as in the preferred embodiment. Sending the message and the assembled TAG to the receiver as a unified MAC object follows this. The key buffer is replenished asynchronously upon being emptied.
The receiver works with a message, a tag and a secret key while accepting or rejecting the message as a final output. The receiver starts by going through the same step of generating all the key instances on demand by mapping the key to a key stream and further storing this in a key buffer (on the receiver's end). This step also uses a stream or block cipher algorithm. As soon as the receiver receives the assembled tag and message from the sender, the tag is disassembled into two parts, the assumed original tag and the state-based information (optionally concatenated) placed by the sender. In the preferred embodiment, the subsequent step of generating the tag at the receivers end involves getting an instance key, performing message compression using a CRC algorithm and applying the XOR function to generate an analogous tag value, which can be checked against the disassembled tag, to prove authenticity of the sender. Upon verifying the two tags to be similar, the state is synchronized by updating the key buffer information or internal state such that the next key is output during the next request cycle. The key buffer is replenished on the receivers end as well, upon being rendered empty.
The invention achieves the following properties in the message authentication architecture:
1. The architecture realizes a receiver that would reject messages with bad authentication tags, which may be because of lack of authentication tag, malformed authentication tag, or receipt of messages with old authentication tags (possibly due to replay attacks). 2. The architecture provides a realization for an authentication server that is resilient to
Denial-of-Service (DoS) attacks because the inputs to the synchronization mechanism are cryptographically protected.
3. The invention encompasses a secure, fast, and efficient MAC algorithm construction using a secure and keyed Pseudo Random Bit/Number generator along with any fixed- length compression function such as Cyclic Redundancy Check functions.
4. Since the architecture is communication protocol neutral, the architecture can be implemented using any communication protocol such as TCP/IP or HTTP.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
In the present invention, every sender shares a secret key with the receiver. The sender sends a message along with an authentication tag, for that particular message to the receiver. The authentication tag is generated using the secret key. At the receiver's end authentication is achieved by using the message in conjunction with the tag with the following constraints: 1. It should be intractable for any sender to generate an authentication tag without the possession of shared key;
2. The synchronization between the sender and the receiver must be point-to-point; 3. The synchronization window, which is the number of messages after which the sender and receiver shall synchronize, must be configurable at run time.
Efficient and high-performance Message Authentication Code (MAC) generation and verification algorithms are designed by preprocessing the shared secret key in order to map the shared secret key to a long pseudorandom secret key stream. The transformation function may be a secure stream cipher or a block cipher. A function f, which is a compression function, maps arbitrary lengths of message string to fixed length string such as CRC functions or a function drawn from cryptographic hash family, can be used to hash the message. The function/and the key-transform are used to compute the Authentication TAG. Similar to other architectures utilizing block cipher algorithms, the architecture of the present invention maintains some state. This implies that the sender and receiver will have a state, which needs to be synchronized when required. Both the state and the synchronization of the state are essential for achieving trust.
Figure 1 shows the overall layout of the architecture of the present invention. This figure shows the interaction between a messaging partner I and an industrial controller II. Each of these entities have a modular design with distinct components to send and receive messages. The messaging partner I is shown to typically have a Key_l 1 which is used by the integrity tag sender 6 which sends messages from the messaging partner. There exists a control application 5 alongside a messaging service 4 which interacts with the instances of the integrity tag processing components 6, 3. Further, there exists a Key_2 2 which interacts with an integrity tag receiver 3 to receive messages for the messaging partner. The industrial controller II has a similar distribution of functional components. Key_l 11 interacts with an integrity tag receiver 7 to receive messages sent to the industrial controller. Key_2 12 interacts with an integrity tag sender
10 to send messages from the industrial controller. There also exists a messaging service 8 alongside a control application 9 which interacts with the instances of the integrity tag processing components 7, 10. Between senders and receivers, there is typically a message and an assembled tag which is exchanged, while authentication is being carried out. The message can be described
-.6-1 as B = B^1-B1B0 with the polynomial B(x) = ∑.=0$;*' .
The overall sequence of steps carried out by the sender while sending a message to be authenticated by a corresponding receiver is shown in Figure 2. The processing of the message starts 13 by first synchronizing 16 to check if the key buffer (KB) is empty. If so, the generation of a key is started 17 which produces a key 18 which leads to the generation of an instance key set 19. An instance key buffer 20 is produced as a result. After the message processing has started 13, if no stop signal has been received 14 an instance key is retrieved 23 from the instance key buffer 20. This retrieval 23 yields an instance key 24 which is used in generating the tag. The generation of the tag 25 uses the instance key 24 and the message 26. The tag 27 is then assembled 28 by using a key index 22 which is retrieved 21 from the instance key buffer 20. The assembled tag 29 is sent 30, wherein the message and the tag 31 are transmitted together. This is followed by an update of state 32 which leads to possible revisiting the generation of the instance key set 19 after an update of the key buffer state 33.
The overall sequence of steps carried out by a receiver while processing the message sent to it, is outlined in Figure 3. The message is processed 35 initially by synchronizing 36 to see if the key buffer has usable entities. If not, the generation of the key starts 37 wherein an instance key set is generated 54 with the use of a key 55. If the stop signal has not been received 38 the assembled tag is received by the receiver 40. The assembled tag 41 is disassembled 42 to produce a key index 43 and a TAG 56. This is followed by the process of getting an instance key 44 where an instance key 45 is retrieved from the instance key buffer 53. A tag is generated 46 using the message 52 wherein the generated tag, TAGl 47 is compared with the previously obtained tag TAG 56 to check for equality. If they are equal, the message is accepted 49 and the instance key buffer state is updated 50 which leads to a synchronization step 54. If the comparison 48 yields that the tags are unequal, the message is rejected 51
The step of generating the tag 25 in the sender and 48 in the receiver is depicted in further detail in Figure 4. The instance key 57 is used by an instance key splitter 58, which yields two parts of the key Kl 60 and K2 59. The message 68 is concatenated 61 with the part Kl 60 of the key to produce a concatenated output 62. This is compressed 63 to yield a compressed message 64. This message 65 is XOR-ed 66 with the part of key K2 59, to result in a generated authentication tag 67. The step of assembling the tag at the sender is shown in Figure 5. The tag 70 is concatenated 71 with a key index 74 to produce the assembled tag 73.
Key instances are generated on demand wherein the input key K is cryptographically mapped to the key stream kh kj and stored in a buffer KB, using a fast stream cipher (or other block cipher algorithm can be also used to generate random bits). This key generation is carried out at the start the protocol and this is an on demand process. The key instance if often of length 2m and each key is associated with a particular index i. They key instance is further arranged into two portions ki and k2 such that each of the parts are equally sized at a length m, whose sum yields a length of 2m for the instance key. Disassembling the tag proceeds to break it into two parts, one the assumed original TAG and some extra state or authentication or key index information. The TAG is only assumed to be the original TAG because it could have potentially been compromised in its transmission over an insecure channel and needs to be authenticated before being accepted.
Tag generation involves the steps of message compression and using the compressed message to yield the final tag. During message compression, a binary CRC polynomial p(x) of degree m is selected. Alternately, a hash function /of fixed length output of length m could also be chosen. The portion kt of the key instance is used to randomize the message. The concatenated message is compressed by dividing the message polynomial 12^...B1B0 by p(x) (or by compressing it by using the function^). The compressed message CM= CRC (B]Ik1), where || implies concatenation. The portion k2 of the key instance is used to transform the compressed message to the final tag by applying the XOR operation. The final tag is given by CM θ k2, where θ implies XOR operation. m the case of the sender, this tag TAG further assembled by concatenating some key information i or some state information unique to the sender, optionally to the end of the tag. Upon assembly, the sender proceeds to send the tag to the receiver. In the case of receiver, the final tag TAGl is used to compare against the tag, which the receiver gets from the sender, to verify whether the message received from that particular sender, is authentic. In the case where the key buffer needs to be replenished, either at the sender or at the receiver, the key instances are once again generated on demand.
Figure 6 depicts the specifics of the entities affected by the method of the present invention alongside the steps where these entities are affected, for the sender. During the step of generating tihe key instance 75, a secret key K 75_I is cryptographically mapped to a key stream kt, kj and stored in a buffer KB 75_O. The generate key step 76 pulls out an entry from the key buffer 76_I which happens to be a two-part key, with parts kl, and k2 which are both of length m 76_O.
During the updation of internal state 77, the original key buffer 77_I comprising key stream entities ki, ki+1, ki+2... ki+n is updated to show that an entity has been utilized and that the key buffer now contains the key stream elements ki_l, ki+2...ki+n 77_O. The generate tag stage 78 utilizes a key instance Jc, an index i and a message B 78_I. The compressed message CM is produced by applying a CRC function to the message with the Id part of the key instance. The TAG is produced by XOR-ing the compressed message and the k2 part of the key 78_O. The tag is assembled 79 by concatenating the TAG and the index 79_I to produce the assembled tag 79_O, which is transmitted 80.
Figure 7 depicts the specifics of the entities affected by the method of the present invention alongside the steps where these entities are affected, for the receiver. During the step of generating the key instance 85, a secret key K 85_I is cryptographically mapped to a key stream kh kj and stored in a buffer KB 85_O. The receive tag step 86 receives the tag and the compressed message 86_I. The disassemble tag step 87 takes the concatenated TAG and information 87_I and separates them 87_O. The generate key instance step 88 pulls out an entry from the key buffer 88_I which happens to be a two-part key, with parts kl, and k2 which are both of length m 88_O. The generate tag stage 89 utilizes a key instance k, an index i and a message B 89_I. The compressed message CM is produced by applying, a CRC function to the message with the kl part of the key instance. The TAGl is produced by XOR-ing the compressed message and the k2 part of the key 89_O. The tag obtained in 87 is compared 90 with the tag generated in 89 in order to authenticate the message. Upon a match, the message is accepted 91 and upon a mis-match, the message is rejected 92. During the updation of internal state 93, the original key buffer 93_I comprising key stream entities ki, ki+1, ki+2... ki+n is updated to show that an entity has been utilized and that the key buffer now contains the key stream elements ki 1, ki+2...ki+n 93 O.
hi the architecture of the present invention, the key buffer is manipulated using a producer- consumer model, as shown in Figure 8. A circular queue of First In First Out (FIFO) buffers is used both by the producer and consumer of keys, hi one embodiment of the present invention, a shared-memory implementation would require the use of three or more FIFO buffers 106, 112, 120 referenced by circular queues 104, 105, 106. This implementation would effectively decouple the operations of several methods used for manipulating the key buffer such as the Key Stream Generator method, the Key Getter method and the Next Key Getter method, hi the producer, a key stream generator 102 is the producer of key instances. A putKey method 103 is used to populate the circular queue 104 and place the generated key in the next available FIFO buffer 106. The contents of this circular queue 104 are instance keys, which are indexed. For example, the FIFO buffer 107 has an instance key with index 1, the FIFO buffer 108 has an instance key with index 2, etc. The circular queue can have several elements 109,110.. 111.
The state diagram to manage the organization of buffers as proposed above, is detailed in Figure 9. The key stream generation is handled by a putKey method and the consumption of key instances is asynchronously processed by the getKey method. The semantics for the various operations in the state diagram in Figure 9 are given in Table 1. The process is starts 141 with a setKey method which initializes the key stream generator. This renders the system initialized 142. The process starts 143 and can proceed to any of the states AllBuffersEmpty 147, AbufferEmpty 146 or AllBuffersFull 144. The state of AllBuffersEmpty 147 can move to either of the state of AbufferEmpty 146, when at least one buffer has been consumed 158 or the Stopped state 145 when the stopPutKey method 152 is carried out. The state of AbufferEmpty 146 can move to any of the states of AllBuffersEmpty 147 when the getKey method is invoked 157, the state of AllBuffersFull 144 when the NoEmpty/stopPutKey 153 signal is encountered, or to the stopped state 145, when the stopPutKey method 159. The state of AllBuffersFull 144 can move to any of the states of AbufferEmpty 146 when the getKey or putKey method are carried out 154, or, to the stopped state 145 when the stop command has been issued 151. The stopped state 145 can go back to the start state 143 when a start command has been issued.
Figure 10 shows the structure of a message in the architecture of the present invention. The first four bytes 165, 166, 167, 168 of the message represent the message authentication code (MAC) 173. The key instance used to generate this MAC shall be identified using the buffer 174 and key 175 indices placed in the fifth 169 and sixth 170 bytes of the message. The Key Stream Generator synchronization data 176 can be packed at the end of the message from bytes seven 171 through n 172 and can vary in size.

Claims

1. A method of verifying the authenticity of a message transmitted by a sender to a receiver, both of which share a secret key, comprising the steps of: a. For each message B to be transmitted by the sender, obtaining a key instance with a corresponding key index from a non-empty key buffer which is a repository of key instances; b. Generating a tag, at the sender, resulting from a two-part computation comprising the steps of: i. Compressing the message B, which is randomized before compression, using part of the key instance kl; and ii. Computing the TAG value by applying a function to the compressed message obtained from I and the second part of the key instance k2. which is followed by updating the state by the sender to conform to the generated key index. c. Assembling the tag, at the sender, generated in .b. by appending the key index / to the TAG; d. Transmitting the message B along with the assembled TAG generated in step .c. from the sender to the receiver; e. For each message, tag pair received by the receiver, disassembling the transmitted message, at the receiver, to yield the assumed original TAG and the key index; f. Obtaining a key instance corresponding to the received key index from a nonempty key buffer which is a repository of key instances; g. Generating a tag, at the receiver, resulting from a two-part computation comprising the steps of: i. Compressing the message B, which is randomized before compression, using part of the key instance kl ; and ii. Computing the TAG1 value by applying a function to the compressed message obtained from I and the second part of the key instance k2. h. Comparing the value of TAG, disassembled in step .e. with the value of TAG1, generated in step .g.; and i. Accepting the message if the comparison in step .h. yields an equality, j. Updating the state by the receiver so as to conform to the received key index, if the message is accepted in step (i).
2. A method of claim 1 wherein the step of obtaining the key instance and key index includes the step of checking whether the key buffer KlB, is empty wherein, if the key buffer is empty, the secret key K is cryptographically mapped into a key stream which is used to populate the key buffer;
3. A method of claim 2 wherein the cryptographic function used to map the secret key K to the key stream could he any of a stream cipher or a block cipher;
4. A method of claim 1 wherein the key instance has two parts kl and k2, of equal length m, one part being used to randomize the message and the second part being used to generate the tag;
5. A method of claim 1 wherein the message B is a polynomial B{x) = ∑._0BiX' I
6. A method of claim 1 wherein the step of compressing the message utilizes a CRC polynomial p(x) of degree m
7. A method of claim 1 wherein the step of compressing the message utilizes a hash function/ of fixed length output of length m;
8. A method of claim 1 wherein the process of assembling the tag at the sender, could use the concatenation function to append the key index /to the tag value TAG.
9. A method of claim 1 wherein the process of assembling the tag at the sender could use any state information, maintained at the sender, other than the key index i.
10. A system for authenticating a message transmitted between two communicating entities, each containing a sender to send messages, a receiver to receive messages from other entities, a control method to co-ordinate the actions at the sender and receiver, each of the sender and receiver having a shared key and a key buffer, comprising: a. Sending Means to send a message along with a tag value to prove the authenticity of the message, comprising the steps of: i. For each message B to he transmitted by the sender, obtaining a key instance with a corresponding key index from a non-empty key buffer which is a repository of key instances; ii. Generating a tag, at the sender,, resulting from a two-part computation comprising the steps of:
1. Compressing the message B, which is randomized before compression, using part of the key instance kl; and
2. Computing the TAG value by applying a function to the compressed message obtained from I and the second part of the key instance k2. iii. Assembling the tag, at the sender, generated in .b. by appending the key index 7 to the TAG; iv. Transmitting the message B along with the tag TAG generated in step .c. from the sender to the receiver; b. Receiving Means to receive and verify the authenticity of messages, comprising the steps of: i. For each message, tag pair received at the receiver, disassembling the transmitted message, at the receiver, to yield the assumed original TAG and the key index; ii. Obtaining a key instance with a corresponding key index from a nonempty key buffer which is a repository of key instances; iii. Generating a tag, at the receiver, resulting from a two-part computation comprising the steps of:
1. Compressing the message B, which is randomized before compression, using part of the key instance kl; and
2. Computing the TAG1 value by applying a function to the compressed message obtained from I and the second part of the key instance k2.
. iv. Comparing the value of TAG, disassembled in step .e. with the value of TAG1, generated in step .g.; and v. Accepting the message if the comparison in step .h. yields an equality. c. Key Generation Means comprising the steps of: i. Checking to establish whether the key buffer is empty; and ii. If the key buffer is empty, cryptographically mapping the secret key K to a key stream, which is used to populate the key buffer; and d. Transmission Means comprising means to transmit the tuple of the message and the tag value, generated at the sender, to the receiver.
11. A system of claim 10 wherein the key buffer is comprised of indexed entries, each entry being a key instance;
12. A system of claim 11 wherein the key buffer is implemented as a circular queue of first in first out (FIFO) buffers;
13. A system of claim 10 wherein the cryptographic function used by the key generation means to map the secret key K to the key stream could be any of a stream cipher or a block cipher;
14. A system of claim 10 wherein the key instance has two parts kl- and k2, of equal length m, one part being used to randomize the message and the second part being used to generate the tag;
15. A system of claim 10 wherein the message B is a polynomial B(x) =
Figure imgf000015_0001
I
16. A system of claim 10 wherein the step of compressing the message utilizes a CRC polynomial p(x) of degree m
Yl. A system of claim 10 wherein the step of compressing the message utilizes a hash function/of fixed length output of length m;
18. A system of claim 10 wherein the process of assembling the tag by the sending means, could use the concatenation function to append the key index / to the tag value TAG.
19. A system of claim 10 wherein the process of assembling the tag by the sending means could use any state information, maintained at the sender, other than the key index L
20. A system of claim 10 wherein the final message and tag which are transmitted from the sender to the receiver are expressed in a message authentication code object comprising: a. The Message Authentication Code (MAC); b. The Buffer Index; c. The Key Index; and d. The key stream generator synchronization data.
21. A system of claim 10 which can exist in any of the states of: a. Initial wherein the system is just beginning to operate; b. Initialized wherein the MAC object has been initialized with cryptographic keys and other attributes; c. Started wherein the MAC object has received a start signal from its environment and is ready to start key stream generation; d. AUBuffersEmpty wherein all the keys in the key buffer have been consumed; e. AbufferEmpty wherein all the keys in at least one but not all of the indexed entries in the key buffer have been consumed requiring the key generation means to operate continuously; f. AllBuffersFull wherein all the key instances are new and have not been consumed; g. Stopped wherein the MAC object has received a stop signal from the system; and h. Final wherein all the buffers are destroyed and the system stops operating.
22. A system of claim 14 wherein the system is capable of transitioniαg between the states a- f, upon the occurrence of events including transitioning between: a. Initial to Initialized when the system components such as the MAC object and the key generation means have been initialized; b. Initialized to Started when the system starts operating upon the reception of a start signal from the control algorithm; c. Started to AllBuffersEmpty when the key buffer has been found to be empty, as indicated by the AllEmpty signal; d. Started to AllBuffersFull when the key buffer has fresh keys which have been generated; e. Started to AbufferEmpty when all the keys in at least one but not all the FIFO buffers which act as placeholders for key instances have been consumed; f. AllBuffersEmpty to AbufferEmpty when all the keys in at least one but not all the FIFO buffers which act as placeholders for key instances have been consumed; g. AllBuffersEmpty to Stopped when a stop signal has been received from the control method; h. AbufferEmpty to AllBuffersEmpty when all the keys in the key buffer have been consumed; i. AbufferEmpty to AllBuffersFull when all the key instances are new and have not been consumed; j. AbufferEmpty to Stopped when a stop signal has been received from the control method; k. AllBuffersFull to AbufferEmpty when all the keys in at least one but not all the FIFO buffers which act as placeholders for key instances have been consumed;
1. AllBuffersFull to Stopped when a stop signal has been received from the control method; m. Stopped to Started when a start signal is received from the control method; and Stopped to Final when the system stops operating after all the keys and buffers have been destroyed.
PCT/IB2006/003794 2006-12-29 2006-12-29 Method and system for message integrity architecture for use in industrial control systems WO2008084271A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/IB2006/003794 WO2008084271A2 (en) 2006-12-29 2006-12-29 Method and system for message integrity architecture for use in industrial control systems

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/IB2006/003794 WO2008084271A2 (en) 2006-12-29 2006-12-29 Method and system for message integrity architecture for use in industrial control systems

Publications (2)

Publication Number Publication Date
WO2008084271A2 true WO2008084271A2 (en) 2008-07-17
WO2008084271A3 WO2008084271A3 (en) 2009-05-07

Family

ID=39609093

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2006/003794 WO2008084271A2 (en) 2006-12-29 2006-12-29 Method and system for message integrity architecture for use in industrial control systems

Country Status (1)

Country Link
WO (1) WO2008084271A2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014201707A1 (en) * 2013-06-17 2014-12-24 华为技术有限公司 Encryption communication method and system, and related device
US9894084B2 (en) 2013-07-18 2018-02-13 Nxp Usa, Inc. Illegal message destroyer

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020051537A1 (en) * 2000-09-13 2002-05-02 Rogaway Phillip W. Method and apparatus for realizing a parallelizable variable-input-length pseudorandom function
EP1255372A1 (en) * 2001-05-03 2002-11-06 Telefonaktiebolaget L M Ericsson (Publ) Method and system for data integrity protection
EP1420316A1 (en) * 2002-11-18 2004-05-19 Rockwell Automation Technologies, Inc. Instant messaging for event notification and exchanging data in an industrial controller environment
US6976168B1 (en) * 1999-07-23 2005-12-13 Mcafee, Inc. System and method for adaptive cryptographically synchronized authentication

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6976168B1 (en) * 1999-07-23 2005-12-13 Mcafee, Inc. System and method for adaptive cryptographically synchronized authentication
US20020051537A1 (en) * 2000-09-13 2002-05-02 Rogaway Phillip W. Method and apparatus for realizing a parallelizable variable-input-length pseudorandom function
EP1255372A1 (en) * 2001-05-03 2002-11-06 Telefonaktiebolaget L M Ericsson (Publ) Method and system for data integrity protection
EP1420316A1 (en) * 2002-11-18 2004-05-19 Rockwell Automation Technologies, Inc. Instant messaging for event notification and exchanging data in an industrial controller environment

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014201707A1 (en) * 2013-06-17 2014-12-24 华为技术有限公司 Encryption communication method and system, and related device
US9894084B2 (en) 2013-07-18 2018-02-13 Nxp Usa, Inc. Illegal message destroyer

Also Published As

Publication number Publication date
WO2008084271A3 (en) 2009-05-07

Similar Documents

Publication Publication Date Title
Preneel et al. MDx-MAC and building fast MACs from hash functions
M'Raihi et al. Hotp: An hmac-based one-time password algorithm
US7673142B2 (en) Efficient method for providing secure remote access
US5673318A (en) Method and apparatus for data authentication in a data communication environment
Mironov Hash functions: Theory, attacks, and applications
US5664016A (en) Method of building fast MACS from hash functions
US11277406B2 (en) MTS-based mutual-authenticated remote attestation
WO2001056221A2 (en) Block encryption method and schemes for data confidentiality and integrity protection
Dierks et al. RFC 4346: The transport layer security (TLS) protocol version 1.1
M'Raihi et al. RFC 4226: HOTP: An HMAC-based one-time password algorithm
EP1615370A1 (en) Authentication of short messages
JP5414346B2 (en) Data processing device
WO2008084271A2 (en) Method and system for message integrity architecture for use in industrial control systems
Armour et al. Algorithm substitution attacks against receivers
Hwang et al. IAR‐CTR and IAR‐CFB: integrity aware real‐time based counter and cipher feedback modes
JP5932709B2 (en) Transmission side device and reception side device
KR100381710B1 (en) Method For Security In Internet Server Based Upon Membership Operating System And Server Systems Regarding It
US10608822B2 (en) Efficient calculation of message authentication codes for related data
Bäumer et al. Terrapin Attack: Breaking SSH Channel Integrity By Sequence Number Manipulation
Huang et al. Ultralightweight RFID Authentication Protocol Based on Permutation Matrix Encryption
Pandare et al. Enhanced Password Manager using Hybrid Approach
Ridha et al. Auth-Intg Security System for Communication Protocols
Bhatia Cryptography-The Hidden Message
Wu et al. Fundamentals of Cryptography
Rawat et al. An Enhanced Message Digest Hash Algorithm for Information Security

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 06842298

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase in:

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06842298

Country of ref document: EP

Kind code of ref document: A2