Professional Documents
Culture Documents
Entity A
ACU
ACU
E(K* ,N )
B 2
E(K* ,K N a)
A G_a 1
A_Key_Response_{Low,High}
A_Group_Resync_Response_{Low, High}
Entity A
Entity B
A_Key_Response_{Low,High}
E(K*B ,K SB_AB N 2 A)
E(K*A ,KSB_AB N 1B) E(K* ,C N a)
A G_a 1
A_Auth_Connect_Request
E(K SB_AB ,N3 )
A_Auth_Connect_Reply Figure 6. Group key retrieval in EIBsec
E(K SB_AB ,N’3 N 4)
A_Auth_Connect_Response
EIBsec also allows to revoke a group key. To inform
E(K SB_AB ,N’4 )
all group members about the revocation of the group key,
the ACU sends an A Group Invalidate message. Af-
Figure 5. Session establishment in EIBsec terwards, it generates a new group base key. From it, the
ACU calculates the new group key and the new initial
group counter value. To resume the exchange of group
messages, each group member must rejoin the group using
6.3. Secure process data communication
the A Join Group Request service mentioned above.
To ensure the secure transmission of process data, This mechanism can also be used to limit the lifetime of
group messages are encrypted in counter mode. In con- group keys by the ACU periodically6 sending A Group
trast to SEIB, it is not necessary to distribute the group Invalidate requests.
keys at installation time. In EIBsec, each field device can
obtain the required group key from its corresponding ACU
at any time. Additionally, key revocation as well as a life-
7. Key management
time limitation are supported.
7.1. Node key distribution
Each communication group is assigned to one super-
The node key distribution must be performed in a se-
vising ACU. This ACU randomly generates the corre-
cure environment. It must be avoided that an unauthorized
sponding group base key. Using the equation shown in
user intercepts or modifies a node key during distribution.
Fig. 4, the ACU calculates the group key and the initial
Additionally, it must be prevented that an attacker uses the
group counter.
“key upload” mechanism to set a new key.
To perform an encryption of group messages in counter
As a key is 128 bits long and a standard KNX/EIB
mode, a device needs the group key and the current group
message can only contain 14 bytes of user data, EIBsec
counter value. To join a group, it has to retrieve them from
provides two primitives to upload a node key. A Set
its ACU (which may have to forward the request to the
SecretKey Low can be used to upload the low-order
group’s supervising ACU, cf. Section 7.2. The (super-
8 bytes of the key whereas A Set SecretKey High is
vising) ACU in turn must keep track of the group counter
used to send the high-order 8 bytes. To verify whether
values of its assigned groups.
The steps necessary to join a group G are illustrated in 6 As a first approach a lifetime of 1 day seems appropriate.
the remote user is allowed to change the node key, these To resolve these situations, the ACU consults its par-
messages must include a 6 byte password.7 ent ACU or one of its child ACUs. To communicate with
This explained mechanism has one drawback. The them in a secure manner, each ACU holds the node keys
messages mentioned above are transmitted in clear. Thus, of these ACUs. Fig. 7 illustrates a possible resolution of
a malicious user could simply intercept the key or the a node key miss. Suppose that entity A (address 1.1.1)
password. Therefore, EIBsec provides additional protec- wants to establish a session with entity B (address 1.2.2).
tion mechanisms. Depending on the required security To initiate a session, A sends a request to the correspond-
level, it is possible to choose one of the following three ing ACU S1.1.0 (message 1). Since B is located in a dif-
different modes separately for each field device: ferent network segment, S1.1.0 does not have the node
• Bus mode: The KNX/EIB bus medium can be used key of B. Thus, S1.1.0 is not able to distribute the gen-
to upload the key. Due to security reasons, the node erated session base key to B. By comparing the address
key distribution process must be performed in a se- of B and its own position in the hierarchy, S1.1.0 deter-
cure environment. Therefore, this mode should only mines that it has to ask its parent ACU (S1.0.0 ) for the
be chosen if it can be guaranteed that unauthorized node key of B using an A PrivateKey Request mes-
users are not able to access the bus medium during sage (message 2). S1.0.0 receives the request and verifies
node key distribution. One possible solution is to whether it has the requested key. As B is not located in
set up a minimal network containing only the device the Main Line 1 but in a subordinate line, S1.0.0 sends
and the management station. Additionally, physical another A PrivateKey Request message to its child
access to the particular device can also be required ACU S1.2.0 (message 3). S1.2.0 finally possesses the re-
(e.g., pressing a button). quested key and sends it back to S1.0.0 using an A Key
• Local mode: In this mode, the KNX/EIB bus Response Low and an A Key Response High mes-
medium cannot be used to upload a key. Instead, sage (message 4). S1.0.0 receives the key and transmits
the key upload is performed via a point-to-point con- it to S1.1.0 (message 5). After having received the node
nection. To establish such a direct connection, the key of B, S1.1.0 is able to distribute the generated session
standard local configuration interface for KNX/EIB base key to B (message 6) and to A (message 7). Af-
components must be used. Obviously, this mode is terwards, A can set up a secure channel to B using the
only applicable if the device provides this interface. second phase of the authentication protocol described in
The main benefit of this mode is that the node key is Section 6.2 (message 8).
never transmitted over the KNX/EIB network. Thus,
an eavesdropper is not able to intercept the key. Main Line 1
ACU 1.0.0
devices not supporting EIBsec are still able to route these A_Init_Connect_Response
6 7 8 ... 11 12 ... 17 18 ... 21
frames. TCF ACF Nonce 0 CRC signature
A_SessionKey_Request / A_PrivateKey_Request
unencrypted AES encrypted *) 6 7 8 ... 11 12 ... 15 16 17
0 1 2 3 4 5 6 7 ... 17 18 ... 22 TCF ACF Nonce Nonce Address
A_Key_Response_{Low,High}
Control Field
Hop Count +
Destination
Checksum
ACF
Signature
6 7 8 ... 15 16 17 18 ... 21
Address
Address
App. Data
Source
Length
CRC
TCF TCF ACF Key {Low, High} Address Nonce
ACF App. Data A_Auth_Connect_Request
6 7 8 ... 11 12 ... 17 18 ... 21
TCF ACF Nonce 0 CRC signature
A_Init_Connect_Request 11 0000001 A_Auth_Connect_Reply
A_Init_Connect_Response 11 0000010 6 7 8 ... 11 12 ... 15 16 17 18 ... 21
A_Auth_Connect_Request 11 0000011 TCF ACF Nonce -1 Nonce 0 CRC signature
*) unencrypted A_Auth_Connect_Response
6 7 8 ... 11 12 ... 17 18 ... 21
TCF ACF Nonce -1 0 CRC signature
Figure 8. EIBsec frame format A_Join_Group_Request / A_Group_Key_Request
6 7 8 ... 11 12 ... 15 16 17
TCF ACF Nonce Nonce Group
In Fig. 9, a detailed description of the particular EIBsec A_Join_Group_Response_{Low,High}
PDUs is given. Octets 0 to 5 (data link and network layer 6 7 8 ... 15 16 17 18 ... 21
TCF ACF Key {Low, High} Group Nonce
control fields) as well as the last octet (layer 2 checksum) A_Group_Resync_Request
are not shown since their format follows the KNX/EIB 6 7 8 ... 11 12 ... 15 16 17
TCF ACF Nonce Nonce Group
standard. Some EIBsec commands do not need to be en-
A_Group_Resync_Response_{Low,High}
crypted (shown with white background), but most of them 6 7 8 ... 15 16 17 18 ... 21
TCF ACF Cnt {Low,High} Group Nonce
are encrypted using AES (gray background). Since AES
A_Group_Invalidate
has a fixed block size of 128 bits, an encrypted frame al- 6 7 8 9 10 ... 17 18 ... 21
ways has to contain 14 octets application data. Together TCF ACF Group 0 CRC signature
A_Set_SecretKey_{Low,High}
with the transport and application control field, this re- 6 7 8 ... 15 16 ... 21
sults in 16 encrypted octets and a constant total length of TCF ACF Key {Low,High} Password
a freely available AES implementation ([23]) was ported knowledgment and required bus idle times.
[2] “Building Automation and Control Systems (BACS) –
Part 2: Hardware”, IS0 16484-2, 2004.
[3] P. Neumann, “Virtual Automation Network - Reality or
Dream”, in IEEE International Conference on Industrial
Technology, volume 2, 2003, pp. 994– 999.
[4] “Control Network Protocol Specification”,
ANSI/EIA/CEA 709.1, 1999.
[5] D. Loy, D. Dietrich, and H. Schweinzer, Open Control
Networks, Kluwer Academic Publishers, 2002.
[6] “BACnet – A Data Communication Protocol for Build-
ing Automation and Control Networks”, ANSI/ASHRAE
135, 2004.
Figure 10. KNXcalibur [7] “Building Automation and Control Systems (BACS) –
Part 5: Data Communication Protocol”, ISO 16484-5,
2003.
[8] “KNX Specification”, Version 1.1, 2004.
9. Conclusion and future work [9] W. Kastner and G. Neugschwandtner, “EIB: European In-
stallation Bus”, in The Industrial Communication Technol-
EIBsec extends KNX/EIB by mechanisms for secure ogy Handbook, volume 1, chapter 34. CRC Press, 2005.
communication over the network. Both point-to-point and [10] C. Schwaiger and A. Treytl, “Smart Card Based Secu-
group communication are protected, including authentica- rity for Fieldbus Systems”, in Proc. IEEE Conference on
tion of all communication partners. EIBsec is based on Emerging Technologies and Factory Automation (WFCS),
cryptographic algorithms and protocols which are com- volume 1, 2003, pp. 398–406.
monly accepted as being safe. Nevertheless the presented [11] A. D. Wood and J. A. Stankovic, “Denial of Service in
Sensor Networks”, IEEE Computer, vol. 35, no. 10, pp.
protocol benefits from further formal validation. Its de-
54–62, 2002.
sign takes the performance limitations of both network [12] D. G. Holmberg, “BACnet Wide Area Network Security
and nodes into account. Threat Assessment”, Technical report, National Institute
A prototype implementation is currently underway. It of Standards and Technology, 2003.
will also be used to conduct first performance tests. Since [13] J. Zachary, R. Brooks, and D. Thompson, “Secure Integra-
key functionality is concentrated in the ACUs – not even tion of Building Networks into the Global Internet”, Tech-
devices located in the same segment can communicate se- nical report, National Institute of Standards and Technol-
curely without them – devising an appropriate redundancy ogy, 2002.
[14] Electronic Frontier Foundation, Cracking DES: Secrets of
scheme will be one of the next steps. Another goal is to
Encryption Research, Wiretap Politics and Chip Design,
refine the mechanisms for distribution of the node keys. O’Reilly & Associates, 1998.
With secure management communication, EIBsec al- [15] W. Granzer, “Security in Networked Building Automation
ready provides the basis for a mechanism for the distribu- Systems”, Master’s thesis, Vienna University of Technol-
tion of system software updates. Still, further work is nec- ogy, Institute of Computer Aided Automation, 2005.
essary to create a scheme that properly addresses the vari- [16] G. Westermeir, Diversitäre Zugangs- und Sicher-
ations introduced by different node hardware platforms. heitsmechanismen angewendet in automatisierten
Further steps include the integration of intrusion de- Gebäuden, PhD thesis, TU Munich, 2004.
[17] A. Perrig, R. Szewczyk, J. D. Tygar, V. Wen, and D. E.
tection mechanisms as well as detection and handling of Culler, “SPINS: Security Protocols for Sensor Networks”,
denial-of-service attacks, including the automated isola- in Proc. 7th Annual Intl. Conf. on Mobile Computing and
tion of segments under attack. Networking (MobiCom), 2001, pp. 189–199.
Since automation solutions based on radio communica- [18] N. Okabe, S. Sakane, K. Miyazawa, K. Kamada, A. In-
tion, including the KNX/EIB compatible KNX RF, rapidly oue, and M. Ishiyama, “Security Architecture for Control
rise in popularity, research regarding their security ap- Networks using IPsec and KINK”, in Proc. Symposium on
pears as another important topic. Applications and the Internet (SAINT), 2005, pp. 414–420.
[19] “Advanced Encryption Standard (AES)”, FIPS PUB 197,
National Institute of Standards and Technology, 2001.
Acknowledgements [20] A. S. Tanenbaum and M. van Steen, Distributed Systems:
Principles and Paradigms, Prentice Hall, 2002.
The authors are grateful to the anonymous reviewers for [21] F. Praus, W. Kastner, and O. Alt, “Yet Another All-purpose
their comments that both enhanced this paper and con- EIBNet/IP Gateway”, in Proc. Konnex Scientific Confer-
tributed valuable ideas. ence, 2004.
[22] F. Praus, “A versatile networked embedded platform for
KNX/EIB”, Master’s thesis, Vienna University of Tech-
References
nology, Institute of Computer Aided Automation, 2005.
[23] V. Rijmen, A. Bosselaers, and P. Barreto, “Optimised
[1] W. Kastner, G. Neugschwandtner, S. Soucek, and H. M. ANSI C code for the Rijndael cipher (now AES)”,
Newman, “Communication Systems for Building Au- http://www.iaik.tu-graz.ac.at/research/krypto/AES/, 2000,
tomation and Control”, Proceedings of the IEEE, vol. 93, version 3.0.
no. 6, pp. 1178–1203, 2005.