Method for checking the authenticity of an electronic module of a modular field device in automation technology

Document No.: 136199 Publication date: 2021-10-22 Language: Chinese

Reading notes: This technology, "Method for checking the authenticity of an electronic module of a modular field device in automation technology", was designed and created by 托马斯·阿尔伯, 马库斯·基利安, 阿克塞尔·保施曼, 萨沙·比勒 and 西蒙·梅克林 on 2021-04-14. Its main content is as follows: The invention relates to a method for checking the authenticity of an electronic module of a modular field device in automation technology. Each electronic module of the field device is assigned a suitable key pair which confirms the identity of the electronic module, each key pair consisting of a public key and a private key, and the public keys of the suitable key pairs are stored in a list assigned to the field device or to a unit communicating with the field device. When an electronic module is replaced or added, the field device or the unit communicating with it checks whether the replaced or added electronic module has a key pair, whether the public key of the replaced or added electronic module is listed in the list of public keys, and whether the electronic module possesses the correct private key; if the check is positive, the replaced or added electronic module is allowed to communicate or interact with the field device or with some other electronic module related to the function of the field device.

1. A method for checking the authenticity of an electronic module (Mk) of a modular field device (FG) in automation technology,

wherein each electronics module (Mk) of the field device (FG) is assigned a suitable key pair (Pk, pk) which confirms the identity of the electronics module (Mk), wherein each key pair (Pk, pk) is formed by a public key (Pk) and a private key (pk), and wherein the public keys (Pk) of the suitable key pairs (Pk, pk) are stored in a list (MTL), wherein the list (MTL) is assigned to the field device (FG) or a unit (U) communicating with the field device (FG), wherein k = 1, 2, ..., the method comprising the following method steps:

-when replacing or adding an electronic module (Mk), the field device (FG) or a unit (U) communicating with the field device (FG) checks:

-whether the replaced or added electronic module (Mk) has a key pair (Pk, pk), and

-whether the public key (Pk) of the replaced or added electronic module is listed in the list (MTL) of said public keys (Pk),

-whether the electronic module (Mk) possesses the correct private key (pk);

-if the conclusion of the check is positive, allowing the replaced or added electronic module (Mk) to communicate or interact with the field device (FG) or some other electronic module (Mk) related to the function of the field device.

2. The method according to claim 1, comprising the method steps of:

in order to check whether the electronic module (Mk) possesses the public key (Pk) of the appropriate key pair (Pk, pk), the field device (FG) or a unit (U) communicating with the field device (FG) requests the public key (Pk) of the replaced or added electronic module (Mk) and checks whether the public key (Pk) of the electronic module (Mk) is stored in the list (MTL).

3. The method according to claim 1 or 2, comprising the method steps of:

the test as to whether the electronic module (Mk) possesses the private key (pk) of the appropriate key pair (Pk, pk) is performed by a challenge/response method.

4. The method according to claim 3, comprising the method steps of:

-sending, in particular by the field device (FG), an arbitrary message (m) to the replaced or added electronic module (Mk) as a challenge, together with the request to create a signature using the private key (pk);

-said electronic module (Mk) signs said message (m) with its private key (pk) and returns said signature as a response;

-the signature is used to check whether the electronic module (Mk) possesses the private key (pk) of the appropriate key pair (Pk, pk).

5. Method according to one or more of claims 1 to 3, comprising the method steps of:

if the check shows that the replaced or added electronic module (Mk) does not have a key pair (Pk, pk), checking whether the key pair (Pk, pk) for the electronic module (Mk) can be generated or provided,

wherein the key pair (Pk, pk) is transferred to the replaced or added electronic module (Mk) in case the key pair (Pk, pk) is provided or generated by another electronic module (Mk).

6. The method according to claim 5, comprising the method steps of:

in case the electronic module (Mk) does not have a suitable key pair (Pk, pk) or cannot generate a suitable key pair (Pk, pk) for the electronic module (Mk), the electronic module (Mk) remains excluded from communication.

7. The method according to one or more of the preceding claims, comprising the method steps of:

if the check shows that the replaced or added electronic module (Mk) has a key pair (Pk, pk) but the public key (Pk) of the key pair (Pk, pk) is not stored in the list (MTL), the public key (Pk) of the generated key pair (Pk, pk) is assigned to the list (MTL) if the trustworthiness of the electronic module (Mk) is confirmed by an authorized person (a).

8. The method according to one or more of the preceding claims, comprising the method steps of:

in case an appropriate key pair (Pk, pk) can be generated for said electronic module (Mk), the public key (Pk) of said key pair (Pk, pk) is stored in said list (MTL) if the trustworthiness of said electronic module (Mk) is confirmed by an authorized person (a).

9. The method according to one or more of the preceding claims, comprising the method steps of:

providing each of said electronic modules (Mk) with an appropriate key pair (Pk, pk) by an initial manufacturer, or by a third party authorized by said initial manufacturer, during the production process or during service use, and

storing the public key (Pk) of the appropriate key pair (Pk, pk) in the list (MTL).

10. The method according to one or more of the preceding claims, comprising the method steps of:

when replacing an electronic module (Mk), the public key (Pk) of the replaced electronic module (Mk) is deleted from the list (MTL).

11. The method according to one or more of the preceding claims, comprising the method steps of:

the checking and the testing are performed during ongoing operation of the field device (FG).

12. The method according to one or more of the preceding claims, comprising the method steps of:

instead of the public key (Pk) of the electronic module (Mk), a derivative such as a hash value or some other independent and unique identification is used.

Technical Field

The invention relates to a method for checking the authenticity of an electronic module of a modular field device in automation technology.

Background

Field devices for detecting and/or influencing physical, chemical or biological process variables are often used in process automation as well as in manufacturing automation. Measurement devices are used to detect process variables. These measuring devices are used, for example, for pressure and temperature measurements, conductivity measurements, flow measurements, pH measurements, fill level measurements, etc., and detect corresponding process variables of pressure, temperature, conductivity, pH value, fill level, flow, etc. An actuator system is used to affect a process variable. Examples of actuators are pumps or valves, which can influence the flow of fluid in a pipe or the level of fluid in a tank. In addition to the aforementioned measurement devices and actuators, a field device should also be understood to include remote I/O, radio adapters, or generally devices disposed at the field level. In connection with the present invention, all such devices are referred to as field devices, which are used in the vicinity of a process or plant and provide or process information related to the process or plant.

The corresponding field devices are usually formed from a plurality of electronic modules, for example plug-in modules with circuit boards, sensors with digital connections, etc. If an electronic module is replaced or added, it is currently not checked whether the electronic module is authentic. Currently, electronic modules are typically visually inspected and only after a positive visual inspection are the electronic modules considered authentic.

The above procedure brings considerable safety risks: in principle, since it is not possible to detect any type of electronic module that may have been tampered with, in the installation of automation technology there is a risk that an electronic module that may have been tampered with will be installed. For example, if an electronic module does not meet the requirements for use in a potentially explosive area, but is used in such an area, it is absolutely life-threatening.

Disclosure of Invention

The present patent application describes a method for ensuring the authenticity of a module: whether or not the module is actually the module it pretends to be. The main consideration here is to check whether a particular module is present, where the identity is checked and modules of the same design are not automatically accepted. In the applicant's patent application filed concurrently with the present patent application, the authenticity of the manufacturer, i.e. whether the electronic module originates from the original manufacturer or from a trusted third party or supplier, is checked. Of course, both methods can also be used for checking the electronic modules simultaneously or in succession.

The object of the invention is to automatically detect non-authentic electronic modules.

This object is achieved by a method for checking the authenticity of electronic modules of a modular field device in automation technology, wherein each electronic module of the field device is assigned a suitable key pair for validating the identity of the electronic module, wherein each key pair is formed by a public key Pk and a private key pk, and wherein the public keys of the suitable key pairs are stored in a list, wherein the list is assigned to the field device or a unit communicating with the field device, wherein the method comprises the following method steps:

when replacing or adding an electronics module, the field device or the unit communicating with the field device checks:

-whether the replaced or added electronic module has a key pair, and

-whether the public key of the replaced or added electronic module is listed in the list of public keys,

-whether the electronic module possesses the correct private key;

-if the conclusion of the check is positive, allowing the replaced or added electronic module to communicate or interact with the field device or some other electronic module related to the function of the field device.

Thus, it is checked whether there are those individual modules that should exist according to the module trust list. If an electronic module is replaced or added, the method according to the invention is used for the detection. If the electronic module cannot prove its authenticity, integration into the operation is refused.

According to the invention, before the field device includes the replaced or added electronic module in the communication required for operating the field device, the field device checks whether the public key of the electronic module is contained in the list of electronic modules identified as trustworthy. The authenticity of the electronic module is usually checked during the operating time of the field device.

The key pair assigned to each electronic module is also referred to as the cryptographic identity of the electronic module. Symmetric and asymmetric encryption are known in principle. In symmetric encryption, encryption and decryption use the same key; in asymmetric encryption, they use two different keys.

In asymmetric encryption, RSA-based key pairs are typically used, which may vary in key length. Currently, RSA keys of 2048 bits are considered necessary; those requiring higher security use a key length of 3072 or even 4096 bits. However, the increased key length has a negative impact not only on the required memory space but also on performance, i.e. on asymmetric encryption and decryption and in particular on key pair generation. Significantly more efficient than the RSA system, which is based on prime numbers, are systems that use elliptic curves. Some ECs (elliptic curves) are already established, one of which is Curve25519.

Preferably, an asymmetric key pair is used in connection with the present invention. Asymmetric encryption methods are considered extremely secure, since two keys are used that cannot be derived from each other: a public key for encryption and a private key for decryption, or vice versa. The private key always remains with the party that generated the key. What is encrypted with the private key is decrypted with the public key, and vice versa.

Furthermore, the following method steps are proposed:

in order to check whether the electronic module possesses the public key of the appropriate key pair, the field device or a unit communicating with the field device requests the public key of the replaced or added electronic module and checks whether the public key of the electronic module is stored in a list of public keys classified as trustworthy.

Furthermore, a test is performed as to whether the electronic module possesses the private key of the appropriate key pair; a challenge/response method is preferably used for this test. The fact that the electronic module transmits a trustworthy public key does not prove that this public key is actually the one associated with the electronic module. After all, the electronic module may be a counterfeit module using an illegally obtained public key. It must therefore be checked whether the electronic module is authentic, i.e. whether the supplied public key actually belongs to the electronic module, whether the electronic module has supplied the correct public key associated with it, and whether this can be proven. As mentioned above, a challenge/response method is preferably used for this proof.

To this end, the field device or the electronic component sends an arbitrary message to the replaced or added electronic module together with a request to create a signature ("challenge"). The module signs the message and sends the signature ("response") back to the field device or to the requesting electronic module, which can then check on the basis of the signature whether the electronic module possesses the correct private key.

The signature is created, for example, as follows: module k applies a hash method to message m and encrypts the resulting hash value with its private key. The field device decrypts the received signature using the public key of the module and compares the result with the hash value it has itself calculated over the transmitted message. Ideally the two hash values are identical, which proves that a) the module has sent the correct public key and b) it also possesses the associated private key. Having provided this proof, the replaced or added electronic module is considered authentic. Dedicated signature algorithms (DSA, ECDSA, etc.) are also known; ultimately these too operate with asymmetric key pairs.

If the electronic module does not have a suitable key pair, or only a key pair based on a different curve or a different cryptographic system, the electronic module cannot participate in the challenge/response method. A remedy is possible if the electronic module has a generator with which such a suitable key pair can be generated; alternatively, the electronic module must have a corresponding interface and key memory so that an externally generated key pair can subsequently be written into it. In both cases, however, the module must support the applicable operations, e.g. encryption with a private key.

In summary, an arbitrary message is sent, in particular by the field device, to the replaced or added electronic module as a challenge, together with the request to create a signature using the private key. The electronic module signs the message with its private key and returns the signature as a response. The signature is used to check whether the electronic module possesses the private key of the appropriate key pair. In the case of asymmetric encryption, any key pair is considered suitable; RSA-based or EC-based key pairs are common. The key pair is a tool, which the field device uses here to determine the authenticity of the electronic module.

In certain cases, "suitable" is further restricted in that both the field device and the electronics module must know the corresponding operations (encryption, decryption) with the key pair. For example, if the field device only knows EC and the module only knows RSA, the method will not work. If the electronic module has no asymmetric encryption at all, there is no appropriate key pair.

Some special cases are described below. If the check shows that the replaced or added electronic module does not have a key pair, it is checked whether a key pair can be generated or provided for the electronic module,

wherein the key pair is transferred to the replaced or added electronic module in case the key pair is provided or generated by another electronic module.

Furthermore, in connection with the present invention it is proposed that replaced or added electronic modules that have no suitable key pair, or for which no suitable key pair can be generated, remain excluded from communication.

If the check shows that the replaced or added electronic module has a key pair but the public key of that key pair is not stored in the list, even though the electronic module appears to be authentic, the public key of the generated key pair is added to the list of electronic modules classified as trustworthy once the trustworthiness of the electronic module has been confirmed by an authorized person.

In the case where an appropriate key pair can be generated for an electronic module, the public key of the key pair is likewise stored in the list of electronic modules classified as trustworthy if an authorized person confirms the trustworthiness of the electronic module. The list can thus become large and contain the public keys of a plurality of electronic modules. When a module is replaced, it is of course expedient to delete the public key of the replaced module from the module trust list.

If the electronic module does not have a suitable key pair, or only a key pair based on another curve or another cryptographic system, the electronic module cannot participate in the challenge/response method. In order to obtain a suitable key pair, the electronic module must either have a generator by means of which such a (suitable) key pair can be generated, or it must have an interface and a key memory so that an externally generated key pair can be written into it. In both cases, however, the electronic module must support the applicable prerequisites and operations (e.g. encryption with a private key).

It is provided that each electronic module is equipped with an appropriate key pair by the original manufacturer, or by a third party authorized by the original manufacturer, during the production process or during service use; furthermore, the public key of the appropriate key pair is stored at that point in time in a list of electronic modules classified as trustworthy. During or after the production process, the trusted person may inform the field device, while the module is being replaced or added, that the replaced or added electronic module has been deemed trustworthy. In this case, the field device incorporates the public key of the electronic module into its module trust list MTL.

When an electronic module is replaced, the public key of the replaced electronic module is deleted from the list of electronic modules classified as trustworthy.

As already mentioned above, a check or test as to whether the electronics module is authentic may be performed during ongoing operation of the field device.

It has also been mentioned that in connection with the invention, instead of the public key of the electronic module, a derivative (e.g. a hash value) or some other independent and unique identification may be used.

Drawings

The invention is explained in more detail with reference to the following figures. Shown in the attached drawings:

FIG. 1 is a schematic illustration of a field device suitable for carrying out the method according to the invention and having a plurality of electronic modules, and

Fig. 2 is a flow chart depicting a method according to the invention with different developments.

Detailed Description

Fig. 1 is a schematic illustration of a field device FG which has a plurality of electronic modules Mk and is suitable for carrying out the method according to the invention. In the case shown, the field device FG has three electronic modules Mk, where k = 1, 2, 3. Each electronics module Mk of the field device FG is assigned a suitable key pair (Pk, pk), where k = 1, 2, 3. Such a suitable key pair (Pk, pk) is a prerequisite for the associated electronic module Mk to be able to confirm its authenticity. Each key pair (Pk, pk) consists of a public key Pk and a private key pk. Furthermore, the public key Pk of the appropriate key pair (Pk, pk) is stored in a list MTL, wherein the list MTL is assigned to the field device FG or to the unit U communicating with the field device FG. MTL is an abbreviation for module trust list. This list contains the public keys Pk of the electronic modules Mk classified as trustworthy. Only when the checking step of the method according to the invention and/or of its further embodiments is evaluated positively is the replaced or newly added electronic module Mk functionally integrated into the field device FG.

A separate key pair (Q, q), consisting of a public key Q and a private key q, is also assigned to the field device. The field device FG can send its public key Q to one or more electronic modules Mk if necessary, for example in order to establish a shared secret between the field device FG and the electronic module Mk and use it (or a derivative thereof) as a symmetric key for encrypted communication (keyword "Diffie-Hellman", exchange of public keys). Furthermore, it is possible that not only the electronics module Mk must prove its identity to the field device FG, but also the field device FG must prove its identity to the electronics module Mk. For example, if the electronics module Mk stores a lot of sensitive (secret) data, the electronics module should possibly be able to pass these data only to a single field device or only to a specific field device FG. For this purpose, each electronic module Mk would have to hold a stored field device trust list in which the public keys of the field devices FGk classified as trusted are listed.

Fig. 2 shows a flow chart depicting a method according to the invention with different developments.

At program point 10, for example, a new electronic module Mk (for example Mod3new) is inserted in place of electronic module Mod3, or alternatively a new module Mk, for example an electronic module Mod4, is added. At program point 20 it is checked whether the new electronic module Mk has the appropriate key pair (Pk, pk). If there is a suitable key pair, it is checked at program point 30 whether the public key Pk of the replaced or added electronic module Mk is listed in the list MTL of public keys Pk. If the test result is positive, it is checked at program point 40 whether the new electronic module Mk possesses the correct private key pk. If the result of this check is positive, the replaced or added electronics module Mk is allowed to communicate or interact with the field device FG or with some other electronics module Mk of the field device FG (relating to the function of the field device FG). The check terminates at program point 60. The check may also be performed by a separate unit; this is not separately shown in Fig. 2.

In order to check at program point 30 whether the electronic module Mk possesses the public key Pk of the appropriate key pair (Pk, pk), the field device FG or the unit U communicating with the field device FG requests the public key Pk of the replaced or added electronic module Mk and checks whether the public key Pk of the electronic module Mk is stored in the list MTL.

The check (program point 40) as to whether the electronic module Mk also possesses the correct private key pk of the appropriate key pair (Pk, pk) is performed by a challenge/response method. For this purpose, in particular, an arbitrary message m is sent by the field device FG to the replaced or added electronic module Mk as a challenge, together with the request to create a signature using the existing private key pk. The electronic module Mk signs the message m with its private key pk and returns the signature as a response. This signature is used to check whether the electronic module Mk possesses the correct private key pk of the appropriate key pair (Pk, pk). This is the case if the message m, after being encrypted and decrypted, is again message m.

Now consider what may happen if the result of the check at program point 20, 30 or 40 is negative.

If the check at program point 20 shows that the electronic module Mk does not have the appropriate key pair (Pk, pk), a check is made as to whether the key pair (Pk, pk) can be generated or provided for the electronic module Mk (program point 70). If the key pair (Pk, pk) can be provided or generated by the field device FG or by another electronic module Mk (program point 80), the key pair (Pk, pk) is passed to the replaced or added electronic module Mk. The replaced or added module Mk may also itself generate the appropriate key pair (Pk, pk); for this purpose, the appropriate technical prerequisites must be present. Once the trustworthiness of the electronic module Mk has been confirmed by an authorized person, the public key Pk is stored in the list MTL.

In case the electronic module Mk does not have, and cannot generate, a suitable key pair (Pk, pk) (program point 70), the electronic module Mk remains excluded from communication. Optionally, an error message is generated indicating that the electronic module Mk does not have the appropriate key pair (Pk, pk) (program point 90).

If the public key Pk of the replaced or added module Mk is not contained in the list MTL (program point 30) and the trustworthiness of the electronic module Mk is not confirmed by an authorized user, an error message is sent indicating that the electronic module Mk is not trustworthy (program point 120). The field device FG does not integrate the replaced or added module into the communication.

If the challenge/response test at the program point 40 shows that the electronic module does not possess the correct private key pk, an error message is generated at the program point 130 indicating that the electronic module Mk is not authentic.
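The checks of claim 1 and of program points 20 to 40, including the negative branches just described and the counterfeit case in which a module presents a trusted public key without owning the matching private key, as an added Go example that is not part of the patent. Ed25519 (Curve25519 family) as the key system, the SHA-256 fingerprint used as MTL key in the sense of claim 12, and all type and function names are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Module models an electronic module Mk holding its key pair (Pk, pk). A zero
// Module has no key pair; a trusted Pk paired with a foreign pk is a counterfeit.
type Module struct {
	Pub  ed25519.PublicKey  // Pk, handed out on request (program point 30)
	priv ed25519.PrivateKey // pk, never leaves the module
}

// NewModule provisions a fresh Ed25519 key pair (Curve25519 family), as the
// manufacturer would do during production (claim 9).
func NewModule() (*Module, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Module{Pub: pub, priv: priv}, nil
}

// Sign answers the challenge m with a signature made with pk (program point 40).
func (m *Module) Sign(msg []byte) []byte {
	if len(m.priv) != ed25519.PrivateKeySize { // no key pair: cannot take part
		return nil
	}
	return ed25519.Sign(m.priv, msg)
}

// The negative outcomes correspond to the error branches of the flow chart.
var (
	ErrNoKeyPair    = errors.New("no suitable key pair (program point 90)")
	ErrNotTrusted   = errors.New("public key not in MTL (program point 120)")
	ErrNotAuthentic = errors.New("wrong private key, not authentic (program point 130)")
)

// FieldDevice holds the module trust list MTL, keyed (claim 12) by a derivative
// of Pk, here its SHA-256 fingerprint, rather than by the raw key.
type FieldDevice struct{ MTL map[string]bool }

func NewFieldDevice() *FieldDevice { return &FieldDevice{MTL: map[string]bool{}} }

func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Trust records Pk once an authorized person confirmed the module (claims 7, 8);
// Revoke removes the Pk of a module that was replaced (claim 10).
func (fg *FieldDevice) Trust(pub ed25519.PublicKey)  { fg.MTL[fingerprint(pub)] = true }
func (fg *FieldDevice) Revoke(pub ed25519.PublicKey) { delete(fg.MTL, fingerprint(pub)) }

// Admit runs the three checks of claim 1 against a replaced or added module.
func (fg *FieldDevice) Admit(mod *Module) error {
	if len(mod.Pub) != ed25519.PublicKeySize { // program point 20: has a key pair?
		return ErrNoKeyPair
	}
	if !fg.MTL[fingerprint(mod.Pub)] { // program point 30: Pk listed in the MTL?
		return ErrNotTrusted
	}
	challenge := make([]byte, 32) // program point 40: fresh random message m
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	if !ed25519.Verify(mod.Pub, challenge, mod.Sign(challenge)) {
		return ErrNotAuthentic
	}
	return nil // positive result: the module may join the communication
}

func main() {
	fg := NewFieldDevice()
	genuine, _ := NewModule()
	fg.Trust(genuine.Pub) // an authorized person confirms the new module
	other, _ := NewModule()
	fake := &Module{Pub: genuine.Pub, priv: other.priv} // replays a trusted Pk
	fmt.Println("genuine:", fg.Admit(genuine), "| counterfeit:", fg.Admit(fake))
}
```

The fresh random challenge is what defeats the replayed public key: a module that cannot sign the challenge with the matching pk is rejected at program point 40 even though its Pk is in the MTL.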

The method according to the invention makes it possible to reliably prove the correct identity of the electronic module Mk. The counterfeit module can be disposed of.
