Security
Document No. D109-010
Page 77 of 108
Revision 1.15
6. SECURITY
DNP3 offers Secure Authentication for links at risk of being attacked. There are various Key
Change methods, Message Authentication Code (MAC) algorithms, and Authentication
methods provided in the DNP3 protocol specification.
Various keys are used in DNP3 Secure Authentication. Session keys are used most frequently,
as they are used for authentication of the requests. These keys are updated by the DNP3 master
at a certain interval, or every time there has been a message failure. The DNP3 master encrypts
these keys before sending them across the wire, using the selected Key Wrap Algorithm and
the Update Key. The Update Key itself can be updated in numerous ways (including sending it
across the wire with another set of keys encrypting that message).
The DNP3 Router supports DNP3 Secure Authentication 5, but currently only supports the
Pre-Shared Key method for Key Changes. Thus, the Update Key needs to be entered into each
device by means outside of the DNP3 protocol.
In Slate the user can write the Update Key into the DNP3 Router module using the Key tab in
the Online Status window. The key entered must match the Key Wrap Algorithm selected.
Thus, if AES-128 Key Wrap was selected, the Update Key must be 128 bits (16 bytes) long. If
AES-256 Key Wrap was selected, the Update Key must be 256 bits (32 bytes) long. The user can
either enter a predetermined hexadecimal code or create a new code in Slate as shown below.
This key is encrypted and sent to the DNP3 Router, where it is saved into the NV memory of
the module.
NOTE: The Key update method in Slate is a write-only function. Thus once the
key has been downloaded the user will not be able to view the key again. Thus
the user must make provision to document or save the key in a secure manner.
NOTE: The other DNP3 device that is going to be communicated to must have
the same Update Key as that of the DNP3 Router. Failing to do this will result
in failed data exchange for critical messages.
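As an added example (not code from this manual, the DNP3 Router firmware or Slate), the following Go program shows the two points made above: the Update Key must have the length that the selected Key Wrap Algorithm demands (16 bytes for AES-128 Key Wrap, 32 bytes for AES-256 Key Wrap), and a session key wrapped under one Update Key can only be unwrapped by a device holding the same Update Key, otherwise the integrity check fails and the key change is rejected. The wrap algorithm implemented is the AES Key Wrap of RFC 3394, which is the algorithm behind the AES-128/AES-256 Key Wrap options; the function names, the algorithm identifier constants, and the sample hex keys (the RFC 3394 Section 4.1 test vector) are assumptions made for this example, and the DNP3 key change message framing around the wrapped key is not modelled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Algorithm names as the manual lists them (constants assumed for this example).
const (
	AES128KeyWrap = "AES-128 Key Wrap"
	AES256KeyWrap = "AES-256 Key Wrap"
)

// ParseUpdateKey decodes a hexadecimal Update Key and rejects it unless its
// length matches the selected Key Wrap Algorithm (16 bytes for AES-128, 32 for AES-256).
func ParseUpdateKey(algorithm, hexKey string) ([]byte, error) {
	key, err := hex.DecodeString(hexKey)
	if err != nil {
		return nil, fmt.Errorf("update key is not valid hexadecimal: %w", err)
	}
	want := map[string]int{AES128KeyWrap: 16, AES256KeyWrap: 32}[algorithm]
	if want == 0 {
		return nil, fmt.Errorf("unsupported key wrap algorithm %q", algorithm)
	}
	if len(key) != want {
		return nil, fmt.Errorf("%s requires a %d-byte update key, got %d bytes", algorithm, want, len(key))
	}
	return key, nil
}

// kwIV is the RFC 3394 default initial value; it doubles as the integrity check on unwrap.
var kwIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// split cuts data into 8-byte registers R[0..n-1].
func split(data []byte) [][]byte {
	r := make([][]byte, len(data)/8)
	for i := range r {
		r[i] = append([]byte(nil), data[i*8:(i+1)*8]...)
	}
	return r
}

// WrapKey wraps sessionKey (multiple of 8 bytes, at least 16) under the Update Key (the KEK)
// exactly as RFC 3394 Section 2.2.1 describes: 6 rounds of AES over A|R[i], XORing the counter t into A.
func WrapKey(kek, sessionKey []byte) ([]byte, error) {
	if len(sessionKey) < 16 || len(sessionKey)%8 != 0 {
		return nil, errors.New("key to wrap must be a multiple of 8 bytes and at least 16 bytes")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	a := append([]byte(nil), kwIV...)
	r := split(sessionKey)
	n := len(r)
	b := make([]byte, 16)
	for j := 0; j <= 5; j++ {
		for i := 0; i < n; i++ {
			copy(b[:8], a)
			copy(b[8:], r[i])
			block.Encrypt(b, b)
			t := uint64(n*j + i + 1) // t = (n*j)+i with 1-based i
			binary.BigEndian.PutUint64(a, binary.BigEndian.Uint64(b[:8])^t)
			copy(r[i], b[8:])
		}
	}
	return bytes.Join(append([][]byte{a}, r...), nil), nil
}

// UnwrapKey reverses WrapKey and checks the recovered A against the IV; a device
// configured with a different Update Key fails here instead of accepting a bad session key.
func UnwrapKey(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("wrapped key has invalid length")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	a := append([]byte(nil), wrapped[:8]...)
	r := split(wrapped[8:])
	n := len(r)
	b := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			t := uint64(n*j + i + 1)
			binary.BigEndian.PutUint64(b[:8], binary.BigEndian.Uint64(a)^t)
			copy(b[8:], r[i])
			block.Decrypt(b, b)
			copy(a, b[:8])
			copy(r[i], b[8:])
		}
	}
	if !bytes.Equal(a, kwIV) {
		return nil, errors.New("integrity check failed: update key mismatch or corrupted data")
	}
	return bytes.Join(r, nil), nil
}

func main() {
	// Constructed sample: the RFC 3394 Section 4.1 test vector (128-bit KEK, 128-bit key data).
	kek, err := ParseUpdateKey(AES128KeyWrap, "000102030405060708090A0B0C0D0E0F")
	if err != nil {
		panic(err)
	}
	session, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	wrapped, _ := WrapKey(kek, session)
	fmt.Printf("wrapped session key: %X\n", wrapped)
	// A 16-byte key is rejected once AES-256 Key Wrap is selected.
	_, err = ParseUpdateKey(AES256KeyWrap, "000102030405060708090A0B0C0D0E0F")
	fmt.Println("AES-256 with 16-byte key:", err)
}
```

Running the program prints the wrapped key from the RFC test vector followed by the length error; the unwrap path with a mismatched Update Key returns the integrity-check error, which is the on-the-wire symptom behind the second note's "failed data exchange for critical messages".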