Secure Authentication
DNP3 secure authentication is based on the following concepts:
- A challenge and response protocol
- A keyed-Hash Message Authentication Code (HMAC) that both the slaves and masters calculate over each Application Service Data Unit (ASDU), or protocol message, that is to be authenticated. An HMAC algorithm is a mathematical calculation that takes a protocol message and a secret key as input and generates a smaller, fixed-size piece of data as output.
Setting | Description |
---|---|
Enable secure authentication | Turns the DNP3 secure authentication mode on or off. |
Secure authentication version | Specifies the secure authentication version. The default version is 5. |
Enable aggressive mode | Determines whether to turn on aggressive mode for secure authentication. Aggressive mode reduces bandwidth by removing the separate challenge and reply messages; the HMAC value is transmitted within the protected ASDU instead. Aggressive mode is less secure than challenge and response mode. |
Expected session key change interval | Specifies the expected session key change interval in minutes. The master periodically changes the session key that is used to calculate the HMAC. The value is from 1 through 120. The default value is 15. |
Expected session key change count | Specifies the number of ASDU transmissions after which the master changes the session key; the master changes the session key when this many ASDUs have been transmitted since the last key change. The value is from 1 through 10000. The default value is 1000. |
Reply timeout | Specifies the reply timeout in units of 100 milliseconds. The value is from 1 through 1200, with each unit representing 100 milliseconds. The default value is 20. |
Maximum error count | Specifies the maximum number of error messages that a device sends after encountering an error. Limiting error messages helps prevent denial-of-service attacks. The value is from 0 through 10. The default value is 2. |
HMAC algorithm | Specifies the HMAC algorithm to be used. Options are as follows: |
Key wrap algorithm | Specifies the key wrap algorithm. The algorithm encrypts the session keys and challenge data during a session key change. Options are as follows: Controllers that use DNP3 secure authentication must support the Advanced Encryption Standard (AES-128) algorithm. |
Update key change method | Specifies how one-time session keys are generated for encryption and authentication, and how server authentication is done. The setting is available when Secure authentication version is set to 5. Options are as follows: |
Configure update key | Opens the Update key configuration dialog to specify the users who will retrieve the update keys during DNP3 secure authentication. The update key is used to periodically change the session keys. The same update key is configured in the master and slaves. An update key comprises 16 bytes and must be entered as 32 hexadecimal digits. To add an update key: |
Configure certificate authority key | Opens the Certificate authority key configuration dialog to specify the symmetric key or the public key, which comes from a Privacy Enhanced Mail (PEM) file. You can open the PEM file with a text editor and copy all of its content into the box. |
Enable secure statistics | Determines whether to turn on secure statistics. You can configure the secure statistics class and secure statistics threshold when this checkbox is selected. The setting is available when Secure authentication version is set to 5. |
Secure statistics class | Selects Class 1, 2, or 3. |
Configure secure statistics threshold | Opens the Secure statistics event threshold settings dialog to specify the secure statistics event thresholds. The value of each threshold is from 1 through 65535. |
Critical function codes | Sets certain function codes to Critical or Non-critical. Hover over the function code buttons to see the names of the function codes. |
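The following Python model is an added example and is not code from this documentation or from the controller it describes. It ties the settings above to the concepts they control: the outstation (slave) issues a challenge, the master answers with an HMAC over the challenge and the ASDU, the outstation verifies it with a constant-time compare, the session key is replaced when either the change interval or the change count is reached, error messages stop once the maximum error count is hit, and an update key is validated as 32 hexadecimal digits. The HMAC algorithm name, the 16-byte session key length, the message layout and the direct hand-over of the session key are assumptions for illustration; the real IEEE 1815 object formats and the AES-128 key wrap are not reproduced.

```python
import hmac
import secrets

# Added example, not from the controller documentation. Stdlib-only model of the
# DNP3 secure-authentication concepts on this page. Algorithm, key size and
# message layout are illustrative assumptions, not the IEEE 1815 wire format.

HMAC_ALG = "sha256"        # assumption: the product's HMAC option list is not on the page
SESSION_KEY_BYTES = 16     # assumption: sized for the AES-128 key wrap the page mentions


def parse_update_key(hex_digits: str) -> bytes:
    """An update key is 16 bytes entered as exactly 32 hexadecimal digits (per the page)."""
    if len(hex_digits) != 32:
        raise ValueError("update key must be 32 hexadecimal digits")
    return bytes.fromhex(hex_digits)   # raises ValueError on non-hex characters


class SecureSession:
    """Secure-authentication state held by one station (master or outstation)."""

    def __init__(self, key_change_interval_min: int, key_change_count: int,
                 max_error_count: int = 2):
        self.key_change_interval_s = key_change_interval_min * 60
        self.key_change_count = key_change_count
        self.max_error_count = max_error_count
        self.session_key = None
        self.key_set_at = None
        self.asdus_since_key_change = 0
        self.errors_sent = 0
        self.last_challenge = None

    def needs_key_change(self, now: float) -> bool:
        """True when no key is installed, the interval has elapsed, or the count is reached."""
        if self.session_key is None:
            return True
        return (now - self.key_set_at >= self.key_change_interval_s
                or self.asdus_since_key_change >= self.key_change_count)

    def install_session_key(self, key: bytes, now: float) -> None:
        self.session_key = key
        self.key_set_at = now
        self.asdus_since_key_change = 0

    def new_challenge(self) -> bytes:
        """Fresh random challenge data (toy size; the real object carries more fields)."""
        self.last_challenge = secrets.token_bytes(4)
        return self.last_challenge

    def compute_hmac(self, challenge: bytes, asdu: bytes) -> bytes:
        """HMAC over the challenge and the ASDU being authenticated."""
        return hmac.new(self.session_key, challenge + asdu, HMAC_ALG).digest()

    def report_error(self) -> bool:
        """Send an error message only until the maximum error count is reached (DoS limit)."""
        if self.errors_sent >= self.max_error_count:
            return False
        self.errors_sent += 1
        return True


def change_session_key(master: SecureSession, outstation: SecureSession, now: float) -> bytes:
    """Master generates a fresh session key and both stations install it.
    Assumption: the toy hands the key over directly; in DNP3 it is sent wrapped
    (AES-128 key wrap) under the shared update key."""
    key = secrets.token_bytes(SESSION_KEY_BYTES)
    master.install_session_key(key, now)
    outstation.install_session_key(key, now)
    return key


def send_critical_asdu(master, outstation, asdu: bytes, now: float, tamper=None) -> bool:
    """Challenge/response mode: outstation challenges, master answers with an HMAC,
    outstation verifies. Returns True if the ASDU is accepted. `tamper` (constructed
    for the example) alters the ASDU in flight so the verification failure is visible."""
    if master.needs_key_change(now):
        change_session_key(master, outstation, now)
    challenge = outstation.new_challenge()
    mac = master.compute_hmac(challenge, asdu)
    master.asdus_since_key_change += 1
    received = tamper(asdu) if tamper else asdu
    expected = outstation.compute_hmac(outstation.last_challenge, received)
    ok = hmac.compare_digest(mac, expected)
    if ok:
        outstation.asdus_since_key_change += 1
    else:
        outstation.report_error()
    return ok


def send_aggressive_asdu(master, outstation, asdu: bytes) -> bool:
    """Aggressive mode: no new challenge exchange; the HMAC carried inside the ASDU is
    bound only to the most recent challenge. Less bandwidth, weaker assurance."""
    mac = master.compute_hmac(outstation.last_challenge, asdu)
    expected = outstation.compute_hmac(outstation.last_challenge, asdu)
    return hmac.compare_digest(mac, expected)
```

Running a short exchange with a change count of 3 shows the key being replaced on the fourth critical ASDU, a tampered ASDU being rejected, and the outstation going silent after its second error message, which is the behaviour the Maximum error count setting buys against error-message flooding.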