ASE2000 V2 Communication Test Set User Manual 179
• Each user requires a DSA key pair, the master uses the private key and each RTU needs the
public key.
• The test set requires the appropriate private or public RSA and DSA keys depending on the
test set operation mode. If the appropriate keys are not available to the test set, the messages
will be agged as an error.
– Master mode: User private key and outstation public key.
– RTU mode: Outstation private key and user public key.
– Monitor mode: Outstation private key and user public key.
• In general asymmetric key pairs are created by a third party certicate authority which may be
imported by the test set. However the test set does provide some rudimentary key management
that may be useful in a lab environment only.
• New Private /Public key pairs may be created by the test set.
• Private /Public key pairs may be imported.
– PKCS#12 certicate les using the PFX or P12 format.
– XML le according to RFC 3275.
• Public keys may be imported.
– X509 certicate les using the CRT/CER/DER/PEM format.
– PKCS#7 data les using the P7S/P7M/P7B format.
– XML le according to RFC 3275.
• Public key of a private/public key pair may be exported. This is a self-signed certicate.
– X509 certicate les using the CRT/CER/DER/PEM format.
– PKCS#7 data les using the P7S/P7M/P7B format.
– XML le according to RFC 3275.
• Private keys may not be exported.
• Please note that the following discussion regarding AES-GMAC also pertains to asymmetric
update key methods that utilize AES-GMAC.
26.9.5. AES-GMAC MAC Algorithm
AES-GMAC is a new optional MAC algorithm for SAv5. This implementation requires Windows
Vista SP1 or better. The MAC Algorithm selection will not display these options for the incorrect
Windows version.
However GMAC use comes with some caveats. These caveats are probably not unique to the
Test Set; you will probably îš¿nd them in any implementation.
AES-GMAC requires a dynamic initialization vector. This means that the values used for this
vector may change each time a MAC calculation is performed. Supposedly the master and
outstation are in agreement on these values at all times. This is mostly true, but not always. The
problem components are identiîš¿ed here.
• User Number. The value for the user number is not generally known for the User Status Change
variation. It may be best not to use GMAC if users need to be dynamically maintained. The
Test Set makes the following assumptions based on the operation.
– Delete – the user number test set option.
– Change – the user number test set option.
– Add – zero
• Key Change Sequence Number. If GMAC is used the specication requires that the KSQ
number is persistent. The Test Set doesn’t do this, but in any case the specication provides no
mechanism to synchronize the KSQ explicitly. However the KSQ number can be synchronized
if the master performs a Key Status Request, the response will contain the outstation’s KSQ.
• Challenge Sequence Number. Basically the same problem, the specication provides no
explicit mechanism to synchronize the CSQ number on startup or whenever they get out of
To Next Page
Loading...
Need help?
General
