EP3603012A1 - Procédé et dispositif de protection d'une communication entre au moins un premier dispositif de communication et au moins un deuxième dispositif de communication, en particulier dans un réseau de communication d'une production et/ou automatisation industrielle - Google Patents

Procédé et dispositif de protection d'une communication entre au moins un premier dispositif de communication et au moins un deuxième dispositif de communication, en particulier dans un réseau de communication d'une production et/ou automatisation industrielle

Info

Publication number
EP3603012A1
EP3603012A1 EP18727176.2A EP18727176A EP3603012A1 EP 3603012 A1 EP3603012 A1 EP 3603012A1 EP 18727176 A EP18727176 A EP 18727176A EP 3603012 A1 EP3603012 A1 EP 3603012A1
Authority
EP
European Patent Office
Prior art keywords
communication
communication device
data
function
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP18727176.2A
Other languages
German (de)
English (en)
Inventor
Kai Fischer
Daniela FRIEDRICH
Markus Heintel
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Siemens AG
Original Assignee
Siemens AG
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Siemens AG filed Critical Siemens AG
Publication of EP3603012A1 publication Critical patent/EP3603012A1/fr
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0478Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0464Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload using hop-by-hop encryption, i.e. wherein an intermediate entity decrypts the information and re-encrypts it before forwarding it
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/126Applying verification of the received information the source of the received data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0833Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC

Definitions

  • the present invention relates to a method nikationsan extract a communication, a network element and a Kommunikati ⁇ ons worn for protecting a communication between at least a first communication device and at least a second communication device within a preferably real-time communication network, and in particular in the field of industrial production and / or Automation, wherein the communication network has at least one network element, are passed over the zugehö ⁇ r communication for communication, and an associated computer ⁇ program (product).
  • safety refers mainly to the security, confidentiality and / or integrity of data so ⁇ as their transfer and security, confidentiality and / or integrity in accessing relevant data.
  • the authentication in data transfers or data access belongs the term "security”.
  • Under a cryptographic functionality is generally understood, for example, a function for encryption, to protect the confidentiality, integrity protection and / or authentication of data (eg user data, control data, configuration data or administrative data).
  • the cryptographic protection functionality since ⁇ include, for example at one or more of the following set ⁇ led functionalities:
  • the enumerated cryptographic functionalities can in each case be carried out again with other / further methods or combinations of these methods.
  • the data interface can be designed and set up as a serial or parallel data interface.
  • the communication between the components is not limited to a point-to-point (peer) communication. Group communication, broadcast messages or publish / subscribe communication patterns are also conceivable.
  • Communication (end) facilities may include field devices, industrial controllers, industrial PCs, handheld computer systems, pocket PC devices, mobile phones, smart phones,
  • Tablets and other communication devices that can handle computer-aided processing, processors and other electronic computing devices.
  • a measure to protect industrial components and machines is to divide them into different zones according to their trustworthiness and their protection requirements (zone model). There will usually be no more within such a zone
  • the zones are usually so decor with dark ⁇ tet that the communication between the components takes place within the zone and only conditionally possible to communicate with components au ⁇ ßer Halb its own zone.
  • the halt or the nodes or components within the Zo ⁇ ne are protected and there are dedicated transfer points to other zones.
  • Such cell protection concepts are no longer suitable because communication is increasingly being conducted across the zone boundaries.
  • Such transition points ⁇ often delay the data flow and thus affect the real-time behavior.
  • the components should be more flexible in such scenarios. Thus, static / physical solutions are no longer practicable.
  • TLS Transport Layer Security
  • IPSec in ⁇ ternet Protocol Security
  • Transport layer and IPSec (on plane or layer 3 Ver ⁇ mediate layer) of the communication technology ver Liste- th OSI reference model or a similar network models, such as TCP / IP stack defined.
  • Level 4 protocols tend to be ineligible for group communication.
  • Logical communication paths are not yet protected by cryptographic measures.
  • a logical Kommunikati ⁇ onsweg between communication (end) facilities can be realized by an identifier in data packets.
  • Ethernet-based protocols are used at level 2 of the OSI reference model.
  • the so-called backup ⁇ layer (Layer 2) provides generally for an error-free DA Transmission and possibly for a data flow control on Sen ⁇ der- and receiver side.
  • MACSec which 802. IX is be ⁇ wrote in IEEE standard 802.1AE or IEEE is working on level 2 and allows standard ⁇ default only a point-to-point security / encryption. To secure a group communication, all the individual point-to-point connections between the network elements would have to be configured. If MACSEC for
  • the invention claims a method for protecting a communication between at least a first communication device and at least a second communication device within a communications network, insbeson ⁇ particular in the environment of an industrial manufacturing and / or automation mation, wherein the communication network comprises at least one network element are routed through the communication zugehö ⁇ membered data, comprising the steps of: - protecting the data by means of a first cryptic tographischen protection function, which are transmitted from at least a first communication device to at least one second communication device .
  • Communication device are passed to the at least second communication device and containing the data, - Providing a verification function by the at least one network element, which checks the authenticity and / or integrity of the messages based on the second protection function,
  • the invention is not limited to point-to-point communication within the group, but can also be a
  • the advantage of the invention lies in the detection and defense against attacks in which an unauthorized attacker wants to gain access to works or devices.
  • Network elements can monitor the authenticity and / or integrity of messages.
  • a further advantage of the invention lies in the fact that the invention is not limited to an initially explained zone, but can optionally be used over several transition points.
  • a development of the invention provides that the second protective function encloses the first protective function and is cryptographically independent of the first protective function.
  • a further development of the invention provides that, in order to continue the communication, the messages which contain data which remain protected by means of the first protective function are conducted protected by the second protective function to the at least second communication device.
  • a development of the invention provides that the communication between the mentioned communication devices takes place via a virtually logically formed communication network.
  • a development of the invention provides that a communication protocol on level 2 of the OSI reference model or comparable network model used in communication technology is used for communication between the communication devices.
  • a development of the invention envisages that is set for communication between the communication devices, a communication protocol on level 3, also network layer ge ⁇ Nannt, the OSI reference model used in the communication technology or equivalent network model ⁇ is.
  • a development of the invention provides that the first protective function uses a first key, in particular a first group key.
  • a development of the invention provides that the second protective function uses a second key, in particular a second group key.
  • a development of the invention provides that the first key is derived from the second key.
  • a development of the invention provides that in the
  • Key derivation function is a belonging to the communication facilities secret, in particular a group secret ⁇ nis received.
  • a development of the invention provides that the data (D) can be supplemented with further data (D x ) before the provision of the second cryptographic protection function. These additional or other data may then by authorized network elements on the communication modifi ed ⁇ or added and are protected by the second protective function.
  • a further aspect of the invention provides a communication ⁇ arrangement for protecting a communication between at least a first communication device and at least a second communication device within a communications network before, especially in the environment of a converted ⁇ len manufacturing and / or automation, wherein the communication network comprises at least one network element, are routed through the data associated with communication, comprising:
  • Means for protecting the data using a first cryptographic protection function which are transmitted from at least a first Kommunikati ⁇ ons worn to at least one second communication device,
  • Means for providing a second cryptographic protection function which messages protects between a communication device and a network element, which are conducted via the at least one network element of the ers ⁇ th communication device for the at least second communication device and which contain the data
  • a development of the invention provides that the data (D) can be supplemented with further data (D x ) before the provision of the second cryptographic protection function. These additional or other data may then by authorized network elements on the communication modifi ed ⁇ or added and are protected by the second protective function.
  • a further aspect of the invention provides a network element suitable for supporting a protected communication between at least a first communication device and at least one second communication device within a communications network before, in particular in order ⁇ field of industrial production and / or automation, wherein via the network element to communicate data associated with to be directed, comprising:
  • Means for reading cryptographically protected data from cryptographically protected messages which are routed via the network element from the first communication device to the at least second communication device,
  • a development of the invention provides that the data (D) can be supplemented with further data (D x ) before the provision of the second cryptographic protection function. These additional or other data may then through our authorized network elements on the communication modifi ed ⁇ or added and are protected by the second protective function.
  • a further aspect of the invention provides a communication device for protecting a communication with at least one other communication device within a communications network before, especially in the environment of a indust ⁇ -material manufacturing and / or automation, wherein the communication network comprises at least one network element, via the associated communication Data can be routed, comprising:
  • Means for protecting the data by means of a first cryptographic protection function which are transmitted from the communication device to at least one second communication device,
  • Network element protected via the network elements are conducted to the at least second Kommunikati ⁇ ons founded and include Since ⁇ th, wherein, depending thentizticians- from a result of Au and / or integrity check of the protected messages, at a continuation of the communication, the data to be protected by the first protection function , remain protected until their receipt by the at least second communication device by means of the first protective function.
  • a development of the invention provides that the data (D) can be supplemented with further data (D x ) before the provision of the second cryptographic protective function. These additional or other data may then by authorized network elements on the communication modifi ed ⁇ or added and are protected by the second protective function.
  • the assembly device and network element may entspre ⁇ accordingly Removing of the embodiments / developments of the above-mentioned process or be further formed.
  • the above-mentioned units or means can be used in
  • Another aspect of the invention may be a computer program or a computer program product with at least one Compu ⁇ terprogramm with means for carrying out the method and its referred embodiments when the computer program (product) and the at least one computer program divides comparable within the communication apparatus according to above described type is carried out for execution.
  • the above devices, arrangements and, where appropriate, the computer program (product) can be developed or developed substantially analogously to the method and its embodiments or further developments.
  • FIGS. 1 and 2 show the procedure according to the invention for checking the authenticity and / or integrity of a logical communication connection between two communication devices, the messages containing the data being routed via one or more network elements.
  • Figures 1 and 2 each show an attack scenario in ⁇ nerrenz a communication network, for example a mentioned virtual logical network (VLN), in which an attacker A tries an attack on a network element NE of possible multiple network elements of a communications network.
  • VLN virtual logical network
  • the attacker A wants to disrupt the communication between the communication devices PLC1 and PLC2.
  • These communication devices can be ICS components (Industrial Control System).
  • the network element NE checks the authentication information, for example MAC, to determine whether they are messages from an authenticated group subscriber of the communication network. If this is not the case, eg because the attacker feeds in messages without being able to generate the correct authentication information.
  • NEN the affected data packets are discarded and not forwarded by the network element.
  • the data is protected twice on the end-to-end or on the point-to-point transport path (dashed and rectangular rectangle).
  • MAC Message Authentication Code
  • HMAC Home MAC
  • OMAC Open Mobile communications
  • CBC-MAC CBC-MAC
  • K_D_VLNx is used for confidentiality protection
  • Step 1 The data D (solid rectangle) to be sent is provided with a first protection function, e.g. protected by a group key K_D_VLNx from a first communication device PLC1 (confidentiality / authenticity / integrity protection). It arises
  • K_D_VLNx is only the regular group members of the communication network VLNx and not the network elements e.g. NE known.
  • Step 2 The data packet ⁇ [D]> is replaced by a second one
  • additional data D x can be modified or supplemented by authorized network elements, eg PLC1, on the communication path, and by the second
  • Step 3 The network element NE receives the data packet ⁇ [D]>> and extracts or reads the authentication information of the second protection function from the message.
  • the outer protection can be removed.
  • the outer protection is not usually removed, but remains as well as the protection of the data obtained by the first protection function.
  • Step 4 Second protection check to see if the message is authentic or integer. This means that the dashed box is checked, which either contains only D and can also contain D x .
  • Step 5 If the message is not authentic / integer, the data packets are discarded, thus stopping the communication.
  • Step 6 If the message is authentic, then received in step 3 message ⁇ [D]>> or ⁇ D X ⁇ D>> (dashed-rectangle rectangle) over the Kommunikati ⁇ onsnetz to the second communication device PLC2 (continue ). This protects the data in the dashed rectangle until it reaches the receiver. If the external protection has been removed in step 3, the message is again protected with a second cryptographic protection function, whereby the same authentication key K_NE_VLNx is usefully used for protection.
  • step 7 The communication device PLC2 receives the data packet ⁇ [D]>> or ⁇ D X ⁇ D>> (dashed rectangle) and checks and removes the K_NE_VLNx authenticity / integrity protected part of the data packet.
  • step 8 By decoding the data and checking the first protection function with K_D_VLNx, the communication device PLC 2 receives the actual (useful) data (solid rectangle) and can be sure that the message containing the data comes from a group member.
  • the network elements NE for example, check the capacity Authenti ⁇ / integrity of the data packets before the data packets by they are forwarded.
  • the network element NE can not read the data of the message itself or no data
  • An advantageous embodiment of the invention is that, in addition to the data of the communication device within the spliced rectangle, additional data needed for the network infrastructure elements
  • K_D_VLNx is transmitted via a key derivation function e.g. KDF (S_G,
  • K_NE_VLNx K_NE_VLNx depending on K_NE_VLNx.
  • the secret S_D is distributed once initially to the communication facilities of the regular group members. S_D does not necessarily have to be selected VLNx specific or group-specific, because a common S_D can be used for all VLNx / groups without the property of a group-specific one
  • K_D_VLNx lose.
  • the diversity of the K_D_VLNx arises from the distribution of the group-specific K_NE_VLNx to the authorized group members.
  • K_D_VLNx loses.
  • the diversity of the K_D_VLNx arises from the distribution of the group-specific K_NE_VLNx to the authorized group members.
  • Processor or bound to specific execution schemes can be performed by software, firmware, microcode, hardware, Prozes ⁇ sensors, integrated circuits, etc. in stand-alone mode or in any combination.
  • Various processing strategies can be used, for example serial processing by a single processor or multiprocessing or multitasking or parallel processing, etc.
  • the instructions can be stored in local memories, but it is also possible to store the instructions on a remote system and then via Network access.
  • processor central signal processing
  • Control unit or “data evaluation means” as here USAGE ⁇ det, processing means includes in the broad sense, that is, for example, servers, general purpose processors, Gardnerluxo ⁇ ren, digital signal processors, application specific inte ⁇ grated circuits (ASICs), programmable logic circuits, such as FPGAs, discrete analog or digital circuits and be ⁇ undesirables combinations thereof, and any other processing means known in the art or developed in the future.
  • Processors can be one or more Devices or devices or units exist. If a processor consists of several devices, these can be designed or configured for the parallel or sequential processing or execution of instructions.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

La présente invention concerne un procédé et dispositif de protection d'une communication entre au moins un premier dispositif de communication et au moins un deuxième dispositif de communication, en particulier dans un réseau de communication d'une production et/ou automatisation industrielle. Le réseau de communication comporte au moins un élément de réseau (NE), par l'intermédiaire duquel des données relevant de la communication sont acheminées. Le procédé comporte des étapes qui suivent consistant à : protéger les données (D) a moyen d'une première fonction de protection cryptographique, lesquelles sont transmises par au moins un premier dispositif de communication (PLC1) à au moins un deuxième dispositif de communication (PLC2) ; fournir une deuxième fonction de protection cryptographique, laquelle protège des messages entre un dispositif de communication et un élément de réseau, lesquels sont acheminés par l'intermédiaire de l'élément ou des éléments de réseau depuis le premier dispositif de communication au moins au deuxième dispositif de communication et qui contiennent les données ; fournir une fonction de surveillance par l'élément ou les éléments de réseau qui surveillent l'authenticité et/ou l'intégrité des messages à l'aide de la deuxième fonction de protection ; poursuivre (6) ou arrêter (5) la communication en fonction du résultat de la surveillance (4) par la fonction de surveillance, les données restant protégées au moyen de la première fonction de protection en cas de poursuite de la communication jusqu'à leur réception par le deuxième ou les deuxièmes dispositifs de communication.
EP18727176.2A 2017-05-23 2018-05-09 Procédé et dispositif de protection d'une communication entre au moins un premier dispositif de communication et au moins un deuxième dispositif de communication, en particulier dans un réseau de communication d'une production et/ou automatisation industrielle Withdrawn EP3603012A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102017208735.8A DE102017208735A1 (de) 2017-05-23 2017-05-23 Verfahren und Vorrichtung zum Schutz einer Kommunikation zwischen mindestens einer ersten Kommunikationseinrichtung und wenigstens einer zweiten Kommunikationseinrichtung insbesondere innerhalb eines Kommunikationsnetzwerkes einer industriellen Fertigung und/oder Automatisierung
PCT/EP2018/061970 WO2018215209A1 (fr) 2017-05-23 2018-05-09 Procédé et dispositif de protection d'une communication entre au moins un premier dispositif de communication et au moins un deuxième dispositif de communication, en particulier dans un réseau de communication d'une production et/ou automatisation industrielle

Publications (1)

Publication Number Publication Date
EP3603012A1 true EP3603012A1 (fr) 2020-02-05

Family

ID=62245233

Family Applications (1)

Application Number Title Priority Date Filing Date
EP18727176.2A Withdrawn EP3603012A1 (fr) 2017-05-23 2018-05-09 Procédé et dispositif de protection d'une communication entre au moins un premier dispositif de communication et au moins un deuxième dispositif de communication, en particulier dans un réseau de communication d'une production et/ou automatisation industrielle

Country Status (5)

Country Link
US (1) US11336657B2 (fr)
EP (1) EP3603012A1 (fr)
CN (1) CN110679129B (fr)
DE (1) DE102017208735A1 (fr)
WO (1) WO2018215209A1 (fr)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210092103A1 (en) * 2018-10-02 2021-03-25 Arista Networks, Inc. In-line encryption of network data
EP4211871A1 (fr) 2020-09-07 2023-07-19 Hirschmann Automation and Control GmbH Procédé pour faire fonctionner un réseau

Family Cites Families (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6826616B2 (en) * 1998-10-30 2004-11-30 Science Applications International Corp. Method for establishing secure communication link between computers of virtual private network
US7389529B1 (en) 2003-05-30 2008-06-17 Cisco Technology, Inc. Method and apparatus for generating and using nested encapsulation data
US8127366B2 (en) * 2003-09-30 2012-02-28 Guardian Data Storage, Llc Method and apparatus for transitioning between states of security policies used to secure electronic documents
DE102005027232A1 (de) * 2005-06-13 2006-12-14 Siemens Ag Verfahren und Anordnung zum sicheren Übertragen von Daten in einem ein Mehrsprungverfahren nutzenden Kommunikationssystem
US8607051B2 (en) 2006-04-11 2013-12-10 Qualcomm Incorporated Method and apparatus for binding multiple authentications
US8776166B1 (en) * 2006-07-17 2014-07-08 Juniper Networks, Inc. Plug-in based policy evaluation
EP2304918B1 (fr) * 2008-06-16 2014-04-09 Telefonaktiebolaget L M Ericsson (PUBL) Envoi de données multimédias par l'intermédiaire d'un n ud intermédiaire
DE102009051383A1 (de) 2009-10-30 2011-05-12 Siemens Aktiengesellschaft Verfahren und Vorrichtung zum sicheren Übertragen von Daten
DE102009051201B4 (de) * 2009-10-29 2012-12-20 Siemens Aktiengesellschaft Authentifikation und Datenintegritätschutz eines Tokens
DE102010043102A1 (de) * 2010-10-29 2012-05-03 Siemens Aktiengesellschaft Verfahren zur manipulationsgesicherten Schlüsselverwaltung
US8935533B2 (en) * 2011-12-20 2015-01-13 Alcatel Lucent Method and apparatus for a scalable and secure transport protocol for sensor data collection
US9348049B2 (en) 2012-01-05 2016-05-24 Cgg Services Sa Simultaneous joint estimation of the P-P and P-S residual statics
JP2016513944A (ja) 2013-03-14 2016-05-16 フィデリス サイバーセキュリティー インコーポレイテッド ネットワーク通信分析のためにメタデータを抽出及び保持するシステム及び方法
US9374340B2 (en) 2014-04-21 2016-06-21 Cisco Technology, Inc. Nested independent virtual private networks with shared rekey and consistency services
CN104539573B (zh) * 2014-10-30 2018-07-27 北京科技大学 一种基于嵌入式系统的工业安全网关的通信方法及装置
US10362011B2 (en) * 2015-07-12 2019-07-23 Qualcomm Incorporated Network security architecture

Also Published As

Publication number Publication date
DE102017208735A1 (de) 2018-11-29
US11336657B2 (en) 2022-05-17
CN110679129A (zh) 2020-01-10
US20210218752A1 (en) 2021-07-15
WO2018215209A1 (fr) 2018-11-29
CN110679129B (zh) 2022-10-21

Similar Documents

Publication Publication Date Title
EP3501154B1 (fr) Établissement d'une communication sécurisée à l'intérieur d'un réseau de communication en temps réel
DE102014224694B4 (de) Netzwerkgerät und Netzwerksystem
EP2954498B1 (fr) Procédé et dispositif de raccordement d'un appareil de diagnostic à une unité de commande montée dans un véhicule à moteur
DE102015200279A1 (de) Einwegübertragungseinrichtung, Vorrichtung undVerfahren zum rückwirkungsfreien Erfassen von Daten
WO2019063256A1 (fr) Système, en particulier système d'authentification
DE102015220038A1 (de) Verfahren zur Erzeugung eines Geheimnisses oder Schlüssels in einem Netzwerk
EP3603012A1 (fr) Procédé et dispositif de protection d'une communication entre au moins un premier dispositif de communication et au moins un deuxième dispositif de communication, en particulier dans un réseau de communication d'une production et/ou automatisation industrielle
EP3759958A1 (fr) Procédés, appareils et produit-programme informatique pour surveiller une liaison chiffrée dans un réseau
EP2448182B1 (fr) Procédé de communication dans un système d'automatisation
WO2012139902A1 (fr) Procédé et dispositif de communication pour la protection cryptographique d'une communication de données d'un appareil de terrain
DE102017212474A1 (de) Verfahren und Kommunikationssystem zur Überprüfung von Verbindungsparametern einer kryptographisch geschützten Kommunikationsverbindung während des Verbindungsaufbaus
DE102012210327A1 (de) Verfahren zum Übertragen von Nachrichten in einem Kommunikationssystem, insbesondere eines Fahrzeugs
WO2013174578A1 (fr) Procédé et dispositif de génération de paquets de données redondants protégés par cryptographie
EP3556071B1 (fr) Procédé, dispositif et moyen de stockage lisible par ordinateur comprenant des instructions pour la signature de valeurs de mesure d'un capteur
DE102016208451A1 (de) Verfahren zur Erzeugung eines Geheimnisses oder eines Schlüssels in einem Netzwerk
EP2446599B1 (fr) Transmission securisee contre la manipulation de donnees entre des appareils d'automatisation
WO2014206451A1 (fr) Procédé et dispositif permettant la transmission sécurisée de données de signaux dans une installation
EP1496666A1 (fr) Système et appareil, dit tunnel-proxy, pour sécuriser l'accès à des données
EP4014424B1 (fr) Procédé de traitement de télégrammes dans un réseau d'automatisation, réseau d'automatisation, abonné maître et abonné esclave
WO2017148559A1 (fr) Procédé et module d'analyse pour vérifier des transmissions de données chiffrées
EP1496665B1 (fr) Procédé de configuration de sécurité dans un réseau d'automatisation
EP3713187A1 (fr) Procédé de transmission des paquets de données
EP4283925A1 (fr) Procédé de transmission sécurisée des données à temps critique dans un système de communication et système de communication
DE102020124909A1 (de) Verfahren zur Erlangung eines Notfall-Gerätezugriffs bei Feldgeräten
WO2021197822A1 (fr) Procédé pour traiter une anomalie de données, en particulier dans un véhicule automobile

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20191023

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

17Q First examination report despatched

Effective date: 20201120

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20230624