WO2022090816A1 - System and method of debugging a network device - Google Patents

System and method of debugging a network device

Info

Publication number
WO2022090816A1
Authority
WO
WIPO (PCT)
Prior art keywords
network device
network
troubleshooting
debugging
key
Prior art date
Application number
PCT/IB2021/056903
Other languages
French (fr)
Inventor
T T Mini
Original Assignee
Abb Schweiz Ag
Priority date
Filing date
Publication date
Application filed by Abb Schweiz Ag
Publication of WO2022090816A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/362 Software debugging
    • G06F11/3648 Software debugging using additional hardware
    • G06F11/3656 Software debugging using additional hardware using a specific debug interface
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/166 Implementing security features at a particular protocol layer at the transport layer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN

Definitions

  • the current invention relates in general to monitoring a communication network and more particularly to debugging a network device connected to the communication network.
  • an industrial automation system is configured to perform as a control system for an industrial plant.
  • the industrial automation system is used in the chemical industry, petrochemical industry, power generation industry, metallurgical industry, food and beverage industries, and the like.
  • the industrial automation system generally includes a plurality of field devices that measure various parameters in the industrial plant.
  • the field devices, in general, refer to all process-oriented devices which supply or process process-relevant information associated with the industrial control system.
  • the field devices include, for example, sensors, actuators, valves, valve positioners, switches, transmitters, and the like.
  • the field devices communicate with other field devices or a process control system via a bus system using a communication protocol.
  • the bus system may include a wired interface and/or a wireless interface.
  • the field devices communicate with the other field devices or a process control system which are the trusted communication partners or devices.
  • the field devices make use of a pre-master secret or private keys associated with a communication protocol for securely communicating via the bus system.
  • the messages between the field devices and the control system are encrypted and only the intended recipient of the message can decrypt and understand the message.
  • the device used for troubleshooting may not be a trusted communication partner of the field devices.
  • the pre-master secret or the private keys are not available with the device used for troubleshooting.
  • the existing solutions modify the existing communication protocol of the field device to use an insecure version of the communication protocol.
  • the insecure version of the protocol does not use the pre-master secret or private keys for encrypting the messages or the network traffic.
  • modifying the existing communication protocol of the field device requires modification of the communication protocol in all the communication partners or devices of the field device.
  • the present invention relates to a method for debugging a network device connected to a communication network using a troubleshooting device, wherein the network device communicates encrypted network traffic with one or more remote devices connected to the communication network based on a communication protocol, wherein authentication details associated with the one or more remote devices are included in a list of trusted devices stored in the network device, wherein the debugging of the network device comprises establishing a connection with the network device.
  • the method comprises activating a test mode in the network device that enables the network device to access, based on the communication protocol, one of a private key or a pre-master secret stored in a crypto-processor associated with the network device, wherein the network device securely establishes a debugging session with the troubleshooting device using one of the private key or the pre-master secret. Further, the method comprises capturing the encrypted network traffic associated with the network device during the debugging session. Finally, the method comprises analyzing the encrypted network traffic for debugging the network device.
  • the present invention discloses a system for debugging a network device connected to a communication network.
  • the network device communicates encrypted network traffic with one or more remote devices connected to the communication network based on a communication protocol.
  • authentication details associated with the one or more remote devices are included in a list of trusted devices stored in the network device.
  • the system comprises a network device configured to access, based on the communication protocol, one of a private key or a pre-master secret stored in a crypto-processor associated with the network device upon activating a test mode in the network device, wherein the network device securely establishes a debugging session with a troubleshooting device using one of the private key or the pre-master secret.
  • the system comprises the troubleshooting device configured to establish a connection with the network device.
  • upon establishing the connection with the network device, the troubleshooting device is configured to activate the test mode in the network device for establishing the debugging session. Further, the troubleshooting device is configured to capture the encrypted network traffic associated with the network device during the debugging session. Finally, the troubleshooting device is configured to analyze the encrypted network traffic for debugging the network device.
  • Figure 1 shows an exemplary environment for debugging a network device in an industrial plant, in accordance with an embodiment of the present disclosure.
  • Figure 2 shows an exemplary flow chart for debugging a network device in an industrial plant, in accordance with an embodiment of the present disclosure.
  • Figure 3A shows an exemplary list of trusted devices stored in a network device, in accordance with an embodiment of the present disclosure.
  • Figure 3B shows an exemplary establishment of a debugging session between a network device and a troubleshooting device using a private key, in accordance with an embodiment of the present disclosure.
  • Figure 3C shows an exemplary establishment of a debugging session between a network device and a troubleshooting device using a pre-master secret, in accordance with an embodiment of the present disclosure.
  • FIG. 1 shows an exemplary environment for debugging a network device (101) in an industrial plant.
  • the industrial plant may include the network device (101) connected to a communication network (104) via at least one of a wired interface and a wireless interface.
  • the network device (101) is a field device or a field instrument used in the industrial plant.
  • the field devices include sensors, actuators, transmitters, Field Communication Group Next Generation devices, Open Platform Communications Unified Architecture (OPC-UA) field devices, and the like.
  • the field devices may combine sensors, actuators, intelligent signal processing, and robust communications to capture and interpret data. Further, the data is communicated to a server or a control system.
  • the server or the control system and the other field devices in the industrial plant are denoted as one or more remote devices (102A, 102B, ..., 102N, collectively denoted as 102).
  • the network device (101) and the one or more remote devices (102) are interconnected via a communication network (104) using at least one of a wired interface and a wireless interface.
  • the communication network (104) may include, for example, a direct interconnection, enterprise network, a Peer to Peer (P2P) network, Local Area Network (LAN), Wide Area Network (WAN), wireless network (e.g., using Wireless Application Protocol (WAP)), the Internet, Wireless Fidelity (Wi-Fi), cellular network, and the like.
  • the network device (101) and the one or more remote devices (102) communicate with each other using a communication protocol such as a Transport Layer Security protocol, wherein the Transport Layer Security (TLS) protocol comprises one of TLS 1.2, TLS 1.2 with Diffie-Hellman, and TLS 1.3.
  • the communication protocol may include HyperText Transfer Protocol (HTTP), OPCUA model, PROFINET, HART IP, and the like.
  • the industrial plant is referred to as a system (100) herein.
  • the terms industrial plant and system (100) may be used interchangeably in the present disclosure.
  • the system (100) may include the network device (101), the one or more remote devices (102), and a troubleshooting device (103) connected via the communication network (104).
  • the system (100) may include a crypto-processor (105) associated with the network device (101) as shown in FIGURE 1.
  • the network device (101) stores a list of trusted devices or trusted communication partners from the one or more remote devices (102).
  • the network device (101) communicates with the trusted devices by encrypting the messages or the network traffic using one of a pre-master secret or a private key.
  • the network device (101) communicating with the trusted devices using the encrypted network traffic is denoted as the normal mode of operation of the network device (101).
  • the pre-master secret or the private key used for encrypting the messages or the network traffic is stored in the crypto-processor (105) associated with the network device (101).
  • the crypto-processor (105) includes Hardware Security Module (HSM), Trusted Platform Module (TPM), and the like.
  • the crypto-processor (105) may be present inside the network device (101).
  • the crypto-processor (105) may be present outside the network device (101) and communicably connected to the network device (101).
  • the pre-master secret or the private key cannot be exported or accessed from the crypto-processor (105) to the network device (101). Further, the pre-master secret or the private key cannot be shared with other devices.
  • the network device (101) is debugged for troubleshooting one or more problems in the network device (101) and the one or more remote devices (102). The troubleshooting of the one or more problems is performed by capturing the network traffic and analyzing the network traffic.
  • the one or more problems may be related to device configuration, network configuration, and the like.
  • the troubleshooting device (103) is used for debugging the network device (101).
  • the troubleshooting device (103) may be a part of the system (100) as shown in FIGURE 1.
  • the troubleshooting device (103) may be implemented outside the system (100).
  • the troubleshooting device (103) may be a standalone device as shown in FIGURE 1.
  • the troubleshooting device (103) may be implemented as hardware within the network device (101), one or more remote devices (102), and the like.
  • the troubleshooting device (103) may be implemented as a software application in at least one of the network device (101), one or more remote devices (102), and the like.
  • the troubleshooting device (103) establishes a connection with the network device (101) via the communication network (104).
  • the troubleshooting device (103) establishes the connection by sending a request for the connection to the network device (101) based on the communication protocol used between the troubleshooting device (103) and the network device (101).
  • the network device (101) verifies the authentication details associated with the troubleshooting device (103) by mapping with the list of trusted devices.
  • the authentication details may include a digital certificate associated with the troubleshooting device (103).
  • if the troubleshooting device (103) is present in the list of trusted devices and the authentication details are verified, then the troubleshooting device (103) is provided with one of a session key or a temporary key for establishing a debugging session and for capturing and analyzing the encrypted network traffic associated with the network device (101). The troubleshooting device decrypts the captured encrypted network traffic using the session key or the private key.
  • in response to the request for connection, if the troubleshooting device (103) is absent in the list of trusted devices, then the network device (101) requests user credentials for authenticating and authorizing a user associated with the troubleshooting device (103).
  • the user credentials may include identity data associated with the user associated with the troubleshooting device (103).
  • the user credentials may include at least one of a username, password, digital certificate, a secret key, and the like.
  • the network device (101) authenticates and authorizes the user based on the user credentials and establishes the connection with the troubleshooting device (103). In an embodiment, authenticating and authorizing the user is performed using any other authentication and authorization techniques known to a person skilled in the art.
  • the troubleshooting device (103) activates a test mode in the network device (101).
  • the test mode is activated by modifying a flag value associated with the network device (101).
  • the flag value may be stored in a storage medium (not shown in the figure) associated with the network device (101) and the flag value may be modified based on a command received from the troubleshooting device (103) after the connection establishment.
  • the test mode enables the network device (101) to access one of the private key or the pre-master secret stored in a crypto-processor (105) associated with the network device (101) based on the communication protocol, after the connection establishment.
  • the test mode enables the network device (101) to access the private key or the pre-master secret stored in the crypto-processor (105).
  • the network device (101) establishes a debugging session with the troubleshooting device (103).
  • the network device (101) generates the temporary key or the session key using the private key or the pre-master secret, respectively.
  • the network device (101) stores the temporary key or the session key in the storage medium associated with the network device (101).
  • the network device (101) securely establishes the debugging session with the troubleshooting device (103) using one of the temporary key or the session key.
  • TLS 1.2, TLS 1.2 with Diffie-Hellman, and TLS 1.3 communication protocols may be used to establish the debugging session between the troubleshooting device (103) and the network device (101) using one of the private key or the pre-master secret.
  • the troubleshooting device (103) captures the encrypted network traffic associated with the network device (101).
  • the person skilled in the art appreciates the use of one or more network analyzing tools such as Wireshark® for capturing the encrypted network traffic. Further, the encrypted network traffic is decrypted using the session key or the temporary key derived from the pre-master secret or the private key, respectively.
  • the troubleshooting device (103) analyses one or more data packets present in the captured encrypted network traffic for identifying network problems, resolving network connectivity issues, identifying performance problems associated with one or more applications in the network device (101), and modifying one or more configuration parameters associated with the network device (101).
  • the troubleshooting device (103) may include a central processing unit (“CPU” or “processor”) (103A).
  • the processor (103A) may include specialized processing units such as integrated system (bus) controllers, memory management control units, floating-point units, graphics processing units, digital signal processing units, and the like.
  • the processor (103A) may be disposed in communication with the network device (101) via I/O interface (103C).
  • the troubleshooting device (103) may include a memory (103B) communicatively coupled with the processor (103A).
  • the memory (103B) may store a collection of program or database components, including, without limitation, user interface, an operating system, web server, and the like.
  • the memory (103B) may store data including the communication protocol used to communicate with the network device (101), one or more network monitoring tools, encryption and decryption techniques, and the like.
  • the troubleshooting device (103) may be a laptop, a desktop computer, a remote server, a smartphone, and the like.
  • Figure 2 illustrates an exemplary flow chart for debugging a network device (101) connected to a communication network (104) using a troubleshooting device (103).
  • the troubleshooting device (103) establishes the connection with the network device (101).
  • the troubleshooting device (103) sends the request for the connection based on the communication protocol used between the troubleshooting device (103) and the network device (101).
  • the communication protocol is a Transport Layer Security protocol, wherein the Transport Layer Security (TLS) protocol comprises one of TLS 1.2, TLS 1.2 with Diffie-Hellman, and TLS 1.3.
  • the request for the connection may include a “client hello” message comprising information such as supported protocols, supported cipher-suites, a digital certificate associated with the troubleshooting device (103), a random value or random byte string, and the like.
  • the network device (101) verifies the authentication details associated with the troubleshooting device (103) by mapping with the list of trusted devices (301) as shown in FIGURE 3A.
  • the verification of the authentication details includes verification of the digital certificate associated with the troubleshooting device (103) and checking if the troubleshooting device (103) is present in the list of trusted devices (301). If the troubleshooting device (103) is present in the list of trusted devices (301), the network device (101) establishes the connection with the troubleshooting device (103) using one of the pre-master secret or the private key. Alternatively, if the troubleshooting device (103) is absent in the list of trusted devices, the network device (101) sends a response to the troubleshooting device (103) to provide the user credentials.
  • upon receiving the response to the request, the troubleshooting device (103) provides the user credentials to the network device (101) for authenticating and authorizing the user associated with the troubleshooting device (103).
  • the user credentials include identity data associated with the user, such as at least one of the username, the password, the secret key, a digital certificate, and the like.
  • the network device (101) authenticates and authorizes the user associated with the troubleshooting device (103) based on the user credentials.
  • the connection is established between the troubleshooting device (103) and the network device (101) after the authentication and authorization of the user.
  • the troubleshooting device (103) activates the test mode in the network device (101).
  • the test mode enables the network device (101) to access, based on the communication protocol, one of the private key or the pre-master secret stored in the crypto-processor (105) associated with the network device (101). Further, the network device (101) securely establishes a debugging session with the troubleshooting device (103) using one of the private key or the pre-master secret.
  • the troubleshooting device (103) activates the test mode in the network device (101) by modifying the flag value associated with the network device (101).
  • activating the test mode may be initiated based on the user input.
  • activating the test mode may be implemented as a default action in the troubleshooting device.
  • the person skilled in the art appreciates the implementation of the flag for activating the test mode based on the communication protocol used between the troubleshooting device (103) and the network device (101).
  • when the network device (101) is operating in the test mode, one of the private key or the pre-master secret stored in the crypto-processor (105) is accessible to the network device (101).
  • the network device (101) establishes the debugging session using one of the private key or the pre-master secret.
  • the modified flag value indicates to the one or more remote devices (102) to use the encrypted network traffic originating from the network device (101) for diagnosing one or more issues associated with at least one of the network device (101) and the one or more remote devices (102), since the network device (101) is operating in the test mode.
  • the one or more remote devices (102) will not perform any action, for example, monitoring and controlling, based on the encrypted network traffic received from the network device (101), when the network device (101) is operating in the test mode.
  • the test mode enables the network device (101) to access the private key or the pre-master secret stored in the crypto-processor (105). In the test mode, the network device (101) establishes a debugging session with the troubleshooting device (103).
  • the troubleshooting device (103) securely establishes the debugging session with the network device (101) based on the private key (302) after receiving securely, from the network device (101), the temporary key (303) generated using the private key (302) as shown in FIGURE 3B.
  • the network device (101) fetches the private key (302) from the crypto-processor (105) for generating the temporary key (303) based on the private key (302) using one or more cryptographic key generation techniques.
  • the person skilled in the art appreciates the use of one or more key generation and exchange techniques such as RSA, Diffie-Hellman, TLS-pre-shared key, and the like for securely sharing the temporary key (303) with the troubleshooting device (103).
  • when the communication protocol used for communication between the network device (101) and the troubleshooting device (103) is TLS 1.2, the private key (302) with RSA is used to share the temporary key (303) with the troubleshooting device (103).
  • the troubleshooting device (103) securely establishes the debugging session with the network device (101) based on the pre-master secret (304) after receiving securely, from the network device (101), the session key (305) generated using the pre-master secret (304) as shown in FIGURE 3C.
  • the network device (101) fetches the pre-master secret (304) from the crypto-processor (105) for generating the session key (305) based on the pre-master secret (304) using one or more cryptographic key generation techniques.
  • the person skilled in the art appreciates the use of one or more key generation and exchange techniques such as RSA, Diffie-Hellman, TLS-pre-shared key, and the like for securely sharing the session key (305) with the troubleshooting device (103).
  • the pre-master secret (304) with Diffie-Hellman is used to share the session key (305) with the troubleshooting device (103).
  • the debugging session is established between the network device (101) and the troubleshooting device (103).
  • the temporary key (303) or the session key (305) is stored in the storage medium associated with the network device (101).
  • the troubleshooting device (103) captures the encrypted network traffic associated with the network device (101) during the debugging session.
  • the troubleshooting device (103) captures the encrypted network traffic associated with the network device (101) using the one or more network analyzing tools such as Wireshark®.
  • the encrypted network traffic includes one or more data packets sent and/or received by the network device (101). Further, the encrypted network traffic is decrypted using one of the temporary key (303) or the session key (305) based on the cryptographic techniques.
  • the troubleshooting device (103) analyzes the encrypted network traffic for debugging the network device (101).
  • the troubleshooting device (103) analyzes the one or more data packets for identifying network problems, resolving network connectivity issues with one or more remote devices (102), identifying performance problems associated with one or more applications in the network device (101), modifying one or more configuration parameters associated with the network device (101), identifying and resolving network device (101) configuration problem and the like.
  • the troubleshooting device (103) sends an exit request to the network device (101) after the completion of the debugging session.
  • the network device (101) disables the test mode and operates in the normal mode upon receipt of the exit request.
  • the network device (101) disables the test mode automatically after completing a predefined time period in the test mode.
  • the predefined time period may be 15 minutes, 2 hours, 5 hours, 24 hours, and the like. In one embodiment, the predefined time period may be preconfigured.
  • the network device (101) is configured to delete one of a temporary key (303) or a session key (305) from the storage medium associated with the network device (101).
  • the method for debugging a network device (101) connected to a communication network (104) using a troubleshooting device (103) activates the test mode for troubleshooting the network device (101) by capturing and analyzing the encrypted network traffic.
  • the activation of the test mode is independent of a handshake technique used in the communication protocol.
  • the troubleshooting is performed in a secure way by establishing the debugging session.
  • the debugging may be performed securely from a remote location using one or more network analyzing tools.
  • the debugging enables troubleshooting the problems during the integration of a new field device (i.e. network device (101)) in the industrial plant.
  • the deletion of the temporary key (303) or the session key (305) after the debugging session and the generation of a new temporary key or a new session key makes the debugging session secure.
  • the authentication and authorization of the user associated with the troubleshooting device (103) prevents unauthorized access of the user and the unauthorized troubleshooting device (103) from connecting to the network device (101).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Signal Processing (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Quality & Reliability (AREA)
  • Software Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The present invention relates to a method for debugging a network device (101) connected to a communication network (104) using a troubleshooting device (103). The method includes establishing a connection with the network device (101). Further, activating a test mode in the network device (101) that enables the network device (101) to access, based on the communication protocol, one of a private key (302) or a pre-master secret (304) stored in a crypto-processor (105) associated with the network device (101). The network device (101) securely establishes a debugging session with the troubleshooting device (103) using one of the private key (302) or the pre-master secret (304). Furthermore, capturing the encrypted network traffic associated with the network device (101) during the debugging session. Finally, analyzing the encrypted network traffic for debugging the network device (101).

Description

“SYSTEM AND METHOD OF DEBUGGING A NETWORK DEVICE”
Technical Field
[0001] The current invention relates in general to monitoring a communication network and more particularly to debugging a network device connected to the communication network.
Background
[0002] Generally, an industrial automation system is configured to perform as a control system for an industrial plant. The industrial automation system is used in the chemical industry, petrochemical industry, power generation industry, metallurgical industry, food and beverage industries, and the like. The industrial automation system generally includes a plurality of field devices that measure various parameters in the industrial plant. The field devices, in general, refer to all devices which are process-oriented and which supply or process process-relevant information associated with the industrial control system. The field devices include, for example, sensors, actuators, valves, valve positioners, switches, transmitters, and the like. Further, the field devices communicate with other field devices or a process control system via a bus system using a communication protocol. The bus system may include a wired interface and/or a wireless interface.
[0003] The field devices communicate with the other field devices or a process control system which are the trusted communication partners or devices. The field devices make use of a pre-master secret or private keys associated with a communication protocol for securely communicating via the bus system. The messages between the field devices and the control system are encrypted, and only the intended recipient of a message can decrypt and understand it. Further, when troubleshooting of the field devices is to be performed, there is a need to capture the messages or the network traffic associated with the field devices for rectifying and maintaining the field devices. The device used for troubleshooting may not be a trusted communication partner of the field devices. The pre-master secret or the private keys are not available to the device used for troubleshooting. Therefore, there is a need for a mechanism to enable the device used for troubleshooting to establish a secure connection with the field device for capturing the messages or the network traffic.
[0004] The existing solutions modify the existing communication protocol of the field device to use an insecure version of the communication protocol. The insecure version of the protocol does not use the pre-master secret or private keys for encrypting the messages or the network traffic. Further, modifying the existing communication protocol of the field device requires modification of the communication protocol in all the communication partners or devices of the field device.
[0005] In view of the above, there is a need to address at least one of the abovementioned limitations and propose a method and system to overcome the abovementioned problems.
Summary of the Invention
[0006] In an embodiment, the present invention relates to a method for debugging a network device connected to a communication network using a troubleshooting device, wherein the network device communicates encrypted network traffic with one or more remote devices connected to the communication network based on a communication protocol, wherein authentication details associated with the one or more remote devices are included in a list of trusted devices stored in the network device, wherein the debugging of the network device comprises establishing a connection with the network device. Upon establishing the connection with the network device, the method comprises activating a test mode in the network device that enables the network device to access, based on the communication protocol, one of a private key or a pre-master secret stored in a crypto-processor associated with the network device, wherein the network device securely establishes a debugging session with the troubleshooting device using one of the private key or the pre-master secret. Further, the method comprises capturing the encrypted network traffic associated with the network device during the debugging session. Finally, the method comprises analyzing the encrypted network traffic for debugging the network device.
[0007] In an embodiment, the present invention discloses a system for debugging a network device connected to a communication network, wherein the network device communicates encrypted network traffic with one or more remote devices connected to the communication network based on a communication protocol, and wherein authentication details associated with the one or more remote devices are included in a list of trusted devices stored in the network device. The system comprises a network device configured to access, based on the communication protocol, one of a private key or a pre-master secret stored in a crypto-processor associated with the network device upon activating a test mode in the network device, wherein the network device securely establishes a debugging session with a troubleshooting device using one of the private key or the pre-master secret. Further, the system comprises the troubleshooting device configured to establish a connection with the network device. Upon establishing the connection with the network device, the troubleshooting device is configured to activate the test mode in the network device for establishing the debugging session. Further, the troubleshooting device is configured to capture the encrypted network traffic associated with the network device during the debugging session. Finally, the troubleshooting device is configured to analyze the encrypted network traffic for debugging the network device.
[0008] Systems of varying scope are described herein. In addition to the aspects and advantages described in this summary, further aspects and advantages will become apparent by reference to the drawings and with reference to the detailed description that follows.
Brief Description of the Drawings
[0009] The subject matter of the invention will be explained in more detail in the following text with reference to preferred exemplary embodiments which are illustrated in the drawings, in which:
[0010] Figure 1 shows an exemplary environment for debugging a network device in an industrial plant, in accordance with an embodiment of the present disclosure;
[0011] Figure 2 shows an exemplary flow chart for debugging a network device in an industrial plant, in accordance with an embodiment of the present disclosure;
[0012] Figure 3A shows an exemplary list of trusted devices stored in a network device, in accordance with an embodiment of the present disclosure;
[0013] Figure 3B shows an exemplary establishment of a debugging session between a network device and a troubleshooting device using a private key, in accordance with an embodiment of the present disclosure; and
[0014] Figure 3C shows an exemplary establishment of a debugging session between a network device and a troubleshooting device using a pre-master secret, in accordance with an embodiment of the present disclosure.
Detailed Description:
[0015] The present invention discloses a system and method for debugging a network device.
[0016] Figure 1 shows an exemplary environment for debugging a network device (101) in an industrial plant. The industrial plant may include the network device (101) connected to a communication network (104) via at least one of a wired interface and a wireless interface. The network device (101) is a field device or a field instrument used in the industrial plant. The field devices include sensors, actuators, transmitters, Field Communication Group Next Generation devices, Open Platform Communications Unified Architecture (OPC-UA) field devices, and the like. In an embodiment, the field devices may combine sensors, actuators, intelligent signal processing, and robust communications to capture and interpret data. Further, the data is communicated to a server or a control system. The server or the control system and the other field devices in the industrial plant are denoted as one or more remote devices (102A, 102B, ..., 102N, collectively denoted as 102). The network device (101) and the one or more remote devices (102) are interconnected via a communication network (104) using at least one of a wired interface and a wireless interface. The communication network (104) may include, for example, a direct interconnection, enterprise network, a Peer to Peer (P2P) network, Local Area Network (LAN), Wide Area Network (WAN), wireless network (e.g., using Wireless Application Protocol (WAP)), the Internet, Wireless Fidelity (Wi-Fi), cellular network, and the like. Further, the network device (101) and the one or more remote devices (102) communicate with each other using a communication protocol such as a Transport Layer Security protocol, wherein the Transport Layer Security (TLS) protocol comprises one of TLS 1.2, TLS 1.2 with Diffie-Hellman and TLS 1.3. Further, the communication protocol may include HyperText Transfer Protocol (HTTP), OPC-UA model, PROFINET, HART IP, and the like. The industrial plant is referred to as a system (100) herein. The term industrial plant and the term system (100) may be used interchangeably in the present disclosure. In one embodiment, the system (100) may include the network device (101), the one or more remote devices (102), and a troubleshooting device (103) connected via the communication network (104). Further, the system (100) may include a crypto-processor (105) associated with the network device (101) as shown in FIGURE 1.
[0017] In an embodiment, the network device (101) stores a list of trusted devices or trusted communication partners from the one or more remote devices (102). The network device (101) communicates with the trusted devices by encrypting the messages or the network traffic using one of a pre-master secret or a private key. The network device (101) communicating with the trusted devices using the encrypted network traffic is denoted as the normal mode of operation of the network device (101). Further, the pre-master secret or the private key used for encrypting the messages or the network traffic is stored in the crypto-processor (105) associated with the network device (101). For example, the crypto-processor (105) includes Hardware Security Module (HSM), Trusted Platform Module (TPM), and the like. In an embodiment, the crypto-processor (105) may be present inside the network device (101). In another embodiment, the crypto-processor (105) may be present outside the network device (101) and communicably connected to the network device (101). In the normal mode of operation, the pre-master secret or the private key cannot be exported or accessed from the crypto-processor (105) to the network device (101). Further, the pre-master secret or the private key cannot be shared with other devices. Furthermore, during the maintenance of the field devices in the industrial plant it is necessary to debug the network device (101) for troubleshooting one or more problems in the network device (101) and the one or more remote devices (102). The troubleshooting of the one or more problems is performed by capturing the network traffic and analyzing the network traffic. The one or more problems may be related to device configuration, network configuration, and the like.
[0018] In an embodiment, the troubleshooting device (103) is used for debugging the network device (101). In a first embodiment, the troubleshooting device (103) may be a part of the system (100) as shown in FIGURE 1. In a second embodiment, the troubleshooting device (103) may be implemented outside the system (100). In one embodiment, the troubleshooting device (103) may be a standalone device as shown in FIGURE 1. In another embodiment, the troubleshooting device (103) may be implemented as hardware within the network device (101), one or more remote devices (102), and the like. In yet another embodiment, the troubleshooting device (103) may be implemented as a software application in at least one of the network device (101), one or more remote devices (102), and the like. The troubleshooting device (103) establishes a connection with the network device (101) via the communication network (104). The troubleshooting device (103) establishes the connection by sending a request for the connection to the network device (101) based on the communication protocol used between the troubleshooting device (103) and the network device (101). The network device (101) verifies the authentication details associated with the troubleshooting device (103) by mapping with the list of trusted devices. The authentication details may include a digital certificate associated with the troubleshooting device (103). If the troubleshooting device (103) is present in a list of trusted devices and the authentication details are verified, then the troubleshooting device (103) is provided with one of a session key or a temporary key for establishing a debugging session, capturing, and analyzing the encrypted network traffic associated with the network device (101). The troubleshooting device decrypts the captured encrypted network traffic using the session key or the private key.
[0019] In an embodiment, in response to the request for connection, if the troubleshooting device (103) is absent in the list of trusted devices, then the network device (101) requests user credentials for authenticating and authorizing a user associated with the troubleshooting device (103). The user credentials may include identity data associated with the user associated with the troubleshooting device (103). For example, the user credentials may include at least one of a username, password, digital certificate, a secret key, and the like. Further, the network device (101) authenticates and authorizes the user based on the user credentials and establishing the connection with the troubleshooting device (103). In an embodiment, authenticating and authorizing the user is performed using any other authentication and authorization techniques known to a person skilled in the art.
[0020] In an embodiment, after the connection establishment, the troubleshooting device (103) activates a test mode in the network device (101). The test mode is activated by modifying a flag value associated with the network device (101). In one embodiment, the flag value may be stored in a storage medium (not shown in the figure) associated with the network device (101) and the flag value may be modified based on a command received from the troubleshooting device (103) after the connection establishment. The test mode enables the network device (101) to access one of the private key or the pre-master secret stored in a crypto-processor (105) associated with the network device (101) based on the communication protocol, after the connection establishment. The test mode enables the network device (101) to access the private key or the pre-master secret stored in the crypto-processor (105). In the test mode, the network device (101) establishes a debugging session with the troubleshooting device (103). The network device (101) generates the temporary key or the session key using the private key or the pre-master secret, respectively. Further, the network device (101) stores the temporary key or the session key in the storage medium associated with the network device (101). The network device (101) securely establishes the debugging session with the troubleshooting device (103) using one of the temporary key or the session key. The person skilled in the art appreciates the use of TLS 1.2, TLS 1.2 with Diffie-Hellman, and TLS 1.3 communication protocols to establish the debugging session between the troubleshooting device (103) and the network device (101) using one of the private key or the pre-master secret.
[0021] In an embodiment, during the debugging session, the troubleshooting device (103) captures the encrypted network traffic associated with the network device (101). The person skilled in the art appreciates the use of one or more network analyzing tools such as Wireshark® for capturing the encrypted network traffic. Further, the encrypted network traffic is decrypted using the session key or the temporary key derived from the pre-master secret or the private key, respectively. The troubleshooting device (103) analyzes one or more data packets present in the captured encrypted network traffic for identifying network problems, resolving network connectivity issues, identifying performance problems associated with one or more applications in the network device (101), and modifying one or more configuration parameters associated with the network device (101).
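To make the key derivation of [0020] and the decryption step of [0021] concrete, the following is an added Python example; it is not code from the patent and does not describe any ABB product. It assumes TLS 1.2 with the SHA-256 PRF of RFC 5246, and it takes the "session key" that the network device (101) hands to the troubleshooting device (103) to be the per-session TLS master secret, because that is the value Wireshark accepts in its key log. The function names, the pre-master secret and the hello randoms are constructed for the example.

```python
import hashlib
import hmac
import os


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    # P_SHA256 from RFC 5246, section 5: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    # output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    # PRF(secret, label, seed) = P_SHA256(secret, label + seed)
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # RFC 5246, section 8.1: the 48-byte master secret is bound to both hello randoms, so the
    # value disclosed for one session is useless for any other session of the same device.
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("TLS hello randoms are 32 bytes")
    return tls12_prf(pre_master_secret, b"master secret", client_random + server_random, 48)


def keylog_line(client_random: bytes, master: bytes) -> str:
    # NSS Key Log Format, the file Wireshark reads via its TLS preference
    # "(Pre)-Master-Secret log filename": one line per session, keyed by the client random.
    return f"CLIENT_RANDOM {client_random.hex()} {master.hex()}"


def build_keylog(pre_master_secret: bytes, sessions: list) -> str:
    # What the network device (101) exports to the troubleshooting device (103) during the
    # debugging session (assumption of this example): per-session master secrets only,
    # never the pre-master secret that stays in the crypto-processor (105).
    return "\n".join(keylog_line(cr, master_secret(pre_master_secret, cr, sr))
                     for cr, sr in sessions)


def demo() -> str:
    pms = os.urandom(48)                                              # constructed pre-master secret
    sessions = [(os.urandom(32), os.urandom(32)) for _ in range(2)]  # constructed hello randoms
    return build_keylog(pms, sessions)
```

The property worth checking in a review is the one the derivation gives for free: each exported line decrypts exactly one handshake's traffic, because the master secret depends on that handshake's client and server randoms, and nothing in the file lets the troubleshooting device recover the pre-master secret.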
[0022] In an embodiment, the troubleshooting device (103) may include a central processing unit (“CPU” or “processor”) (103A). The processor (103A) may include specialized processing units such as integrated system (bus) controllers, memory management control units, floating-point units, graphics processing units, digital signal processing units, and the like. The processor (103A) may be disposed in communication with the network device (101) via an I/O interface (103C). Further, the troubleshooting device (103) may include a memory (103B) communicatively coupled with the processor (103A). The memory (103B) may store a collection of program or database components, including, without limitation, a user interface, an operating system, a web server, and the like. Further, the memory (103B) may store data including the communication protocol used to communicate with the network device (101), one or more network monitoring tools, encryption and decryption techniques, and the like. In an embodiment, the troubleshooting device (103) may be a laptop, a desktop computer, a remote server, a smartphone, and the like.
[0023] Figure 2 illustrates an exemplary flow chart for debugging a network device (101) connected to a communication network (104) using a troubleshooting device (103).
[0024] At the step 201, the troubleshooting device (103) establishes the connection with the network device (101).
[0025] In an embodiment, for establishing the connection with the network device (101), the troubleshooting device (103) sends the request for the connection based on the communication protocol used between the troubleshooting device (103) and the network device (101). The communication protocol is a Transport Layer security protocol, wherein the Transport Layer Security (TLS) protocol comprises one of a TLS 1.2, TLS 1.2 with Diffie-Hellman, and TLS 1.3. For example, in TLS 1.2, the request for the connection may include a “client hello” message comprising information such as supported protocols, supported cipher-suites, a digital certificate associated with the troubleshooting device (103), a random value or random byte string, and the like.
[0026] In an embodiment, the network device (101) verifies the authentication details associated with the troubleshooting device (103) by mapping with the list of trusted devices (301) as shown in FIGURE 3A. The verification of the authentication details includes verification of the digital certificate associated with the troubleshooting device (103) and checking if the troubleshooting device (103) is present in the list of trusted devices (301). If the troubleshooting device (103) is present in the list of trusted devices (301), the network device (101) establishes the connection with the troubleshooting device (103) using one of the pre-master secret or the private key. Alternatively, if the troubleshooting device (103) is absent from the list of trusted devices (301), the network device (101) sends a response to the troubleshooting device (103) to provide the user credentials.
[0027] Upon receiving the response to the request, the troubleshooting device (103) provides the user credentials to the network device (101) for authenticating and authorizing the user associated with the troubleshooting device (103). The user credentials include at least one of an identity data associated with the user such as the username, the password, the secret key, a digital certificate, and the like. The network device (101) authenticates and authorizes the user associated with the troubleshooting device (103) based on the user credentials. The connection is established between the troubleshooting device (103) and the network device (101) after the authentication and authorization of the user.
[0028] At the step 202, after the connection establishment, the troubleshooting device (103) activates the test mode in the network device (101). The test mode enables the network device (101) to access, based on the communication protocol, one of the private key or the pre-master secret stored in the crypto-processor (105) associated with the network device (101). Further, the network device (101) securely establishes a debugging session with the troubleshooting device (103) using one of the private key or the pre-master secret.
[0029] In an embodiment, the troubleshooting device (103) activates the test mode in the network device (101) by modifying the flag value associated with the network device (101). In one embodiment, activating the test mode may be initiated based on the user input. In another embodiment, activating the test mode may be implemented as a default action in the troubleshooting device (103). The person skilled in the art appreciates the implementation of the flag for activating the test mode based on the communication protocol used between the troubleshooting device (103) and the network device (101). When the network device (101) is operating in the test mode, one of the private key or the pre-master secret stored in the crypto-processor (105) is accessible to the network device (101). Further, the network device (101) establishes the debugging session using one of the private key or the pre-master secret. In an embodiment, the modified flag value indicates to the one or more remote devices (102) that the encrypted network traffic originating from the network device (101) is to be used for diagnosing one or more issues associated with at least one of the network device (101) and the one or more remote devices (102), since the network device (101) is operating in the test mode. The one or more remote devices (102) will not perform any action, for example, monitoring and controlling, based on the encrypted network traffic received from the network device (101), when the network device (101) is operating in the test mode. The test mode enables the network device (101) to access the private key or the pre-master secret stored in the crypto-processor (105). In the test mode, the network device (101) establishes a debugging session with the troubleshooting device (103).
[0030] In an embodiment, the troubleshooting device (103) securely establishes the debugging session with the network device (101) based on the private key (302) after receiving securely, from the network device (101), the temporary key (303) generated using the private key (302) as shown in FIGURE 3B. The network device (101) fetches the private key (302) from the crypto-processor (105) for generating the temporary key (303) based on the private key (302) using one or more cryptographic key generation techniques. The person skilled in the art appreciates the use of one or more key generation and exchange techniques such as RSA, Diffie-Hellman, TLS-pre-shared key, and the like for securely sharing the temporary key (303) with the troubleshooting device (103). For example, when the communication protocol used for communication between the network device (101) and the troubleshooting device (103) is TLS 1.2, the private key (302) with RSA is used to share the temporary key (303) with the troubleshooting device (103).
[0031] In another embodiment, the troubleshooting device (103) securely establishes the debugging session with the network device (101) based on the pre-master secret (304) after receiving securely, from the network device (101), the session key (305) generated using the pre-master secret (304) as shown in FIGURE 3C. The network device (101) fetches the pre-master secret (304) from the crypto-processor (105) for generating the session key (305) based on the pre-master secret (304) using one or more cryptographic key generation techniques. The person skilled in the art appreciates the use of one or more key generation and exchange techniques such as RSA, Diffie-Hellman, TLS pre-shared key, and the like for securely sharing the session key (305) with the troubleshooting device (103). For example, when the communication protocol used for communication between the network device (101) and the troubleshooting device (103) is TLS 1.3, the pre-master secret (304) with Diffie-Hellman is used to share the session key (305) with the troubleshooting device (103).
[0032] In an embodiment, after providing one of the temporary key (303) or the session key (305) to the troubleshooting device (103), the debugging session is established between the network device (101) and the troubleshooting device (103). The temporary key (303) or the session key (305) is stored in the storage medium associated with the network device (101).
[0033] At the step 203, the troubleshooting device (103) captures the encrypted network traffic associated with the network device (101) during the debugging session.
[0034] In an embodiment, the troubleshooting device (103) captures the encrypted network traffic associated with the network device (101) using the one or more network analyzing tools such as Wireshark®. The encrypted network traffic includes one or more data packets sent and/or received by the network device (101). Further, the encrypted network traffic is decrypted using one of the temporary key (303) or the session key (305) based on the cryptographic techniques.
[0035] At the step 204, the troubleshooting device (103) analyzes the encrypted network traffic for debugging the network device (101).
[0036] In an embodiment, the troubleshooting device (103) analyzes the one or more data packets for identifying network problems, resolving network connectivity issues with one or more remote devices (102), identifying performance problems associated with one or more applications in the network device (101), modifying one or more configuration parameters associated with the network device (101), identifying and resolving network device (101) configuration problems, and the like.
[0037] In an embodiment, the troubleshooting device (103) sends an exit request to the network device (101) after the completion of the debugging session. The network device (101) disables the test mode and operates in the normal mode upon receipt of the exit request.
[0038] In another embodiment, the network device (101) disables the test mode automatically after completing a predefined time period in the test mode. The predefined time period may be 15 minutes, 2 hours, 5 hours, 24 hours, and the like. In one embodiment, the predefined time period may be preconfigured.
[0039] In an embodiment, after disabling the test mode, the network device (101) is configured to delete one of a temporary key (303) or a session key (305) from the storage medium associated with the network device (101).
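The steps 201 to 204 and the exit handling of [0037] to [0039] together form one procedure; the following is an added Python model of it, written for this page and not taken from the patent or from any ABB product. It assumes a crypto-processor that only ever returns keys derived from its stored secret, an HMAC-based derivation with a fresh nonce per debugging session, and a constructed keystream cipher standing in for TLS record protection; the device names, certificate fingerprint, user credentials and process data are likewise constructed. The one modelling choice beyond the text is that, in test mode, the device protects its outgoing records with the temporary key it shared, which is what lets the troubleshooting device read them.

```python
import hashlib
import hmac
import os


class CryptoProcessor:
    # Stand-in for the crypto-processor (105): the stored secret (private key or pre-master
    # secret) never leaves this object; callers only ever get derived keys.
    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def derive(self, label: bytes, nonce: bytes) -> bytes:
        # A fresh nonce gives a fresh temporary key, so a key handed to one debugging
        # session reveals nothing about the next one or about the secret itself.
        return hmac.new(self._secret, label + nonce, hashlib.sha256).digest()


def toy_record_cipher(key: bytes, seq: int, data: bytes) -> bytes:
    # Constructed stand-in for TLS record protection (HMAC-SHA256 keystream XOR), so that
    # captured records are unreadable without the key. XOR means encrypt == decrypt.
    stream = b"".join(
        hmac.new(key, seq.to_bytes(8, "big") + i.to_bytes(8, "big"), hashlib.sha256).digest()
        for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


class NetworkDevice:
    TEST_MODE_TTL = 15 * 60  # seconds; 15 minutes is one of the periods named in [0038]

    def __init__(self, cp: CryptoProcessor, trusted: dict, users: dict) -> None:
        self.cp = cp
        self.trusted = trusted     # list of trusted devices (301): name -> certificate fingerprint
        self.users = users         # credentials accepted from a troubleshooting device not in (301)
        self.test_mode = False     # the flag value of [0020]
        self.test_mode_until = 0.0
        self.temporary_key = None  # held in storage only while the debugging session lives
        self.records = []          # traffic as seen on the wire: (sequence number, ciphertext)

    def connect(self, name: str, fingerprint: str, user: str = None, password: str = None) -> bool:
        # Step 201: the trusted list first, then user credentials; anything else is refused.
        if hmac.compare_digest(self.trusted.get(name, ""), fingerprint):
            return True
        expected = self.users.get(user) if user else None
        return expected is not None and password is not None and hmac.compare_digest(expected, password)

    def activate_test_mode(self, now: float) -> None:
        # Step 202: set the flag; from now on the device may ask for a derived key.
        self.test_mode = True
        self.test_mode_until = now + self.TEST_MODE_TTL

    def open_debug_session(self, now: float):
        # Returns the temporary key for the troubleshooting device (103), or None in normal mode.
        self._expire(now)
        if not self.test_mode:
            return None
        self.temporary_key = self.cp.derive(b"debug-session", os.urandom(16))
        return self.temporary_key

    def send(self, seq: int, payload: bytes, now: float) -> None:
        # Test-mode records use the temporary key; normal-mode records use a key (103) never sees.
        self._expire(now)
        key = self.temporary_key if self.test_mode else self.cp.derive(b"normal-mode", b"")
        self.records.append((seq, toy_record_cipher(key, seq, payload)))

    def exit_request(self) -> None:
        # [0037] and [0039]: back to normal mode, temporary key deleted from storage.
        self.test_mode = False
        self.temporary_key = None

    def _expire(self, now: float) -> None:
        # [0038]: test mode also ends by itself once the predefined period has elapsed.
        if self.test_mode and now >= self.test_mode_until:
            self.exit_request()


def troubleshooting_decrypt(temporary_key: bytes, records: list) -> list:
    # Steps 203 and 204: decrypt the captured records with the key received at session start.
    return [toy_record_cipher(temporary_key, seq, ct) for seq, ct in records]


def run_demo() -> dict:
    cp = CryptoProcessor(os.urandom(32))                        # constructed device secret
    dev = NetworkDevice(cp, trusted={"remote-102A": "ab12"},    # constructed fingerprint
                        users={"maintainer": "correct horse"})  # constructed credentials
    out = {"untrusted_refused": not dev.connect("laptop-103", "zz99"),
           "user_accepted": dev.connect("laptop-103", "zz99", "maintainer", "correct horse"),
           "normal_mode_blocked": dev.open_debug_session(now=0.0) is None}
    dev.activate_test_mode(now=0.0)
    key1 = dev.open_debug_session(now=1.0)
    dev.send(1, b"PV=42.0 SP=40.0", now=2.0)                     # constructed process data
    out["decrypted"] = troubleshooting_decrypt(key1, dev.records)
    dev.exit_request()
    out["key_deleted_on_exit"] = dev.temporary_key is None and not dev.test_mode
    dev.activate_test_mode(now=10.0)
    key2 = dev.open_debug_session(now=11.0)
    out["fresh_key_per_session"] = key1 != key2
    dev.send(2, b"PV=43.5", now=10.0 + NetworkDevice.TEST_MODE_TTL)  # sent after the period elapsed
    out["expired_session_closed"] = (not dev.test_mode and
                                     troubleshooting_decrypt(key2, dev.records[1:]) != [b"PV=43.5"])
    return out
```

Running `run_demo()` walks the whole procedure once: an unknown troubleshooting device is refused until a user authenticates, the derived key is unobtainable in normal mode, the captured record decrypts with the temporary key, the exit request deletes that key, the next session gets a different key, and a record sent after the predefined period has elapsed is no longer readable with the old key because the device has already returned to normal mode.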
[0040] The method for debugging a network device (101) connected to a communication network (104) using a troubleshooting device (103) activates the test mode for troubleshooting the network device (101) by capturing and analyzing the encrypted network traffic. The activation of the test mode is independent of a handshake technique used in the communication protocol. The troubleshooting is performed in a secure way by establishing the debugging session. The debugging may be performed securely from a remote location using one or more network analyzing tools. The debugging enables troubleshooting the problems during the integration of a new field device (i.e. network device (101)) in the industrial plant. The deletion of the temporary key (303) or the session key (305) after the debugging session and the generation of a new temporary key or a new session key make the debugging session secure. The authentication and authorization of the user associated with the troubleshooting device (103) prevent an unauthorized user and an unauthorized troubleshooting device (103) from connecting to the network device (101).
[0041] This written description uses examples to describe the subject matter herein, including the best mode, and also to enable any person skilled in the art to make and use the subject matter. The patentable scope of the subject matter is defined by the claims, and may include other examples that occur to those skilled in the art. Such other examples are intended to be within the scope of the claims if they have structural elements that do not differ from the literal language of the claims, or if they include equivalent structural elements with insubstantial differences from the literal language of the claims.
Referral Numerals:
100 - System
101 - Network device;
102 - One or more remote devices;
103 - Troubleshooting device;
103A - Processor;
103B - Memory;
103C - I/O Interface;
104 - Communication Network;
105 - Crypto-processor;
301 - List of trusted devices;
302 - Private key;
303 - Temporary key;
304 - Pre-master secret; and
305 - Session Key.

Claims

Claims:
1. A method for debugging a network device (101) connected to a communication network (104) using a troubleshooting device (103), wherein the network device (101) communicates encrypted network traffic with one or more remote devices (102) connected to the communication network (104) based on a communication protocol, wherein authentication details associated with the one or more remote devices (102) are included in a list of trusted devices (301) stored in the network device (101), wherein the debugging of the network device (101) comprises: establishing, by the troubleshooting device (103), a connection with the network device (101); upon establishing the connection with the network device (101), activating, by the troubleshooting device (103), a test mode in the network device (101) that enables the network device (101) to access, based on the communication protocol, one of a private key (302) or a pre-master secret (304) stored in a crypto-processor (105) associated with the network device (101), wherein the network device (101) securely establishes a debugging session with the troubleshooting device (103) using one of the private key (302) or the pre-master secret (304); capturing, by the troubleshooting device (103), the encrypted network traffic associated with the network device (101) during the debugging session; and analyzing, by the troubleshooting device (103), the encrypted network traffic for debugging the network device (101).
2. The method as claimed in claim 1, wherein establishing the connection with the network device (101) comprises: sending a request for the connection based on the communication protocol used between the troubleshooting device (103) and the network device (101), wherein the network device (101) verifies the authentication details associated with the troubleshooting device (103) by mapping with the list of trusted devices (301); and upon receiving a response to the request, providing user credentials to the network device (101) for authenticating and authorizing a user associated with the troubleshooting device (103).
3. The method as claimed in claim 1, wherein the communication protocol is a Transport Layer Security protocol, wherein the Transport Layer Security (TLS) protocol comprises one of TLS 1.2, TLS 1.2 with Diffie-Hellman and TLS 1.3.
4. The method as claimed in claim 1, wherein activating the test mode in the network device (101) comprises: modifying a flag value associated with the network device (101), wherein the modified flag value indicates the one or more remote devices (102) to use the encrypted network traffic originating from the network device (101) for diagnosing one or more issues associated with at least one of the network device (101) and the one or more remote devices (102).
5. The method as claimed in claim 1, wherein securely establishing the debugging session with the troubleshooting device (103) using the private key (302) comprises: receiving securely, by the troubleshooting device (103), a temporary key (303) from the network device (101), wherein the network device (101) fetches the private key (302) from the crypto-processor (105) for generating the temporary key (303) based on the private key (302) using one or more cryptographic key generation techniques.
6. The method as claimed in claim 1, wherein securely establishing the debugging session with the troubleshooting device (103) using the pre-master secret (304) comprises: receiving securely, by the troubleshooting device (103), a session key (305) from the network device (101), wherein the network device (101) fetches the pre-master secret (304) from the crypto-processor (105) for generating the session key (305) based on the pre-master secret (304) using one or more cryptographic key generation techniques.
7. The method as claimed in claim 1, wherein debugging the network device (101) comprises: capturing one or more data packets associated with the network device (101) using a network analyzing tool; and analyzing the one or more data packets for identifying network problems, resolving network connectivity issues, identifying performance problems associated with one or more applications in the network device (101), modifying one or more configuration parameters associated with the network device (101).
8. The method as claimed in claim 1, further comprises disabling, by the troubleshooting device (103), the test mode in the network device (101) after at least one of: sending an exit request to the network device (101); or completing a predefined time period in the test mode; wherein the network device (101) is configured to delete, upon disabling the test mode, one of a temporary key (303) or a session key (305) from a storage medium associated with the network device (101).
9. A system (100) for debugging a network device (101) connected to a communication network (104), wherein the network device (101) communicates encrypted network traffic with one or more remote devices (102) connected to the communication network (104) based on a communication protocol, wherein authentication details associated with the one or more remote devices (102) are included in a list of trusted devices (301) stored in the network device (101), wherein the system (100) comprises: a network device (101) configured to: access, based on the communication protocol, one of a private key (302) or a pre-master secret (304) stored in a crypto-processor (105) associated with the network device (101) upon activating a test mode in the network device (101), wherein the network device (101) securely establishes a debugging session with a troubleshooting device (103) using one of the private key (302) or the pre-master secret (304); and the troubleshooting device (103) configured to: establish a connection with the network device (101); upon establishing the connection with the network device (101), activate the test mode in the network device (101) for establishing the debugging session; capture the encrypted network traffic associated with the network device (101) during the debugging session; and analyze the encrypted network traffic for debugging the network device (101).
10. The system (100) as claimed in claim 9, wherein the troubleshooting device (103) is configured to establish the connection with the network device (101) comprises: sending a request for the connection based on the communication protocol used between the troubleshooting device (103) and the network device (101), wherein the communication protocol is a Transport Layer Security protocol, wherein the network device (101) verifies the authentication details associated with the troubleshooting device (103) by mapping with the list of trusted devices (301); and upon receiving a response to the request, providing user credentials to the network device (101) for authenticating and authorizing a user associated with the troubleshooting device (103).
11. The system (100) as claimed in claim 9, wherein the troubleshooting device (103) is configured to activate the test mode in the network device (101) comprises: modifying a flag value associated with the network device (101), wherein the modified flag value indicates the one or more remote devices (102) to use the encrypted network traffic originating from the network device (101) for diagnosing one or more issues associated with at least one of the network device (101) and the one or more remote devices (102).
12. The system (100) as claimed in claim 9, wherein the troubleshooting device (103) is configured to securely establish the debugging session with the network device (101) using the private key (302) comprises: receiving securely from the network device (101) a temporary key (303), wherein the network device (101) fetches the private key (302) from the crypto-processor (105) for generating the temporary key (303) based on the private key (302) using one or more cryptographic key generation techniques.
13. The system (100) as claimed in claim 9, wherein the troubleshooting device (103) is configured to securely establish the debugging session with the troubleshooting device (103) using the pre-master secret (304) comprises: receiving securely from the network device (101) a session key (305), wherein the network device (101) fetches the pre-master secret (304) from the crypto-processor (105) for generating the session key (305) based on the pre-master secret (304) using one or more cryptographic key generation techniques.
14. The system (100) as claimed in claim 9, wherein the troubleshooting device (103) is configured to debug the network device (101) comprises: capturing one or more data packets associated with the network device (101) using a network analyzer tool; and analyzing the one or more data packets for identifying network problems, resolving network connectivity issues, identifying performance problems associated with one or more applications in the network device (101), modifying one or more configuration parameters associated with the network device (101).
15. The system (100) as claimed in claim 9, wherein the troubleshooting device (103) is configured to disable the test mode in the network device (101) after at least one of: send an exit request to the network device (101); or completion of a predefined time period in the test mode; wherein the network device (101) is configured to delete, upon disabling the test mode, one of a temporary key (303) or a session key (305) from a storage medium associated with the network device (101).
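As an added example (not part of the patent or of ABB's implementation), the key derivation and time-boxed test mode of claims 3, 6, 7 and 8 modelled in Python: the TLS 1.2 PRF from RFC 5246 derives the master secret from a pre-master secret, and the result is exported in the NSS key-log line format that a network analyzer such as Wireshark loads, but only while the debugging session is active; on exit or expiry the derived secret is deleted. The class and function names, the lifetime parameter and the injectable clock are assumptions made for illustration.

```python
import hashlib
import hmac
import time


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246, section 5) using P_SHA256 over label + seed."""
    seed = label + seed
    a, out = seed, b""                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def derive_master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret from the pre-master secret; TLS session keys are expanded from it."""
    return tls12_prf(pre_master, b"master secret", client_random + server_random, 48)


class DebugSession:
    """Hypothetical time-boxed test mode: the derived secret can be exported only while the
    session is active and is deleted on an explicit exit or once the lifetime elapses."""

    def __init__(self, pre_master: bytes, client_random: bytes, server_random: bytes,
                 lifetime_s: float, clock=time.monotonic):
        self._clock = clock
        self._expires_at = clock() + lifetime_s
        self._client_random = client_random
        # Only the derived secret is held here; the pre-master secret stays with its owner.
        self._master = derive_master_secret(pre_master, client_random, server_random)

    def active(self) -> bool:
        if self._master is not None and self._clock() >= self._expires_at:
            self.close()                    # expiry deletes the key, like an explicit exit
        return self._master is not None

    def keylog_line(self) -> str:
        """NSS key-log line (CLIENT_RANDOM <hex> <hex>) that a network analyzer can load."""
        if not self.active():
            raise PermissionError("test mode is not active; no key material available")
        return f"CLIENT_RANDOM {self._client_random.hex()} {self._master.hex()}"

    def close(self) -> None:
        self._master = None
```

Calling `keylog_line()` on an open session yields one line for the analyzer's key-log file; after `close()` or expiry the call raises and the derived secret is gone.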

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN202041046658 2020-10-26
IN202041046658 2020-10-26

Publications (1)

Publication Number Publication Date
WO2022090816A1 true WO2022090816A1 (en) 2022-05-05

Family

ID=77431324

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2021/056903 WO2022090816A1 (en) 2020-10-26 2021-07-29 System and method of debugging a network device

Country Status (1)

Country Link
WO (1) WO2022090816A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150341341A1 (en) * 2014-05-20 2015-11-26 Motorola Solutions, Inc Apparatus and method for securing a debugging session
US20180062854A1 (en) * 2015-08-27 2018-03-01 Cavium, Inc. Systems and methods for perfect forward secrecy (pfs) traffic monitoring via a hardware security module
WO2019083555A1 (en) * 2017-10-25 2019-05-02 Extrahop Networks, Inc. Inline secret sharing

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 21758438; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 21758438; Country of ref document: EP; Kind code of ref document: A1)