Control System Data Integrity using a Variable-round Message Authentication Code with an Elliptic Curve Key Exchange Protocol

摘要

The challenge of securing industrial control systems is significant and previous work provided solutions to a number of these challenges including performing mathematical operations on BigIntegers; generating and distributing keys; generating cryptographically secure hash values; implementing random number generation; and ensuring that the operations can be performed without impacting normal operation / scan times. In previous works the Variable-round Message Authentication Code (VMAC) algorithm was introduced for per-message data authentication, and a scheme was presented for two nodes to exchange a symmetric key for VMAC. This work expands upon previous work by introducing the Key Exchange Protocol (KEP), which allows for generation and distribution of symmetric keys for use in multicast implementations of VMAC. KEP is capable of being configured into multiple tree configurations to increase the efficiency of key distribution, but also provides for redundancy in case the root node is taken offline. This work also provides additional VMAC proof of security and VMAC implementation details. A proof of concept for VMA C and KEP was then created and tested using four 1756-L83 Rockwell Automation processors. KEP was show to have an average scan time impact of 10ms during a key exchange with a minimum impact of less than 1ms when IDLE and a maximum impact of 20 ms if verifying and creating digital signed messages at the same time.