ISSUE OF A COMMON, CRYPTOGHRICALLY PROTECTED DEVICE CONFIGURATION INFORMATION
Patent Information
- Authority / Receiving Office
- DE · DE
- Patent Type
- Patents
- Current Assignee / Owner
- SIEMENS AG
- Filing Date
- 2022-04-14
- Publication Date
- 2026-06-11
AI Technical Summary
Current technology does not allow for statements regarding the integrity and authenticity of the correct device configuration when devices are built from multiple subcomponents, particularly over extended periods of use.
A method for securely combining cryptographically protected information from various security elements within a device into a comprehensive statement about the integrity of the entire device, where a designated security element represents the device externally, allowing flexible selection based on user input, topological position, functionality, or cryptographic strength.
Enhances device security by enabling flexible use of strong cryptographic elements, improving long-term suitability and adaptability, ensuring secure operation of devices like industrial control units.
Description
BACKGROUND OF THE INVENTION Field of invention
[0001] The present invention relates to a method for outputting common, cryptographically protected device configuration information from at least one first component of a device and at least one second component of the device. The invention also relates to a device for carrying out the method. Description of the state of the art
[0002] Protecting the integrity and authenticity of components, especially automation devices, control units or IoT devices, is a key objective, particularly when components are used in mission-critical cyber-physical systems or automation systems.
[0003] To protect the integrity of an individual component, methods such as Secure Boot are known, which can be supported by hardware-based security elements, also called Secure Elements, such as a Trusted Platform Module (TPM). A TPM provides a special API for constructing hash chains. This API allows a series of checksums (especially fingerprints of software or firmware that are executed) to be sequentially accumulated in a Platform Control Register (PCR). This is done via a so-called PCR extend function. PCR _ value _ new = hash _ func PCR _ value _ old digest
[0004] The PCR value can be used, firstly, to unlock local privileges (in particular, the use of a secret key). This local privilege is only available if the correct code has been executed, i.e., if the measurements of the executed code have resulted in a valid accumulated PCR value. Secondly, the PCR value can be authenticated to a third party by means of a signature using a key stored in the Secure Element. The third party can then verify that the device is in a trustworthy operating state, especially before sensitive data is transmitted to the device.
[0005] However, current technology does not allow for any statement regarding the integrity and authenticity of the correct device configuration if a device is built from multiple subcomponents, once subcomponents of the device have been replaced. This is particularly problematic over extended periods of use.
[0006] The object of the invention is to provide a device design for improved long-term suitability.
[0007] The patent applications EP 3 599 567 A1, WO 2020 / 185568 A1 and EP 3 591 559 A1 also describe relevant prior art. SUMMARY OF THE INVENTION
[0008] The invention is defined by the features of the independent claims. Advantageous further developments and embodiments are the subject of the dependent claims. Embodiments, possible applications, and advantages of the invention will become apparent from the following description and the drawings.
[0009] The invention relates to a method for outputting common, cryptographically protected device configuration information from at least one first component of a device and at least one second component of the device, wherein the first component has a first configuration and the second component has a second configuration.
[0010] The procedure involves the following steps: Receiving a second configuration information by the at least one first component, wherein the second configuration information has a cryptographic signature and describes the second configuration; verifying the cryptographic signature by a first security element of the at least one first component; creating a common cryptographically protected device configuration information incorporating the second configuration information and a first configuration information by the first security element depending on a result of the cryptographic signature verification, wherein the first configuration information describes the first configuration; and outputting the common cryptographically protected device configuration information by the first security element.
[0011] One aspect of the invention is therefore to securely combine cryptographically protected information from various security elements of the components or subcomponents within the device into a comprehensive statement about the integrity of the entire device. In this process, a plurality of second configuration information pieces can be received and verified by the first security element of the first component, and a common cryptographically protected device configuration information piece can be created by the first security element, incorporating the plurality of second configuration information pieces from the plurality of second components, and then cryptographically protected and output.
[0012] The basic idea of the invention is therefore that, depending on the current configuration of the device's components, one of the several security elements of the components is designated as the security element that represents the device to the outside world.
[0013] Representation to the outside world means, in particular, that the defined security element provides cryptographically protected device configuration information externally, also referred to as attestation, whereby the cryptographically protected device configuration information is determined depending on signed device configuration information of the individual components, which are managed by several security elements of the device.
[0014] The security element, also known as the secure element, is a hardware-based or hardware-bound security device.
[0015] In a further development of the invention, the method includes the following step: Defining at least one first component of the device.
[0016] This defines which component of the majority of the device's components, and thus its security element, represents the device externally and outputs the common, cryptographically protected device configuration information.
[0017] In a further embodiment of the invention, the at least one first component is defined by a user input.
[0018] According to this training, a user, particularly during engineering, commissioning, or device maintenance, can define which component the device represents to the outside world. This means that a user can specify, i.e., define, which of the security elements, also known as secure elements, represents the device as its primary external security element, specifically through a cryptographically protected attestation formed by this security element. This attestation is based on configuration information managed by the second security element of at least one other component of the device (especially managed in a Platform Configuration Register, PCR).
[0019] This allows, in particular, a replaceable communication module of the device (especially a communication processor) to include a security element, or Secure Element, which represents the device as a whole externally as the first security element. This Secure Element can, in particular, support current strong cryptographic algorithms for attestation, e.g., RSA with 4096-bit or 8192-bit key lengths or a PO signature scheme (especially CRYSTALS-DILITHIUM, FALCON, Rainbow). In contrast, another subordinate Secure Element supports, in particular, only RSA with 2048-bit or 1024-bit key lengths.
[0020] The invention enables a user to flexibly use a cryptographically strong Secure Element, which is implemented or contained in a communication processor, instead of a Secure Element contained in another device component, by means of an interchangeable subcomponent, i.e. to define it as the first security element.
[0021] In one variant, a user can define this via a configurable device configuration, i.e., define the first security element via a configurable device configuration. This means that the user can define, via a configurable device configuration, which of the majority of the device's security elements represents the first external security element. Other security elements of the device are then used as the second security element.
[0022] In a further embodiment of the invention, the at least one first component is replaced by whose topological position within the device or an address of the first component is defined.
[0023] In this further variant, the user can implicitly define the first component and thus define its safety element as the first safety element, in particular by specifying the topological position (especially the socket used and / or the order of several plugged-in subcomponents) or an assigned address of a subcomponent.
[0024] In a further embodiment of the invention, the at least one first component is defined randomly or pseudorandomly.
[0025] In this further variant, the first component, and thus the first security element representing the device to the outside world, is selected randomly or pseudo-randomly. A leader selection protocol can be used for this purpose. Furthermore, it is possible to determine the first component, and thus the first security element, based on an ordering criterion of the respective component or security element. For example, the component or security element with the highest or lowest ordering criterion can be automatically defined as the first component or security element. The ordering criterion could be, for example, the serial number or a public-key hash value of the component or security element.
[0026] In a further development of the invention, the at least one first component is defined depending on its functionality and / or a predetermined level of protection.
[0027] In this embodiment, it is possible to automatically select a security element, based on its functionality and supported cryptographic strength, or the strength of a physical tamper protection mechanism, and define it as the primary security element. This allows the strongest and most suitable cryptographic security element to be automatically determined. Furthermore, in the event of a failure or defect of a single security element, another security element can be automatically selected and defined as the primary security element that represents the device to the outside world.
[0028] In a further embodiment of the invention, the at least one first component is defined during operation of the device. This has the advantage that the first component can be dynamically defined and changed, thus making the device adaptable to the operating conditions. The automatic definition can be triggered, for example, during device startup or when a device configuration is changed.
[0029] In another variant, at least one initial component is dynamically determined by an external recipient of an attestation, for example, as part of an implemented attestation protocol. This has the advantage that the recipient can select a security element that best meets their trustworthiness requirements.
[0030] In a further embodiment of the invention, the at least one first component and / or the at least one second component is: a Programmable Logic Controller (PLC) and / or a Smart Actuator and / or a Smart Sensor and / or an Expansion Module and / or an IO Module and / or an AI Module and / or a Communication Processor.
[0031] In a further embodiment of the invention, the at least one second component has a second security element. This has the advantage that, during operation, the second component, and thus the second security element, can also be selected as the one that outputs the common, cryptographically protected device configuration information. Specifically, it is possible for each component of the device, or only some of the components, to have its own security element.
[0032] In a further development of the invention, the cryptographic signature of the second configuration information is based on a cryptographic key pair, and a public key of the key pair is provided to the first component.
[0033] The invention further comprises a device having at least one first component and at least one second component, wherein the first component is configured to carry out the method according to the invention.
[0034] In a further development of the invention, the first component of the device has a first configuration and the second component has a second configuration, wherein the first component has: a receiving unit trained to receive a second configuration information, wherein the second configuration information has a cryptographic signature and describes the second configuration; a first security element trained to verify the cryptographic signature and further trained to create a common cryptographically protected device configuration information incorporating the second configuration information and a first configuration information depending on a result of verifying the cryptographic signature, wherein the first configuration information describes the first configuration; and an output unit trained to output a common cryptographically protected device configuration information, wherein the common cryptographically protected device configuration information relates to the at least one first component of the device and the at least one second component of the device.
[0035] The invention further comprises a computer program product comprising a computer program, wherein the computer program is loadable into a storage device of a computing unit, wherein the steps of a method according to the invention are carried out with the computer program when the computer program is executed on the computing unit.
[0036] The invention further comprises a computer-readable medium on which a computer program is stored, wherein the computer program can be loaded into a storage device of a computing unit, wherein the steps of a method according to the invention are carried out with the computer program when the computer program is executed on the computing unit.
[0037] In summary, the invention offers the advantage of increased flexibility, as different secure elements of a device can be used flexibly, which in turn improves long-term suitability. This allows a user to securely use a device, particularly an industrial control unit or an industrial monitoring device, over a long period, since even the hardware-based device security functionality can be updated. BRIEF DESCRIPTION OF THE DRAWINGS
[0038] The special features and advantages of the invention will become apparent from the following explanations of several exemplary embodiments based on the schematic drawings.
[0039] They show Fig. 1 is a flowchart of the method according to the invention and Fig. 2 is a schematic representation of a device according to the invention. DETAILED DESCRIPTION OF THE INVENTION
[0040] Fig. 1 shows a flowchart of the inventive method for outputting common, cryptographically protected device configuration information from at least one first component 1 (see Fig. 2 ) of a device 3 (see Fig. 2 ) and at least one second component 2 (see Fig. 2 ) of device 3, wherein the first component 1 has a first configuration and the second component 2 has a second configuration.
[0041] From the perspective of the first component, the process comprises the following steps: Step S1: Receiving a second configuration information by the at least one first component 1, wherein the second configuration information has a cryptographic signature and describes the second configuration; Step S2: Checking the cryptographic signature by a first security element 11 of the at least one first component 1; Step S3: Creating a common cryptographically protected device configuration information by the first security element 11, incorporating the second configuration information and a first configuration information, depending on the result of the cryptographic signature check, wherein the first configuration information describes the first configuration; and Step S4: Outputting the common cryptographically protected device configuration information by the first security element 11.
[0042] The second component can generate the second configuration information beforehand. This is a step from the perspective of the second component.
[0043] Fig. 2 A device 3 comprising at least one first component 1 and at least one second component 2, wherein the first component is configured, demonstrates a method as shown in Fig. 1 to be performed as shown.
[0044] The first component 1 has a first configuration, and the second component 2 has a second configuration. The first component has the following units: a receiving unit, configured to receive a second configuration information, wherein the second configuration information has a cryptographic signature and describes the second configuration; a first security element 11, configured to verify the cryptographic signature, and further configured to create a common cryptographically protected device configuration information incorporating the second configuration information and a first configuration information depending on a result of verifying the cryptographic signature, wherein the first configuration information describes the first configuration; and an output unit, configured to output a common cryptographically protected device configuration information, wherein the common cryptographically protected device configuration information relates to the at least one first component 1 of the device 3 and the at least one second component 2 of the device 3.
[0045] Fig. 2 Specifically, it shows a device 3, which consists of two components, d.h.The device 3 is composed of two subcomponents, 1, 2 (generally consisting of several subcomponents), in particular a PLC (Programmable Logic Controller) and a smart actuator or smart sensor or an expansion module, in particular an I / O module, an AI module, or a communication processor. Preferably, each subcomponent has a secure element 11, 22, which is used in particular for or during the protection of the boot process of the respective subcomponent 1, 2. In the example, subcomponent 1 represents the device externally and outputs the common, cryptographically protected device configuration information. The components 1, 2 of the device 3 can be permanently or detachably connected to the device 3. The security element 11 of component 1 is preferably permanently connected to or integrated into component 1.Accordingly, the security element 22 of component 2 is preferably permanently connected to or integrated into component 2. The public key of the second security element 22 is stored on the first security element 11, enabling the first security element 11 to verify a signature generated by the second security element using its associated private key. Thus, the first security element 11 can verify the validity of the cryptographically protected second configuration information of the second component, generated and provided by the second component 2. In one variant, the shared, cryptographically protected device configuration information can include or reference the public key of the second security element 22, for example, by specifying a cryptographic hash value of the public key of the second security element 22.
[0046] One way to achieve this using the means provided by the TPM is for the firmware of subcomponent 1 to query a PCR value from subcomponent 2 during the boot process of subcomponent 1 and include it in its own PCR value: PCR _ sub 1 _ value _ new = hash _ func PCR _ sub 1 _ value _ old PCR _ sub 2 _ value
[0047] PCR_sub1_value_new can now either be further expanded or used directly either to grant local rights or for remote attestation.
[0048] According to a further aspect of the invention, the security of the method can be improved as follows: A security element 11, 22 provides a special extend function that accepts only signed checksums. The control register is only extended after successful verification of the signature. PCR _ value _ new = verify _ and _ hash _ func PCR _ value _ old digest , digest _ sig
[0049] The additional parameter digest_sig contains a signature via the digest parameter. The public key required for verification must be provided in advance to the respective Secure Element 11, 22, which is to execute the function verify_and_hash_func, via a secure communication channel, e.g., a secure channel.
[0050] If not all required checksums are available with a signature, two PCR values can be generated in parallel: one exclusively via hash_func, the other via verify_and_hash_func. Both PCRs can then be certified either independently or in a joint procedure.
[0051] Although the invention has been illustrated and described in detail by the exemplary embodiments, the invention is not limited by the disclosed examples and other variations can be derived from them by a person skilled in the art without leaving the scope of protection of the invention.
Claims
1. Method for outputting a common, cryptographically protected device configuration information item from at least one first component (1) of a device (3) and at least one second component (2) of the device (3), the first component (1) having a first configuration and the second component (2) having a second configuration, the at least one first component (1) having been defined by: - a user input, comprising the steps of: - the at least one first component (1) receiving a second configuration information item, the second configuration information item having a cryptographic signature and describing the second configuration, - a first security element (11) of the at least one first component checking the cryptographic signature, - the first security element (11) generating a common cryptographically protected device configuration information item in consideration of the second configuration information item and a first configuration information item on the basis of a result of the checking of the cryptographic signature, the first configuration information item describing the first configuration, and - the first security element (11) outputting the common, cryptographically protected device configuration information item.
2. Method according to Claim 1, the at least one first component (1) additionally being defined by - the topological position thereof within the device (3) or - an address of the first component (1)3. Method according to either of the preceding claims, the at least one first component (1) additionally being defined randomly or pseudo-randomly.
4. Method according to one of the preceding claims, the at least one first component (1) additionally being defined on the basis of the functionality thereof and / or a specified protection level.
5. Method according to one of the preceding claims, the at least one first component (1) additionally being defined during use of the device (3).
6. Method according to one of the preceding claims, the at least one first component (1) and / or the at least one second component (2) being in the form of: - a programmable logic controller and / or - a smart actuator and / or - a smart sensor and / or - an expansion module and / or - an IO module and / or - an AI module and / or - a communication processor7. Method according to one of the preceding claims, the at least one second component (2) comprising a second security element (22).
8. Method according to one of the preceding claims, the cryptographic signature of the second configuration information item being based on a cryptographic key pair, and a public key of the key pair being made available to the first component (1).
9. Device comprising at least one first component (1) and at least one second component (2), the first component (1) being designed to carry out a method according to one of Claims 1 to 8.
10. Device according to Claim 9, the first component (1) having a first configuration and the second component (2) having a second configuration, the first component (1) comprising: - a receiving unit, designed to receive a second configuration information item, the second configuration information item having a cryptographic signature and describing the second configuration, - a first security element (11), - designed to check the cryptographic signature, and - additionally designed to generate a common cryptographically protected device configuration information item in consideration of the second configuration information item and a first configuration information item on the basis of a result of the checking of the cryptographic signature, the first configuration information item describing the first configuration, and - an output unit, designed to output a common, cryptographically protected device configuration information item, the common, cryptographically protected device configuration information item relating to the at least one first component (1) of the device (3) and the at least one second component (2) of the device (3).
11. Computer program product comprising a computer program, the computer program being able to be loaded into a memory device of a computing unit, the computer program being used to perform the steps of a method according to one of Claims 1 to 8 when the computer program is executed on the computing unit.
12. Computer-readable medium on which a computer program is stored, the computer program being able to be loaded into a memory device of a computing unit, the computer program being used to perform the steps of a method according to one of Claims 1 to 8 when the computer program is executed on the computing unit.