The very first devices are being released that support EtherNet/IP with CIP Security. With these new technologies come terms that may not be familiar to EtherNet/IP users. The most important of these terms follows:
Authentication | Authentication is the process of recognizing a user’s identity by validating the credentials it supplies. In CIP Security, Digital Certificates and Private Shared Keys (PSK) are the two mechanisms used to authenticate a device. |
Certificate Authority | A trusted entity that issues the certificates that can be used to verify an entity’s identity on the EtherNet/IP network. |
Cipher Suite | A cipher suite is a set of algorithms that are used to sign or encrypt messages between an EtherNet/IP Scanner and an Adapter. The specific ciphers used on a connection are negotiated during the connection sequence. |
DTLS | Datagram Transport Layer Security (DTLS) is a version of Transport Layer Security (TLS) adapted for UDP and used to secure I/O messages on a CIP Secure EtherNet/IP network. |
Digital Certificate | An electronic “passport” that verifies a device’s identity. Certificates are one of two trust models in CIP Security. |
Digital Signature | The digital equivalent of signature or a stamped seal on a digital entity. It is a mathematical technique to validate the authenticity and integrity of a message or digital content. It ensures the authenticity of the source of the message. |
Encryption, Asymmetric | A form of encryption that uses paired keys. One key is kept private and one key is public. The public key is used by outside entities to read messages encrypted with the private key. The public key is also used to encrypt messages sent to the entity. Messages encrypted with the public key can only be decrypted with the private key. |
Encryption, Symmetric | A well-known form of encryption that uses a single key to both encrypt and decrypt messages. |
Hash Function | A function that translates data of arbitrary size to fixed length data. It is designed to be a one-way translation such that it is infeasible to reverse the translation. |
Message Confidentiality | Assurance that the messages between two entities cannot be examined by an untrusted, outside entity. Acyclic message confidentiality is achieved in CIP Security via the TLS Algorithms. |
Message Integrity | Assurance that the message passed between two trusted entities has not been corrupted or altered. |
Public Key Infrastructure | A public key infrastructure (PKI) is the entire set of roles, policies and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. |
Pre-shared Key Encryption | Encryption using a secret key that was previously shared between two entities. |
TLS | TLS (Transport Layer Security) is a widely adopted security protocol designed to facilitate privacy and data security for communications over the Internet. TLS secures acyclic messaging on a CIP Secure EtherNet/IP network. |
Self-signed Digital Certificate | Digital certificates are trusted when they have a signature from a higher-level authority, the Certificate Authority (CA). If no CA is available, a vendor can self-sign the certificate, and that can be used to verify a device’s identity during the installation process. |
These terms are important to a complete understanding of the security features that are now part of CIP Security for EtherNet/IP. EtherNet/IP, unlike Modbus TCP and PROFINET IO, is the first technology to support a complete and thorough security standard.
For more information, see RTA’s page on CIP Security for EtherNet/IP.