BS EN 62351-9:2017
Power systems management and associated information exchange. Data and communications security – Cyber security key management for power system equipment
Published By | Publication Date | Number of Pages |
---|---|---|
BSI | 2017 | 94 |
This part of IEC 62351 specifies cryptographic key management, namely how to generate, distribute, revoke, and handle public-key certificates and cryptographic keys to protect digital data and its communication. Included in the scope is the handling of asymmetric keys (e.g. private keys and public-key certificates), as well as symmetric keys for groups (GDOI).
This part of IEC 62351 assumes that other standards have already chosen the type of keys and cryptography that will be utilized, since the cryptography algorithms and key materials chosen will be typically mandated by an organization’s own local security policies and by the need to be compliant with other international standards. This document therefore specifies only the management techniques for these selected key and cryptography infrastructures. The objective is to define requirements and technologies to achieve interoperability of key management.
The purpose of this part of IEC 62351 is to guarantee interoperability among different vendors by specifying or limiting key management options to be used. This document assumes that the reader understands cryptography and PKI principles.
PDF Catalog
PDF Pages | PDF Title |
---|---|
2 | National foreword |
7 | CONTENTS |
11 | FOREWORD |
13 | 1 Scope 2 Normative references |
14 | 3 Terms and definitions |
19 | 4 Abbreviations and acronyms |
20 | 5 Cryptographic applications for power system implementations 5.1 Cryptography, cryptographic keys, and security objectives |
21 | 5.2 Types of cryptography 5.3 Uses of cryptography 5.3.1 Goals of cyber security |
22 | 5.3.2 Confidentiality 5.3.3 Data integrity |
23 | 5.3.4 Authentication 5.3.5 Non-repudiation 5.3.6 Trust |
24 | 6 Key management concepts and methods in power system operations 6.1 Key management system security policy 6.2 Key management design principles for power system operations 6.3 Use of Transport Layer Security (TLS) 6.4 Cryptographic key usages |
25 | 6.5 Trust using a public-key infrastructure (PKI) 6.5.1 Registration authorities (RA) 6.5.2 Certification authority (CA) 6.5.3 Public-key certificates |
26 | 6.5.4 Attribute certificates 6.5.5 Public-key certificate and attribute certificate extensions Figures Figure 1 – Relationship between public-key certificates and attribute certificates |
27 | 6.6 Trust via non-PKI self-signed certificates 6.7 Authorization and validation lists 6.7.1 General |
28 | 6.7.2 AVLs in non-constrained environments 6.7.3 AVLs in constrained environments 6.7.4 Use of self-signed public-key certificates in AVLs 6.8 Trust via pre-shared keys |
29 | 6.9 Session keys 6.10 Protocols used in trust establishment 6.10.1 Certification request 6.10.2 Trust Anchor Management Protocol (TAMP) 6.10.3 Simple Certificate Enrolment Protocol (SCEP) 6.10.4 Internet X.509 PKI Certificate Management Protocol (CMP) |
30 | 6.10.5 Certificate Management over CMS (CMC) 6.10.6 Enrolment over Secure Transport (EST) 6.10.7 Summary view on the different protocols |
31 | 6.11 Group keys 6.11.1 Purpose of group keys 6.11.2 Group Domain of Interpretation (GDOI) Figure 2 – Group key management distribution |
32 | Figure 3 – GDOI IKE Phase 1 – Authentication and securing communication channel |
33 | Figure 4 – GDOI Pull Phase 2 |
35 | Figure 5 – Key renewal triggered by the entities |
36 | 6.12 Key management lifecycle 6.12.1 Key management in the life cycle of an entity Figure 6 – Key management in product life cycle |
37 | 6.12.2 Cryptographic key lifecycle Figure 7 – Simplified certificate life cycle |
38 | Figure 8 – Cryptographic key life cycle |
39 | 6.13 Certificate management processes 6.13.1 Certificate management process 6.13.2 Initial certificate creation 6.13.3 Enrolment of an entity |
40 | Figure 9 – Example of the SCEP entity enrolment and CSR process |
41 | 6.13.4 Certificate signing request (CSR) process Figure 10 – Example of the EST entity enrolment and CSR process |
42 | 6.13.5 Certificate revocation lists (CRLs) Figure 11 – CSR processing |
43 | 6.13.6 Online certificate status protocol (OCSP) Figure 12 – Certificate revocation list |
44 | Figure 13 – Overview of the online certificate status protocol (OCSP) |
45 | Figure 14 – Diagram using a combination of CRL and OCSP processes |
46 | 6.13.7 Server-based certificate validation protocol (SCVP) 6.13.8 Short-lived certificates Figure 15 – Call Flows for the Online Certificate Status Protocol (OCSP) Figure 16 – Overview Server-Based Certificate Validation Protocol using OCSP Backend |
47 | 6.13.9 Certificate renewal Figure 17 – SCEP certificate renewal |
48 | 6.14 Alternative process for asymmetric keys generated outside the entity Figure 18 – EST certificate renewal/rekeying |
49 | 6.15 Key distribution for symmetric keys with different time frames 7 General key management requirements 7.1 Asymmetric and symmetric key management requirements 7.2 Required cryptographic materials Figure 19 – Central certificate generation |
50 | 7.3 Public-Key certificates requirements 7.4 Cryptographic key protection 7.5 Use of existing security key management infrastructure 7.6 Use of object identifiers 8 Asymmetric key management 8.1 Certificate generation and installation 8.1.1 Private and public key generation and installation |
51 | 8.1.2 Private and public key renewal 8.1.3 Random Number Generation 8.1.4 Certificate policy 8.1.5 Entity registration for identity establishment |
52 | 8.1.6 Entity configuration 8.1.7 Entity enrolment |
53 | 8.1.8 Trust anchor information update |
54 | 8.2 Public-key certificate revocation 8.3 Certificate validity 8.3.1 Validity of certificates |
55 | 8.3.2 Certificate revocation 8.3.3 Certificate revocation status checking 8.3.4 Handling of authorization and validation lists (AVLs) |
60 | 8.4 Certificate expiration and renewal 8.5 Secured Time Synchronization |
61 | 9 Symmetric key management 9.1 Group based key management (GDOI) 9.1.1 GDOI requirements 9.1.2 Internet Key Exchange Version 1 (IKEv1) Tables Table 1 – KDC IKEv1 Requirements |
62 | 9.1.3 Phase 1 IKEv1 main mode exchange type 2 Figure 20 – IKEv1 (RFC 2409) main mode exchange with RSA digital signatures |
63 | Figure 21 – IKEv1 main mode exchange and security association messages |
64 | Figure 22 – IKEv1 main mode exchange: key exchange messages Figure 23 – IKEv1 Main Mode Exchange: ID authentication messages |
65 | 9.1.4 Phase 1/2 ISAKMP informational exchange type 5 Figure 24 – IKEv1 HASH_I calculation |
66 | Figure 25 – Phase 1 Informational Exchange |
67 | 9.1.5 Phase 2 GDOI GROUPKEY-PULL exchange type 32 Figure 26 – GDOI GROUPKEY-PULL as defined in RFC 6407 |
68 | Figure 27 – GROUPKEY-PULL hash computations |
69 | Figure 28 – GROUPKEY-PULL initial SA request exchange Figure 29 – RFC 6407 Identification Payload |
70 | Figure 30 – ID_OID Identification Data Table 2 – IEC 61850 Object IDs: Mandatory (m) and Optional (o) |
71 | Figure 31 – 61850_UDP_ADDR_GOOSE/SV ASN.1 BNF Figure 32 – IPADDRESS ASN.1 BNF |
72 | Figure 33 – Example IecUdpAddrPayload ASN.1 Data with DER Encoding Figure 34 – 61850_UDP_TUNNEL Payload ASN.1 BNF Figure 35 – 61850_ETHERNET_GOOSE/SV Payload ASN.1 BNF |
73 | Figure 36 – RFC 6407 SA TEK Payload |
74 | Figure 37 – IEC-61850 SA TEK Payload |
75 | 9.1.6 GROUPKEY-PULL group key download exchange Figure 38 – GROUPKEY-PULL Key Download Exchange |
76 | 10 Connections to the IEC 62351 parts and other IEC documents Figure 39 – IEC 62351 Part 9 relationship to other IEC 62351 parts |
78 | Annex A (normative) Protocol Implementation Conformance Statement (PICS) |
79 | Annex B (informative) Random Number Generation (RNG) B.1 Random number generation types B.2 Deterministic random bit generators |
80 | B.3 Non-deterministic random number generation B.4 Entropy sources |
81 | Annex C (informative) Certificate enrolment and renewal flowcharts C.1 Certificate enrolment C.2 Certificate renewal Figure C.1 – Certificate enrolment |
82 | Figure C.2 – Certificate renewal state machine |
83 | Annex D (informative) Examples of certificate profiles |
84 | Table D.1 – Examples of operator public-key certificates |
85 | Table D.2 – Examples of OEM certificates |
86 | Table D.3 – Example of OCSP certificate |
87 | Bibliography |