

Page 1: [IEEE 2012 1st International Conference on Emerging Technology Trends in Electronics, Communication and Networking (ET2ECN) - Surat, Gujarat, India (2012.12.19-2012.12.21)] 2012 1st

2012 1st International Conference on Emerging Technology Trends in Electronics, Communication and Networking

Authenticated Distributed Device Network

Sapana Garde#

# Electronics & Communication Department, Gujarat Technological University

Mahatma Gandhi Institute of Technical Education & Research Centre

Bhanunagar, Eru-aat road, Jalalpor, Navsari, Gujarat, India

sapana [email protected]

Abstract- Today's globalized business world demands the joining of different kinds of data and communication sources, and cross-border collaborations have led to work in distributed environments across multiple organizational and geographical boundaries. The new requirements of portability, configurability and interoperability of distributed device networks put forward new challenges and security risks for the system's design and implementation. There are critical demands for highly secured collaborative control environments and for security enhancing mechanisms for distributed device control, configuration, monitoring, and interoperation. This paper addresses the collaborative control issues of distributed device networks with entity authentication. The security challenges of authenticity, integrity, confidentiality, and execution safety are considered as primary design constraints. By adopting policy-based network security technologies, a technique for passing a secret key is designed in this paper to provide high authenticity in a distributed network; moreover, the modules Secure Device Control Gateway and Security Agent are integrated into regular distributed device control networks to provide security and safety enhancing mechanisms. The main architectures, applied mechanisms, and implementation considerations are presented in detail in this paper.

Keywords-distributed device network, secret key, secure device control gateway, secure client, secure agent, self generated code, repository system.

I. INTRODUCTION

The growing globalization and decentralization of businesses demands automated data transactions between different nodes of an organization, or transfers between different organizations. Businesses and interactions are now happening across traditional physical boundaries. The decentralization of organizations has had a major impact on traditional business models. Services and resources are distributed everywhere and sourced anywhere through virtual chains. In recent years, a number of research projects have been proposed to address the collaborative control problem of distributed device systems in open environments. Hitachi Seiki (Japan) introduced Seiki FlexLink Open CNC/PC Network Connectivity [5] to its turning and machining centres, making it possible to connect with a hand-held personal digital assistant (PDA) or a laptop computer and do in-process gauging, machine monitoring, and cycle-time analysis. Since 1998, Mazak (Japan) has operated its high-tech Cyber Factory concept at its headquarters in Oguchi, Japan. The fully networkable Mazatrol Fusion controls allow Mazak machines to communicate over wireless networks for applications including real-time machine tool monitoring and diagnostics. MetaMorph II [6] was proposed as a hybrid, agent-based, mediator-centric architecture to integrate partners, suppliers, and customers in a dynamic manufacturing environment. The internet is widely used as an open medium for information communication in distributed systems, hence the security of data becomes a wide issue, which could be solved by secret key generation, the approach of this paper. This provides the following advantages.

978-1-4673-1627-9112/$31.00 ©2012 IEEE

• Control tasks or components can be designed and exchanged between different vendors.

• Different devices can be operated and monitored by each other or by human operators, within or outside the organization.

• Different devices can be reconfigured remotely to respond to unanticipated events.

II. DISTRIBUTED DEVICE CONTROL

Within the efforts towards increasing the configurability, interoperability and other collaborative features of distributed device control systems, the International Electrotechnical Commission's Function Block specification (IEC61499) [7] is one of the most significant efforts.

[Figure: a communication network connecting Devices 1, 2 and 3; Application A and further applications distributed across the devices; the controlled process beneath them]

Fig. 1 IEC61499 Distributed Control System Model (source: [7])


[Figure: client domains 1 to N with secure clients, repository systems 1 to N (secure repository system), and device domains 1 to N with shared devices behind an SDCG, all interconnected through a network router/gateway]

Fig. 2 Secure distributed device control model (source: [1])

IEC61499 provides a set of systematic approaches for the design of distributed industrial process measurement and control systems (IPMCS). It specifies a series of reference models and covers the whole life cycle of a control system, including the phases of system planning, design, implementation, validation, operation, and maintenance. As shown in Fig. 1, different kinds of devices are virtually connected to each other through the internet, where the devices may be of different categories and process different applications. All the processes are controlled by accessing devices on demand through a centralised system, which is explained in detail in section III. IEC61499 and Function Block (FB) related concepts for distributed industrial and device control systems have been demonstrated in a number of projects in the literature [8]-[10]. For example, Brennan et al. [8] proposed a model to support runtime reconfiguration of distributed control systems that are built upon FB models. FBDK (the Function Block Development Kit) [9] was developed as an experimental development kit to enable the building and testing of FB-based control applications. However, the IEC61499 specification does not address how FB components are stored, retrieved and protected in a network environment. In other words, there is no discussion concerning how such a distributed device control system could run under open and dynamic environments. It is also hard to find such discussion in the available research literature. In order to actually implement collaborative control under open and dynamic environments, further research and development are required.

III. SECURITY CHALLENGES UNDER OPEN AND DYNAMIC ENVIRONMENT

The open and dynamic environment brings many new challenges to the collaborative control of distributed device systems. In such an environment, for example, device access and information exchange have to cross multiple corporate networks or even the Internet. Critical security challenges may arise in the processes of command transfer, function modification, remote diagnosis, and maintenance. Any control operation in open and dynamic environments may result in potentially hazardous conditions. Most significantly, security risks may come from the network, data storage, operating platforms, and application modules. A distributed device network is described in Fig. 2, where various clients, RS (repository systems) and the devices to be accessed are interconnected through the internet, hence authentication is essential. The RS is loaded with the addresses of the devices and their respective SDCG (Secure Device Control Gateways) in terms of codes; the SDCG connects devices to the authenticated client through a key verification process, designed with software tools, which is explained in section IV. Such an open collaboration scenario is accompanied by the following significant security challenges.


1) Identification: Distributed devices, software tools, and human operators need to identify themselves within the open and dynamic environment. This is the means by which devices, tools, and users claim their identities to the device control system.

2) Entity Authentication: This is a process to demonstrate the evidence of the identity of a device or operator.

3) Data Authentication: This is a process to demonstrate the evidence of the identity of the original source of exchanged commands, control codes, or device feedback.

4) Authorization: This is a process by which an entity is granted access to another entity's processes or resources. It determines the extent of the system rights that an entity holds.

5) Integrity: Command and control codes must be protected to ensure that no part is changed while in storage or in transmission across networks.

6) Confidentiality: Valuable codes and data, perhaps representing confidential manufacturing processes, must be protected from malicious attackers or competitors.

7) Non-repudiation: An entity (a device, an operator, and so on) cannot deny the authenticity of its signature on a command or a communication that it originates.

8) Execution Safety: The acceptance and execution of outside commands and control codes must be safe for the device and the control system. Each device may have independent local task execution and protection requirements.

IV. DESIGN OF SECURED DISTRIBUTED DEVICE NETWORK

Fig. 3 describes the entire process of authenticated device access step by step.

[Figure: message exchange between CLIENT, RS and SDCG, including the key acknowledgement from the SDCG]

Fig. 3 Secure accessing between client, RS, SDCG (source: [1])

• The SA (Security Agent: a module which implements all the security enhancing operations including security policy negotiation, entity authentication, data confidentiality, non-repudiation, and integrity) [1] at the client side sends a request and a credential to the repository system for device access. The request indicates that the operator wants to retrieve some available control components from a repository.

• The SA module at the RS accepts the request and checks the credential against the security policy to see if the request is authorized. If the provided credentials satisfy the policies, the repository SA generates the key from the IP address of the client, which is unique per transaction; the key generation process is described in Fig. 7.

• The RS passes the same key to the respective SDCG to which the requested device is connected. On the device side there is a series of SDCGs with local devices beneath them. By default, each SDCG and its associated devices are considered to be within one trust boundary. This means that there is no security risk between devices in one trust boundary. More about the SDCG is discussed in section V.

• The SDCG sends an acknowledgement back to the repository system for successful reception of the key.

• The client sends a request and the secret key to the SDCG to have access to the selected device.

• If the key received from the client matches the key sent by the repository system, the SDCG provides access to the device for the client; otherwise it denies access.

Hence access is provided only to the verified user.

V. ARCHITECTURE OF SDCG

In our proposed model, the SDCG plays important roles by mediating outside requests and internal control actions in the Device Domain. It guarantees the security and safety of the device control. The architecture of this SDCG is illustrated in Fig. 4, which includes the following.

A. Security Agent

For incoming dataflow, the SA checks the authenticity and integrity of the data. Then it decrypts dataflow, which may contain commands or control components in the form of XML. For outgoing dataflow, the SA signs and encrypts outgoing XML data and delivery results for their destinations. The architecture of the SA and the applied mechanisms are presented in Section VI.

B. Admission Agent

The Admission Agent checks whether a newly requested task is available to be executed according to the admission policy.

C. Queue Agent

When a new task passes the admission test, a Task ID is assigned to it. The task is then put into the Task Queue. The first task in the queue is always waiting for execution in the next scheduling period. The Queue Agent maintains the queuing policy for ordering the queued tasks. Specific rules can be set for the smooth functioning of multiple tasks.


The task queuing policy may be set according to the following factors.

• Priority of each task.

• Task entry time.

• Fairness: a guarantee that each waiting task will have a 'fair' opportunity to run.

• Desired completion time of each task.

Fig. 4 Architecture of SDCG (source: [I])

D. Execution Agent

The Execution Agent is responsible for the execution of a task. It gets the first task from the task queue and uses the corresponding device application identity (API) to begin the execution of that task on the specified device. After proper authentication, the Execution Agent allows access to the respective devices and sends feedback to the respective clients.

VI. DESIGN OF DISTRIBUTED DEVICE CONTROL SYSTEMS WITH SECURITY FEATURES

There are three logical domains in this model: client domain, repository domain, and device domain. Entities in different domains may be geographically distributed and connected through networks (LAN or WAN). The collaboration and control operations may run across any open and unsecured network, like the Internet. Each client in this model is a secure client (SC), which is protected by a module called the SA. Fig. 5 illustrates the basic functional modules of the SC. The SA plays an important role: it implements all the security enhancing operations including security policy negotiation, entity authentication, data confidentiality, non-repudiation, and integrity. The working mechanisms of the SA are presented in Section VII in detail. On the client side, an operator or designer holds one or more credentials, which certify that s/he has some granted rights to request some services under limited conditions. For example, before an operator wants to query the status of a device, the operator must provide a proof (credential) signed by the device's administrator or by others who have the delegation authority. Depending on an operator's priorities and responsibilities, s/he may request different services, like programming a new control application, device reconfiguration, device operation, or device monitoring.

[Figure: Device operator/System designer, Security agent, Internet browser, Internet]

Fig. 5 Functional modules in Secure Client (source: [1])

On the repository side, a series of control components, expressed as IEC61499 FB codes, are stored in different repositories. These components are different control functions and applications (e.g., PID control) that may come from different suppliers. These repositories are distributed across several physical locations and may belong to different organizations. There is an SA residing in each of the repositories.

[Figure: Task components repository, Security policies, Security agent, HTTP server, Internet]

Fig. 6 Functional modules in Secure Repository (source: [1])


The SA is responsible for all the security-related operations such as authentication, data encryption, integrity verification, audit and so on. Each repository SA also maintains a series of security-related policies, which specify the detailed security requirements and constraints. Only requests compatible with these policies will be served by SA. Fig. 6 illustrates the basic functional modules of a secure repository (SR).

VII. PROCESS OF KEY GENERATION

In the distributed network a client can access the intended device by proving its valid identity, which is the approach of this paper. Different control systems may use different devices from different vendors. Software and tools by different suppliers cannot recognize each other. The status and operations of distributed devices are difficult to predict and control from a remote site. Such situations have created barriers to forming new collaborations with changing global supply chains and other activities. In recent years, a number of research projects have been proposed to address the collaborative control problem of distributed device systems in open environments. Significant projects include NIIIP [2]. The goal of this project was to develop a series of open industry software protocols that can make software interoperation possible between manufacturers and their suppliers. More recently, Cimplicity [3] from GE Fanuc Automation (USA) was developed to allow users to view their factory's operational processes through an XML-based Web-View screen. In order to bring legacy machine tools on-line and make machine tools become servers of information, e-Manufacturing Network Inc. (Canada) introduced its fON Universal Interface and CORTEX Gateway [4]. Hitachi Seiki (Japan) introduced Seiki FlexLink Open CNC/PC Network Connectivity [4] to its turning and machining centers, making it possible to connect with a hand-held personal digital assistant (PDA) or a laptop computer and do in-process gauging, machine monitoring, and cycle-time analysis. Since 1998, Mazak (Japan) has operated its high-tech Cyber Factory concept at its headquarters in Oguchi, Japan. The fully networkable Mazatrol Fusion controls allow Mazak machines to communicate over wireless networks for applications. However, despite all these accomplishments, most of the above systems are either for off-line simulation or for monitoring only. Most of these systems require a specific application to be installed and configured instead of using standard interfaces. To secure this transaction, a special key is generated in this paper to make the process authenticated.

The key is generated by the RS through eight steps as follows.

• The RS accepts the request from a client who wants to have access to remote devices; the RS detects the valid 32 bit IP address of the client and recovers its last two digits (16 bits) through logical ANDing with the IP mask 0.0.1.1.

• The result generated in step 1 is logically EX-ORed with the 32 bit predefined common block code 0.0.10101010.10101010 in the RS.

• The generated EX-ORed code is again logically ANDed with two different 8 bit defined codes X and Y individually, which generates two different 8 bit results A and B respectively.

• Result A is logically EX-ORed with a special self generated code (SGC) and produces the 8 bit code C, where the SGC is unique for each client IP address and predefined by the RS; it therefore defines a unique key for each client.

• Result B of 8 bits is given to the bit shuffler and produces a different 8 bit result D after predefined bit shuffling.

• The 8 bit generated code C is then given to a simple inverter, to add complication to the key generation process, and produces the inverted 8 bit code E.

• Code E is logically EX-ORed with code D and produces the output 8 bit code F.

• Finally the two 8 bit codes E and F are merged together to form a 16 bit code called the secret key.

[Figure: block diagram of the eight-step key generation described above]

Fig. 7 Key generation for entity authentication at RS
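As an added example (not code from the paper or from reference [1]), the following Python models the eight-step key derivation of section VII together with the RS-to-SDCG key passing and the verification at the SDCG described in sections IV and VIII. The IP mask and the common block code are the paper's values; the codes X and Y, the bit permutation, the per-client SGC table, the policy, the device names and the IP addresses are constructed assumptions, and since the paper does not say which byte X and Y are applied to, applying X to the low byte and Y to the high byte is an assumption as well.

```python
import hmac
import ipaddress

# Scheme constants. The mask and common block code are the paper's values;
# X, Y, the bit permutation and the per-client SGC table are not given
# numerically in the paper, so the values below are constructed for the demo.
IP_MASK = 0x0000FFFF        # keep the last two octets (the paper writes this mask as 0.0.1.1)
COMMON_BLOCK = 0x0000AAAA   # 0.0.10101010.10101010
X = 0b11001100              # constructed 8-bit code X
Y = 0b10101111              # constructed 8-bit code Y
BIT_SHUFFLE = (3, 7, 1, 5, 0, 4, 2, 6)  # constructed permutation: out bit i <- in bit BIT_SHUFFLE[i]
SGC_TABLE = {"192.168.3.7": 0x5A, "10.0.0.21": 0xC3}  # constructed self-generated codes per client IP


def shuffle_bits(value):
    """Step 5: fixed bit permutation of an 8-bit value."""
    out = 0
    for i, src in enumerate(BIT_SHUFFLE):
        out |= ((value >> src) & 1) << i
    return out


def generate_key(client_ip, sgc):
    """Eight-step key derivation of section VII; returns a 16-bit integer."""
    ip = int(ipaddress.IPv4Address(client_ip))
    step1 = ip & IP_MASK            # 1: last 16 bits of the client address
    step2 = step1 ^ COMMON_BLOCK    # 2: XOR with the common block code
    a = (step2 & 0xFF) & X          # 3: assumption - X is ANDed with the low byte ...
    b = ((step2 >> 8) & 0xFF) & Y   #    ... and Y with the high byte, giving A and B
    c = a ^ sgc                     # 4: C = A XOR SGC (SGC is unique per client IP)
    d = shuffle_bits(b)             # 5: D = shuffled B
    e = (~c) & 0xFF                 # 6: E = inverted C
    f = e ^ d                       # 7: F = E XOR D
    return (e << 8) | f             # 8: secret key = E || F (16 bits)


class SDCG:
    """Secure Device Control Gateway: stores the key received from the RS and verifies the client's copy."""

    def __init__(self):
        self.expected = {}   # (client_ip, device) -> key passed by the RS

    def store_key(self, client_ip, device, key):
        self.expected[(client_ip, device)] = key
        return True          # acknowledgement back to the RS

    def access(self, client_ip, device, presented_key):
        stored = self.expected.get((client_ip, device))
        if stored is None or not 0 <= presented_key <= 0xFFFF:
            return False
        # Constant-time comparison so the verification does not leak which bits matched.
        return hmac.compare_digest(stored.to_bytes(2, "big"), presented_key.to_bytes(2, "big"))


class RepositorySystem:
    """RS with its Security Agent: policy check, key generation, key distribution."""

    def __init__(self, policy, gateways):
        self.policy = policy        # credential -> devices that credential may request
        self.gateways = gateways    # device -> SDCG the device sits behind

    def handle_request(self, client_ip, credential, device):
        if device not in self.policy.get(credential, ()):
            return None             # credential does not satisfy the policy: no key issued
        sgc = SGC_TABLE.get(client_ip)
        if sgc is None:
            return None             # unknown client: the RS has no SGC for this address
        key = generate_key(client_ip, sgc)
        if not self.gateways[device].store_key(client_ip, device, key):
            return None             # SDCG did not acknowledge reception of the key
        return key                  # key goes back to the client (sections IV and VIII)


def run_scenario():
    """Constructed walk-through: one authorized client, one wrong key, one rejected credential."""
    gateway = SDCG()
    rs = RepositorySystem(policy={"cred-operator-A": {"cnc-1"}}, gateways={"cnc-1": gateway})
    key = rs.handle_request("192.168.3.7", "cred-operator-A", "cnc-1")
    granted = gateway.access("192.168.3.7", "cnc-1", key)
    denied = gateway.access("192.168.3.7", "cnc-1", key ^ 0x0001)   # one bit off: must fail
    no_key = rs.handle_request("10.0.0.21", "cred-unknown", "cnc-1")  # policy rejects this credential
    return key, granted, denied, no_key


if __name__ == "__main__":
    k, g, d, n = run_scenario()
    print(f"key=0x{k:04X} granted={g} wrong_key_denied={not d} unauthorized_key={n}")
```

Whatever constants are chosen, the resulting key is 16 bits and a deterministic function of the client's address, which bounds how much the verification at the SDCG can rely on the key alone.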


The sharing and application of this key is described in detail in the next section, VIII.

VIII. PROCESS OF AUTHENTICATION

This section elaborates the application of the key for each client in the collaborative system. A client of a registered organisation seeking access to a remotely located device beyond the boundary of its local network needs to send a request to the RS, where, the first time, the RS produces a secret key from the client's IP address through the process of section VII above. The key is passed to the client itself. After receiving the key the client is allowed further access to the device; for this the client has to request the RS for device access. In response the RS passes the key to all SDCGs connected to it.

[Flowchart: client request to RS; key encryption; pass key to client; pass key to SDCG; SDCG stores the key; client sends request & key to SDCG; on a match the SDCG provides device access and the process is executed, otherwise the access is denied]

Fig. 8 Flowchart of authentication process


The client then sends a request to the respective SDCG together with the same key; if the key matches and is verified at the SDCG, it permits device access to the client, otherwise it denies access. In this way device access is provided only to the authenticated user.

IX. CONCLUSION

For open and dynamic environments, effective security enhancing mechanisms and architectures are critical for the control of distributed systems and devices. This paper addresses the security challenges involved in the collaborative control of distributed device networks under open and dynamic environments. By combining network security technologies and software agents, the major security problems of authenticity, integrity, confidentiality, and execution safety are addressed. Two new modules, the SA and the SDCG, are proposed as primary security supports. The architecture and applied security mechanisms are presented in detail.

The security constraints for device access could be modified by adding complexity to the encryption process of the key, and the same could be implemented and verified by working with different layers of the computer network in simulation software like different versions of ns-2.

REFERENCES

[1] Y. Xu, R. Song, L. Korba, L. Wang, W. Shen, and S. Lang, "Distributed device networks with security constraints," IEEE Xplore.

[2] The National Industrial Information Infrastructure Protocols (NIIIP) (2003). [Online]. Available: http://www.niiip.org/public/home.nsf

[3] P. Waurzyniak, "Electronic intelligence in manufacturing," SME Manufact. Eng., vol. 127, no. 3, pp. 44-67, 2001.

[4] CNC Internetworking, e-Manufacturing Networks Inc. (2003). [Online]. Available: http://www.e-manufacturing.com/products/internetworking.htm

[5] Scanning the Horizon-Hitachi Seiki Introduces Open CNC-PC Network Connectivity, MMS Online. (2003). [Online]. Available: http://www.mmsonline.com/articles/0699scan2.html

[6] W. Shen, F. Maturana, and D. H. Norrie, "MetaMorph II: An agent-based architecture for distributed intelligent design and manufacturing," J. Intell. Manufact., vol. 11, no. 3, pp. 237-251, 2000.

[7] Function Blocks for Industrial-Process Measurement and Control Systems, 2000. IEC TC65/WG6, IEC-TC65/WG6 Committee.

[8] R. W. Brennan, X. Zhang, Y. Xu, and D. H. Norrie, "A reconfigurable concurrent function block model and its implementation in real-time Java," J. Integ. Comput.-Aided Eng., vol. 9, pp. 263-279, 2002.

[9] J. Christensen. (2003) FBDK-The Function Block Development Kit. [Online]. Available: http://www.holobloc.com/fbdk/README.htm

[10] Y. Wei, "Implementation of IEC61499 Distributed Function Block Architecture for Industrial Measurement and Control Systems (IPMCS)," degree thesis, National Univ. Singapore, 2001/2002.
