Authenticity And Integrity Through Signatures - Siemens SIMATIC S7-1500 Function Manual

Encryption processes in practice
In practice, for example with a CPU Web server and Secure Open User Communication, the
TLS protocol is used below the relevant application layer. Application layers are HTTP or
SMTP, for example, as detailed above.
TLS (Transport Layer Security) uses a combination of asymmetric encryption and symmetric
encryption (hybrid encryption) for secure data transfer, for example, over the Internet, and
uses the following subprotocols:
● TLS Handshake Protocol, responsible for authentication of communication partners and
negotiation of the algorithms and keys to be used for subsequent data transfer on the
basis of asymmetric encryption.
● TLS Record Protocol, responsible for encryption of user data with symmetric encryption
and data exchange.
Both asymmetric and symmetric encryption are considered secure encryption schemes -
there is basically no difference in security between the two procedures. The degree of
security depends on parameters such as the selected key length.
Abuse of encryption
You cannot tell from the bit string of a public key what identity is assigned to it. A fraudster
could provide their own public key and claim to be someone else. If a third party then uses this
key, thinking that they are addressing their intended communication partner, confidential
information could end up with the fraudster. The fraudster then uses their private key to decrypt
the message that was not intended for them, and sensitive information falls into the wrong
hands.
To prevent this type of abuse, the communication partners must be confident that they are
dealing with the right communication partner. This trust is established by using digital
certificates in a PKI.
3.6.3 Authenticity and integrity through signatures

Attacks by programs that intercept communication between the server and client and act
as if they themselves were the client or server are called man-in-the-middle attacks. If the false
identity of these programs is not detected, they can obtain important information about the
S7 program, for example, or set values in the CPU and attack a machine or plant. Digital
certificates are used to prevent such attacks.
Secure communication uses digital certificates that meet the X.509 standard of the
International Telecommunication Union (ITU). This allows the identity of a program, a
computer or an organization to be checked (authenticated).
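
The following script is an added example, not part of the Siemens manual: it uses the openssl command line to reproduce the situation described under "Abuse of encryption" and the check that a CA signature on an X.509 certificate makes possible. The CA name "Demo Plant CA" and the device name "plc-1.example" are assumptions, and all keys are generated on the fly in a temporary directory.

```sh
#!/bin/sh
# Added example (constructed): "Demo Plant CA" and "plc-1.example" are assumed names.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a small PKI: a CA, a CPU certificate signed by that CA, and an
# impostor certificate that is self-signed but claims the same subject name.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Plant CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=plc-1.example" \
    -keyout "$WORK/cpu.key" -out "$WORK/cpu.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/cpu.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/cpu.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=plc-1.example" \
    -keyout "$WORK/fake.key" -out "$WORK/fake.crt" 2>/dev/null
}

# Claimed identity and public key as carried in a certificate file.
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253; }
pubkey_of()  { openssl x509 -in "$1" -noout -pubkey; }

# The check a communication partner performs: does the certificate chain
# to the trusted CA? Prints "trusted" or "rejected".
check_cert() {
  if openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

make_pki
for c in cpu fake; do
  echo "$c: $(subject_of "$WORK/$c.crt") -> $(check_cert "$WORK/$c.crt")"
done
```

Both certificates claim the same subject name but carry different public keys; only the one signed by the trusted CA passes verification.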
Communication
Function Manual, 11/2019, A5E03735815-AH
Communications services
3.6 Secure Communication
39
