The following provides some general information about safety functions (security measures). This information applies regardless of whether they are used in CODESYS or on a connected controller.
Access protection with user management
As a means of protecting against unauthorized access to data, it is necessary to configure user accounts with specific access rights. Only a user with the credentials has access to the data or functions.
Creating passwords according to the general recommendations for achieving a high password strength is a tremendous contribution to security.
User management is roughly divided into the following types:
- Simple user management:
  To access data, only a password or the valid combination of user name and password has to be entered. This means that access can only be granted or denied. Graduated permissions cannot be configured.
- Group-based user management:
  The access rights are assigned to user groups. After entering their credentials, users who belong to a group can access the data or functions with exactly the permissions assigned to that group, which can differ from group to group.
Encryption, signature
Encryption:
Encryption of data means the following: Data is converted into an unreadable form and can only be made readable again with a matching key. In the simplest case, the key is a password or a key pair.
There are two types of encryption methods:
- Symmetric method: (the only type of encryption until the mid-1970s)
  Characteristic: Use of a secret key
  Advantages: Fast, simple encoding
  Disadvantages: The key has to be shared secretly.
- Asymmetric method:
  Characteristic: Use of a key pair (private/secret key and public key)
  Advantages: The public key can be made accessible to anyone, and authentication is possible with it.
  Disadvantages: Slow (approx. 1,000 to 10,000 times slower than symmetric methods); complex encoding; long key lengths
Key exchange is usually performed by asymmetric methods; encryption and decryption by symmetric methods.
Signature:
In order for the irrefutable ownership and integrity of a message to be verifiable, it should be provided with a signature. These are usually the steps involved:
- Sender: Determines a unique hash value over the data (H)
- Sender: Encrypts the hash value with the private key (He)
- Recipient: Also calculates the hash value, decrypts He with the public key, and compares the two values. This allows the sender to be identified uniquely and verifies that the sender owns the private key.
In the case of asymmetric encryption, a public key contained in a certificate is first exchanged between the sender and the recipient. In addition, each participant needs a private key with which they can decrypt the data if they have the certificate. So if you want to access a certificate, you need a certificate AND a private key.
Hash methods are necessary for this:
- Hash method:
  Characteristic: Unique thumbprint of the data (for example, checksum of the data)
  Collisions as unlikely as possible (it is very difficult to find or construct two different sets of data with the same hash value)
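The three signature steps above (H, He, comparison), as an added example that is not part of the original page or of CODESYS. It assumes SHA-256 as the hash method and unpadded "textbook" RSA with a constructed toy key; the function names are hypothetical, and production systems use a padded signature scheme from a vetted library instead.

```python
import hashlib

# Constructed toy key for illustration only: two well-known Mersenne primes.
# Primes of this special form are trivial to guess, so never use them for real keys.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                              # public modulus (part of the public key)
E = 65537                              # public exponent (part of the public key)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (has to be kept secret)


def hash_value(data: bytes) -> int:
    """Step 1: hash value H over the data, as an integer (assumed: SHA-256)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes) -> int:
    """Step 2 (sender): He = H transformed with the private key."""
    return pow(hash_value(data), D, N)


def verify(data: bytes, he: int) -> bool:
    """Step 3 (recipient): recompute H, recover the signed hash from He
    with the public key, and compare the two values."""
    if not 0 <= he < N:
        return False                   # reject values outside the key's range
    return pow(he, E, N) == hash_value(data)


if __name__ == "__main__":
    message = b"constructed sample: setpoint=42"
    he = sign(message)
    print("valid signature:   ", verify(message, he))
    # A single changed byte yields a different hash, so the comparison fails.
    print("tampered data:     ", verify(b"constructed sample: setpoint=43", he))
    # A modified signature no longer decrypts to the hash of the data.
    print("tampered signature:", verify(message, he ^ 1))
```

Only the holder of D can produce a value He that passes `verify`, which is why the comparison identifies the sender; anyone with N and E can run the check.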
Certificates
In order to assign the public key to an identity, it is usually embedded in a certificate.
In certificate-based systems, each user receives a digital certificate. The certificate is used for digital identification. It contains information about the identity and the public key of the user. Each certificate is authenticated by an issuing authority, which in turn may be authenticated by higher authorities. The trust system of this PKI (Public Key Infrastructure) is strictly hierarchical. The common trust anchor is a root certificate.
Contents of a certificate:
- Version
- Serial number
- Algorithm ID
- Issuer (authority or company)
- Validity from (not before) to (not after)
- Certificate owner (subject)
- Certificate owner key information (subject public key)
  - Public key algorithm
  - Public key of the certificate owner
- Unique ID of the issuer (optional)
- Unique ID of the owner (optional). The owner possesses a private key matching the public key.
- Extensions
  - Purpose (extended key usage)
  - ...
The certificate consists of 2 parts/files:
- Public X.509 certificate (can be issued to anyone)
- Private key that matches only the certificate or its public key (has to be kept secret).
To manage the certificates in your local "Windows Certificate Store", see the following help page: