Security

Motivation

Driven by legal requirements like EU Cyber Resilience Act (CRA), security for industrial communication systems is more and more playing a crucial role. The RTC Testbench can also be used to measure and optimize the performance of a particular security implementation for authentication and/or encryption of each processed frame.

The RTC Testbench demonstrates one exemplary Profinet security implementation. The Profinet security specification is still under development. This implementation is to be used only for performance measurements. For instance, what impact does real time frame encryption and decryption have on quantity structures? Key management, updates, rotation etc. and other mechanisms are not covered.

Configuration parameters

The parameters which allow to configure frame authentication or encryption are shown below:

Features & configure options

Option

Description

SecurityMode (String)

One of None, AO (Authentication only), AE (Authentication and Encryption)

SecurityAlgorithm (String)

One of AES256-GCM, AES128-GCM, CHACHA20-POLY1305

SecurityKey (String|Hex)

Key to be used for crypto functions either 16 or 32 bytes depending on selected algorithm

SecurityIvPrefix (String|Hex)

Prefix of the IV which is 6 bytes in size

These options are valid for classes TSNHigh, TSNLow, RTC and RTA.

Implementation

The current implementation uses OpenSSL v3 or later. This means the authentication and encryption work is performed in software. Therefore, enabling security can have a significant performance impact.

Future hardware like ASIC(s) or newer generation NIC(s) may provide Profinet security hardware offloading with the goal of zero performance impact. This is not covered yet.

Example

There are examples for Profinet Authentication only and Authentication and Encryption:

  • tests/profinet_auth

  • tests/profinet_crypt

For measuring the security performance impact the CPU run times of the involved real time tasks can be traced. See scripts/trace_rtc.bt for an example.