Project number
IEC/TC or SC :
TC 57
Title of TC/SC:
Date of circulation
2009-05-01
2009-08-07
Supersedes document
57/914/NP - 57/949/RVN
Functions concerned:
Safety
Secretary:
EMC
Environment
Quality assurance
Title:
Power systems management and associated information exchange - Data and communications
security - Part 8: Role-based access control
(Titre) :
Introductory note
FORM CD (IEC)
2002-08-08
62351-8/CD IEC(E)
5771001/CD
CONTENTS
1
1.1 Purpose...................................................................................................................7
1.2 Scope......................................................................................................................7
1.3 RBAC and the AAA-Framework................................................................................8
1.4 Justification .............................................................................................................9
1.5 Out of Scope ...........................................................................................................9
Normative references...................................................................................................... 10
Abbreviated terms........................................................................................................... 13
Credentials ............................................................................................................ 21
6.1.1 Profiles ...................................................................................................... 21
6.1.2 Mandatory fields in credential..................................................................... 21
6.1.3 Optional fields in credentials ...................................................................... 21
6.1.4 Mandatory profile-specific fields ................................................................. 21
6.1.5 Resolution of timestamp............................................................................. 22
6.1.6 Maximal lifetime of credential ..................................................................... 22
6.1.7 Size of credentials ..................................................................................... 22
6.1.8 Number of issuers...................................................................................... 22
6.2 Role-right assignment ............................................................................................ 22
6.2.1 Number of supported rights ........................................................................ 22
6.2.2 Number of supported roles ......................................................................... 22
6.2.3 Flexibility of role-right mapping................................................................... 22
6.3 Role-Right assignment with respect to power systems............................................ 22
6.3.1 Power utility automation - IEC 61850 .......................................................... 22
6.3.2 CIM IEC 61968 ....................................................................................... 27
6.3.3 AMI............................................................................................................ 27
6.3.4 DA ............................................................................................................. 27
6.3.5 Markets ..................................................................................................... 27
6.4 Role-Right Assignment with respect to other Non-Power System domains
(e.g. industrial process control) .............................................................................. 27
Role formats (normative) ................................................................................................ 28
7.1
62351-8/CD IEC(E)
57/1001/CD
62351-8/CD IEC(E)
5771001/CD
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2. Recipients
of this document are invited to submit, with their comments, notification of any relevant patent
rights of which they are aware and to provide supporting documentation.
This working draft of the International Standard IEC 62351 Part 8 has been prepared by IEC
technical committee 57: Working Group 15 on Data and Communications Security.
It is part of the standard series IEC 62351, a set of specifications for data and communication
security. At time of publication of this part, the standard series IEC 62351 comprises the
following parts:
62351-8/CD IEC(E)
57/1001/CD
IEC 62351-4: Communication Network and System Security Profiles Including MMS.
These security standards cover those profiles used by ICCP and IEC 61850.
IEC 62351-5: Data and Communication Security Security for IEC 60870-5 and
Derivatives (i.e. DNP 3.0). These security standards cover both serial and networked
profiles used by IEC 60870-5 and DNP.
IEC 62351-6: Data and Communication Security Security for IEC 61850 Profiles.
These security standards cover those profiles in IEC 61850-7-2 that are not based on
TCP/IP GOOSE, GSSE, and SMV.
IEC 62351-7: Data and Communication Security Management Information Base (MIB)
Requirements for End-to-End Network Management. These security standards define
Management Information Base (MIBs) that are specific for the power industry, to handle
network and system management through SNMP-based capabilities.
62351-8/CD IEC(E)
5771001/CD
INTRODUCTION
This document provides a technical specification for access control in power systems. The
power system environment supported by this specification is enterprise-wide and extends
beyond traditional borders to include external providers, suppliers, and other energy partners.
Driving factors are the liberalization of the energy sector, the increasingly decentralized
generation of energy, and the need to control access to data of precious resources. This
specification supports a distributed security environment in which security is also a distributed
service.
The power system sector is continually improving the delivery of energy by leveraging technical
advances in computer-based applications. Utility operators, energy brokers and end-users are
increasingly accessing multiple applications to deliver, transmit and consume energy in a
personalized way. These disparate applications are naturally connected to a common network
infrastructure that typically supports protection equipment, substation automation protocols,
inter-station protocols, remote access and business-to-business services. Consequently,
secure access to these distributed and often loosely coupled application is even more
important than any access to an application running on a stand-alone device.
Secure access to legacy computer-based applications involves authentication of the user to the
application using single-factor identification, such as a password. After authentication, the
application determines the level at which a user can use the application. This level of authority
for a user is typically done, if at all, by each application. Sometimes users associated to groups
or roles using a local database or simply a flat file under the control of the application
administrator.
The use of local mechanisms for authorization creates a patchwork of approaches difficult to
uniformly administer across the breadth of a power system enterprise. Each application
decides on its logic the authorization. If applications can use a network, a database can serve
as trusted source of users group or role affiliation. Thus, the access to shared user base can
be controlled centrally. Each application can then examine the rights listed for a subject and
corresponding role and determine their level of authorization.
Referring to the generic AAA architecture of RFC2903, the PUSH model is used in that the
credential including the role is pushed into the target device for verification. All credentials
have a lifetime and are subject to expiration. This entails the advantage of local verification of
the credentials validity for field devices at remote sites without access to a centralized
repository.
At the net-control level the credentials can be embedded into service-oriented architectures via
XACML/SAML for automated agents including validation of credentials validity at a centralized
repository in retrospect.
Three different credential formats are supported as three different profiles. Two of them are
X.509 credentials and the third is a software token similar to Kerberos. They can be used over
TCP/IP and serial communication links.
This specification defines role-based access control (RBAC) for enterprise-wide use in power
systems. It supports a distributed or service-oriented architecture where security is distributed
service and applications are consumers of distributed services.
62351-8/CD IEC(E)
57/1001/CD
The scope of this technical specification is the access control of users and automated agents,
in the following called subjects, to data objects in power systems by means of role-based
access control (RBAC). RBAC is not a new concept; in fact, it is used by many operating
systems to control access to system resources. RBAC is an alternative to the all-or-nothing
super-user model. RBAC is in keeping with the security principle of least privilege, which states
that no user should be given more rights than necessary for performing that persons job.
RBAC enables an organization to separate super-user capabilities and package them into
special user accounts termed roles for assignment to specific individuals according to their job
needs. This enables a variety of security policies, networking, firewall, back-ups, and system
operation. A site that prefers a single strong administrator but wants to let more sophisticated
users fix portions of their own system can set up an advanced-user role. RBAC is not confined
to users though, it applies equally well to automated computer agents, i.e., software parts
operating independent of user interactions. As in many aspects of security, RBAC is not just a
technology; it is a way of running a business. RBAC provides a means of reallocating system
controls, but it is the organization that decides the implementation.
1.2
Scope
Figure 1 provides a survey of an infrastructure for implementing RBAC with respect to the
generic AAA framework (figure 2) applied to the substation automation environment. First, the
management of a power corporation, as an example, decides to implement a set of security
policies, e.g., based on NERC [3]. It also assigns permissions for local execution to specific
substations (thereby realizing network segregation).
62351-8/CD IEC(E)
5771001/CD
must be met by that specific substation. The role-right mapping is used for configuring the
devices of the substation. The substation management also assigns users to the roles and
issues the credentials with the roles to the users. The role-right mapping is stored in the deivce
as configuration file (termed PIP in figure 1). The user-role mapping stored in the repository
called PDP.
The scope of this specification is the lower part of figure 1, i.e., everything that is needed for
interoperability between systems from different vendors. The purpose of this specification is
therefore:
Secondly, to promote role-based access solutions for the entire pyramid in power system
management; and
To achieve these goals, this part of IEC 62351 specifies the following items:
Mandatory security roles and rights for administration, audit, and maintenance;
1.3
Figure 2 depicts the generic AAA framework [25]. The subject connects to a policy enforcement
point (PEP). The PEP constructs the request based on the users attributes and information
specified in the policy information point (PIP). The users attributes will include the role. The
policy decision point (PDP) receives the constructed request, compares it with the applicable
policy through the policy access point (PAP) and returns the replies to the PEP.
62351-8/CD IEC(E)
57/1001/CD
The PEP is usually part of a device (object) and may have no connection to the PDP which is
often the case in substation automation where the device is a bay unit. Thus, the interface
depicted in figure 2 by dashed lines may not always exist. This is also the reason why this
specification is based on the PUSH model (see later), i.e. the crendetials are presented by the
subject to the device.
1.4
Justification
The IEC 62351 specifies end-to-end security in power systems such that secure connections
are established between applications. RBAC is recognized as a potentially efficient and safe
means to control access to data objects based policies.
Existing standards (see [4], [10], and [14]) in process control industry and access control ([25] [27]) are not sufficient as neither they specify the exact role name and associated rights nor the
format of the credentials nor the detailed mechanism by which credentials are transferred to
the target system all these information are needed though for interoperability. To overcome
this drawback, this specification defines the five items listed in the previous section.
1.5
Out of Scope
Engineering of roles;
62351-8/CD IEC(E)
10
5771001/CD
Normative references
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
[15]
[16]
[17]
[18]
[19]
[20]
[21]
[22]
[23]
[24]
[25]
[26]
[27]
62351-8/CD IEC(E)
11
57/1001/CD
In addition to the definitions in [1], the following terms are defined for this document.
Area of
Responsibility
Automated Agent
Credential
Object
Operation
Permission
Privilege
Privilege
management
infrastructure
(PMI)
Right
Role
Service
Session
Static separation
of duty (SSD)
Dynamic
separation of duty
(DSD)
62351-8/CD IEC(E)
12
5771001/CD
Token
User
62351-8/CD IEC(E)
13
57/1001/CD
Abbreviated terms
AA
Attribute Authority
AAA
ACL
ACRL
ACSI
AoR
Area of Responsibility
CRL
EAP
HMAC
IED
ID
Identity
IS
International Standard
ISA
LDAP
LD
Logical Device
LN
Logical Node
OCSP
PAP
PDP
PEP
PIP
PKI
PMI
R2R
Role-to-Right
62351-8/CD IEC(E)
14
RBAC
S2R
Subject-to-Role
SCL
SOA
Source of Authority
5771001/CD
62351-8/CD IEC(E)
15
57/1001/CD
The purpose of an access control mechanism is to protect system resources, formally called
objects. For a system that implements RBAC, system resources can represent information
containers (e.g., files, directories in an operating system and/or columns rows, tables, and
views within a database management system) or objects that represent exhaustible device
resources, such as printers, disk space, and CPU cycles.
Role-based access control (RBAC) is a technology that has the potential to reduce the
complexity and cost of security administration in networks with large numbers of intelligent
devices. Under RBAC, security administration is simplified through the use of roles and
constraints to organize subject access levels. RBAC reduces costs within an organization
primarily because it accepts that employees change roles and responsibilities more frequently
than the rights within roles and responsibilities.
5.1
RBAC is part of a general AAA infrastructure required for access control to data.
The subject must provide information (e.g. software token) along with a request to the verifier
(push) or the verifier can get the required information from a trusted source (pull) directly or via
an agent (agent).
5.1.1
In general, the subject has rights assigned by the enterprise domain authorities pushed or
pulled to the verifying entity (at run-time or through provisioning). In deciding whether to employ
a push or pull model, several factors should be considered:
PUSH:
PULL:
Because of the fact that protection equipment in a substation automation environment can be
located at remote places without permanent connection to a centralized repository, this
specification is based on the PUSH model. This entails that the credential pushed into the
device is issued by a central instance outside the device and subject to lifetime expiration.
62351-8/CD IEC(E)
5.2
16
5771001/CD
A model for RBAC including separation of duty (static as well as dynamic) is given in figure 3.
Figure 3 Diagram of a RBAC with static and dynamic seraration of duty according to [4]
The arrows in figure 3 indicate relationships (e.g., a subject can be assigned to one or more
roles, and a role can be assigned to one or more subjects). This arrangement provides great
flexibility and granularity in assigning rights to roles and subjects to roles. Without these
conveniences there is a danger that a subject may be granted more access to resources than
is needed because of limited control over the type of access that can be associated with
subjects and resources. Any increase in the flexibility of controlling access to resources also
strengthens the application of the principle of least right.
Each session is a mapping of one subject to possibly many roles, i.e., a subject establishes a
session during which the subject activates some subset of roles that it is assigned to. Each
session is associated with a single subject and each subject is associated with one or more
sessions.
The main components of RBAC are thus: subject, role, right for operations and objects, and
session.
There are two mappings between these components that need be configured by the
administrator:
Figure 4 gives a survey of subjects, roles, rights, and operations in the scope of the IEC 61850
standard.
62351-8/CD IEC(E)
17
57/1001/CD
Subject assignment
The subject assignment or subject-role mapping is stored outside the system in a repository,
e.g. LDAP as shown in figure 1. The repository may be accessed by the system to verify the
validity of the credential submitted by the subject to the system.
One or more subjects can be assigned to one or more roles.
The time period during which a particular subject-role mapping is valid should be kept flexible.
For security reasons it should be quite short.
5.2.2
Right assignment
The right assignment or role-right mapping is stored inside the system. It represents the
configuration of the device and depends on the data model in use.
This mapping is also determined by security/safety regulations and is thus the main focus of
this specification. Pre-defined roles and pre-defined rights are used to implement such policies.
62351-8/CD IEC(E)
18
5771001/CD
Operation assignment
The mapping between operations and rights is given by the data model in use. Please refer to
Section 6.3.
5.3
Figure 5 shows the lower part of figure 1 when a subject wants to access from system A an
object (e.g.: an application) on system B.
We assume that the devices are properly configured, i.e. the role-right assignment has been
loaded into system B and user-role assignment with corresponding version is stored in the
repository.
The small letters define the access control mechanism (the PUSH model with respect to the
AAA framework), i.e.:
a. First, the subject authenticates itself from system A towards a repository for retrieval of his
credentials and roles;
Note: This step may be optional if the user is already in possession of his credentials.
b. The repository provides the subject with his credentials and roles;
Note: This step may be optional if the user is already in possession of his credentials.
c. The subject submits its credential and its role from system A to the system B; this can be
done online or offline; the mapping is a one-to-many, i.e. the credential is valid for all
system B; restriction are optional;
d. System B verifies the credentials and gives the subject authorized access to the object
according to the right(s) associated with the role inside the credential;
Optionally, system B may verify whether the credential has not been revoked by accessing
the repository; thereby the repository serves as a policy decision point (PDP);
The configuration of the role-right assignment is a prerequisite to enforce RBAC and must
be undertaken in the scope of an engineering process.
e. Acknowledgement of system B to system A.
The process outlined from item a. to item e. is similar to Kerberos with PKI [19]. The repository
takes the function of a ticketing server. It issues a credential with limited lifetime for system A
to authenticate towards system B.
62351-8/CD IEC(E)
19
57/1001/CD
5.4
This specification bases on the first variant and uses a public-key certificate, an attribute
certificate, an XACML attribute, or a software token as container for the credential.
5.5
5.5.1
A minimal set of roles is defined by policies and standards (such as this one). These roles are
mandatory and are called pre-defined roles.
Vendors of substation protection equipment, as an example, may deploy their equipment with a
set of additional roles. These roles are called default roles and may serve vendors specific
configuration procedures and/or vendor specific handling of the equipment.
Finally, roles may be defined by the power corporation and/or the substation management to
meet their specific needs (e.g. local implementation requirements). These roles are termed
specific roles.
62351-8/CD IEC(E)
5.5.2
20
5771001/CD
O( s ri ),
Eq. 1
O( s ro ) + O( ro ri )
Eq. 2
where ro is the number of roles. Eq. 2 can be smaller than Eq. 1. In fact, this is always the
case if the number of roles is smaller than the half of the minimum of the number of subjects
and rights. Thus, the concept of roles is recognized as a possibly efficient means to control
access rights.
5.5.3
Separation of duty does not increase complexity, for SoD can equally well be realized with an
additional role or an additional subject.
62351-8/CD IEC(E)
21
6.1
Credentials
Profiles
6.1.2
Time-period during which the credential and thus the role is valid;
6.1.3
Area of responsibility;
6.1.4
57/1001/CD
62351-8/CD IEC(E)
Hash algorithms;
Key length;
Hash value.
6.1.5
22
5771001/CD
Resolution of timestamp
Size of credentials
Number of issuers
6.2
Role-right assignment
6.3
6.3.1
The access control for IEC 61850 data objects is to implement by the virtual access view.
Operations are called in IEC 61850 Services.
A client must be identified by the authentication parameters passed to the server.
62351-8/CD IEC(E)
23
57/1001/CD
A session must then be established along with the role of the subject and assigned to the
subject at the client side.
A subject shall then access an IEC 61850 Object simply if the required access right appears in
the access control matrix; see server class and application association model in IEC 61850-72.
There are two areas in which access control shall be applied:
6.3.1.1
6.3.1.1.1
Role
Role configured in the device (see and others)
DENY
ALLOW
Right
Comments
Associate
Release
Abort
6.3.1.1.2.2 DENY Right
ACSI Service Name
Comments
Abort
6.3.1.2
For each Logical Device, in a Server, this clause specifies the types of rights that may be
configured for a particular subject/role.
62351-8/CD IEC(E)
6.3.1.2.1
24
5771001/CD
The list of the predefined Right for a particular role shall be represented by the following
PACKED LIST:
Predefined Rights
AttributeName
AttributeType
Comments
m/o
View
BOOLEAN
Read
BOOLEAN
DataSet
BOOLEAN
Reporting
BOOLEAN
File
BOOLEAN
Control
BOOLEAN
Config
BOOLEAN
Setting Group
BOOLEAN
Management
BOOLEAN
Security
BOOLEAN
VIEW right: Allows the user/role to discover what objects are present within a Logical
Device. If this right is not granted to a user/role, the Logical Device for which the View
privilege has not been granted shall not appear.
READ right: Allows the user/role to obtain the values of objects that are present within a
logical device.
DATASET right: Allows the user/role to have full management rights for both permanent
and non-permanent DataSets.
FILE right: Allows the user/role to have restricted rights for File Services.
CONFIG right: Allows a user to remotely configure certain aspects of the server.
MNGT right: Allows the role to transfer substation configuration language files and other
files, as well as delete existing files.
62351-8/CD IEC(E)
25
57/1001/CD
6.3.1.2.2
AttributeName
AttributeType
SecurityAdmin
UNICODE STRING64
Security-Audit
UNICODE STRING64
RBACMaintenance
UNICODE STRING64
6.3.1.2.3
Comments
m/o
RBACMaintenance
6.3.1.2.4
SECURITY
MNGT
Security-Audit
SETTINGGROUP
CONFIG
CONTROL
DATASET
FILE
READ
SecurityAdmin
Role
REPORTING
VIEW
Right
x
x
62351-8/CD IEC(E)
26
5771001/CD
If the View right is granted to a subject/role, then the subject/role shall have access to objects
in the Logical Device, through the following ACSI services:
ACSI Service
Comment
GetLogicalNodeDirectory
GetDataDirectory
GetDataDefinition
GetDataSetDirectory
UNICODE STRING64
ST
Right
AccessRight
ST
6.3.1.3
Logging
Upon a successful authentication and association, the server shall log the subject and allowed
roles, to a Log named Security-Audit. The implementation of this log is defined in the specific
communication service mapping (SCSM) of IEC 61850 (It is called Service Tracking, and
applies to all services).
6.3.1.4
Executive shall be assigned a passive role without access to the reporting / logging data.
Remark: Executives must obey the security policy enforced by the security officer.
62351-8/CD IEC(E)
6.3.1.5
27
57/1001/CD
Configuration of devices
The configuration shall be performed in out-of-band manner (e.g., manually) via SCL.
The configuration of the right-assignment must have a versioning number.
6.3.2
AMI
DA
Markets
6.4
62351-8/CD IEC(E)
28
5771001/CD
7.1
::=
[0]
[1]
[2]
[3]
SIGNED{SEQUENCE{
Version DEFAULT v 1
CertificateSerialNumber
AlgorithmIdentifier
Name
Validity
Name
SubjectPublicKeyInfo
IMPLICIT UnqiueIdentifier OPTIONAL
IMPLICIT UnqiueIdentifier OPTIONAL
Extensions}}
To become an ID certificate, the subject must contain the name of the Subject.
The extensions defined for X.509 v3 certificates provide methods for associating additional
attributes with users/devices (e.g. nationality of the user) or public keys and for managing a
certification hierarchy. The X.509 v3 certificate format also allows communities to define
private extensions to carry information unique to those communities.
subjectDirectoryattributes
::=
Attribute
::=
SEQUENCE {
type
AttributeType,
value
SET OF AttributeValue
-- at least one value is required --}
AttributeType
AttributeValue
::= ANY
7.1.1
attributeType1:
Role
value1:
See (6.3.1.2.2)
attributeType2:
AoR
value2:
X.509 ID certificates with extensions are suitable in environments when one or more of the
following are true:
Lifetime of the right(s) encapsulated by a role is aligned with that of the public-key included
in the certificate;
The same physical entity is acting both as certificate authority and as attribute authority;
Delegation is permitted, but for any one delegation, all rights in the certificate have the
same delegation parameters and all extensions relevant to delegation apply equally to all
rights in the certificate.
62351-8/CD IEC(E)
7.2
29
57/1001/CD
Meaning
Version
Holder
Issuer
Signature
SerialNumber
attCertValidityPeriod
Period of validity
notBeforeTime
notAfterTime
Attributes
Certified attributes
issuerUniqueID
extensions
Extensions
Roles provide a means to directly assign rights to subjects. Subjects are issued role
assignment certificates that assign one or more roles to them through the role attribute
contained in the certificate.
role ATTRIBUTE
::={
WITH SYNTAC
ID
RoleSyntax ::= SEQUENCE{
roleAuthority
roleName
RoleSyntax
id-at-role}
[0]
[1]
GeneralNames
GeneralName}
OPTIONAL,
The roleAuthority identifies the recognized authority that issued the role certificate.
The roleName component identifies the role to which the user is assigned to.
7.2.1
X.509 attribute certificates are suitable in environments when on or more of the following are
true:
Lifetime of the right is differs from that of the users public-key certificate validity;
62351-8/CD IEC(E)
30
5771001/CD
The right is valid only during certain intervals of time which are asynchronous with that
users public-key validity or with validity of other rights;
A different entity is responsible for assigning a particular right to a subject than for issuing
public-key certificates to the same subject;
There are a number of rights assigned to the subject from a variety of issuing authorities.
The attribute certificate may form an own certificate hierarchy and be completely independent
of the ID certificates.
Attribute certificates can also form a sub-tree in a PKI in that the certificate of the SOA is
signed by the root of the PKI.
For further information please refer to [8].
7.2.2
Concept
PKI
PMI
Name of certificate
ID certificate
Attribute certificate
Certified contents
Certified holder
Subject
Subject
Revocation
CRLs
ACRLs
Anchor of trust
Root-CA
Source of Authority
7.3
Software Token
::=
UNSIGNED{
HASHED{
SEQUENCE{
Version of Credential;
Name of the Subject;
Role assigned to the Subject;
Issuer of the credential;
Time-stamp of the issuing moment;
62351-8/CD IEC(E)
31
57/1001/CD
Hash function
7.4
The distribution of the credentials to the Subject is an administrative task and is handled on an
on-demand basis.
Profile A (see 6.1.1): Distribution of credentials must be done in a secure way, i.e., an out-ofband manner.
Profile B (see 6.1.1): Distribution of credentials must not be done in a secure way, as the
attribute certificate is bonded to the ID certificate.
Profile C (see 6.1.1): Distribution of the credentials to the calling subject is done on an ondemand basis.
7.5
Area of responsibility: Area within which the credential is valid, used for network
segregation;
Delegation.
62351-8/CD IEC(E)
32
5771001/CD
8.1
8.1.1
Phase 1 transport layer: TLS v1.1 opens a secure tunnel based on X.509 ID certificates.
Phase 2 application layer: X.509 ID (user) certificates are transmitted, e.g. via MMS as given
in IEC 62351-4.
Note: The role is transmitted over a secure tunnel.
8.1.2
Phase 1 transport layer: TLS v1.1 opens a secure tunnel with X.509 ID certificates.
Phase 2 application layer: X.509 ID (attribute) certificates are transmitted.
8.1.3
Phase 1 transport layer: TLS v1.1 opens a secure tunnel with X.509 ID certificates.
Phase 2 application layer: software tokens are transmitted.
8.2
62351-8/CD IEC(E)
33
57/1001/CD
9.1
Mandatory:
Time-period of credentials;
Comparison of the version for right-assignment in the credential with the version of
configuration in the device;
Optional:
Issuing instance;
Profile version;
Depending on profile:
Integrity of certificate/ticket/token;
9.2
9.2.1
General
Supported Methods
OCSP;
62351-8/CD IEC(E)
34
5771001/CD
10 Interoprability
10.1 Supported credentials
Supported credentials as Credentials are:
X.509 ID certificates;
Profile A.
X.509 ID certificate
with extensions
Profile B:
X.509 Attribute
certificate
Profile C:
Software token
defined in 7.3
as
EAP-TTLS or
TLS with challenge response
and pre-shared keys according
to [18].
TLS according to
IEC 62351-3/4
Challenge response with preshared keys according to [18].
62351-8/CD IEC(E)
35
57/1001/CD
Profile C: Similar to Kerberos [19]. A PKI can be realized underneath the software token
system and is needed to access the central repository in a secure manner (see figure 5).