Siemens Version: 1.2 User Manual

2. Security Services 
 
 
•  Exchange of addresses of the internal networks between security modules
•  Signaling that a packet was rejected because it was not received via an
IPsec tunnel.
Learning is always initiated when a node wants to communicate with another node,
and devices located in the same subnet actively scan by means of ICMP messages.
Information about the nodes found is exchanged in encrypted form over the network.
2.4 Key Management
The security module uses several certificates and keys, as described in the
following:
•  Firmware: To authenticate new firmware for the update process, it is
digitally signed with RSA. The private key is handled by Siemens only; the
public key for signature verification is stored in the flash memory of each
device. Additionally, the firmware to be loaded is symmetrically encrypted
with 3DES. The corresponding key is also stored in the flash memory. All
devices use the same key. If the secret 3DES key is compromised, the device
must be sent to Siemens, where the module is supplied with a new 3DES key.
•  SSL/configuration: For SSL communication for configuration purposes, a
server certificate with a corresponding private key is issued for each
security module. If this key is compromised or the secret key is lost,
the administrator needs to issue a new certificate.
•  VPN: A network certificate is issued for each VPN. The corresponding
private key is stored on the configuration PC. Every security module that
belongs to the VPN holds a certificate which is signed by the secret key of
the network certificate. A security module thus has a certificate with
private key for every VPN it belongs to. Using this certificate, it
authenticates to other security modules when establishing a secure
communication tunnel. If a key is compromised, a new certificate must be
issued with the configuration tool.
•  Configuration: The configuration data on the removable media is encrypted
with AES using a global symmetric key. If this key is compromised, a new
global key needs to be deployed by means of a firmware update.
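
The per-VPN trust model from the VPN item above, as an added example that is not part of the manual or of any Siemens tooling. It assumes the network certificate acts as an X.509 issuer, uses the openssl command line, and works with constructed names (vpn-a, vpn-b, module-1) and throwaway keys; it shows that a module certificate issued for one VPN is not accepted against another VPN's network certificate.

```shell
#!/bin/sh
# Added illustration: constructed names and throwaway keys, not Siemens tooling.
# Assumption: the network certificate is an X.509 issuer for module certificates.

# make_network DIR NAME: create the per-VPN network certificate and its private
# key (the key that, per the manual, is stored on the configuration PC).
make_network() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2 network" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_module DIR NETWORK MODULE: create a module key pair and have the
# network key sign the module's certificate.
issue_module() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$1/$3.csr" \
        -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/$3.pem" 2>/dev/null
}

# module_in_vpn DIR NETWORK MODULE: succeed only if the module certificate
# chains to that VPN's network certificate.
module_in_vpn() {
    openssl verify -CAfile "$1/$2.pem" "$1/$3.pem" >/dev/null 2>&1
}

# Demo: module-1 is issued for vpn-a only, then checked against both VPNs.
demo() {
    d=$(mktemp -d) || return 1
    make_network "$d" vpn-a && make_network "$d" vpn-b || return 1
    issue_module "$d" vpn-a module-1 || return 1
    for net in vpn-a vpn-b; do
        if module_in_vpn "$d" "$net" module-1; then
            echo "module-1 accepted by $net"
        else
            echo "module-1 rejected by $net"
        fi
    done
    rm -rf "$d"
}
demo
```

Because every module certificate in a VPN chains to the one network key, the protection of that key on the configuration PC bounds the trust of the whole VPN.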
 
19-Aug-05 escrypt GmbH