Industrial Automation Tech Note 05 - TNIA05
This document describes how to configure log files to include signatures, and how to verify that the data within the log was not altered.
CR3000 Human Machine Interface (HMI), Data Station Plus (DSP) (excludes LE model), G3 HMI,
Graphite Controller, Graphite HMI, Modular Controller (excludes LE and V2 models) and
Verifying that data logs files were not altered.
Crimson 3.0 and Crimson 3.1
Digital Signature of Log Files
This document describes the method used by Red Lion Controls operator panels to apply digital signatures to log files so as to ensure and verify their integrity. The method is published to allow third parties to satisfy themselves as to the security of the algorithm, and to write their own verification software should they wish to have independent confirmation of the integrity of a given file. The source code of Red Lion’s command-line verifier is similarly available for inspection, and for use as the basis of other verification tools.
Log File Structure
Each log file comprises a header line and a number of data lines. Each line in the file is terminated with a CR-LF sequence. The header line comprises comma-separated labels for the data fields in the file. Each data line comprises time and date information, followed by comma-separated data fields appropriate to the log file in question. The data fields are followed by a comma, and then a signature block, which starts with a two-digit hexadecimal type code. The type code is followed by a dash, and then an eight-digit hexadecimal sequence number. The sequence number increases monotonically. It is based on a non-resetable counter stored within the non-volatile memory of the G3. A given sequence number will never be used more than once, making it impossible for a G3 to produce the same output line twice, even if the real-time clock is wound-back. The sequence number is followed by a dash, and then a further six-digit hexadecimal number equal to the least significant portion of the operator panel’s Ethernet MAC identifier. This field allows a file to be traced to a given device, as the identifiers are allocated during manufacture so that each unit has a unique assignment. If the type code is 00, no further data is included. If the type code is 01, the MAC identifier is followed by another dash, and a 256-digit hexadecimal number containing a digital signature. The last line of a valid log file will always be a type-01 signature block. A type-01 block will occur at least every 32768 bytes in the data. Type-01 signature blocks may occur on consecutive lines.
The 256-digit hexadecimal number is an RSA digital signature based upon the MD5 hash of certain bytes in the file. For the first type-01 block in a given file, the byte stream begins with the first byte of the file i.e. the first character of the header line. For subsequent type-01 blocks, the stream starts with the ‘0’ at the start of the prior type-01 block. The stream comprises all characters from this first character to the last character of the line to which the signature block is to be appended. This last line excludes any CR-LF sequence, as this has yet to be output, and similarly excludes the signature block itself or the separating comma. Any prior lines include their CR-LF sequences. The MD5 hash of this stream is then taken, and the 1024-bit RSA digital signature is then computed using a key pair with the following public key…
-----BEGIN PUBLIC KEY BLOCK----
-----END PUBLIC KEY BLOCK-----
The resulting signature is output in Little Endian order as a 256-digit hexadecimal number.
The algorithm described above can detect the following kinds of tampering or misrepresentation:
• A representation that the file came from a different G3 than the unit that actually produced it
• Attempts to recreate data within a sequence of files by re-winding the clock of an operator panel
• Changes to the data fields contained within the file or the header line thereto
• Re-ordering of lines (or blocks or lines) within the file
• Deletion of lines from the start or the middle of the file.
The algorithm cannot detect the deletion of lines at the end of a file if such deletion occurs, it will leave a valid type-01 signature block on its last line. This ability is not considered vital, as the absence of such data at the end of a file cannot, in any case, be taken as probative of any condition.
Enabling the Signatures
1. Referring to figure 1, click on the log to validate.
2. Set Apply Signatures to Yes
3. Save and Download the file.
4. The resulting file will look something like what is shown in figure 2.
Validating File Data
1. Run wincheck.exe from the Crimson 3.0 folder.
2. Select Open and choose the file to validate.
3. Click the Open button to view the results.
a. Figure 3 shows a valid file, notice the green smiley faces.
b. Figure 4 shows an invalid file, notice the red frowny faces and text.
NOTE: The signatures are shown once the data is unable to be validated. In this case the sample from 15:54:46 was removed, so the data from the previous save (15:54:00) onward cannot be validated.
It is the customer's responsibility to review the advice provided herein and its applicability to the system. Red Lion makes no representation about specific knowledge of the customer's system or the specific performance of the system. Red Lion is not responsible for any damage to equipment or connected systems. The use of this document is at your own risk. Red Lion standard product warranty applies.
Red Lion Technical Support
If you have any questions or trouble contact Red Lion Technical Support by clicking here or calling 1-877-432-9908.
For more information: http://www.redlion.net/support/policies-statements/warranty-statement