BS EN 62351-9:2017

Source: https://pdfstandards.shop/product/publishers/bsi/bs-en-62351-9-2017/ (listed 2024-10-19, last modified 2024-10-25)
This part of IEC 62351 specifies cryptographic key management, namely how to generate, distribute, revoke, and handle public-key certificates and cryptographic keys to protect digital data and its communication. Included in the scope is the handling of asymmetric keys (e.g. private keys and public-key certificates), as well as symmetric keys for groups (GDOI).

This part of IEC 62351 assumes that other standards have already chosen the type of keys and cryptography that will be utilized, since the cryptography algorithms and key materials chosen will typically be mandated by an organization's own local security policies and by the need to be compliant with other international standards. This document therefore specifies only the management techniques for these selected key and cryptography infrastructures. The objective is to define requirements and technologies to achieve interoperability of key management.

The purpose of this part of IEC 62351 is to guarantee interoperability among different vendors by specifying or limiting key management options to be used. This document assumes that the reader understands cryptography and PKI principles.

Full title: Power systems management and associated information exchange. Data and communications security – Cyber security key management for power system equipment

PDF Catalog
PDF Pages | PDF Title
2  | National foreword
7  | CONTENTS
11 | FOREWORD
13 | 1 Scope
13 | 2 Normative references
14 | 3 Terms and definitions
19 | 4 Abbreviations and acronyms
20 | 5 Cryptographic applications for power system implementations
20 | 5.1 Cryptography, cryptographic keys, and security objectives
21 | 5.2 Types of cryptography
21 | 5.3 Uses of cryptography
21 | 5.3.1 Goals of cyber security
22 | 5.3.2 Confidentiality
22 | 5.3.3 Data integrity
23 | 5.3.4 Authentication
23 | 5.3.5 Non-repudiation
23 | 5.3.6 Trust
24 | 6 Key management concepts and methods in power system operations
24 | 6.1 Key management system security policy
24 | 6.2 Key management design principles for power system operations
24 | 6.3 Use of Transport Layer Security (TLS)
24 | 6.4 Cryptographic key usages
25 | 6.5 Trust using a public-key infrastructure (PKI)
25 | 6.5.1 Registration authorities (RA)
25 | 6.5.2 Certification authority (CA)
25 | 6.5.3 Public-key certificates
26 | 6.5.4 Attribute certificates
26 | 6.5.5 Public-key certificate and attribute certificate extensions
26 | Figures
26 | Figure 1 – Relationship between public-key certificates and attribute certificates
27 | 6.6 Trust via non-PKI self-signed certificates
27 | 6.7 Authorization and validation lists
27 | 6.7.1 General
28 | 6.7.2 AVLs in non-constrained environments
28 | 6.7.3 AVLs in constrained environments
28 | 6.7.4 Use of self-signed public-key certificates in AVLs
28 | 6.8 Trust via pre-shared keys
29 | 6.9 Session keys
29 | 6.10 Protocols used in trust establishment
29 | 6.10.1 Certification request
29 | 6.10.2 Trust Anchor Management Protocol (TAMP)
29 | 6.10.3 Simple Certificate Enrolment Protocol (SCEP)
29 | 6.10.4 Internet X.509 PKI Certificate Management Protocol (CMP)
30 | 6.10.5 Certificate Management over CMS (CMC)
30 | 6.10.6 Enrolment over Secure Transport (EST)
30 | 6.10.7 Summary view on the different protocols
31 | 6.11 Group keys
31 | 6.11.1 Purpose of group keys
31 | 6.11.2 Group Domain of Interpretation (GDOI)
31 | Figure 2 – Group key management distribution
32 | Figure 3 – GDOI IKE Phase 1 – Authentication and securing communication channel
33 | Figure 4 – GDOI Pull Phase 2
35 | Figure 5 – Key renewal triggered by the entities
36 | 6.12 Key management lifecycle
36 | 6.12.1 Key management in the life cycle of an entity
36 | Figure 6 – Key management in product life cycle
37 | 6.12.2 Cryptographic key lifecycle
37 | Figure 7 – Simplified certificate life cycle
38 | Figure 8 – Cryptographic key life cycle
39 | 6.13 Certificate management processes
39 | 6.13.1 Certificate management process
39 | 6.13.2 Initial certificate creation
39 | 6.13.3 Enrolment of an entity
40 | Figure 9 – Example of the SCEP entity enrolment and CSR process
41 | 6.13.4 Certificate signing request (CSR) process
41 | Figure 10 – Example of the EST entity enrolment and CSR process
42 | 6.13.5 Certificate revocation lists (CRLs)
42 | Figure 11 – CSR processing
43 | 6.13.6 Online certificate status protocol (OCSP)
43 | Figure 12 – Certificate revocation list
44 | Figure 13 – Overview of the online certificate status protocol (OCSP)
45 | Figure 14 – Diagram using a combination of CRL and OCSP processes
46 | 6.13.7 Server-based certificate validation protocol (SCVP)
46 | 6.13.8 Short-lived certificates
46 | Figure 15 – Call Flows for the Online Certificate Status Protocol (OCSP)
46 | Figure 16 – Overview Server-Based Certificate Validation Protocol using OCSP Backend
47 | 6.13.9 Certificate renewal
47 | Figure 17 – SCEP certificate renewal
48 | 6.14 Alternative process for asymmetric keys generated outside the entity
48 | Figure 18 – EST certificate renewal/rekeying
49 | 6.15 Key distribution for symmetric keys with different time frames
49 | 7 General key management requirements
49 | 7.1 Asymmetric and symmetric key management requirements
49 | 7.2 Required cryptographic materials
49 | Figure 19 – Central certificate generation
50 | 7.3 Public-Key certificates requirements
50 | 7.4 Cryptographic key protection
50 | 7.5 Use of existing security key management infrastructure
50 | 7.6 Use of object identifiers
50 | 8 Asymmetric key management
50 | 8.1 Certificate generation and installation
50 | 8.1.1 Private and public key generation and installation
51 | 8.1.2 Private and public key renewal
51 | 8.1.3 Random Number Generation
51 | 8.1.4 Certificate policy
51 | 8.1.5 Entity registration for identity establishment
52 | 8.1.6 Entity configuration
52 | 8.1.7 Entity enrolment
53 | 8.1.8 Trust anchor information update
54 | 8.2 Public-key certificate revocation
54 | 8.3 Certificate validity
54 | 8.3.1 Validity of certificates
55 | 8.3.2 Certificate revocation
55 | 8.3.3 Certificate revocation status checking
55 | 8.3.4 Handling of authorization and validation lists (AVLs)
60 | 8.4 Certificate expiration and renewal
60 | 8.5 Secured Time Synchronization
61 | 9 Symmetric key management
61 | 9.1 Group based key management (GDOI)
61 | 9.1.1 GDOI requirements
61 | 9.1.2 Internet Key Exchange Version 1 (IKEv1)
61 | Tables
61 | Table 1 – KDC IKEv1 Requirements
62 | 9.1.3 Phase 1 IKEv1 main mode exchange type 2
62 | Figure 20 – IKEv1 (RFC 2409) main mode exchange with RSA digital signatures
63 | Figure 21 – IKEv1 main mode exchange and security association messages
64 | Figure 22 – IKEv1 main mode exchange: key exchange messages
64 | Figure 23 – IKEv1 Main Mode Exchange: ID authentication messages
65 | 9.1.4 Phase 1/2 ISAKMP informational exchange type 5
65 | Figure 24 – IKEv1 HASH_I calculation
66 | Figure 25 – Phase 1 Informational Exchange
67 | 9.1.5 Phase 2 GDOI GROUPKEY-PULL exchange type 32
67 | Figure 26 – GDOI GROUPKEY-PULL as defined in RFC 6407
68 | Figure 27 – GROUPKEY-PULL hash computations
69 | Figure 28 – GROUPKEY-PULL initial SA request exchange
69 | Figure 29 – RFC 6407 Identification Payload
70 | Figure 30 – ID_OID Identification Data
70 | Table 2 – IEC 61850 Object IDs: Mandatory (m) and Optional (o)
71 | Figure 31 – 61850_UDP_ADDR_GOOSE/SV ASN.1 BNF
71 | Figure 32 – IPADDRESS ASN.1 BNF
72 | Figure 33 – Example IecUdpAddrPayload ASN.1 Data with DER Encoding
72 | Figure 34 – 61850_UDP_TUNNEL Payload ASN.1 BNF
72 | Figure 35 – 61850_ETHERNET_GOOSE/SV Payload ASN.1 BNF
73 | Figure 36 – RFC 6407 SA TEK Payload
74 | Figure 37 – IEC-61850 SA TEK Payload
75 | 9.1.6 GROUPKEY-PULL group key download exchange
75 | Figure 38 – GROUPKEY-PULL Key Download Exchange
76 | 10 Connections to the IEC 62351 parts and other IEC documents
76 | Figure 39 – IEC 62351 Part 9 relationship to other IEC 62351 parts
78 | Annex A (normative) Protocol Implementation Conformance Statement (PICS)
79 | Annex B (informative) Random Number Generation (RNG)
79 | B.1 Random number generation types
79 | B.2 Deterministic random bit generators
80 | B.3 Non-deterministic random number generation
80 | B.4 Entropy sources
81 | Annex C (informative) Certificate enrolment and renewal flowcharts
81 | C.1 Certificate enrolment
81 | C.2 Certificate renewal
81 | Figure C.1 – Certificate enrolment
82 | Figure C.2 – Certificate renewal state machine
83 | Annex D (informative) Examples of certificate profiles
84 | Table D.1 – Examples of operator public-key certificates
85 | Table D.2 – Examples of OEM certificates
86 | Table D.3 – Example of OCSP certificate
87 | Bibliography
Published By | Publication Date | Number of Pages
BSI | 2017 | 94