High Level Security (Hls) Authentication; Password And Key Handling; Addressing Of Logical Devices - Elvaco CMe3100 DLMS Plugin User Manual

CMe3100 DLMS Plugin User's Manual
7.3.3 High Level Security (HLS) authentication

When running HLS authentication, both the client and the server have to successfully authenticate
themselves to establish a connection (in DLMS known as an Application Association, or AA). It is a four-pass
process, and there are several HLS authentication mechanisms available, e.g. GMAC. HLS requires a block
cipher key to encrypt and decrypt messages sent between client and server.
For additional security, an authentication key, denoted AK, is also specified. DLMS/COSEM supports
key exchange, a process for securely changing encryption keys. During such
an exchange, the Key Encrypting Key (KEK) is used to wrap the keys before they are sent. The KEK is also
known as the DLMS Master Key.
See Table 1 for more information about the keys and their usage.
Key
Master Key / Key Encryption Key (KEK)
Authentication key
Block cipher key
Table 1 Encryption keys description

7.3.4 Password and key handling

The password described in section 7.3.3 is by default set to 12345678. If this password is used for
authentication, it is highly recommended to change it after installing the DLMS plugin.
All keys described in section 7.3.3 will be automatically generated the first time the DLMS plugin
starts.
The keys can be updated in two ways. One way is to change them on the DLMS
settings page, as described in section 5.2.6.
The other way is to have them updated by the HES, as described in section 7.3.
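
A pre-deployment check of the rules stated in sections 7.3.3 and 7.3.4, as an added example that is not Elvaco's code. The field names `password`, `kek`, `ak` and `ek`, the sample values, and the key-reuse and distinct-character checks are assumptions that go beyond what the manual states.

```python
DEFAULT_PASSWORD = "12345678"    # default stated in section 7.3.4
MIN_KEY_CHARS = 16               # minimum stated in Table 1
MIN_DISTINCT = 8                 # assumption: heuristic for trivially guessable keys
KEY_ROLES = ("kek", "ak", "ek")  # hypothetical field names for Table 1's three keys


def audit_credentials(settings):
    """Return findings for a settings dict; key values are never echoed."""
    findings = []
    if settings.get("password") == DEFAULT_PASSWORD:
        findings.append("password: still the default value")
    seen = {}  # key value -> first role that used it
    for role in KEY_ROLES:
        key = settings.get(role)
        if not key:
            findings.append(f"{role}: missing")
            continue
        if len(key) < MIN_KEY_CHARS:
            findings.append(f"{role}: {len(key)} characters, minimum is {MIN_KEY_CHARS}")
        if len(set(key)) < MIN_DISTINCT:
            findings.append(f"{role}: only {len(set(key))} distinct characters")
        if key in seen:
            # Assumption: KEK, AK and EK should not share one value.
            findings.append(f"{role}: same value as {seen[key]}")
        else:
            seen[key] = role
    return findings


# Constructed sample settings, not taken from any real device.
SAMPLE_WEAK = {
    "password": "12345678",
    "kek": "0000000000000000",
    "ak": "shortkey",
    "ek": "0000000000000000",
}
SAMPLE_OK = {
    "password": "n7#Qv2!xLp",
    "kek": "kEk-4f9a1c7e2b8d0356",
    "ak": "aK-93be0d4c6a17f528",
    "ek": "eK-1c8f5a2e7d0b4963",
}

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("ok", SAMPLE_OK)):
        print(name, audit_credentials(cfg) or "no findings")
```
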
7.4 Addressing of logical devices

The logical devices can be addressed using the logical device address or a manufacturer-
implemented channel selection mechanism. The channel and the logical device address are
mapped one to one (same numeric value).
The manufacturer-specific channel selection mechanism is implemented to reduce the
handshaking overhead and to enable the HES to access all logical devices in one single
association.
Table 1, key descriptions:

| Key | Description |
|---|---|
| Master Key / Key Encryption Key (KEK) | A key encrypting key (KEK) is used to encrypt/decrypt other symmetric keys. In DLMS/COSEM this is the master key. KEK is used by DLMS client and server when exchanging keys. The key must be at least 16 characters long. |
| Authentication key | In DLMS, for additional security, an authentication key denoted AK is also specified. When present, it shall be part of the Additional Authenticated Data, AAD. The key must be at least 16 characters long. |
| Block cipher key | The block cipher key, also known as Encryption Key (EK), is used in the AES-GCM algorithm. The key must be at least 16 characters long. |
2022-02-23
Version 1.8
