Important CIP Security Terms

Important CIP Security Terms

The very first devices are being released that support EtherNet/IP with CIP Security. With these new technologies come terms that may not be familiar to EtherNet/IP users. The most important of these terms follows:

AuthenticationAuthentication is the process of recognizing a user’s identity by validating the credentials it supplies. In CIP Security, Digital Certificates and Private Shared Keys (PSK) are the two mechanisms used to authenticate a device.
Certificate AuthorityA trusted entity that issues the certificates that can be used to verify an entity’s identity on the EtherNet/IP network.
Cipher SuiteA cipher suite is a set of algorithms that are used to sign or encrypt messages between an EtherNet/IP Scanner and an Adapter. The specific ciphers used on a connection are negotiated during the connection sequence.
DTLSDatagram Transport Layer Security (DTLS) is a version of Transport Layer Security (TLS) adapted for UDP and used to secure I/O messages on a CIP Secure EtherNet/IP network.
Digital CertificateAn electronic “passport” that verifies a device’s identity. Certificates are one of two trust models in CIP Security.
Digital SignatureThe digital equivalent of signature or a stamped seal on a digital entity. It is a mathematical technique to validate the authenticity and integrity of a message or digital content. It ensures the authenticity of the source of the message.
Encryption, AsymmetricA form of encryption that uses paired keys. One key is kept private and one key is public. The public key is used by outside entities to read messages encrypted with the private key. The public key is also used to encrypt messages sent to the entity. Messages encrypted with the public key can only be decrypted with the private key.
Encryption, SymmetricA well-known form of encryption that uses a single key to both encrypt and decrypt messages.
Hash FunctionA function that translates data of arbitrary size to fixed length data. It is designed to be a one-way translation such that it is infeasible to reverse the translation.
Message ConfidentialityAssurance that the messages between two entities cannot be examined by an untrusted, outside entity. Acyclic message confidentiality is achieved in CIP Security via the TLS Algorithms.
Message IntegrityAssurance that the message passed between two trusted entities has not been corrupted or altered.
Public Key InfrastructureA public key infrastructure (PKI) is the entire set of roles, policies and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.
Pre-shared Key EncryptionEncryption using a secret key that was previously shared between two entities.
TLSTLS (Transport Layer Security) is a widely adopted security protocol designed to facilitate privacy and data security for communications over the Internet. TLS secures acyclic messaging on a CIP Secure EtherNet/IP network.
Self-signed Digital CertificateDigital certificates are trusted when they have a signature from a higher-level authority, the Certificate Authority (CA). If no CA is available, a vendor can self-sign the certificate, and that can be used to verify a device’s identity during the installation process.

These terms are important to a complete understanding of the security features that are now part of CIP Security for EtherNet/IP. EtherNet/IP, unlike Modbus TCP and PROFINET IO, is the first technology to support a complete and thorough security standard.

For more information, see RTA’s page on CIP Security for EtherNet/IP.

ATTENTION: We are currently updating our phone system. If you are having any issues getting through to us by phone, please send us an email or hit "Contact Us" below. We apologize for any inconvenience and appreciate your understanding!