Daily passwords or other recovery solutions

Hello community

In a customer application, we are looking for secure solutions to create daily service passwords or recovery passwords for end customers. It does not necessarily have to be a password, just any secure solution. The use cases would be:

  • If the end customers lock themselves out (forgot all passwords), they can request a recovery password / key, which is valid for one day. The recovery login will enable admin rights to reset the passwords of their existing users.

  • OEM Service personnel can use daily passwords for service operations

Traditionally, there were fixed passwords for such things, but these passwords spread quickly and the whole security goes down the drain.

In other customer applications I have seen tools developed by customers, which generate such passwords based on some secret customer-specific algorithms. They would usually have a tool on the PC to generate the passwords. Others used simple calculations based on the date, which will also be easy to crack for an attacker, if they have a few working examples.

Myself, I was thinking whether maybe a certificate-based approach would be possible, now that OPC UA supports certificate-based login. So that e.g. we could send a certificate file with one day validity, which the customer could use for login. The generated certificate would be based on an OEM root certificate, which is trusted by the PLC.

Are there any concrete solutions available for B&R systems? How did you / your customer solve such things?

Hi @patrick.tanner, I can see that you have posted this in an internal Teams channel. Please update this thread as well. Thanks.

As @kovarj mentioned, I also asked the same question in a B&R internal Teams channel, and there are two responses so far.

One approach was a customer using custom algorithms to generate daily passwords, based on some HW parameters (e.g. serial numbers, MAC) and the current date. A Windows application generates the same password and can be used for access. So this is the kind of custom solution that I also mentioned in the initial post. I think especially with the upcoming CRA, such solutions need to be properly evaluated and proven to be secure enough for the machine / end user site.

Another answer mentioned that time-based one-time password (TOTP) would be a standard solution for this use case, but TOTP does not currently exist on B&R systems. TOTP basically requires HMAC and a date / time.

For the current customer I will see how we will move forward. Maybe we will do a custom algorithm for now. I will also look into finding an HMAC library which is easily portable to the B&R system, so we could maybe use TOTP. If someone knows such a library, feel free to let me / the community know.

Hi @patrick.tanner,

many years ago I implemented a CRAM-MD5 for SMTP authentication (SmtpSendMail didn’t exist at that point in time).
It’s not exactly what you mentioned, but maybe utilizable? When I’m back in the office I’ll check if the sources are still there and usable in current AS versions.

BG Alex

Hi Patrick,

I was facing issues that our customers made videos of every step we took and they would then easily get our different static passwords.

I then got an unofficial library to create TOTP passwords and generate QR codes for Google Authenticator. I have not looked deeply into how this library works in detail. But I have it now running in AR6.

I have now created a system that generates a password every 30 seconds. In my application the QR codes are valid for the current year or for the next 2 days. The valid time, 1/2/3 days/min, you can create yourself. Then I have made static users on different levels for TOTP and use mappView to log in to the correct user depending on the user level of the entered password.

This solution was good enough for our application to start with. I am hoping for a more official solution some day.
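As an added example for this thread (not code from any of the posts, from B&R, or from the unofficial library Daniel mentions), the following standard-library Python reference implementation shows the scheme Patrick and Daniel describe: HOTP/TOTP per RFC 4226 / RFC 6238, i.e. HMAC-SHA1 over a time counter. The same functions give the 30-second code an authenticator app expects and, with an 86400 s step, the "valid for one day" recovery password from the original question; a drift window with constant-time comparison, the otpauth provisioning URI a QR code would carry, and the one-secret-per-user-level lookup are included. The secret is the RFC test key so the output can be checked against the published vectors (a C port for the PLC can be checked the same way); the account and issuer names are made up.

```python
"""Reference HOTP/TOTP (RFC 4226 / RFC 6238) with a configurable time step.

Added example for this thread; not code from any post, from B&R, or from the
libraries mentioned. Standard library only. The secret below is the RFC test
key, used so the output can be compared with the RFC vectors; real secrets must
be random (>= 20 bytes from os.urandom) and unique per device or user.
"""
import base64
import hashlib
import hmac
import struct
import urllib.parse

RFC_TEST_SECRET = b"12345678901234567890"   # RFC 4226/6238 test key, not a real secret
DAY = 86400                                  # step for a "daily" password


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                  # low nibble of the last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)   # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from the clock: floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` neighbouring steps
    (clock drift between PLC and phone). Every candidate is evaluated and compared
    in constant time, so timing does not reveal which step matched."""
    counter = unix_time // step
    ok = False
    for k in range(-window, window + 1):
        candidate = hotp(secret, counter + k, digits).encode("ascii")
        ok |= hmac.compare_digest(candidate, code.encode("utf-8"))
    return ok


def otpauth_uri(secret: bytes, account: str, issuer: str,
                step: int = 30, digits: int = 6) -> str:
    """Provisioning URI (Key URI format) that authenticator apps read from a QR code."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": b32, "issuer": issuer,
                                    "algorithm": "SHA1", "digits": digits, "period": step})
    return f"otpauth://totp/{label}?{query}"


def identify_user_level(levels: dict, code: str, unix_time: int,
                        step: int = 30, window: int = 1):
    """One secret per user level: return the level whose secret produced `code`,
    or None. This mirrors logging in a static user per level based on the code."""
    for level, secret in levels.items():
        if verify_totp(secret, code, unix_time, step=step, window=window):
            return level
    return None


if __name__ == "__main__":
    now = 59                                  # fixed RFC sample time instead of time.time()
    print("30 s code at t=59:", totp(RFC_TEST_SECRET, now))            # 287082 per RFC 6238
    print("daily recovery code:", totp(RFC_TEST_SECRET, now, step=DAY, digits=8))
    print(otpauth_uri(RFC_TEST_SECRET, "plc-01", "ExampleOEM"))        # names are made up
    levels = {"operator": b"operator-secret-xxxx", "service": RFC_TEST_SECRET}
    print("level:", identify_user_level(levels, "287082", now))       # service
```

The daily recovery password is simply TOTP with a one-day step: both sides still only need the shared secret, HMAC-SHA1 and a clock, and the window argument controls how tolerant the PLC is of clock drift (with an 86400 s step a window of 1 already accepts yesterday's and tomorrow's code, so keep it at 0 there unless drift really demands it).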

Hi Daniel

This sounds very interesting. From where did you get this unofficial TOTP library? Is there any chance that you could share the library in the community?

I think as a community we can always benefit, whenever we can share and open source solutions like this.

Fully agree about sharing knowledge in the community!

I have been thinking about writing about my OTP solution for some time. So good that I saw your question.

I got this library from BRSE, but the library was made by another customer. I have made some small changes because of AS6. I will ask my contact if it is ok to share.

If you decide to share the library, please do so in the Share Info&Ideas category with a proper description. You can then share a link to this wiki article here. Thanks.

@patrick.tanner,

just for curiosity I had a deeper look inside the topic this morning.
I found some C code using HMAC-SHA1 that was very easy to port, so I created a C task as a sample out of it (should also be easy to wrap in a library).

It’s not as complete as the solution mentioned by @bengtssond, and I’m looking forward to that one being shared in the Community, it would be very interesting!
Nevertheless, I published my sample in my Github repo for those who also want to learn more about such algorithms:

BG Alex

@patrick.tanner,

just as a quick update on that topic:
I’m working right now on a bit more comfortable library implementation based on the sample above, including a webservice-based QR code generation to create an easy link to authenticator apps like Google or Microsoft Authenticator (will not look nice, but then it’s independent of mappView).

As I do this as “private pleasure”, it will take some more time (a few weeks I think) until having a first version available.
When I’m finished, I’ll share it for sure with the Community under MIT license.