Agent Authentication
Securing the authenticity of the communication partners is essential to avoid attacks and eavesdropping. As a system administrator in charge of the security at your company, you can choose between three Agent authentication methods and thus define the level of security you want to apply. The authentication methods determine how to exchange the keys involved in Agent authentication (Authentication Key, Transfer Key, Session Key).
This topic describes the elements involved in Agent authentication and the available authentication methods. It also describes what happens if an Agent is compromised.
Authentication, Transfer and Session Keys
During the authentication process, the following keys play an important role:
- Authentication Key
  This is the private key of the Automation Engine system. The key applies to the entire system and is defined once during the installation.
  - This key is used to encrypt the Transfer Keys in the KeyStores.
  - You can use the DB Load utility to load this key.
  - In case of Authentication Method NO, this key is derived from the system name. Otherwise, the system administrator must specify it (see below).
  Important! Do not change or delete the Authentication Key. If you do, all other keys become invalid.
- Transfer Key
  This key is shared by two communication partners within an Automation Engine system. The key is generated either before or during the first connection between the Automation Engine and an Agent. The key is valid for just one connection, and is used to authenticate the communication partners and to generate the Session Key.
- Session Key
  This key is valid for just one connection, and is used for encrypting the data during transfer.
Three authentication methods are available; they define how the keys are initially distributed. Each method offers advantages and disadvantages, depending on the required security level.
NO
Agents that start for the first time can log on to the Automation Engine system immediately. The Authentication Key is derived automatically from the system name.
A Transfer Key is generated automatically per Agent when the agent is started for the first time.
Afterward, Agents can only log in to the Automation Engine system with the Authentication Key (which is common for all) and with the Transfer Key (which is specific per Agent).
Advantages:
- Standard authentication method
- No additional setup needed
Disadvantages:
- Least secure method
LOCAL (Server)
The system administrator defines the Authentication Key manually during the Automation Engine installation.
The Authentication Key can be exported to a file that must be used during Agent installation. On first start, the Agent loads it to its KeyStore file.
Agents log on to the Automation Engine system using the Authentication Key when they start for the first time. You must manually authenticate the Agents in the Administration perspective of Client 0000 before the Agents can be used.
Advantages:
- Semi-automatic setup of new Agents.
- Ensured authenticity of the Automation Engine on Agent side.
- Manual authentication of the Agents by the administrator.
Disadvantages:
- Manual distribution of the Authentication Key.
- Transfer Key transferred over the wire.
LOCAL_REMOTE (Server and Agent)
This is the most secure authentication method.
An Agent object must be created in system Client 0000 for each Agent that will communicate with the Automation Engine.
The Installation Package contains the system's Authentication Key and the Transfer Key of the particular Agent. The Agent is ready to use as soon as this is done. On first start, the Agent loads the keys from the Package and stores them in its KeyStore file.
Advantages:
- Quick and easy setup
- Automatic distribution of the key over a secure key exchange protocol
- No manual steps involved
- Automatic registration of the Agents
Disadvantages:
- Key transferred over the wire
- No authentication of the communication partners
Note: To guarantee a secure installation, transfer the Installation Package to the Agent either manually or using a secure line. This ensures that potential hackers never get access to it through the network.
Warning! Changing the authentication method is possible, but involves considerable effort. For more information, see Changing the Authentication Method.
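The key hierarchy from the section above (the Authentication Key wrapping each Agent's Transfer Key in the KeyStore, the Transfer Key authenticating both partners and yielding a per-connection Session Key) and the difference between the NO and LOCAL methods in how the Authentication Key comes to exist, as an added Python model. This is example code written for this page, not the Automation Engine's KeyStore format or wire protocol; the HMAC-SHA256 constructions, the label strings, the agent name `WIN01` and the system name `AE_PROD` are assumptions and constructed values.

```python
"""Model of the Authentication / Transfer / Session Key hierarchy (added example,
not Automation Engine code). Algorithms, labels and formats are assumptions."""
import hashlib
import hmac
import secrets


def derive_authentication_key(method: str, system_name: str, admin_secret: bytes = b"") -> bytes:
    """Authentication Key: one per Automation Engine system.

    NO: derived from the system name alone, so anyone who knows the name can
    recompute it (the reason the page calls NO the least secure method).
    LOCAL / LOCAL_REMOTE: the administrator supplies it at installation.
    """
    if method == "NO":
        return hashlib.sha256(b"AUTH-KEY|" + system_name.encode()).digest()
    if method in ("LOCAL", "LOCAL_REMOTE"):
        if not admin_secret:
            raise ValueError("LOCAL and LOCAL_REMOTE need an administrator-defined key")
        return hashlib.sha256(b"AUTH-KEY|" + admin_secret).digest()
    raise ValueError(f"unknown authentication method: {method!r}")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (illustrative only; a
    production KeyStore would use an authenticated cipher such as AES-GCM)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_transfer_key(auth_key: bytes, agent_name: str, transfer_key: bytes) -> bytes:
    """KeyStore entry: the Agent's Transfer Key encrypted under the Authentication
    Key, with a MAC bound to the agent name (encrypt-then-MAC)."""
    enc_key = hmac.new(auth_key, b"keystore-enc", hashlib.sha256).digest()
    mac_key = hmac.new(auth_key, b"keystore-mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(transfer_key))
    ciphertext = bytes(a ^ b for a, b in zip(transfer_key, stream))
    tag = hmac.new(mac_key, agent_name.encode() + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unwrap_transfer_key(auth_key: bytes, agent_name: str, entry: bytes) -> bytes:
    """Reverse of wrap_transfer_key. Fails closed if the Authentication Key was
    changed or the entry was tampered with, instead of returning a garbage key."""
    nonce, ciphertext, tag = entry[:16], entry[16:-32], entry[-32:]
    enc_key = hmac.new(auth_key, b"keystore-enc", hashlib.sha256).digest()
    mac_key = hmac.new(auth_key, b"keystore-mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, agent_name.encode() + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("KeyStore entry invalid: wrong Authentication Key or tampered entry")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def new_transfer_key() -> bytes:
    """Transfer Key: generated per Agent, before or at the first connection."""
    return secrets.token_bytes(32)


def connect(engine_transfer_key: bytes, agent_transfer_key: bytes) -> bytes:
    """One connection: mutual challenge-response on the shared Transfer Key, then
    a Session Key that is valid only for this connection (fresh nonces each time)."""
    engine_nonce = secrets.token_bytes(16)  # challenge sent by the Engine
    agent_nonce = secrets.token_bytes(16)   # challenge sent by the Agent
    transcript = engine_nonce + agent_nonce
    # The Agent proves it holds the Transfer Key; the Engine verifies with its own copy.
    agent_proof = hmac.new(agent_transfer_key, b"agent|" + transcript, hashlib.sha256).digest()
    engine_check = hmac.new(engine_transfer_key, b"agent|" + transcript, hashlib.sha256).digest()
    if not hmac.compare_digest(agent_proof, engine_check):
        raise PermissionError("Agent failed authentication: Transfer Key mismatch")
    # The Engine proves the same to the Agent, so the Agent is not talking to an impostor.
    engine_proof = hmac.new(engine_transfer_key, b"engine|" + transcript, hashlib.sha256).digest()
    agent_check = hmac.new(agent_transfer_key, b"engine|" + transcript, hashlib.sha256).digest()
    if not hmac.compare_digest(engine_proof, agent_check):
        raise PermissionError("Engine failed authentication: Transfer Key mismatch")
    return hmac.new(engine_transfer_key, b"session|" + transcript, hashlib.sha256).digest()


if __name__ == "__main__":
    auth = derive_authentication_key("LOCAL", "AE_PROD", b"admin-chosen-secret")  # constructed
    tk = new_transfer_key()
    entry = wrap_transfer_key(auth, "WIN01", tk)  # constructed agent name
    assert unwrap_transfer_key(auth, "WIN01", entry) == tk
    print("session keys differ per connection:", connect(tk, tk) != connect(tk, tk))
```

Two properties of the page are visible in the model: unwrapping a KeyStore entry with any other Authentication Key fails, which is the practical meaning of "if you change or delete the Authentication Key, all other keys become invalid", and each call to `connect` yields a different Session Key, so one connection's key is of no use for another. In this model the Session Key is a deterministic function of the Transfer Key and the two nonces; whether a later compromise of a Transfer Key exposes previously recorded traffic depends on how the real product derives the Session Key, which this page does not specify.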
Compromised Agents
The architecture of the Automation Engine protects it and its communication against man-in-the-middle attacks. After setup, the connection between the Agent and the Automation Engine starts immediately without any key being exchanged. Therefore, the key cannot be captured during the initialization of the connection, because it no longer needs to be transferred.
Depending on the chosen authentication method, the Transfer Key is never transmitted over the wire. Attackers who want to intercept or read a connection must therefore compromise an Agent, which means that they need access to the machine on which the Agent is installed. Even if this happens and the Agent is compromised, old messages cannot be read, because each of them was encrypted with a different Session Key.
Agents do not send commands to the Automation Engine or to other Agents; they simply connect and wait for commands, which they then execute. Even if an Agent is already compromised, the system architecture prevents this from leading to other parts of the system also being compromised. The only exception is File Transfers, for which additional security measures are in place. See Secure File Transfer Protocol.
For more information, see Authenticating the Agents.