Authentication via Kerberos, basics

In an increasingly networked world, a WinCC OA system can be exposed to different types of attacks: an unauthorized WinCC OA system could connect to the distribution manager, or an attacker could try to manipulate WinCC OA messages.

To prevent eavesdropping and other types of attacks, measures that secure authentication and protect WinCC OA systems from such attacks have been developed. Kerberos-based authentication allows each WinCC OA component to verify the identity of another component: WinCC OA servers verify the identity of clients, and clients verify the identity of servers. In addition, Kerberos ensures that messages are not modified during transmission (which also prevents a capture-and-replay attack) and can even encrypt them.

The Kerberos protocol is built on symmetric-key cryptography and requires a trusted third party, the Key Distribution Center (KDC). The identity of an entity (user, computer, component) is proven by means of tickets. A client passes a ticket issued by the KDC to the server; the server verifies the ticket and thus the identity of the client. At the client's request, the server sends proof of its own identity to the client, so the client can verify the identity of the server.

Communication between a client and a server is protected with a session key that Kerberos generates for that connection. Messages sent over it are signed and can additionally be encrypted.
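The ticket exchange and session-key protection described above, as an added illustration that is not WinCC OA code and does not use the real Kerberos message formats: a stdlib-only Python model in which the KDC issues a service ticket, the server verifies the ticket and the client's authenticator, and the server returns a proof so the client can verify the server in turn. The toy cipher, the principal names, the 300-second clock skew and the fact that the session key is handed to the client unwrapped are assumptions of this example.

```python
import hashlib, hmac, json, os

# Constructed teaching model, not WinCC OA code: the toy cipher (SHAKE-256 keystream
# plus HMAC-SHA256 tag) stands in for Kerberos' real encryption types.

def seal(key, obj):
    """Encrypt-then-MAC a JSON object under key; returns nonce || ciphertext || tag."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    """Check the tag first, then decrypt; any modification or wrong key raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("message modified or wrong key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

class KDC:
    """Trusted third party that holds the long-term key of every principal."""
    def __init__(self, keys):
        self.keys = keys

    def issue_ticket(self, client, spn):
        # Service ticket: fresh session key plus client name, readable only with the service's key.
        # (Real Kerberos returns sk to the client sealed under the client's own key; omitted here.)
        sk = os.urandom(32)
        return sk, seal(self.keys[spn], {"client": client, "sk": sk.hex()})

def client_ap_request(sk, ticket, now):
    """AP-REQ: the ticket plus an authenticator showing the client holds sk right now."""
    return {"ticket": ticket, "auth": seal(sk, {"ts": now})}

def server_ap_accept(server_key, req, now, seen, skew=300):
    """Server side: verify ticket and authenticator; return (client, sk, AP-REP proof)."""
    t = unseal(server_key, req["ticket"])        # only the KDC could have sealed this
    sk = bytes.fromhex(t["sk"])
    ts = unseal(sk, req["auth"])["ts"]           # client really knows the session key
    if abs(now - ts) > skew or (t["client"], ts) in seen:
        raise ValueError("stale or replayed authenticator")
    seen.add((t["client"], ts))                  # replay cache
    return t["client"], sk, seal(sk, {"ts": ts}) # AP-REP: server proves it knows sk too

def client_verify_server(sk, proof, ts):
    """Mutual authentication: accept the server only if it echoed our timestamp under sk."""
    return unseal(sk, proof)["ts"] == ts
```

After the handshake, both sides hold `sk` and can use `seal`/`unseal` to sign and encrypt application messages; a modified ticket, a wrong server key, a stale timestamp or a repeated authenticator are all rejected with `ValueError`.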

WinCC OA uses Service Principal Names (SPNs). An SPN must be registered on only one computer. If you enable Kerberos under Windows, Pmon creates the SPNs automatically, provided that Pmon runs as a service under the Local System account. For any other user under Windows, and under Linux, you must create the SPNs yourself. For additional information, see the chapter Requirements and configuration.