Data Backup and Security Measures
The security measures protect data, information, and systems.
This is generally achieved by measures which ensure the protection of the core values of data and systems.
User management and permissions
User management in CODESYS defines specific user groups. The user groups are granted different permissions, for example to access objects in a project or to view and execute specific actions on objects on the controller.
CODESYS supports user management for different areas in the overall system. See the following individual descriptions and instructions:
Encryption and signing
Tip
If you use CODESYS Security Agent V1.4.0.0 or higher, then you can save the respective private key on your local computer when you delete your own certificate and use it again later. For more information, see the following: Devices Tab of the Security Screen.
Data encryption
Encryption converts data into an unreadable form which can only be decrypted with the matching key. The key can be a password, a secret key, or a key pair (private/public). The public key is usually contained in a certificate.
Data is encrypted so that only the authorized recipient can read it. Most often, symmetric methods are used for this.
Digital signing
In addition to encryption, data can be signed to prove its authenticity and integrity. This is typically done using asymmetric methods.
Irrefutable ownership (non-repudiation) means that a party involved in a communication, whether sender or receiver, cannot later deny having sent a particular message or triggered a particular action. This is possible when the message has been signed with the sender's private key. Only the owner of this private key could generate the digital signature. Therefore, ownership can be proven (authenticity).
Integrity means that the data is complete, correct, and unchanged. The data has not been changed since the sender created it. This is verified by the recipient checking whether the hash value of the received data matches the hash value contained in the signature. If both match, then it is clear that the contents have not changed.
Data is digitally signed to ensure that the ownership (authenticity) of a message can be proven beyond any doubt and that its integrity can be verified. A digital signature is based on asymmetric encryption. The sender uses their private key for signing. The recipient verifies the signature using the respective public key.
Typical procedure:
The sender obtains a unique hash value of the data (H).
The sender encrypts this hash value with a private key (He): digital signature.
The recipient also calculates the hash value of the received data.
The recipient decrypts the signature using the sender's public key and compares the two values.
This confirms that the data is unchanged and originates from the owner of the private key (identity verification).
Hashing methods create a unique "fingerprint" of the data. They have a low collision probability, which means that it is extremely difficult to generate two different data sets with the same hash value.
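The typical procedure above, carried through with the page's symbols H and He, as an added example that is not CODESYS code. It assumes textbook RSA without padding and a constructed key built from two publicly known primes so that it runs with the Python standard library alone; production signing uses a padded scheme from a vetted library. All function names are hypothetical.

```python
import hashlib

# Constructed demo key: P and Q are publicly known Mersenne primes,
# so this key protects nothing. It only makes the arithmetic visible.
P, Q = 2**127 - 1, 2**521 - 1
PHI = (P - 1) * (Q - 1)
N = P * Q                    # public modulus
E = 65537                    # public exponent (public key = N, E)
D = pow(E, -1, PHI)          # private exponent (private key), Python 3.8+


def hash_value(data: bytes) -> int:
    """Hash value H of the data (SHA-256), as an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, d: int = D) -> int:
    """Sender: He = H^d mod N, the digital signature."""
    return pow(hash_value(data), d, N)


def verify(data: bytes, signature: int, e: int = E) -> bool:
    """Recipient: recover H from He with the public key and compare it
    with the hash value calculated over the received data."""
    if not 0 <= signature < N:
        return False         # reject values outside the valid range
    return pow(signature, e, N) == hash_value(data)


def demo() -> dict:
    message = b"constructed sample: boot application image"
    signature = sign(message)
    # A different private exponent stands in for a key the sender does not own.
    foreign_d = pow(257, -1, PHI)
    return {
        "genuine": verify(message, signature),
        "tampered_data": verify(message + b"!", signature),
        "foreign_key": verify(message, sign(message, d=foreign_d)),
    }


if __name__ == "__main__":
    print(demo())
```

Only the unmodified message signed with the matching private key verifies; a changed message fails the hash comparison (integrity), and a signature made with another key fails against the sender's public key (authenticity).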
Certificates
A public key is part of a certificate. On its own, the key is simply a long sequence of numbers with no indication about its owner. By embedding the key in a certificate, it is uniquely assigned to a person, device, server, or client.
General information
Version of the certificate standard (e.g. X.509 v3)
Serial number
Signature algorithm (e.g. SHA256‑RSA)
Issuer details
Name of the Certification Authority (CA)
Unique identification data (e.g. DN = Distinguished Name)
Subject: Information about the owner
Name, organization, or domain
Unique identification data (ID)
Optional: Alternative identities (Subject Alternative Names)
Public key
Public key of the owner
The owner possesses a private key which corresponds to the public key.
Certificate owner key information (Subject Public Key)
Algorithm (e.g. RSA, ECC)
Key length
Validity period
Not Before
Valid from
Not After
Valid until
Digital signature of the CA
A CA signs the certificate contents.
A CA guarantees authenticity and integrity.
Extensions
Example of an X.509 v3 certificate:
Key Usage (e.g. signing, encryption)
Extended Key Usage (e.g. TLS Server Auth, TLS Client Auth)
Basic Constraints (e.g. whether or not it is a CA)
Subject Alternative Name (SAN)
Important
In certificate-based systems, the owner receives a digital certificate which works like a digital ID card. It is a public X.509 certificate and can therefore be issued to anyone.
This kind of certificate consists of several files and is usually organized as a certificate chain. These chained certificates contain the identity and public key of the owner and are authenticated by a certification authority. The certificates form a hierarchical PKI, whose common trust anchor is the root certificate.
Root certificate
The root certificate is at the top of the chain of trust.
Intermediate certificates
The intermediate certificates are signed by the Certificate Authority (CA) of the root certificate. There can also be only one intermediate certificate.
End-entity certificate (last certificate)
This is the actual certificate of the owner (server, client, device, user). This end-entity certificate includes the private key, which also matches the public key.
Important
The private key must be kept secret.