Declaring authenticated variables and messages, Specifying the authentication key, How authentication works – Echelon Neuron C User Manual
Neuron C Programmer's Guide 67
Declaring Authenticated Variables and Messages
For network variables, include the authenticated (or auth) keyword as part of the connection information. The partial syntax is shown below. For the complete syntax of the bind_info clause, see the Neuron C Reference Guide.
bind_info ( authenticated [(config | nonconfig)] )
Note: The authenticated keyword can be abbreviated as auth. Likewise, the nonauthenticated keyword can be abbreviated as nonauth.
If you also include the config keyword in the declaration, network tools can change the authentication status of this network variable after the device has been installed. Include the nonconfig keyword to prevent the authentication status from being changed for this network variable.
Example:
network output UNVT_boolean
bind_info(auth(nonconfig)) nvoSafeLock;
With this declaration, authentication can never be turned off for updates of the nvoSafeLock network variable, because the declaration includes the nonconfig keyword.
Specifying the Authentication Key
All devices that read or write a given authenticated network variable connection must have the same authentication key. This 48-bit authentication key is used in a special way for authentication, as described below.
The key itself is transmitted to the device only during the initial configuration. Subsequent changes to the key are made without sending the key over the network: the network tool can modify a device's key over the network, in a secure fashion, with a network management message.
How Authentication Works
The following sequence describes an example of authentication (Figure 8 on page 68 illustrates the process):

1. Device A sends an update to a network variable declared as authenticated on Device B using the acknowledged service. If Device A does not receive the challenge, it sends a retry of the initial update.

2. Device B generates a 64-bit random number and returns, to Device A, a challenge packet that includes the 64-bit random number. Device B then uses the encryption algorithm (built into the Neuron firmware) to compute a transformation on that random number using its 48-bit authentication key and the message data. The transformation is stored in Device B.

3. Device A then also uses the encryption algorithm (built into the Neuron firmware) to compute a transformation on the random number (returned to it by Device B) using its 48-bit authentication key and the message data. Device A then sends this computed transformation to Device B.