Patents by Inventor Steffen Fries

Steffen Fries has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10686812
    Abstract: A device for detecting a manipulation of a program code, wherein the program code is configured to be executed from an execution environment on a computing system, is provided. The device includes a comparator unit which is configured to compare data of the program code with reference data in order to produce a comparison result when the execution environment conveys a termination command to the program code, and a detection unit which is configured to detect a manipulation of the program code on the basis of the comparison result. The device can prevent data which is produced or used during the execution of a program code from continuing to be used after termination of the program code if an attack on or manipulation of the program code has occurred. A method for detecting a manipulation of a program code is further proposed.
    Type: Grant
    Filed: February 9, 2015
    Date of Patent: June 16, 2020
    Assignee: Siemens Aktiengesellschaft
    Inventors: Rainer Falk, Steffen Fries
  • Publication number: 20200183374
    Abstract: Monitoring the integrity of industrial automation systems is provided. For example, a negative impact on integrity caused by unauthorized access should be identified. This is made possible by comparing state data which describe the operating state of the industrial automation system, with sensor data which describe an environmental influence of the automation system.
    Type: Application
    Filed: June 7, 2018
    Publication date: June 11, 2020
    Inventors: Steffen Fries, Rainer Falk
  • Publication number: 20200169413
    Abstract: A method and an apparatus for achieving cryptographic protection of a plurality of messages in a message exchange are provided, the cryptographic protection being implemented in particular by means of digital signatures and nonces. The nonces are not transmitted directly, but rather can be reproducibly calculated from preceding messages, wherein a checksum of a previous message is also considered for each nonce. This consideration is implemented in such a way that the cryptographic calculations, in particular those intended for the creation of the digital signature and the nonce, may be performed a single time rather than separately for the nonce and the digital signature.
    Type: Application
    Filed: May 17, 2018
    Publication date: May 28, 2020
    Inventors: Hans Aschauer, Steffen Fries
  • Publication number: 20200127860
    Abstract: A method for producing a cryptographic timestamp for a digital document using multiple time servers is provided. In the method, a nonce value is produced and a current hash value is formed from the nonce value and the digital document. Then, a time server is repeatedly selected, the current hash value is transmitted to the selected time server, a response comprising a digital signature of the current hash value and a time indication is received from the selected time server, and an additional hash value is determined from the received response and used as the new current hash value. The cryptographic timestamp for the digital document is formed from the nonce value and the multiple received responses. The method produces a tamperproof timestamp on a majority basis and is suitable for dating and logging in the field of automation and IoT.
    Type: Application
    Filed: June 27, 2018
    Publication date: April 23, 2020
    Inventors: Hans Aschauer, Steffen Fries, Dominik Merli
  • Patent number: 10630473
    Abstract: Provided is a method and a security module for determining or providing a device-specific private key for an asymmetrical cryptographic process. A device-specific private primary seed is reproducibly formed from a device-specific secret piece of data, and the device-specific private key is determined from the device-specific private primary seed.
    Type: Grant
    Filed: May 20, 2016
    Date of Patent: April 21, 2020
    Assignee: Siemens Aktiengesellschaft
    Inventors: Rainer Falk, Steffen Fries
  • Publication number: 20200089890
    Abstract: Provided is a device unit, including a module, which can configure the device unit with an operating state from among different operating states during the start-up process and/or during ongoing operation of the device unit, wherein a first protected operating state of the different operating states is designed to allow the execution of at least one operating process which can be predefined and to optionally protect the operating process by means of defined cryptographic means, wherein at least one second operating state of the different operating states is designed to deactivate the first protected operating state and to allow at least one other changeable operating process and to optionally protect the operating process by means of specifiable cryptographic means.
    Type: Application
    Filed: October 10, 2017
    Publication date: March 19, 2020
    Inventors: Hans Aschauer, Steffen Fries, Markus Heintel, Dominik Merli, Rainer Falk
  • Publication number: 20200067943
    Abstract: Provided is a detection device which is suitable for receiving a service within a network assembly, having: means for providing cryptographic security at or above the transport level of the communication protocol levels which can be used in the network assembly, for at least one first existing communication connection between the detection device and a network access device which is arranged in the network assembly and which can be used to monitor data detected by the detection device and/or to control an additional device within the network assembly using the data detected by the detection device; means for generating and/or determining network access configuration data for at least one additional second communication connection, which is to be cryptographically secured below the transport level, between the detection device and the network access device; and means for providing the generated and/or determined network access configuration data to the network access device.
    Type: Application
    Filed: October 9, 2017
    Publication date: February 27, 2020
    Inventors: Rainer Falk, Steffen Fries
  • Publication number: 20200059357
    Abstract: Provided is a method for transferring data in a topic-based publish-subscribe system, including a key distribution server and a number of local client systems that can be coupled to the key distribution server, including: providing a group key by the key distribution server for a group selected from the local client systems, locally deriving a first-order sub-group key for a first-order subgroup of the group by key derivation parameters at least comprising the provided group key and a certain topic of the publish-subscribe system by means of the particular client system of the first-order sub-group, and transferring at least one message cryptographically protected by the derived first-order sub-group key between the client systems of the first-order sub-group. Differentiation within group communication according to topic by specific cryptographic keys is thereby enabled.
    Type: Application
    Filed: September 15, 2017
    Publication date: February 20, 2020
    Inventors: Steffen Fries, Rainer Falk
  • Patent number: 10528484
    Abstract: A device for protecting a security module from manipulation attempts in a field device. A control device is configured to control the field device, a security module is configured to provide cryptographic key data which is to be used by the control device, and an interface device is connected to the control device. The security module is configured to allow the control device access to the cryptographic key data in the security module and to prevent access to the cryptographic key data in the event of a manipulation attempt on the field device.
    Type: Grant
    Filed: December 15, 2011
    Date of Patent: January 7, 2020
    Assignee: Siemens Mobility GmbH
    Inventors: Rainer Falk, Steffen Fries
  • Patent number: 10511587
    Abstract: Provided is a method for an authorized issuing of an authentication token for a device, including requesting an authentication token for the device by sending a request message and at least one authentication parameter to an authorization apparatus, verifying authenticity of the request message using the authentication parameter, verifying authorization for the request by comparing information on the device obtained with the request message in the authorization apparatus with context information for the device stored in a database, and on success of the verification of the authenticity and of the authorization, authorizing the issuing of the requested authentication token.
    Type: Grant
    Filed: May 18, 2016
    Date of Patent: December 17, 2019
    Assignee: Siemens Aktiengesellschaft
    Inventors: Hendrik Brockhaus, Steffen Fries, Michael Munzert, David Von Oheimb
  • Patent number: 10476861
    Abstract: Systems and methods for characterizing a client apparatus on at least one server apparatus are provided. A first certificate is received in the event of a first request for a connection set-up from a server apparatus in a client apparatus. One or more predefined certificate parameters of the first certificate are stored as a set of characterization parameters in the client apparatus. Each further certificate from a server apparatus is checked that is received in the client apparatus in the event of a request for a further connection set-up, against the stored characterization parameter set. A request for a further connection set-up is accepted only if all of the predefined certificate parameters of the further certificate match all characterization parameters of the characterization parameter set.
    Type: Grant
    Filed: October 2, 2014
    Date of Patent: November 12, 2019
    Assignee: Siemens Aktiengesellschaft
    Inventors: Hendrik Brockhaus, Jens-Uwe Bußer, Steffen Fries, David von Oheimb
  • Patent number: 10469269
    Abstract: A method operates an arrangement having a substation and a terminal device connected to the substation. The terminal device is equipped with a terminal device certificate and a private key. The certificate enables a signed data transmission, indicates the substation as the certificate issuer, carries a signature of the substation and contains a reference to a public key of the terminal device. Following a connection of a control station to the substation, the control station recertifies the public key of the substation by creating a signed certificate for the substation containing the public key of the substation, for the authentication of data which are or are intended to be transmitted from the terminal device to another terminal device. The terminal device certificate indicating the substation as the certificate issuer is transferred to the other terminal device, and the certificate verification is carried out based on the recertified public key.
    Type: Grant
    Filed: July 26, 2017
    Date of Patent: November 5, 2019
    Assignee: Siemens Aktiengesellschaft
    Inventors: Steffen Fries, Jan Eh, Andreas Guettinger, Marco Lambio
  • Publication number: 20190334891
    Abstract: Provided is a retrieval device for secure retrieval of optical information for a first device from a light source of a second device, including: a housing made from at least one material which is opaque for the light emitted from the light source, wherein the housing is arranged to contain the light from at least a part of the light source, an attachment adapted to detachably attach the housing to the second device, a light receiver arranged to receive optical information from the light source, said light receiver located inside the housing, a connector arranged to transfer an optical and/or electrical signal from the light receiver to the first device.
    Type: Application
    Filed: April 18, 2019
    Publication date: October 31, 2019
    Inventors: Hans Aschauer, Steffen Fries, Markus Heintel, Wolfgang Klasen, Axel Pfau, Franz Sperl, Georg Trummer, Johannes Zwanzger, Rainer Falk
  • Patent number: 10283960
    Abstract: A method and a regulating unit for avoiding overloads for link sections within a power supply system use requirements for loads to determine which link sections can be enabled for loads.
    Type: Grant
    Filed: April 24, 2013
    Date of Patent: May 7, 2019
    Assignee: Siemens Aktiengesellschaft
    Inventors: Rainer Falk, Steffen Fries
  • Patent number: 10243745
    Abstract: A method, system, backend, terminal, and computer program product are disclosed for producing a secure communication channel for a terminal, the method having the following method steps. A first method step for setting up a secure communication channel between a communication partner and a backend by a communication protocol. A second method step for producing a communication channel between the communication partner and the terminal. A third method step for transmitting the channel binding information. A fourth method step for storing the channel binding information on the terminal. A fifth method step for creating a data structure and a first digital signature across the data structure. A sixth method step for sending the data structure and the digital signature from the backend to the terminal. A seventh method step for checking the authenticity of the data structure.
    Type: Grant
    Filed: July 26, 2016
    Date of Patent: March 26, 2019
    Assignee: Siemens Aktiengesellschaft
    Inventors: Steffen Fries, Marcus Schafheutle
  • Publication number: 20190074977
    Abstract: A method, system, backend, terminal, and computer program product are disclosed for producing a secure communication channel for a terminal, the method having the following method steps. A first method step for setting up a secure communication channel between a communication partner and a backend by a communication protocol. A second method step for producing a communication channel between the communication partner and the terminal. A third method step for transmitting the channel binding information. A fourth method step for storing the channel binding information on the terminal. A fifth method step for creating a data structure and a first digital signature across the data structure. A sixth method step for sending the data structure and the digital signature from the backend to the terminal. A seventh method step for checking the authenticity of the data structure.
    Type: Application
    Filed: November 6, 2018
    Publication date: March 7, 2019
    Inventors: Steffen Fries, Marcus Schafheutle
  • Publication number: 20190044696
    Abstract: A method for achieving a security function for a security control device for controlling a device or an installation, including: a) providing at least one first partial secret that is stored in a basic control device, b) providing at least one second partial secret that is stored in a security module, c) combining the at least one first and second partial secret to form an overall secret, required to achieve the security function, within the time period in which the basic control device interacts with the security module via the first and second coupling interfaces, and d) disguising the combined overall secret outside the time period.
    Type: Application
    Filed: August 1, 2018
    Publication date: February 7, 2019
    Inventors: Hans Aschauer, Rainer Falk, Kai Fischer, Steffen Fries, Markus Heintel, Wolfgang Klasen, Axel Pfau
  • Publication number: 20190042731
    Abstract: Provided is a method for achieving a security function for a security control device for controlling a device or an installation, the security control device including a basic control device and a security module, the method having the following steps: a) providing at least one first partial secret which is stored in the basic control device, b) providing at least one second partial secret which is stored in the security module, c) combining the at least one first partial secret and the at least one second partial secret in order to achieve the security function, wherein the at least one first partial secret is broken down into sections of a predefinable size and the set of sections is gradually combined with the at least one second partial secret by means of a calculation rule, which can be processed within a predefinable period during the execution of the calculation rule according to the size and set.
    Type: Application
    Filed: July 31, 2018
    Publication date: February 7, 2019
    Inventors: Hans Aschauer, Rainer Falk, Kai Fischer, Steffen Fries, Markus Heintel, Wolfgang Klasen, Axel Pfau
  • Publication number: 20190028466
    Abstract: Provided is a method for checking a safety rating of a first device with the aid of an associated digital certificate, including the steps: sending the digital certificate having an identifier of a safety rating from the first device to a second device, checking the identifier of the safety rating with respect to a predefined safety rule by means of the second device, and executing safety measures in accordance with the result of checking the safety rule.
    Type: Application
    Filed: December 22, 2016
    Publication date: January 24, 2019
    Inventors: Rainer Falk, Steffen Fries
  • Publication number: 20190028459
    Abstract: A method for setting up a communication channel for exchanging data between a server device and a client device is provided. The method includes: transmitting authentication information from an issuer device to the client device; transmitting the authentication information from the client device to the server device in a cryptographic security protocol, in particular in a TLS handshake protocol; authenticating the client device by means of the server device depending on the received authentication information; and setting up the communication channel between the server device and the authenticated client device by means of the cryptographic security protocol. The authentication of the client device can be carried out in the context of setting up the communication channel. In this case, the communication channel is established by means of the cryptographic security protocol.
    Type: Application
    Filed: July 18, 2018
    Publication date: January 24, 2019
    Inventors: Steffen Fries, Rainer Falk