Add support for encryption #78

Open
cigarplug opened this issue Nov 30, 2019 · 3 comments
@cigarplug

Hi!

I was wondering if it's desirable to add support for encrypting messages between the client and server. It could be made optional, and off by default. I took a course related to network security recently and did something similar as a part of an assignment, which means some groundwork has already been laid.
I'd be happy to create a pull request. Do let me know your thoughts on this.

Cheers

@OrangeTux
Collaborator

Hello @cigarplug

Great that you focus on security! As far as I know there is no Modbus standard for encrypting Modbus traffic. Therefore I'm hesitant to include a non-standard form of encryption in this project.

But I see use in encrypting Modbus traffic. What kind of encryption did you think of? What do you think of creating an extension to the uModbus package that adds encryption and uploading this package to PyPI?

@jaapz
Member

jaapz commented Dec 4, 2019

We could include an encryption scheme for a uModbus Client to a uModbus Server, maybe as a kind of middleware, or a recipe that people can use easily.

As Modbus doesn't do any encryption in the standard at all, if this is implemented we should be completely clear in documentation that it's a non-standard encryption implementation specific to uModbus.

I'm not sure if it's a great idea to add the encryption to the main package, but if we document it correctly and disable it by default we might be able to work with it.

Could be as simple as adding a layer of AES over each packet and encrypting with a default key, but how would you rotate those keys? Do we need to provide support for key rotation mechanisms, or would library users have to do that themselves? Keeping the same keys forever is only slightly better than not encrypting at all.

@cigarplug
Author

Hi!

The traffic could be encrypted using an AEAD cypher like AES in GCM mode or ChaCha20-Poly1305. And session keys for each connection could be generated by running an additional Diffie-Hellman server along with the Modbus server. That is, for each client connection, a new keypair must be negotiated.

I'm not particularly bent on adding encryption to the main project. The changes could be major and create additional dependencies such as the cryptography Python package and OpenSSL.

The idea of publishing an extension package on PyPI sounds pretty good! But I am completely new to package development, so your assistance would be extremely good to have.
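
The scheme outlined in the comment above (a fresh Diffie-Hellman exchange per connection, then an AEAD cipher over each Modbus packet), as an added example; it is not code from uModbus or from any participant in this thread. `Session`, `handshake`, the 2-byte length prefix, the counter nonces and the choice of X25519 with HKDF-SHA256 are assumptions of this example, which relies on the `cryptography` package.

```python
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

# Constructed sample: Modbus TCP "read holding registers" request
# (MBAP header, unit 1, function 0x03, start address 0, quantity 2).
REQUEST = bytes.fromhex("000100000006" "01" "03" "0000" "0002")

class Session:
    """AEAD state for one TCP connection (hypothetical helper, not uModbus API)."""

    def __init__(self, own_private, peer_public, is_client):
        # Fresh X25519 keys per connection yield fresh session keys, so no key
        # outlives its connection. The exchange is unauthenticated: peers must
        # verify each other's public key by other means to rule out a relay.
        shared = own_private.exchange(peer_public)
        okm = HKDF(algorithm=hashes.SHA256(), length=64, salt=None,
                   info=b"modbus-aead-example").derive(shared)
        c2s, s2c = okm[:32], okm[32:]  # one key per direction: no nonce reuse
        self._tx = ChaCha20Poly1305(c2s if is_client else s2c)
        self._rx = ChaCha20Poly1305(s2c if is_client else c2s)
        self._tx_count = self._rx_count = 0

    def seal(self, adu):
        """Encrypt one ADU; returns 2-byte length prefix + ciphertext + tag."""
        nonce = self._tx_count.to_bytes(12, "big")  # message counter as nonce
        sealed = self._tx.encrypt(nonce, adu, None)
        self._tx_count += 1
        return len(sealed).to_bytes(2, "big") + sealed

    def open(self, frame):
        """Decrypt one frame; tampered, replayed or reordered frames fail."""
        if int.from_bytes(frame[:2], "big") != len(frame) - 2:
            raise ValueError("truncated or oversized frame")
        nonce = self._rx_count.to_bytes(12, "big")
        try:
            adu = self._rx.decrypt(nonce, frame[2:], None)
        except InvalidTag:
            raise ValueError("authentication failed") from None
        self._rx_count += 1  # advance only after a frame verifies
        return adu

def handshake():
    """Both ends in one process; on the wire only the public keys travel."""
    ck, sk = X25519PrivateKey.generate(), X25519PrivateKey.generate()
    return Session(ck, sk.public_key(), True), Session(sk, ck.public_key(), False)
```

Because the receiver derives each nonce from its own message counter, a captured frame that is sent again fails authentication instead of being executed a second time.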

hmaerki pushed a commit to hmaerki/fork-uModbus-obsolete that referenced this issue Dec 31, 2023
…ature/improve-contribution-guideline

Add contribution guideline