OCPP 1.6-J Security

[V2G-UK]

The OCPP 1.6 standard has just changed. See:

http://www.v2g-evse.com/2018/12/18/open-charge-alliance-enhances-ocpp-1-6-security/

Secure communication and operation is a critical aspect of Electric Vehicle Charging Infrastructure.

To further assist the industry the Open Charge Alliance now publishes a white paper to describe a standard way to address security using OCPP 1.6-J.

Jim

[TVolden]

Hi Jim,

Sounds exciting. I did noticed that OCA wrote IT om their Twitter profile, but haven't had a chance to look for my self.

Does anyone know what has changed?

Thomas

[V2G-UK]

I've had a chance to skim the new "white paper" now:

This document is for OCPP 1.6-J (JSON over WebSockets) only, OCPP-S (SOAP) is NOT supported. This document was started, as it is seen as a simple stap to port OCPP 2.0 security to OCPP 1.6. But as OCPP 2.0 only support JSON over WebSockets (not SOAP), this document is also written for OCPP 1.6-J only. Adding SOAP to this document would have taken a lot of work and review by security experts.

This document is based on OCPP 2.0. To help developers that are implementing both 1.6J security improvement and OCPP 2.0, we have kept the Use Case numbering from OCPP 2.0. So when implementing for example Use Case N01, it is the same use case in this document as in the 2.0 specification.

Jim

[dersteve]

Here is a link to the document and specification. It talks mainly about Basic Authentication and Client Side Certificates:

ocpp_1_6_security.pdf

https://www.openchargealliance.org/news/enhanced-security-for-ocpp-16/

[dersteve]

We could think of splitting this issue into 2 as they could be implemented separately and I guess Basic Authentication is much easier to implement.

• Basic Authentication
• Client Side Certificates

[erikvda]

Hi Thomas,

Is there any news on this topic? Next to the authentication methods the document also describes new messages.

[TVolden]

Hi @erikvda

Nothing new from me. I haven't gotten around to look into it, and I don't see that I will get around to it in the near future. Sorry.

[vikram919]

@TVolden First of all thanks to you and contributors for such a easy to use library. As @dersteve mentioned the steps. I am pretty interested in having Basic Authentication supported on OCPP json server. Can you please let me know which architectural adjustements we need to make inorder to have this feature. I can work on this but needed some help in terms of architecture wise.

Cheers!

[TVolden]

Hi @vikram919, thanks for your reply. I'll look into it at first chance, which may be Tuesday at best. Hope that's okay.

[vikram919]

@TVolden tuesday should be fine.

[TVolden]

Hi again @vikram919,

I had some time to look into it today. I'm having a hard time finding a way to use Basic Authentication with the Websocket component I use (Java-websocket). I'm not sure how to make it work. Sorry.

Here is a link, that discusses it:
TooTallNate/Java-WebSocket#88

[robert-s-ubi]

Hi @TVolden,

sorry for being late to the game, but I just created a pull request which adds OCPP-J client-side HTTP basic authentication support to your library. We successfully tested this in a plugfest against backends expecting basic authentication.

[TVolden]

Thanks @robert-s-ubi, I have merged it in now.

@vikram919 if your still interested. Can you test if it works now? - and if so, close this issue.

Thanks every one.

[vikram919]

@TVolden , thanks for the update, I will test it sooner until by next week and close this issue.

[dimaa6]

Hi! First of all, great project and thank you for the effort.

Regarding basic authentication on server side, not sure I understand what is the complication here. There is WebSocketListener.open which has access to ClientHandshake instance. That instance has all the headers, including Authorization - just debugged and saw them there. What is the difficulty of having a method in ServerEvents, something like authorizeSession, and pass there SessionInformation instance. Add user name and password extracted from Authorization header to SessionInformation class. Then class implementing ServerEvents can run whatever logic against identifier, IP address, user name and password of the client which is attempting connection, and prevent creation of the session if it decides so. WebSocketListener.open would just send HTTP status 401 to the client, and close client socket in this case. Am I missing something?

[dimaa6]

Added pull request #163 , please review

[dagarwal82]

Is there a plan to update the maven repo with this change in near future?

[TVolden]

Hi @dagarwal82

Thanks for asking. I can give it a try after exams. So after the 15th or so.

Sincerely,
Thomas

[dagarwal82]

I think authenticationSession in ServerEvents should also throw AuthenticationException so that ListenerEvents can capture and rethrow:

listener.open(
hostname,
port,
new ListenerEvents() {

      @Override
      public void authenticateSession(
          SessionInformation information, String username, byte[] password)
          throws AuthenticationException {
        serverEvents.authenticateSession(information, username, password);  //line 88
      }

Line 88 can not throw AuthenticationException and do not validate the outcome either.

[m-oben]

Hi @TVolden, @dagarwal82, I am actually in the process of making an implementation right now. Expect a PR soon...

[m-oben]

See my PR #196. Please take your time to review, it's a big one :-)

The library already supports HTTP basic auth and SSLContext is used so security profiles 2 and 3 are in theory already possible. However none of the defined management messages are implemented, which is the scope of my PR.

The whitepaper mentioned by @V2G-UK is already outdated in the meantime as a 2nd edition has been released.
My changed are based on said 2nd edition, downloadable here: https://openchargealliance.org/uploads/files/OCPP-1.6-security-whitepaper-edition-2.zip

The whitepaper does not define a "profile" and "features" as the original whitepaper did. However I did create a profile and features similar to the existing ones to fit everything in and be compatible with the rest of the library.

[muhammadumairsabir]

Hi members, How i can setup the basic auth security profile? Right now I am getting the password values as null. You little help will be much appreaciate.