Digital signature verifier

I am working on creating a program that would allow for saving of system logs and data, basically just sensor values and button strokes recorded to a data table, and I need to ensure that data was not manipulated after it was written. I like the fact that files can be digitally signed via the Store DTI to File function. From an end-user perspective, I don't like that I need to direct my customers to use the programming tool to verify a digital signature. Maybe I am simply not aware of it, or is there a standalone tool that a customer can use to verify whether a file was altered after being digitally signed? I'm basically looking for the Digital Signature Verifier as a standalone tool. Is this proprietary to Unitronics, or is there some industry standard tool that can be used instead?

Building on this, is there functionality to save a data table to, say, a signed PDF document or another format than what is listed in the Store DTI to File function? What about adding password protection or encryption to files? I currently don't have a good way of protecting accessibility of data once it is off of the PLC; adding password protection is not the best solution, but it will add another layer of security. Ideally, if the files were read-only, this would solve a lot of the issues. Is there maybe a way to do this?


I don't use UniStream, and in reading your posts you are way above my pay grade!

However, one simplistic thought: zipping the files and putting them in a specific user's read-only folder on a NAS or similar would likely do it. Whether you can do this automatically on the PLC I don't know, but you could certainly do it externally.

But any sort of data is open to manipulation by determined users, the same way machine users endlessly try to get around safety systems to make their job "easier". 😞

cheers, Aus.


Thanks @Ausman, yes, this is an option, but I fear that end-users will still not have a way to easily verify that the data was not manipulated. I do see the ability to zip the data, and setting up a routine to move the files via a secure connection to a dedicated server is a possibility. It is the route that I am leaning towards.

After consulting an industry professional, they liked the fact that UniLogic allows for digital signatures; this is a huge win because they can use this to tell if a file was altered or modified since it was written. The issue arose when I told him that the user needs to use the digital signature verifier in UniLogic (the programming tool) to verify that the file was not manipulated. For example, in the pharmaceutical industry and most others, IT doesn't allow just any program to be installed on a computer, and the fact that the user needs to use the application used to program the PLC is a huge no-no. Granted, most users will not know how to connect to the PLC, nor will they know how to make changes, but it's giving them access to too much information and the risk of doing something wrong is too high. Hence I was hoping that maybe a digital signature is an industry standard that can be verified by some other standalone tool (I don't know if this is the case) and, if not, is there an application that is only used to verify digital signatures? I will have a much easier time convincing a client to use that tool than the UniLogic programming software. In the meantime, I'm trying to explore other acceptable approaches to solve the issue.


Well, the digital signature verifier can be run outside of UniLogic. The main exe references one dll, and that dll references a few 3rd-party dlls.

You cannot create a file as read-only, since it can always be edited on a computer. You can, as Ausman suggested, insert it into a zip, and that zip can have a password.


For having the Digital signature verifier working, you need to copy:

Unitronics Digital Signature Verifier.exe

Unitronics.DigitalSignature.Verifier.dll

System.ValueTuple.dll

Newtonsoft.Json.dll

BouncyCastle.Crypto.dll


Then if you give those files to someone, he should be able to run it. There might be dependencies like .NET 4.6.2 or 4.7.2 which might need to be installed, but most computers have them already, so the program should run without any issue.

A clarification for Ausman: the file itself is not signed, but there is a signature file next to it (they go together). The idea behind it is to be able to sign textual files as well (like CSV).

Modifying either of the files (the signature file or the CSV file, for example) will result in signature validation failure.


There are tools from Unitronics to convert a Data Table file to a PDF (like Data Converter Suite), but they do not verify the signature of the input DT file or sign the PDF. Signing a PDF is usually done using a certificate you buy, because anyone can sign a PDF, but you also want to be assured that it was signed by someone you trust.

Currently, the PLC does not generate a PDF file from the Data Table.

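The detached-signature model described in the reply above (the CSV is not modified; a separate signature file sits next to it, and changing either one breaks validation), shown as an added example. This is not Unitronics' code and it does not reproduce the Unitronics verifier's file format or algorithm, which the thread does not describe; it uses Ed25519 from the Go standard library as an assumed stand-in, and the CSV content is constructed for the demo. The fourth scenario (a valid pair checked against someone else's public key) is the same trust point the reply makes about PDF signing: a signature only tells you something if you also know whose key it was made with.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed sample: a tiny data-table export, standing in for what the
// PLC would write to the CSV file. The rows are made up for this demo.
const sampleCSV = "timestamp,sensor_a,sensor_b,button\n" +
	"2024-01-01T10:00:00,21.5,1013.2,START\n" +
	"2024-01-01T10:00:01,21.6,1013.1,\n"

// signDetached returns the bytes that would be written to the separate
// signature file next to the CSV. The CSV itself is left untouched.
// Assumption for the demo: Ed25519; the real verifier's algorithm is not
// stated in the thread.
func signDetached(priv ed25519.PrivateKey, data []byte) []byte {
	return ed25519.Sign(priv, data)
}

// verifyDetached is what a standalone verifier does: read the data file
// and the signature file, and check them against the signer's public key.
// It returns true only if neither file changed since signing.
func verifyDetached(pub ed25519.PublicKey, data, sig []byte) bool {
	if len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, data, sig)
}

// Scenario collects the verification outcome of each case so the results
// can be checked rather than only printed.
type Scenario struct {
	Untouched      bool // original CSV, original signature file
	TamperedCSV    bool // one sensor value in the CSV edited after signing
	TamperedSig    bool // one byte of the signature file flipped
	WrongPublicKey bool // valid pair, but checked with another party's key
}

// RunScenario signs the sample CSV and verifies it under the four cases.
// Only Untouched should come back true.
func RunScenario() (Scenario, error) {
	// The key pair is generated here for the demo. In practice the private
	// key stays with the signer (the PLC) and only the public key is handed
	// to whoever needs to verify files.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Scenario{}, err
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Scenario{}, err
	}

	data := []byte(sampleCSV)
	sig := signDetached(priv, data)

	// Edit a reading after the fact: "21.5" becomes "21.9".
	tamperedData := []byte(strings.Replace(sampleCSV, "21.5", "21.9", 1))

	// Corrupt the signature file by flipping a single bit.
	tamperedSig := append([]byte(nil), sig...)
	tamperedSig[0] ^= 0x01

	return Scenario{
		Untouched:      verifyDetached(pub, data, sig),
		TamperedCSV:    verifyDetached(pub, tamperedData, sig),
		TamperedSig:    verifyDetached(pub, data, tamperedSig),
		WrongPublicKey: verifyDetached(otherPub, data, sig),
	}, nil
}

func main() {
	s, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("signature file example: %s...\n", hex.EncodeToString(signDetached(func() ed25519.PrivateKey {
		_, k, _ := ed25519.GenerateKey(rand.Reader)
		return k
	}(), []byte(sampleCSV)))[:16])
	fmt.Printf("untouched: %v, tampered csv: %v, tampered sig: %v, wrong key: %v\n",
		s.Untouched, s.TamperedCSV, s.TamperedSig, s.WrongPublicKey)
}
```

Whatever tool the end-user runs, it needs the same three inputs as verifyDetached: the data file, the signature file, and the public key that belongs to the signer. A verifier that ships without a way to pin that key only proves the two files are consistent with each other, not who produced them.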

Great, thanks @Saragani, this is helpful. I will give the signature verifier a go on my computer to see how it works in standalone format. Also, thanks for the information about the availability of the DT to PDF tool; I may use something like this in the future.
