Preliminary Copy

SEL-3022 Wireless Encrypting Transceiver Instruction Manual

20050615

Attention

The SEL-3022 is a cryptographic device. Limit access to the SEL-3022, SEL-5809 Settings Software, SEL-5810 Virtual Serial Software, and SEL-3022 Instruction Manual to authorized personnel only. Do not copy these items. Securely store these items when not in use. Destroy these items when no longer needed.
CAUTION: Removal of enclosure panels exposes circuitry which may cause electrical shock which can result in injury.

The software (firmware), drawings, commands, and messages are copyright protected by the United States Copyright Law and International Treaty provisions. All rights are reserved.
Preface

Manual Overview

The SEL-3022 Wireless Encrypting Transceiver Instruction Manual describes common aspects of the wireless encrypting transceiver application and use. It includes the necessary information to install, set, test, and operate the transceiver. An overview of each manual section and topics follows:

Preface. Describes the manual organization and conventions used to present information.

Section 1: Introduction & Specifications.
Page Numbering

This manual shows page identifiers at the top of each page; see the figure below.

[Figure: Page Number Format, showing the title block ("Introduction & Specifications", "Product Overview") and the page number ("1.3")]

The page number appears at the outside edge of each page; a vertical bar separates the page number from the page title block.
Examples

This instruction manual uses several example illustrations and instructions to explain how to effectively operate the SEL-3022. These examples are for demonstration purposes only; the firmware identification information or settings values included in these examples may not necessarily match those in the current version of your SEL-3022.
Section 1
Introduction & Specifications

Introduction

This section includes the following overviews of the SEL-3022 Wireless Encrypting Transceiver:
➤ Product Overview
➤ Application Overview
➤ Connections, Reset Button, and LED Indications
➤ Software System Requirements
➤ General Safety and Care Information
➤ Specifications
Product Overview

The SEL-3022 Wireless Encrypting Transceiver is an EIA-232 to IEEE 802.11b, or WiFi, encryption device that adds strong encryption and authentication features to the data sent across wireless ports.
SEL-3022 Transceiver

The SEL-3022 has two communication ports: the EIA-232 and IEEE 802.11b. The EIA-232 serial port connects to an IED's EIA-232 serial port. The SEL-3022 and IED exchange unencrypted data such as engineering access data. The SEL-3022 forms an authentication message and encrypts the data received from the IED, then passes it to the IEEE 802.11b port. The IEEE 802.
When the SEL-5809 Settings Software/SEL-5810 Virtual Serial Software receives a message from the wireless port, it decrypts and authenticates the message and passes it to the virtual serial port, which in turn passes it to your PC program. See Figure 1.2.
Application Overview

The SEL-3022 is ideal for applications where engineering access communication is required but the IED is installed in a location where physical access is limited. For example, recloser controls are often mounted in inconvenient locations, either because of power line location or to keep them out of reach of unauthorized users.
Connections, Reset Button, and LED Indications

The figure below shows typical connections for the SEL-3022.

[Figure labels: Recloser Control; + 12 Vdc PWR; SEL-651R; SP EIA-232; PC Computer or PDA with 802.11b]

Figure 1.3 802.
IMPORTANT: Do NOT wire power to both the compression terminals and the 2.5 mm jack. Use only one power connection at a time.

Alarm Output Connection

Use the solid-state alarm contact to alert you to problems either with the communications channel or the SEL-3022. See Section 5: Testing and Troubleshooting for more details.
[Figure labels: 0.5 A, 250 V Fast Blow Fuse; SEL-3022 Alarm Output Contact; Wetting Voltage 125 Vdc; Optional Load Resistor; SEL-2030 Contact Input]

Do not apply 125 Vdc directly to the SEL-3022 power supply connections.

Typical SEL contact inputs draw 4 mA of nominal wetting source voltage.

Figure 1.
Reset Button

Use the {RESET} button to reset and delete all security-related settings. You can access the {RESET} button through the small hole in the end of the SEL-3022 near the status LED. Use a paper clip or other similar device to press the {RESET} button for at least 2 seconds, which resets the SEL-3022 into a default state.
Software System Requirements

The SEL-3022 comes with configuration and monitoring software, referred to as the SEL-5809 Settings Software and the SEL-5810 Virtual Serial Software. The SEL-5809 Settings Software is the only means to set and monitor the SEL-3022. The software comes in two versions: one version is for a PC and one is for a PDA operating system.
General Safety and Care Information

General Safety Notes

The SEL-3022 is designed for restricted access locations. Access shall be limited to qualified service personnel. The SEL-3022 should not be installed or operated in a condition not specified in this manual.

CAUTION: The SEL-3022 is an intentional radiator.
Specifications

Indicators
Green LED: Device Status

Electromagnetic Compatibility Immunity
Conducted RF Immunity:

Solid-State Output
100 mA continuous
250 Vdc or 120 Vac Operational Voltage
Max. On Resistance: 50 Ω
Min. Off Resistance: 10 MΩ
Insulation: 1500 Vdc
Wiring size: 14 AWG Max. 26 AWG Min.
0.4 mm Min. Insulation
105°C, 250 V Min.
Certifications

ISO: Device is designed and manufactured using ISO 9001 certified quality program.
Listings: IEC 60950-1: 1st Ed./ CSA C22.2 No.60950-1/ EN 60950-1
FCC: 15.
IC:
Section 2
Installation

Introduction

This section includes the following:
➤ Dimension Drawing
➤ Setting Up Your PC or PDA With the SEL-5809 Settings Software and SEL-5810 Virtual Serial Software.
➤ Initializing the SEL-3022: Discusses the settings required to initialize the SEL-3022 when the SEL-3022 is in a reset condition.
Dimension Drawing

[Figure: dimension drawing with TOP and FRONT views; legend in (mm). Labeled dimensions: 5.24 (133.0), 4.80 (121.9), 2.40 (61.0), 3.68 (93.3), 4.06 (103.0), 1.00 (25.4); Ø0.19 (Ø4.8) mounting holes for #8 screw]

Figure 2.
Setting Up Your PC or PDA With the SEL-5809 and SEL-5810 Software

Software Installation

The SEL-5809 Settings Software is required to set, operate, and test the SEL-3022. The SEL-5810 Virtual Serial Software is used by operators to connect PC programs to remote IEDs using the SEL-3022.
Step 2. Complete the software loading process. Follow the loading instructions as they appear on the PC screen.

Registering the SEL-5809 Settings Software

To start the SEL-5809 Settings Software, use the Windows Start menu to open the software. If you installed the software within the Programs group in the main Windows directory, click Start > Programs > SEL Applications.
Step 5. When SEL receives your e-mail, you will be sent a registration key file (regkey.xml), which allows you to run the SEL-5809 Settings Software.
Step 6. Once you receive this key file, save it on your computer.
Step 7. Restart the SEL-5809 Settings Software. Load the key file using the {Load Key} button of the registration form.
Step 7. Restart the SEL-5809 Settings Software. Load the key file using the {Load Key} button of the registration form. The key automatically removes the lock.

NOTE: The registration form is also available using the Help > Register menu.

The SEL-5810 Virtual Serial Software does not have a registration key and does not need to be registered.
Initializing the SEL-3022

When the SEL-3022 is sent from the factory, or if the {RESET} button in the SEL-3022 is pressed, the transceiver is in a Reset state. The Reset state indicates that all of the encryption keys and related security parameters are erased. You can quickly determine whether the SEL-3022 is in a Reset state by applying power and viewing the status LED.
Step 5. Type in the Device Location and Device Name. Figure 2.5 is an example.

Figure 2.5 Specify New Device Location

Step 6. Click OK.
Step 7. Your device location is now listed. For our example, this location is New_Group. Select the plus arrow beside your new device location to expand the view.
Step 8. To open a serial connection to the SEL-3022, double-click on the device name.
Step 9. The first screen displays your system parameters.

Figure 2.7 Identification Screen

Step 10. The Status: Device tab shows the SEL-3022 diagnostic status, previous diagnostic failures, and the constant transmit test feature. Figure 2.8 is an example. Refer to Device Information on page 4.7 in Section 4: Settings and Commands for a description of these test parameters.
Figure 2.8 Status: Device

Step 11. Select the Settings: Wireless tab and consult your System Administrator for the Wireless Connections Settings. The settings shown are for example only.

Figure 2.
Step 12. Select the Settings: WEP Keys tab and consult your System Administrator for the WEP Key Settings. The settings shown in Figure 2.10 are for example only. WEP Keys must be set to a unique 26-character hexadecimal ASCII value other than the default.

Figure 2.10 Settings: WEP Keys

Step 13. Select the Settings: User tab and enter random 32-character hexadecimal ASCII encryption and authentication keys.
Step 14. Select the Settings: Operator tab and enter random 32-character hexadecimal ASCII encryption and authentication keys. Select a password or phrase that is 6–60 characters in length. Only the security officer should set the encryption and authentication keys. All values must be set to nondefault values. The settings shown in Figure 2.12 are for example only.

Figure 2.12 Settings: Operator

Step 15.
Step 16. After you are satisfied with your choices, select Device > Send All. This will send your initialization settings to the SEL-3022.
Step 17. You will see the following confirmation of send prompt. Select Yes to continue or No to abort.

Figure 2.14 Confirm Send Prompt

Step 18. When settings have been sent successfully, the following pop-up message appears. Select OK to acknowledge the message.

Figure 2.
Figure 2.16 Select Items to Print

Step 21. Print to a specific printer or print directly to a file.

Figure 2.17 Print Window

Step 22. Close the Device by clicking File > Close Device. Select Yes when prompted to save current session.
Step 23. To open a wireless connection to the SEL-3022, double-click on the device name. Select User, Operator, or Security Officer. Enter pass phrase, then click OK.
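
The key rules in Steps 12 through 14 (26-character hexadecimal WEP keys, random 32-character hexadecimal encryption and authentication keys, nondefault values, bounded pass phrases) can be checked before Device > Send All. The following is an added example, not part of the SEL manual or the SEL-5809 Settings Software: it draws keys from the operating system's CSPRNG and audits a settings sheet. The dictionary layout, the function names, the repeated-pattern and key-reuse checks, and the caller-supplied list of default values (the manual excerpt does not list the factory defaults) are assumptions.

```python
import secrets

HEX_DIGITS = set("0123456789ABCDEF")
WEP_KEY_LEN = 26   # 104-bit WEP key (Step 12, Table 4.3)
APP_KEY_LEN = 32   # 128-bit encryption / authentication key (Steps 13-14)
# Step 14 gives 6-60 characters; Table 4.5 gives 6-80. 60 satisfies both.
PASS_MIN, PASS_MAX = 6, 60


def new_hex_key(length):
    """Return `length` uppercase hex characters drawn from the OS CSPRNG."""
    if length % 2:
        raise ValueError("hex key length must be even")
    return secrets.token_hex(length // 2).upper()


def new_settings(passwords, wep_key_count=1):
    """Build a settings sheet (hypothetical layout) with fresh random keys.

    `passwords` maps a role name such as "User" or "Operator" to its pass phrase.
    """
    return {
        "wep_keys": [new_hex_key(WEP_KEY_LEN) for _ in range(wep_key_count)],
        "roles": {
            role: {
                "encryption_key": new_hex_key(APP_KEY_LEN),
                "authentication_key": new_hex_key(APP_KEY_LEN),
                "password": pw,
            }
            for role, pw in passwords.items()
        },
    }


def check_hex_key(name, value, length, defaults=()):
    """Return the problems found in one hex key setting (empty list = OK)."""
    problems = []
    upper = value.upper()
    if len(value) != length:
        problems.append(f"{name}: expected {length} hex characters, got {len(value)}")
    if not set(upper) <= HEX_DIGITS:
        problems.append(f"{name}: contains non-hexadecimal characters")
    elif value and len(set(upper)) <= 2:
        # Heuristic added here: a CSPRNG key with only 1-2 distinct digits
        # is effectively impossible, so this was typed by hand.
        problems.append(f"{name}: repeated pattern, not random")
    if upper in {d.upper() for d in defaults}:
        problems.append(f"{name}: still set to a default value")
    return problems


def check_settings(settings, defaults=()):
    """Audit a whole settings sheet; returns a list of problem strings."""
    problems = []
    fields = [(f"WEP Key {i}", key, WEP_KEY_LEN)
              for i, key in enumerate(settings["wep_keys"], start=1)]
    for role, cfg in settings["roles"].items():
        fields.append((f"{role} Encryption Key", cfg["encryption_key"], APP_KEY_LEN))
        fields.append((f"{role} Authentication Key", cfg["authentication_key"], APP_KEY_LEN))
        pw = cfg["password"]
        if not PASS_MIN <= len(pw) <= PASS_MAX:
            problems.append(f"{role} Password: length {len(pw)} outside {PASS_MIN}-{PASS_MAX}")
        if any(not 0x20 <= ord(c) <= 0x7E for c in pw):
            problems.append(f"{role} Password: non-printable or non-ASCII character")
    seen = {}  # key value -> first field that used it
    for name, value, length in fields:
        problems += check_hex_key(name, value, length, defaults)
        first = seen.setdefault(value.upper(), name)
        if first != name:
            # Added check: every field should carry an independent random key.
            problems.append(f"{name}: same value as {first}")
    return problems


if __name__ == "__main__":
    # Constructed pass phrases and a constructed stand-in default, for demonstration.
    sheet = new_settings({"User": "line crew 2005!", "Operator": "ops passphrase 1"})
    sheet["roles"]["User"]["encryption_key"] = "0" * 32  # simulate a hand-typed key
    for line in check_settings(sheet, defaults=["0" * 32]) or ["all settings OK"]:
        print(line)
```
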
Wireless Configuration

A wireless card is required to perform in-system settings modifications, monitoring, and to establish a virtual serial port connection. The SEL-3022 complies with the IEEE 802.11b Wireless Standard. Suitable wireless cards and associated software drivers can be found at your local computer or office supply store. Follow the 802.
Section 3
Job Done Example

Introduction

This section contains a Job Done® example for applying the SEL-3022 to an SEL-651R Recloser Control mounted twenty feet above the street.
Job Done Example 1

EXAMPLE 3.1 Applying the SEL-3022 to an SEL-651R

Identifying the Problem

Your objective is to provide a simple and secure means of communications to an SEL-651R Recloser Control mounted twenty feet above the street. You decide on the SEL-3022 Wireless Encrypting Transceiver for the following reasons:
➤ The SEL-3022 eliminates the requirement to have physical access to the recloser control, i.
SEL-3022 Initialization

An SEL-3022 direct from the factory is in a Reset condition. You must initialize various settings before installing the SEL-3022 in the recloser control. You can initialize the SEL-3022 at your desk before you deploy the transceiver. You will need the following:
➤ PC with IEEE 802.11b wireless card and SEL-5809 Settings Software loaded.
Figure 3.3 Select a Wireless Session for DNP3 Job Done Example

Step 6. Select the Settings: DCE Port tab and configure the serial port parameters to match the SEL-651R serial port to which the SEL-3022 is going to be connected.

Figure 3.4 Settings: DCE Port

Step 7. Select Device > Send All to save the settings to the SEL-3022.
Step 8. Select File > Close Device to close the connection to the SEL-3022.
Step 9.
Figure 3.5 Status: Virtual Serial Port With Connection Status Red

NOTE: This display shows the virtual serial port number created by the SEL-5809 Settings Software. In this case, the SEL-5809 Settings Software has created COM5. Also note the Connection Status is RED, indicating that there is not a PC program using the virtual port.

Step 13. Open ACSELERATOR (or other serial terminal program).
Figure 3.6 Communication Parameters Window in ACSELERATOR

Step 16. At this point, a virtual connection between ACSELERATOR and the SEL-651R exists. On the SEL-5809 Settings Software Status: Virtual Serial Port page, the Connection Status is GREEN, indicating the virtual serial port is in service.

Figure 3.
Step 17. Through use of ACSELERATOR, you can perform such tasks as reading the settings out of the SEL-651R (see Figure 3.8) or viewing the metering data (see Figure 3.9).

Figure 3.
Figure 3.9 Monitoring SEL-651R Meter Data Via the SEL-3022

Step 18. When you are done setting and configuring the SEL-651R, click Communication > Disconnect (to close the ACSELERATOR serial port connection) or click File > Exit (to shut down ACSELERATOR).
Figure 3.10 Status: Virtual Serial Port Connection Status Red

Step 19. Select File > Close Device to close the SEL-5809 Settings Software virtual serial port.

Linemen or engineers who do not need to configure the SEL-3022 transceivers will use the SEL-5810 Virtual Serial Software, which is strictly a virtual serial port program.
Figure 3.11 Specify Device to Export to SEL-5810 Virtual Serial Software

Step 24. Enter an encryption password to protect the file.
Step 25. Select OK. This will keep the file encrypted while it is being transferred to the lineman’s PC.

Figure 3.12 Export Encrypted User Configuration File

Step 26. Choose a folder to store the encrypted file and enter a file name in the File name box.
Step 27. Select OK.
Figure 3.13 Store Encrypted File

Step 28. Send or load this file onto the lineman’s PC.
Step 29. Start the SEL-5810 Virtual Serial Software.
Step 30. Click File > Import and select the file saved in Step 26 to import the SEL-3022 device image into the SEL-5810 Software.
Step 31. Enter password.
Step 32. Select OK.
Step 33. Select the {Connect} button.
Step 34. Enter User password.
Figure 3.14 Password Prompt in SEL-5810 Virtual Serial Software

Step 35. Verify the {Connect} button changes from Connect to Disconnect.
Step 36. Open ACSELERATOR.
Step 37. Select Communication > Parameters.
Step 38. Specify Device by selecting, from the drop-down menu, the Communication port generated by the SEL-5810 Virtual Serial Software (reference the SEL-5810 Terminal Connection Status: COM Port).
Step 39.
Figure 3.15 Communication Parameters Window in ACSELERATOR

Step 40. Verify on the SEL-5810 that the Terminal Connection Status: Terminal Status shows Connected.
Step 41. You can now perform setting and monitoring functions via the ACSELERATOR program such as reading SER reports by selecting HMI > Meter & Control > SER.
Figure 3.16 Reading SER Report Via ACSELERATOR

Step 42. When you are done communicating with the SEL-651R, close ACSELERATOR.
Step 43. At that point the SEL-5810 Terminal Connection Status: Terminal Status shows Disconnected.
Step 44. Select the SEL-5810 Wireless Connection: {Disconnect} button to close the wireless session. Note that the {Disconnect} button will change to Connect.
Section 4
Settings and Commands

Introduction

This section explains the settings and commands of the SEL-3022.
➤ Serial Port Settings: Settings that configure the EIA-232 serial port.
➤ Wireless Port Settings: Settings that configure the 802.11b wireless port.
➤ Communication Status Command: Diagnostic status report on the health of the SEL-3022 serial port communications channel.
➤ Device Information: Displays device-related information.
Serial Port Settings

The following settings in Table 4.1 configure the serial port.

Table 4.
Wireless Port Settings

The following settings configure the wireless interface.

NOTE: If the SEL-3022 is in a Reset mode, the wireless port will not function. See Initializing the SEL-3022 on page 2.7 in Section 2: Installation for details on enabling the wireless interface.

Table 4.
Table 4.3 Settings: WEP Keys

Setting Name | Setting Description | Value or Range
WEP Key 1 | Twenty-six character hexadecimal (104-bit) key used in the wireless encryption algorithm. | 0–9 and A–F
WEP Key 2 | Twenty-six character hexadecimal (104-bit) key used in the wireless encryption algorithm.
Table 4.5 Settings: Operator

Setting Name | Setting Description | Value or Range
Encryption Key | Thirty-two character hexadecimal ASCII (128-bit) key. | 0–9 and A–F
Authentication Key | Thirty-two character hexadecimal ASCII (128-bit) key. | 0–9 and A–F
Password | Password or Pass Phrase for operator-controlled access, referred to as Access Level 1. | 6–80 printable ASCII characters

Table 4.6 4.
Communication Status Command

You can use the SEL-5809 Settings Software and the wireless interface to issue a Communication Status command. Use the Communication Status command to analyze the health of your serial channel. All error counters reset to zero when you press the Clear Comm Statistics {Clear} button or if power is cycled to the SEL-3022.
Device Information

You can use the SEL-5809 Settings Software and the wireless interface to obtain device information.

Table 4.8 Identification

Version Name | Version Description
Firmware Version | This is the released firmware version number the SEL-3022 is running.
Hardware Version | This is the released hardware version number that determines the SEL-3022 configuration.
Output Alarm

Use the SEL-5809 Settings Software to test the alarm output of the SEL-3022.

Table 4.
Section 5
Testing and Troubleshooting

Introduction

This section provides guidelines for testing and troubleshooting the SEL-3022. Included are discussions on testing philosophies, methods, and tools. At the end of the section are descriptions of communication, channel diagnostics, self-tests, and troubleshooting procedures.
Testing Philosophy

SEL-3022 testing can be divided into three categories: acceptance, commissioning, and maintenance testing. The categories are differentiated both by when they take place in the life cycle of the transceiver and by test complexity.
➤ Ensure that the SEL-3022 functions with your settings according to your expectations.

What to Test

Perform commissioning testing on the serial and wireless ports and your alarm output. SEL performs a complete functional check of each SEL-3022 before shipment. SEL-3022 commissioning tests should verify that the power supply, serial cable, antenna, and alarm output (if used) are connected properly.
Communications Channel Diagnostics

The SEL-3022 provides a serial communication diagnostic function to aid in troubleshooting. The SEL-3022 monitors the DCE serial port for various errors. You can use the number and type of errors to troubleshoot communications channel problems.
Table 5.2 Device Status: Device Status (Sheet 2 of 2)

Status Name | Description
Avg Signal Level | Report RF Signal Level from 802.11b module
Avg Noise Level | Report RF Noise Level from 802.
Self-Tests

The SEL-3022 has extensive self-test capabilities. You can determine the diagnostic status of your SEL-3022 via the SEL-5809 Settings Software or the Status LED located on the SEL-3022.

Table 5.3 SEL-3022 Self-Test Capabilities

Test SEL-5809 Status: Device SEL-3022 Disable Status LED Contact Output Alarm
RAM Pass Yes Toggle .
Troubleshooting

Inspection Procedure

Complete the following procedure before disturbing the SEL-3022. After you finish the inspection, proceed to the Troubleshooting Procedure.

Step 1. Measure and record the power supply voltage at the power input terminals.
Step 2. Check to see that the power is on. Do not turn the SEL-3022 off.
Step 3. Measure and record the voltage at the alarm output.
Step 4.
Factory Assistance

We appreciate your interest in SEL products and services. If you have questions or comments, please contact us at:

Schweitzer Engineering Laboratories, Inc.
2350 NE Hopkins Court
Pullman, WA USA 99163-5603
Telephone: (509) 332-1890
Fax: (509) 332-7990
Internet: www.selinc.
Appendix A
Firmware and Manual Versions

Firmware

This manual covers SEL-3022 Wireless Encrypting Transceivers containing firmware bearing the firmware version numbers listed in Table A.1. This table also lists a description of modifications and the instruction manual date code that corresponds to firmware versions. The table lists the most recent firmware version first.

Table A.
Instruction Manual

The date code at the bottom of each page of this manual reflects the creation or revision date. Table A.2 lists the instruction manual release dates and a description of modifications. The table lists the most recent instruction manual revisions at the top.

Table A.2 Instruction Manual Revision History

Revision Date | Summary of Revisions
20050615 | Initial Release.
Appendix B
Firmware Upgrade Instructions

Introduction

SEL occasionally offers firmware upgrades to improve the performance of your transceiver. The SEL-3022 stores firmware in Flash memory; therefore, changing physical components is not necessary. These instructions give a step-by-step procedure to upgrade the SEL-3022 firmware by uploading a file from a personal computer to the transceiver via the DCE serial port.
IMPORTANT: Pressing the {Reset} button will erase all settings, so be sure to save your settings if they are going to be used again.

Step 3. Press the {Reset} button for at least 2 seconds. The Status LED will blink at a 2-second rate while in the reset mode.
Step 4. Start the SEL-5809 Settings Software and connect to the SEL-3022 via the serial port.

[Figure label: C388]

Figure B.
Step 6. At the Connection Method tab, select Serial.

Figure B.3 SEL-5809 Settings Software Connection Method

Step 7. Click OK.
Step 8. Double-click the device from the SEL-5809 Settings Software main menu to establish communications. While the SEL-5809 Settings Software and SEL-3022 are establishing a connection you will see the following status box.

Figure B.4 SEL-5809 Opening Connection

Step 9.
Figure B.5 Status: Device Window

Step 10. Click the {Begin} button to put the SEL-3022 into Firmware Download Mode.
Step 11. Click Yes to enter firmware download mode.

Figure B.6 Confirmation Prompt

Step 12. Click OK to acknowledge the SEL-3022 is entering firmware upgrade mode.

Figure B.
Step 13. Configure the serial port settings in the Terminal software to the following:
a. Bits per Second: 115200
b. Data bits: 8
c. Parity: None
d. Stop bits: 1
e. Flow control: Hardware

Figure B.8 Configuring Serial Port Settings in the Terminal Software

Step 14. Establish a connection to the SEL-3022 using the Terminal application.
Step 15.
Figure B.9 Send File Prompt

Step 19. Click Send.

Figure B.10 Sending Confirmation Window

Step 20. If Xmodem transfer was successful, you will receive the validating firmware message. See first line of message in Figure B.11.

Step 21. If the firmware is invalid, you will receive an invalid firmware error message. See second line of message in Figure B.11.
Figure B.11 Terminal Invalid Firmware Error Message

Step 22. Once the firmware is validated, you will receive the message that the firmware is being written to nonvolatile program memory (Flash).

IMPORTANT: Do not disconnect power during this stage.

Figure B.12 Terminal Valid Firmware Message

Step 23. When successfully written to Flash, you will need to cycle power for the new firmware to take effect.
Factory Assistance

We appreciate your interest in SEL products and services. If you have questions or comments, please contact us at:

Schweitzer Engineering Laboratories, Inc.
2350 NE Hopkins Court
Pullman, WA USA 99163-5603
Telephone: (509) 332-1890
Fax: (509) 332-7990
Internet: www.selinc.
Appendix C: Wireless Operator Interface Security

Introduction

The SEL-3022 incorporates a wireless LAN (WLAN) with which you can perform engineer access to IED and diagnostic and maintenance functions. The wireless aspect of the device makes connection of the SEL-3022 to a Personal Computer (PC) simple and efficient. Make such a connection through use of the SEL-5809 Settings Software or SEL-5810 Virtual Serial Software and 802.
Wireless Interface Security Overview

The SEL-3022 wireless operator interface and SEL-5809 Settings Software implement a two-part encryption system consisting of IEEE 802.11 WEP and the SEL Security Application. WEP is an encryption standard defined by the 802.11 specification and is available on most 802.11-enabled devices.
Application. The data frames must then AES decrypt and HMAC SHA-1 authenticate. If the SEL Security decryption or authentication fails, the SEL Security Application discards these data frames and disconnects. In summary, before the SEL-3022 considers data to be valid, the data must AES decrypt, HMAC SHA-1 authenticate, and WEP decrypt correctly, or the data are discarded.
or stolen maintenance PC, this feature gives the system security officer time to change the cryptographic security parameters on the network.

➤ Wireless Port Timeouts: The SEL-3022 will not allow another wireless connection for a short period of time after any failed authentication attempt.
IEEE 802.11 WEP Security

The IEEE 802.11 designers included provisions for data encryption and authentication to provide what they considered strong data security and network access control. The Wired Equivalent Privacy (WEP) procedures outlined in the standard provide both functions.
WEP Security Flaws Explanation

WEP is based on a two-part encryption algorithm called RC-4. The first stage of the encryption process, known as the Key Scheduling Algorithm (KSA), takes a string of key bits as input and forms an output initialization string. The second stage, known as the Pseudo-Random Generation Algorithm (PRGA), produces a pseudo-random bitstream of arbitrary length.
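The two RC-4 stages described above, written out as an added Python example (not code from this manual or from SEL). The keys and plaintexts are widely published RC4 test vectors, not WEP traffic, and the function names are chosen here for illustration.

```python
from typing import List


def ksa(key: bytes) -> List[int]:
    """Key Scheduling Algorithm: turn the key into a 256-entry permutation."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):
        # Each key byte steers one swap; the key repeats if shorter than 256.
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def prga(state: List[int], length: int) -> bytes:
    """Pseudo-Random Generation Algorithm: emit `length` keystream bytes."""
    s = list(state)  # work on a copy so the KSA output can be inspected
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR the data with the keystream (same operation)."""
    stream = prga(ksa(key), len(data))
    return bytes(d ^ k for d, k in zip(data, stream))


if __name__ == "__main__":
    ct = rc4_crypt(b"Key", b"Plaintext")
    print("ciphertext:", ct.hex())
    print("round trip:", rc4_crypt(b"Key", ct))
```

The keystream depends only on the key, so everything the PRGA emits is fixed once the KSA has run.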
The weaknesses Fluhrer, Mantin, and Shamir described are a direct consequence of the RC-4 algorithm. These researchers demonstrated that there are large classes of keys for which a very small portion of the key determines a very large portion of the KSA output.
would have to capture encrypted packets for an extremely long time to analyze the few million packets necessary to determine the WEP key and defeat the WEP encryption function.
The SEL Security Application

The SEL Security Application consists of an authentication and encryption scheme that provides very strong data security. Authentication verifies message integrity (i.e., the message has not been altered). Encryption conceals the contents of the message.
To produce a cryptographically secure signature of a message, NIST designed the SHA-1 hash function to have the following properties:

➤ Given the SHA-1 hash function, H(m), and its output, h, it is extremely difficult to derive a message, m, such that H(m) = h.

➤ Given a message, m, it is extremely difficult to find another message, m', that produces the same SHA-1 hash output.
might use K1 for encryption and K2 for decryption. The AES encryption algorithm the SEL-3022 uses is a symmetric block cipher, with an encryption/decryption key size of 128 bits. The Advanced Encryption Standard (AES) is the latest encryption standard adopted by the National Institute of Standards and Technology (NIST).
HMAC SHA-1 keyed hash value over the payload (message) portion of the received frame. If the calculated HMAC SHA-1 hash output does not match the received message fingerprint, the SEL-3022 rejects the message and terminates the session.
1.83 • 10^63 years, on average, to guess both the authentication key and the encryption key values. The analysis just described suggests that it is statistically impossible to launch a key guessing attack against the SEL-3022 device that would result in compromise of the system.
Table C.1 Number of Years Required to Guess an SEL-3022 Password

Password Length | Number of Possible Password Values | Average Number of Years Required to Guess the Password (Assuming Strong Password Choice)
... | ... | ...
80 | 3.86 • 10^158 | 3.
without direct knowledge of the correct password value. This remains true even if someone attempts a connection through use of a stolen PC with the correct wireless authentication and encryption keys programmed into the device image.
The connection dialog begins with a connection request frame (Frame 1 in Figure C.5) that is encrypted and authenticated with encryption and authentication keys programmed into the SEL-5809 Settings Software device image. Upon receiving the connection request, the SEL-3022 decrypts and authenticates the frame.
match the challenge value the SEL-3022 issued in the First Challenge frame (Frame 2 in Figure C.5), and the SEL-3022 would terminate the connection attempt. If the connection dialog succeeds up to this point (i.e.
value that is less than, or equal to, the sequence number value received in the last frame. It is exceedingly difficult to maliciously alter the sequence number in any given frame to bypass this functionality because the sequence number field is protected by the strong cryptographic authentication mechanisms provided by the HMAC SHA-1 function.
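A receiver-side sketch of the two checks described above, the HMAC SHA-1 fingerprint comparison and the sequence number test, as an added Python example that is not SEL's implementation. The frame layout (4-byte sequence number, payload, 20-byte tag computed over both), the class and function names, and the choice to drop a stale frame without ending the session are assumptions; AES decryption is left out so the block runs on the standard library alone.

```python
import hashlib
import hmac
import struct

TAG_LEN = 20  # HMAC SHA-1 output size in bytes


class FrameRejected(Exception):
    """Raised when a frame fails authentication or the sequence check."""


def build_frame(auth_key: bytes, seq: int, payload: bytes) -> bytes:
    """Assumed layout: seq (4 bytes, big-endian) || payload || HMAC tag."""
    body = struct.pack(">I", seq) + payload
    return body + hmac.new(auth_key, body, hashlib.sha1).digest()


class Receiver:
    def __init__(self, auth_key: bytes):
        self._key = auth_key
        self._last_seq = 0      # highest sequence number accepted so far
        self.connected = True

    def accept(self, frame: bytes) -> bytes:
        if not self.connected:
            raise FrameRejected("session terminated")
        if len(frame) < 4 + TAG_LEN:
            self._terminate("frame too short to carry a tag")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha1).digest()
        # Constant-time comparison; authenticate before parsing any field.
        if not hmac.compare_digest(expected, tag):
            self._terminate("HMAC SHA-1 mismatch")
        (seq,) = struct.unpack(">I", body[:4])
        # The tag covers seq, so a replayed frame cannot be renumbered.
        if seq <= self._last_seq:
            raise FrameRejected("stale or replayed sequence number")
        self._last_seq = seq
        return body[4:]

    def _terminate(self, reason: str) -> None:
        self.connected = False  # reject the message and end the session
        raise FrameRejected(reason)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key, not a real one
    rx = Receiver(key)
    print(rx.accept(build_frame(key, 1, b"ACC")))
```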
Appendix D: Certificates

ISO

The device is designed and manufactured through use of an ISO 9001 certified quality program.

Listings

IEC 60950-1: 1st Ed./CSA C22.2 No. 60950-1/EN 60950-1 FCC 15.
Glossary

AES: Advanced Encryption Standard - sponsored by NIST, AES was developed for securing sensitive but unclassified material by U.S. Government agencies. AES is a symmetric encryption algorithm (same key for encryption and decryption) that uses block encryption.
Solutions Systems, Services, and Products for the Protection, Monitoring, Control, Automation, and Metering of Utility and Industrial Electric Power Systems Worldwide.