OCPP websocket communications can be established over unsecured connections or over connections secured with TLS. It is strongly recommended to always use TLS for these sockets, as it greatly increases security and significantly reduces the risk of malicious parties snooping on your communications. Technically this is supported in the OCPP1.6 Security Whitepaper or OCPP2.0.1 via the SecurityProfile configuration setting, but most chargepoints handle TLS connections without any SecurityProfile being specified.
Many chargepoint manufacturers handle TLS using a pre-installed public pool of root certificates, but do not support SecurityProfile 2 correctly. Specifically, they do not support the commands for managing RootCAs: InstallCertificate, DeleteCertificate, and GetInstalledCertificateIds. This means they can connect over TLS out-of-the-box, but you cannot verify that potentially dangerous RootCAs are absent, you cannot remove them, and you cannot enforce certificate pinning.
According to the Security Whitepaper and OCPP2.0.1, the correct method is to require the CPMS to install RootCAs on the chargepoint using the InstallCertificate command. The downside is that this method adds complexity to both the CPMS and the chargepoint to manage certificates; the upside is that you can ensure your chargepoint will only connect to your specific CPMS.
| Pre-installed public root certificates | RootCAs installed via InstallCertificate |
| --- | --- |
| Connects via TLS out-of-the-box | Requires InstallCertificate before using TLS |
| Much easier initial setup | Complexity in initial setup |
| Cannot control which RootCAs to use | Can explicitly only trust specific RootCAs |
| Cannot enforce certificate pinning | Can enforce certificate pinning |
Transport Layer Security (TLS) is a cryptographic protocol designed to provide secure communication over a computer network. It is widely used to safeguard data exchanged between clients and servers, especially on the internet. Whether you're browsing websites, sending emails, or conducting online transactions, TLS ensures that the information transmitted remains private and protected from eavesdropping or tampering.
The primary purpose of TLS is to establish a secure, encrypted connection between two parties. This is achieved through a process called the handshake, during which the client and server authenticate each other and agree on encryption keys. Once established, all data exchanged is encrypted, making it extremely difficult for malicious actors to intercept or alter the information. This security mechanism is vital for sensitive activities such as online banking, shopping, and transmitting personal data.
Using TLS offers numerous benefits over unsecured communication methods. It helps maintain the confidentiality and integrity of data, ensuring that sensitive information like passwords, credit card numbers, and personal details are kept private. Additionally, TLS provides authentication, verifying the identity of websites or servers, which helps prevent impersonation and man-in-the-middle attacks. Overall, TLS enhances trustworthiness and security in digital interactions, making online activities safer for users and organizations alike.
TLS certificate pinning is a security technique used to enhance the trustworthiness of secure communications. It involves associating a specific cryptographic certificate or public key with a particular server or domain and configuring client applications to only accept that pre-defined certificate or key during the TLS handshake.
When a client, such as a mobile app or web browser, connects to a server, it typically verifies the server’s TLS certificate against a trusted certificate authority (CA). However, certificate authorities are numerous, and compromised or fraudulent certificates can sometimes pose security risks. Certificate pinning mitigates this by "pinning" the expected certificate or public key within the client. During subsequent connections, the client compares the server’s presented certificate to the pinned one. If they don’t match, the connection is rejected, preventing man-in-the-middle attacks that rely on fraudulent certificates.
By implementing TLS certificate pinning, organizations can significantly reduce the risk of impersonation and ensure that users are communicating with the legitimate server. It is especially useful in high-security environments, mobile applications, and sensitive services where tampering or impersonation could have serious consequences. However, it also requires careful management, as updating pinned certificates in the client applications can be complex if certificates need to be rotated or renewed.
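The pin comparison described above, shown as an added example (not code from the original page or from any OCPP implementation): a client pins the SHA-256 fingerprint of the CPMS certificate and also accepts a pre-provisioned successor pin so that rotation does not lock it out. The function names, the sample byte strings, and the choice to fingerprint the whole DER certificate rather than only the public key are assumptions of this example.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def is_pinned(der_cert: bytes, pins: frozenset) -> bool:
    """True if the presented certificate matches any configured pin."""
    presented = fingerprint(der_cert)
    matched = False
    for pin in pins:
        # Constant-time comparison against every pin, without an early exit.
        matched |= hmac.compare_digest(presented, pin.lower())
    return matched


def connect_pinned(host: str, port: int, pins: frozenset) -> ssl.SSLSocket:
    """Open a TLS socket to the CPMS; reject it unless the leaf certificate is pinned."""
    if not pins:
        raise ValueError("refusing to connect with an empty pin set")
    ctx = ssl.create_default_context()  # chain and hostname validation still apply
    sock = ctx.wrap_socket(socket.create_connection((host, port), timeout=10),
                           server_hostname=host)
    der = sock.getpeercert(binary_form=True)
    if der is None or not is_pinned(der, pins):
        sock.close()
        raise ssl.SSLError("CPMS certificate does not match any pinned fingerprint")
    return sock


# Constructed placeholder bytes standing in for DER certificates (not real certificates).
CURRENT_CERT = b"constructed-der-current-cpms-cert"
NEXT_CERT = b"constructed-der-next-cpms-cert"
ROGUE_CERT = b"constructed-der-issued-by-other-ca"

# Pin the current certificate plus its planned successor to survive rotation.
PINS = frozenset({fingerprint(CURRENT_CERT), fingerprint(NEXT_CERT)})

if __name__ == "__main__":
    for name, cert in [("current", CURRENT_CERT), ("next", NEXT_CERT),
                       ("rogue", ROGUE_CERT)]:
        print(name, "accepted" if is_pinned(cert, PINS) else "rejected")
```

In this sketch the pin check runs in addition to normal CA validation, so a certificate that chains to a trusted root but is not pinned is still rejected.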