OCPP Basic Authentication

OCPP SecurityProfile 1 and 2 - Basic Auth

Within the OCPP specification documents, chargers connecting to a CPMS using either SecurityProfile 1 or 2 must connect using Basic Authentication (profile 1 is Basic Auth over an unencrypted WebSocket, profile 2 is Basic Auth over TLS). In the real world, many charger manufacturers let you configure basic authentication credentials regardless of whether a SecurityProfile has been set on the chargepoint at all.


The access credentials, in this case a username and password, are taken from the chargePointId (which becomes the username) and the configuration key "AuthorizationKey" (which becomes the password). If setting remotely via a CPMS, the AuthorizationKey should be set and accepted before attempting to raise the SecurityProfile to 1; otherwise the chargepoint reconnects with Basic Auth required but has no password to present, and you have locked it out.

The AuthorizationKey is not sent to the chargepoint as the raw password but hexadecimal encoded; the chargepoint decodes it and uses the resulting bytes as the password in its Authorization credentials. Hex encoding is a representation that lets a binary key travel inside a JSON string, not a protection: anyone who can read the ChangeConfiguration message can decode the key, so set it over a TLS-protected connection wherever one is available. According to the OCA Security Whitepaper, the AuthorizationKey password should be as follows:

  • Hexadecimal encoded - the key is carried in the configuration value as a hexadecimal string
  • Randomly-generated binary - to obtain a high level of entropy (not a typed-in, printable password)
  • Length - between 16 and 20 bytes (inclusive), i.e. 32 to 40 hexadecimal characters
  • WriteOnly - the chargepoint must not send the password in response to a GetConfiguration request

An example of this process might be as follows:

  1. The CPMS generates a random password string (a printable one is used here only so the example is readable): dk2q0rfu2q0f-2f0rdg
  2. The CPMS hex-encodes the string as follows: 646B327130726675327130662D326630726467
  3. The CPMS sends a ChangeConfiguration with this password: [2, "UUID-1234", "ChangeConfiguration", { "key":"AuthorizationKey", "value":"646B327130726675327130662D326630726467" }]
  4. The chargepoint replies with a ChangeConfiguration.conf status of Accepted, decodes the string back to dk2q0rfu2q0f-2f0rdg and uses this for future connections

If you want to test this flow, our ocpp1.6 simulator supports AuthorizationKey with or without SecurityProfile 1.
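The following is an added example (not code from the page or from the simulator it mentions) of both halves of this flow: the CPMS generates a random key, hex-encodes it into a ChangeConfiguration CALL, and a minimal chargepoint decodes it, enforces the 16 to 20 byte limit, stores it as the Basic Auth password, and honours WriteOnly by never echoing the value from GetConfiguration. Class and function names are hypothetical; the message framing follows OCPP 1.6-J ([2, id, action, payload] for a CALL, [3, id, payload] for a CALLRESULT).

```python
import json
import secrets
import uuid
from typing import Optional

# OCPP 1.6-J message type ids
CALL, CALLRESULT, CALLERROR = 2, 3, 4

# AuthorizationKey length limits from the OCA security whitepaper, in bytes
MIN_KEY_BYTES, MAX_KEY_BYTES = 16, 20


def generate_authorization_key(nbytes: int = MAX_KEY_BYTES) -> bytes:
    """CPMS side: random binary key, which has far more entropy than a typed password."""
    if not MIN_KEY_BYTES <= nbytes <= MAX_KEY_BYTES:
        raise ValueError("AuthorizationKey must be 16 to 20 bytes")
    return secrets.token_bytes(nbytes)


def build_change_configuration(key: bytes, message_id: Optional[str] = None) -> str:
    """CPMS side: hex-encode the key and wrap it in a ChangeConfiguration CALL."""
    if not MIN_KEY_BYTES <= len(key) <= MAX_KEY_BYTES:
        raise ValueError("AuthorizationKey must be 16 to 20 bytes")
    payload = {"key": "AuthorizationKey", "value": key.hex().upper()}
    return json.dumps([CALL, message_id or str(uuid.uuid4()), "ChangeConfiguration", payload])


def parse_message(raw: str) -> list:
    """Decode one OCPP-J frame (used by both sides)."""
    return json.loads(raw)


class ChargePoint:
    """Hypothetical chargepoint handling only the two actions this flow needs."""

    def __init__(self, charge_point_id: str) -> None:
        self.charge_point_id = charge_point_id
        self.authorization_key: Optional[bytes] = None  # decoded bytes, the Basic Auth password

    def handle_call(self, raw: str) -> str:
        msg = parse_message(raw)
        if not (isinstance(msg, list) and len(msg) == 4 and msg[0] == CALL):
            raise ValueError("expected an OCPP-J CALL frame")
        _, message_id, action, payload = msg
        if action == "ChangeConfiguration":
            return json.dumps([CALLRESULT, message_id, self._change_configuration(payload)])
        if action == "GetConfiguration":
            return json.dumps([CALLRESULT, message_id, self._get_configuration(payload)])
        return json.dumps([CALLERROR, message_id, "NotImplemented", action, {}])

    def _change_configuration(self, payload: dict) -> dict:
        if payload.get("key") != "AuthorizationKey":
            return {"status": "NotSupported"}
        try:
            key = bytes.fromhex(payload.get("value", ""))
        except (ValueError, TypeError):  # odd length, non-hex characters, or not a string
            return {"status": "Rejected"}
        if not MIN_KEY_BYTES <= len(key) <= MAX_KEY_BYTES:
            return {"status": "Rejected"}
        self.authorization_key = key
        return {"status": "Accepted"}

    def _get_configuration(self, payload: dict) -> dict:
        # WriteOnly: report that the key exists but never include its value
        requested = payload.get("key") or ["AuthorizationKey"]
        known, unknown = [], []
        for name in requested:
            if name == "AuthorizationKey":
                known.append({"key": name, "readonly": False})
            else:
                unknown.append(name)
        return {"configurationKey": known, "unknownKey": unknown}


def provision_key(cp: ChargePoint, key: bytes, message_id: str = "UUID-1234") -> str:
    """Run the CPMS -> chargepoint exchange and return the chargepoint's status."""
    reply = parse_message(cp.handle_call(build_change_configuration(key, message_id)))
    return reply[2]["status"]


if __name__ == "__main__":
    # The page's worked example (a printable string) followed by a properly random key.
    cp = ChargePoint("CP001")
    print(provision_key(cp, bytes.fromhex("646B327130726675327130662D326630726467")), cp.authorization_key)
    print(provision_key(cp, generate_authorization_key()), cp.authorization_key.hex())
```

The chargepoint keeps the decoded bytes, so a random binary key works exactly like the printable one in the page's example; the only difference is that it never appears as readable text anywhere in the exchange.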

Basic Authentication

Basic authentication (RFC 7617) is one of the simplest and most widely used HTTP authentication schemes: the client presents a username and password with its request, and the server grants access if they match its records. It is easy to implement but has a notable limitation: the credentials are only encoded, not encrypted, so anyone who can observe the connection can recover them. Under SecurityProfile 1 there is no TLS, so the chargepoint's credentials cross the network in the clear; SecurityProfile 2 adds TLS, which encrypts the connection and protects them in transit. Basic authentication is therefore a foundation to combine with transport encryption and other controls, not a protection on its own.

Authentication header

The header that carries the credentials is the Authorization header. The username and password are joined with a colon into a single string, username:password, that string is Base64-encoded (a binary-to-text encoding, which is what allows a binary AuthorizationKey to be carried in an ASCII header), and the result is prefixed with the word Basic, for example Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ= (which decodes to username:password). In OCPP-J the chargepoint sends this header on the HTTP GET that opens the WebSocket connection, and the CPMS checks it before completing the upgrade. Base64 is an encoding, not encryption: anyone who sees the header can decode it in one call, so it provides no confidentiality and relies on TLS for that.

Simple Basic-Authentication Example

A very simple example would be a chargepoint with the chargePointId mycharger and the password password12345 (for illustration only: at 13 bytes it is shorter than the 16-byte minimum, and a real AuthorizationKey would be random bytes rather than a readable word). We'd construct the Authorization header as follows:

Basic base_64_encode(mycharger:password12345)

Which would become:

Basic bXljaGFyZ2VyOnBhc3N3b3JkMTIzNDU=
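As an added example (not code from the page or the simulator it mentions), the code below builds the header exactly as above and then shows the CPMS-side check that goes with it: parse the header, reject malformed ones, compare the password in constant time, and require that the username matches the chargePointId in the WebSocket URL path. The in-memory key store, the /ocpp/<chargePointId> path layout and all names are assumptions for the example.

```python
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple


def build_authorization_header(charge_point_id: str, authorization_key: bytes) -> str:
    """Chargepoint side: 'Basic ' + base64(chargePointId ':' key bytes)."""
    if ":" in charge_point_id:
        # RFC 7617 forbids a colon in the user-id; it would be ambiguous with the separator
        raise ValueError("chargePointId must not contain ':'")
    credentials = charge_point_id.encode("utf-8") + b":" + authorization_key
    return "Basic " + base64.b64encode(credentials).decode("ascii")


def parse_authorization_header(header: str) -> Optional[Tuple[str, bytes]]:
    """CPMS side: return (username, password bytes), or None if the header is malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.partition(b":")  # split on the FIRST colon only
    if not sep:
        return None
    try:
        return user.decode("utf-8"), password
    except UnicodeDecodeError:
        return None


class Cpms:
    """Hypothetical CPMS-side check performed on the WebSocket upgrade request."""

    def __init__(self, authorization_keys: Dict[str, bytes]) -> None:
        # chargePointId -> AuthorizationKey bytes (constructed store for the example)
        self._keys = authorization_keys

    def authenticate(self, path: str, headers: Dict[str, str]) -> Tuple[bool, str]:
        # Assumption: the chargePointId is the last path segment of the WebSocket URL
        url_id = path.rstrip("/").rsplit("/", 1)[-1]
        header = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
        if header is None:
            return False, "missing Authorization header"
        parsed = parse_authorization_header(header)
        if parsed is None:
            return False, "malformed Authorization header"
        username, password = parsed
        # Compare against a dummy for unknown ids so timing does not reveal which ids exist
        expected = self._keys.get(username, b"\x00" * 20)
        key_ok = hmac.compare_digest(password, expected) and username in self._keys
        if not key_ok:
            return False, "bad credentials"
        if username != url_id:
            return False, "username does not match chargePointId in URL"
        return True, "accepted"


if __name__ == "__main__":
    header = build_authorization_header("mycharger", b"password12345")
    print(header)  # the page's example header
    cpms = Cpms({"mycharger": b"password12345"})
    print(cpms.authenticate("/ocpp/mycharger", {"Authorization": header}))
    print(cpms.authenticate("/ocpp/othercharger", {"Authorization": header}))
```

Splitting on the first colon matters because the AuthorizationKey is arbitrary bytes and may itself contain 0x3A; the identity check against the URL stops a chargepoint that knows one valid credential pair from connecting as a different charger.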