DNP3

Specify the Algorithms used to Secure Message Content

Use the fields within the Algorithms section of the Security tab to specify which HMAC and Key Wrap algorithms this particular outstation uses.

HMAC

Specify which Hash-based Message Authentication Code (HMAC) algorithm the outstation is to use when:

Use the combo box to display a list of supported HMACs. We recommend that you select the largest HMAC supported by the DNP3 outstation and appropriate to the type of communications being used. In addition to specifying which algorithm the devices are to use, the selected option also determines how each calculated HMAC value is truncated before being inserted into each message. (A SHA-1 value is 20 octets long before truncation; a SHA-256 value is 32 octets long before truncation.)

The outstation will generate an ‘HMAC Algorithm Not Permitted’ diagnostics message should it receive a challenge using an HMAC algorithm that it does not support. Should this occur, Geo SCADA Expert will revert to using the HMAC-SHA1 algorithm for further challenge requests.

Key Wrap

Geo SCADA Expert uses this Key Wrap algorithm to encrypt the Session Keys during a Session Key Change, using a pre-shared Update Key. The algorithm also determines the length of the Update Key. Geo SCADA Expert supports a single Key Wrap algorithm: the Advanced Encryption Standard (AES) algorithm AES-128. The AES-128 algorithm requires a 128-bit Update Key, comprising 32 hexadecimal digits.

During a Session Key Change, the outstation determines which Key Wrap algorithm Geo SCADA Expert is to use for the Session Key Change. Should the outstation request an unsupported Key Wrap algorithm, Geo SCADA Expert will send a ‘Key Wrap Algorithm Not Permitted’ error to the outstation. If this occurs, the outstation has to revert to using the mandatory Key Wrap algorithm AES-128.
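The following added example (not part of the Geo SCADA Expert documentation or product code) illustrates the HMAC truncation described under HMAC and the 32-hexadecimal-digit Update Key requirement described under Key Wrap. The option names, the truncation lengths in HMAC_OPTIONS, and the sample key and message values are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumed option table (not from the page): name -> (hash, octets kept).
HMAC_OPTIONS = {
    "SHA1-4": (hashlib.sha1, 4),
    "SHA1-10": (hashlib.sha1, 10),
    "SHA256-8": (hashlib.sha256, 8),
    "SHA256-16": (hashlib.sha256, 16),
}


def parse_update_key(hex_text: str) -> bytes:
    """AES-128 needs a 128-bit Update Key: exactly 32 hexadecimal digits."""
    digits = "".join(hex_text.split())
    if len(digits) != 32:
        raise ValueError(f"expected 32 hex digits, got {len(digits)}")
    return bytes.fromhex(digits)  # ValueError on any non-hex character


def truncated_hmac(key: bytes, message: bytes, option: str) -> bytes:
    """Compute the full HMAC, then keep only the leftmost octets."""
    hash_fn, keep = HMAC_OPTIONS[option]
    full = hmac.new(key, message, hash_fn).digest()  # 20 or 32 octets
    return full[:keep]


def verify(key: bytes, message: bytes, option: str, received: bytes) -> bool:
    """Recompute the truncated value and compare in constant time."""
    expected = truncated_hmac(key, message, option)
    return hmac.compare_digest(expected, received)


def mac_bits(option: str) -> int:
    """Bits an attacker must guess to forge a value for this option."""
    return 8 * HMAC_OPTIONS[option][1]


if __name__ == "__main__":
    key = bytes(range(16))                 # constructed sample key
    msg = b"constructed DNP3 fragment"     # constructed sample message
    for name in HMAC_OPTIONS:
        mac = truncated_hmac(key, msg, name)
        print(name, mac.hex(), mac_bits(name), verify(key, msg, name, mac))
```

The shorter the truncated value, the fewer bits protect each message, which is why the largest option that the outstation and communications type allow is the recommended choice.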


Geo SCADA Expert 2020