Hi,
I am trying to connect to a Sagemcom T-210D using Suite 1 (AuthenticatedEncryption) and HLS-5 (HighGMAC).
I could successfully import the client certificate using the public client; however, logging on to the management client fails.
I compared the messages between an existing, working DLMS application and DLMSDirector and noticed that our existing application wraps the message in pass 3 (invocation of "reply to HLS authentication" method) in a GeneralSigning APDU using the client key, whereas DLMSDirector does not. As a result, the meter responds with "ServiceNotAllowed".
In DLMSDirector, I enabled "Sign Initiate request and response", with Signing set to "GeneralSigning". The correct signing client key is selected.
Below you see the message as sent by the existing DLMS application, with GeneralSigning in place:
<HDLC len="21" >
<!-- Logical address:1, Physical address:16 -->
<TargetAddress Value="90" />
<SourceAddress Value="2" />
<FrameType Value="34" />
<!-- UNI/TS system title:
Manufacturer: CPO
Serial number: 08090A0B0C0D
-->
<!-- Invocation Counter: 1427 -->
<!-- Decrypt data: DF 00 08 0F 0E 0D 0C 0B 0A 09 08 08 53 41 47 67 70 06 7A 23 00 00 20 C3 01 C1 00 0F 00 00 28 00 00 FF 01 01 09 11 11 00 00 05 92 70 50 C6 67 AF CA E3 35 FF E4 91 EB 40 E0 DD C8 E6 9B 5A B6 FC BE DD 26 0B 74 3F 98 40 5C EA 8C 52 83 C2 25 C9 57 64 81 DC 3D E0 73 63 DA E8 A6 65 5A FB BF E7 E9 B0 E5 B1 9F C9 7A 5C B4 40 48 58 A8 59 88 09 1C D6 2D EB 43 AE 4B 0F
<GeneralSigning>
<TransactionId Value="0000000000000000" />
<OriginatorSystemTitle Value="0F0E0D0C0B0A0908" />
<RecipientSystemTitle Value="5341476770067A23" />
<DateTime Value="" />
<OtherInformation Value="" />
# Security : AuthenticationEncryption
# Security Suite: Suite1
# Invocation Counter: 0
# Decrypt data: C3 01 C1 00 0F 00 00 28 00 00 FF 01 01 09 11 11 00 00 05 92 70 50 C6 67 AF CA E3 35 FF E4 91 EB 40 E0 DD C8 E6 9B 5A B6 FC BE DD 26 0B 74 3F 98 40 5C EA 8C 52 83 C2 25 C9 57 64 81 DC 3D E0 73 63 DA E8 A6 65 5A FB BF E7 E9 B0 E5 B1 9F C9 7A 5C B4 40 48 58 A8 59 88 09 1C D6 2D EB 43 AE 4B 0F
<ActionRequest>
<ActionRequestNormal>
# Priority: High, ServiceClass: Confirmed, Invoke ID: 1
<InvokeIdAndPriority Value="C1" />
<MethodDescriptor>
# AssociationLogicalName
<ClassId Value="000F" />
# 0.0.40.0.0.255
<InstanceId Value="0000280000FF" />
# Reply to HLS authentication
<MethodId Value="01" />
</MethodDescriptor>
<MethodInvocationParameters>
<OctetString Value="11000005927050C667AFCAE335FFE491EB" />
</MethodInvocationParameters>
</ActionRequestNormal>
</ActionRequest>
<Content Value="C301C1000F0000280000FF0101091111000005927050C667AFCAE335FFE491EB" />
<Signature Value="" />
</GeneralSigning>
-->
<GeneralGloCiphering>
<SystemTitle Value="0F0E0D0C0B0A0908" />
<CipheredService Value="3100000593A13AC6D7F7FE8398AC4AF2F41EF97BD00D93AD620A83B7075EE5E59316658DD71F98F3F34F77BE34CE9225706853E4F9F626533774BAEB9F6B7A621DE971DD05F5C2109ADDF0ED09689B2C1CB3A508D4A52394078662042CE98CE4FC5912DD9E20A96DD8FA28F767938D8297400E7ED53C7413DCACD0CEB9622A183637DA505DE11FD7D7" />
</GeneralGloCiphering>
</HDLC>
And here is the message that is sent by DLMSDirector:
<HDLC len="3F" >
<!-- Logical address:1, Physical address:16 -->
<TargetAddress Value="90" />
<SourceAddress Value="2" />
<FrameType Value="32" />
<PDU>
<!-- Invocation Counter: 1448 -->
<!-- Decrypt data: C3 01 C1 00 0F 00 00 28 00 00 FF 01 01 09 11 11 00 00 05 A7 DB 8D 2B 5F D1 0F DA CA D0 C9 D3 7C
<ActionRequest>
<ActionRequestNormal>
# Priority: High, ServiceClass: Confirmed, Invoke ID: 1
<InvokeIdAndPriority Value="C1" />
<MethodDescriptor>
# AssociationLogicalName
<ClassId Value="000F" />
# 0.0.40.0.0.255
<InstanceId Value="0000280000FF" />
# Reply to HLS authentication
<MethodId Value="01" />
</MethodDescriptor>
<MethodInvocationParameters>
<OctetString Value="11000005A7DB8D2B5FD10FDACAD0C9D37C" />
</MethodInvocationParameters>
</ActionRequestNormal>
</ActionRequest>
-->
<glo_ActionRequest Value="31000005A8E5786BD961637A1CBA8DEC5CEDC3D52D71C4DBB962D701918968063BA75EE32FA174C66F0BB2989EB1F32303" />
</PDU>
</HDLC>
The latter leads to receiving the following error message from the meter:
<HDLC len="36" >
<TargetAddress Value="2" />
<!-- Logical address:1, Physical address:16 -->
<SourceAddress Value="90" />
<FrameType Value="52" />
<PDU>
<ExceptionResponse>
<StateError Value="ServiceNotAllowed" />
<ServiceError Value="OperationNotPossible" />
</ExceptionResponse>
</PDU>
</HDLC>
Is there any way to apply a signature on the message in pass 3?
Thanks and best regards
Alex
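Added example, not part of the post above and not DLMSDirector or Gurux code: a Python decoder for the "Decrypt data" bytes of the working application's trace, splitting the general-signing wrapper into its fields and decoding the pass 3 ACTION request inside it. The wrapper's field order and the SC + IC + 12-byte tag split of the 17-byte method parameter are assumptions based on the general-signing APDU layout and the HLS-5 (GMAC) reply format; the function names are illustrative.

```python
# Constructed input: the "Decrypt data" bytes from the working application's trace.
APDU = bytes.fromhex(
    "DF 00 08 0F0E0D0C0B0A0908 08 5341476770067A23 00 00"
    " 20 C301C1000F0000280000FF0101091111000005927050C667AFCAE335FFE491EB"
    " 40 E0DDC8E69B5AB6FCBEDD260B743F98405CEA8C5283C225C9576481DC3DE07363"
    "    DAE8A6655AFBBFE7E9B0E5B19FC97A5CB4404858A85988091CD62DEB43AE4B0F")

# Assumed field order of the general-signing APDU (tag 0xDF).
FIELDS = ("transaction_id", "originator_system_title", "recipient_system_title",
          "date_time", "other_information", "content", "signature")

def read_octets(buf, pos):
    """Return (value, next_pos) for one length-prefixed octet string."""
    if pos >= len(buf) or buf[pos] & 0x80:
        raise ValueError("missing or long-form length (not handled here)")
    end = pos + 1 + buf[pos]
    if end > len(buf):
        raise ValueError("field runs past end of APDU")
    return buf[pos + 1:end], end

def parse_general_signing(apdu):
    """Split a general-signing APDU into its seven fields."""
    if apdu[:1] != b"\xDF":
        raise ValueError("not a general-signing APDU")
    pos, out = 1, {}
    for name in FIELDS:
        out[name], pos = read_octets(apdu, pos)
    if pos != len(apdu):
        raise ValueError("trailing bytes after signature")
    return out

def parse_pass3_action(content):
    """Decode the ACTION-Request-Normal carrying 'reply to HLS authentication'."""
    # C3 01 = action-request, normal; 01 09 = parameters present, octet-string.
    if content[:2] != b"\xC3\x01" or content[12:14] != b"\x01\x09":
        raise ValueError("unexpected ACTION request layout")
    f_stoc, end = read_octets(content, 14)
    if end != len(content) or len(f_stoc) != 17:
        raise ValueError("parameter is not SC + IC + 12-byte tag")
    return {"class_id": int.from_bytes(content[3:5], "big"),
            "obis": ".".join(str(b) for b in content[5:11]),
            "method_id": content[11],
            "security_control": f_stoc[0],  # 0x11 here: authentication, suite 1
            "invocation_counter": int.from_bytes(f_stoc[1:5], "big"),
            "gmac_tag": f_stoc[5:]}

if __name__ == "__main__":
    gs = parse_general_signing(APDU)
    print({name: value.hex().upper() for name, value in gs.items()})
    print(parse_pass3_action(gs["content"]))
```

In these bytes the transaction-id, date-time and other-information fields have length 0, and the signature field is 64 bytes long.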
Hi,
According to the DLMS standards, the signature is used after the connection is fully established to the client and it's not added in Pass 3 or Pass 4.
++++++++++
If both passes 3 and 4 are successfully executed, then the AA is established with the
application context and xDLMS context negotiated.
++++++++++
This also applies to dedicated keys.
I also checked that all the meters that we have don't add GeneralSigning before the connections are fully established and the meter has passed step 4.
BR,
Mikko