The security algorithms used and the length of the KeyNonce for the UADP NetworkMessage depend on the selected SecurityPolicy. The algorithms are defined by SymmetricEncryptionAlgorithm and SymmetricSignatureAlgorithm in OPC 10000-7. The nonce length is part of the SymmetricEncryptionAlgorithm.

The keys used to encrypt and sign messages are extracted from the key data returned from the GetSecurityKeys method (see 8.3.2). This Method returns a sequence of key data with a length that depends on the SecurityPolicyUri, which is also returned by the Method. The layout of the key data is defined in Table 135.

Table 135 – Layout of the key data for UADP message security





Byte [SymmetricSignatureAlgorithm Key Length]

Signing key part of the key data returned from GetSecurityKeys. The SymmetricSignatureAlgorithm is defined in the SecurityPolicy.


Byte [SymmetricEncryptionAlgorithm Key Length]

Encryption key part of the key data returned from GetSecurityKeys. The SymmetricEncryptionAlgorithm is defined in the SecurityPolicy.


Byte [SymmetricEncryption Nonce Length]

Nonce part of the key data returned from GetSecurityKeys.

The layout of the MessageNonce for AES-CTR mode is defined in Table 136.

Table 136 – Layout of the MessageNonce for AES-CTR





Byte [4]

The random part of the MessageNonce. This number does not need to be a cryptographically random number, it can be pseudo-random.



Sequence number for the MessageNonce as defined in

The sequence number is reset to 1 after the key and SecurityTokenId are updated in the Publisher.

The message encryption and decryption with AES-CTR mode uses a secret and a counter block. The secret is the EncryptingKey from the key data defined in Table 135. The layout and content of the counter block is defined in Table 137.

Table 137 – Layout of the counter block for UADP message security for AES-CTR





Byte [4]

The KeyNonce portion of the key data returned from GetSecurityKeys.


Byte [8]

The first 8 bytes of the Nonce in the SecurityHeader of the NetworkMessage.

For AES-CTR mode the length of the SecurityHeader Nonce shall be 8 Bytes.


Byte [4]

The counter for each encrypted block of the NetworkMessage.

The counter is a 32-bit big endian integer (the opposite of the normal encoding for UInt32 values in OPC UA. This convention comes from the AES-CTR RFC).

The counter starts with 1 at the first block. The counter is incremented by 1 for each block.

AES-CTR mode takes the counter block and encrypts it using the encrypting key. The encrypted key stream is then logically XORed with the data to encrypt or decrypt. The process is repeated for each block in plain text. No padding is added to the end of the plain text. AES-CTR does not change the size of the plain text data and can be applied directly to a memory buffer containing the message.

The signature is calculated on the entire NetworkMessage including any encrypted data. The signature algorithm is specified by the SecurityPolicyUri in OPC 10000-7.

When a Subscriber or a Publisher receives a NetworkMessage, it shall verify the signature before processing the payload. If verification fails, it drops the NetworkMessage.

Other SecurityPolicy may specify different key lengths or cryptography algorithms.