A SecurityPolicy specifies which security mechanisms are to be used and is derived from a Security Profile (see 4.7 for details). SecurityPolicies are used by the Server to announce which mechanisms it supports and by the Client to select one to use with the SecureChannel it wishes to open or for the session-less connection it wishes to make. SecurityPolicies are also used with PubSub communication. SecurityPolicies include the following information:
- algorithms for signing and encryption
- algorithm for key derivation
The choice of allowed SecurityPolicies is normally made by the administrator, typically when the OPC UA Applications are installed. The available SecurityPolicies are specified in OPC 10000-7. The administrator can later change the selection of allowed SecurityPolicies as circumstances dictate.
The announcement of SecurityPolicies is handled by the discovery Services specified in OPC 10000-4. More details about the discovery mechanisms and policy announcement strategies can be found in OPC 10000-12.
Since computing power increases every year, algorithms that are considered secure today can become insecure in the future. It therefore makes sense to support several SecurityPolicies in an OPC UA Application and to be able to adopt new ones as they become available. NIST and other agencies publish estimates of the expected lifetime of algorithms (see NIST 800-57). The list of supported SecurityPolicies will be updated based on recommendations such as those published by NIST. From a deployment point of view it is important that the periodic site review checks that the currently selected SecurityPolicies still fulfil the required security objectives and, if they do not, that a newer selection is made.
New SecurityPolicies are also composed to support new algorithms that improve the level of security of OPC UA products. The architecture of an OPC UA Application should therefore be designed so that cryptographic algorithms can be updated or added with little or no code change.
OPC 10000-7 specifies several policies, each identified by a unique URI. To improve interoperability among vendors' products, Server and Publisher products implement these policies rather than defining their own, and Clients and Subscribers support the same policies.
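The following is an added example, not text or code from OPC 10000-2 or any OPC UA stack. It shows the client-side step described above: the administrator's allow-list of SecurityPolicies is applied to the endpoints a Server announces, and the strongest mutually supported policy and MessageSecurityMode is chosen. The policy URIs are the ones assigned in OPC 10000-7 and the deprecation of Basic128Rsa15 and Basic256 follows that part; the numeric ranking, the endpoint list and the host name are this example's own assumptions and constructed sample data, not the result of a real GetEndpoints call. The policy table is data rather than code so that a new policy is added by a new row, in the spirit of the preceding paragraph.

```python
"""Client-side SecurityPolicy selection against a Server's announced endpoints.

Added example. Policy URIs are those assigned in OPC 10000-7; the rank ordering,
the deprecation flags, and the endpoint list are this example's own assumptions
and constructed sample data (no real GetEndpoints call is made).
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Set

POLICY_BASE = "http://opcfoundation.org/UA/SecurityPolicy#"


@dataclass(frozen=True)
class PolicyInfo:
    uri: str
    rank: int          # higher = preferred; ordering is this example's assumption
    deprecated: bool   # Basic128Rsa15 and Basic256 are deprecated in OPC 10000-7


# Table-driven registry: adopting a new policy means adding a row, not new code paths.
POLICY_REGISTRY = {
    p.uri: p
    for p in (
        PolicyInfo(POLICY_BASE + "None", 0, False),
        PolicyInfo(POLICY_BASE + "Basic128Rsa15", 1, True),
        PolicyInfo(POLICY_BASE + "Basic256", 2, True),
        PolicyInfo(POLICY_BASE + "Basic256Sha256", 3, False),
        PolicyInfo(POLICY_BASE + "Aes128_Sha256_RsaOaep", 4, False),
        PolicyInfo(POLICY_BASE + "Aes256_Sha256_RsaPss", 5, False),
    )
}

# MessageSecurityMode names as defined in OPC 10000-4, ranked weakest to strongest.
MODE_RANK = {"None": 0, "Sign": 1, "SignAndEncrypt": 2}


@dataclass(frozen=True)
class Endpoint:
    """Subset of an EndpointDescription relevant to policy selection."""
    url: str
    policy_uri: str
    security_mode: str


def select_endpoint(endpoints: Iterable[Endpoint],
                    allowed_policies: Set[str],
                    allow_none: bool = False) -> Optional[Endpoint]:
    """Pick the announced endpoint with the strongest allowed policy and mode.

    Unknown URIs are ignored rather than guessed at, deprecated policies are
    refused even if the allow-list names them, and the None policy is only
    accepted when the caller opts in explicitly. Returns None if nothing fits.
    """
    best = None
    for ep in endpoints:
        info = POLICY_REGISTRY.get(ep.policy_uri)
        if info is None or info.deprecated or info.uri not in allowed_policies:
            continue
        if info.rank == 0 and not allow_none:
            continue
        if ep.security_mode not in MODE_RANK:
            continue
        key = (info.rank, MODE_RANK[ep.security_mode])
        if best is None or key > best[0]:
            best = (key, ep)
    return best[1] if best else None


# Constructed sample: what a Server might announce via GetEndpoints (hypothetical host).
SAMPLE_ENDPOINTS = [
    Endpoint("opc.tcp://plc.example:4840", POLICY_BASE + "None", "None"),
    Endpoint("opc.tcp://plc.example:4840", POLICY_BASE + "Basic128Rsa15", "SignAndEncrypt"),
    Endpoint("opc.tcp://plc.example:4840", POLICY_BASE + "Basic256Sha256", "Sign"),
    Endpoint("opc.tcp://plc.example:4840", POLICY_BASE + "Basic256Sha256", "SignAndEncrypt"),
]

# Constructed administrator allow-list: current policies only.
ADMIN_ALLOW_LIST = {POLICY_BASE + "Basic256Sha256", POLICY_BASE + "Aes256_Sha256_RsaPss"}


if __name__ == "__main__":
    chosen = select_endpoint(SAMPLE_ENDPOINTS, ADMIN_ALLOW_LIST)
    print("selected:", chosen)
    # Deprecated-only allow-list yields no usable endpoint.
    print("deprecated only:", select_endpoint(SAMPLE_ENDPOINTS, {POLICY_BASE + "Basic128Rsa15"}))
```

Note the two refusals that a naive "take what the Server offers" client gets wrong: a deprecated policy is rejected even when an outdated allow-list still names it, and the None policy is never chosen by accident just because it is the first endpoint returned.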