The OPC UA Security Services are a group of abstract service definitions specified in OPC 10000-4 that are used for applying various security mechanisms to communication between OPC UA Clients and Servers. OPC 10000-4 provides an overview of security in the “Service Behaviours” section, which includes the behaviours required to ensure secure communication.

The Discovery Service Set (specified in OPC 10000-4) defines services used by an OPC UA Client to obtain information about the security policies (see 4.6) and the Certificates of specific OPC UA Servers.

The services of the SecureChannel Service Set (specified in OPC 10000-4) are used to establish a Secure Channel, which is responsible for securing the Messages sent between a Client and a Server. The challenge of Secure Channel establishment is that the Client and the Server have to exchange cryptographic keys and secret information securely over an insecure network; the communication participants therefore apply a specific Key Exchange Algorithm (similar to the handshake protocol of SSL/TLS).

The OPC UA Client retrieves the security policies and Certificates of the OPC UA Server by the discovery services mentioned above. These Certificates contain the Public Keys of the OPC UA Server. Because the discovery services may be reachable without message security, the Client has to validate a Certificate obtained this way (trust list, validity period, revocation status, application URI) before using the Public Key it contains; otherwise an attacker on the network could substitute a Certificate of its own.

The OPC UA Client sends its Public Key in a Certificate together with its secret information (a random nonce) in the OpenSecureChannel service Message to the Server. This Message is secured by applying Asymmetric Encryption with the Server’s Public Key and by generating an Asymmetric Signature with the Client’s Private Key. However, the Certificate is sent unencrypted so that the receiver can use it to verify the Asymmetric Signature.

The Server decrypts the Message with its Private Key and verifies the Asymmetric Signature with the Client’s Public Key. The secret information of the OPC UA Client together with the secret information of the OPC UA Server is used to derive a set of cryptographic keys that are used for securing all further Messages. All other service Messages are therefore secured with Symmetric Encryption and Symmetric Signatures instead of the asymmetric equivalents.

The Server sends its secret information in the service response to the Client so that the Client can derive the same set of cryptographic keys.

Since Clients and Servers then share the same set of cryptographic keys, they can communicate securely with each other.

These derived cryptographic keys are changed periodically (by renewing the Secure Channel with fresh secret information), so that an attacker has neither unlimited time nor an unbounded sequence of Messages protected under a single key set with which to recover the keys.
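The nonce exchange, key derivation and key renewal described above, as an added Python example; it is not text or code from OPC 10000-2 and not the code of any OPC UA stack. It assumes the key lengths of the Basic256Sha256 security policy (32-byte nonces, 32-byte signing key, 32-byte encryption key, 16-byte IV) and the derivation rule of OPC 10000-6, where each side's sending keys are P_SHA256(remote nonce, local nonce) split into signing key, encryption key and IV. The asymmetric protection of the two OpenSecureChannel Messages and the AES encryption of later Messages are left out; the `Endpoint` class, the `open_secure_channel` helper and the sample payload are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Basic256Sha256 parameters (OPC 10000-7): 32-byte nonces, 32-byte symmetric
# signing key (HMAC-SHA256), 32-byte AES-256 key and a 16-byte IV.
NONCE_LEN = 32
SIG_KEY_LEN = 32
ENC_KEY_LEN = 32
IV_LEN = 16


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS-style pseudo-random function used by OPC 10000-6 to expand nonces:
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    P = HMAC(secret, A(1) || seed) || HMAC(secret, A(2) || seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def derive_keys(secret: bytes, seed: bytes) -> dict:
    """Split the expanded key material into the three keys of one direction."""
    material = p_sha256(secret, seed, SIG_KEY_LEN + ENC_KEY_LEN + IV_LEN)
    return {
        "signing": material[:SIG_KEY_LEN],
        "encrypting": material[SIG_KEY_LEN:SIG_KEY_LEN + ENC_KEY_LEN],
        "iv": material[SIG_KEY_LEN + ENC_KEY_LEN:],
    }


class Endpoint:
    """One side of a Secure Channel (hypothetical helper): holds its own nonce
    and the two key sets derived after the peer's nonce arrived."""

    def __init__(self, name: str):
        self.name = name
        self.local_nonce = b""
        self.send_keys = {}   # protect what this side sends
        self.recv_keys = {}   # verify/decrypt what this side receives

    def new_nonce(self, nonce=None) -> bytes:
        # Fresh random nonce per OpenSecureChannel; a fixed one may be passed for tests.
        self.local_nonce = nonce if nonce is not None else secrets.token_bytes(NONCE_LEN)
        return self.local_nonce

    def install_remote_nonce(self, remote_nonce: bytes) -> None:
        # OPC 10000-6: keys for the local direction = P_SHA256(remote nonce, local nonce);
        # the peer computes the same sets with the roles swapped.
        self.send_keys = derive_keys(remote_nonce, self.local_nonce)
        self.recv_keys = derive_keys(self.local_nonce, remote_nonce)

    def sign(self, message: bytes) -> bytes:
        return hmac.new(self.send_keys["signing"], message, hashlib.sha256).digest()

    def verify(self, message: bytes, signature: bytes) -> bool:
        expected = hmac.new(self.recv_keys["signing"], message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def open_secure_channel(client: Endpoint, server: Endpoint,
                        client_nonce=None, server_nonce=None):
    """Nonce exchange of OpenSecureChannel: the request carries the Client's nonce,
    the response the Server's. The RSA encryption and signature that protect these
    two Messages are described in the text and omitted here."""
    cn = client.new_nonce(client_nonce)   # carried in the request
    sn = server.new_nonce(server_nonce)   # carried in the response
    server.install_remote_nonce(cn)
    client.install_remote_nonce(sn)
    return cn, sn


def demo() -> tuple:
    client, server = Endpoint("Client"), Endpoint("Server")
    open_secure_channel(client, server)
    payload = b"ReadRequest ns=2;s=Temperature"   # constructed sample Message body
    sig = client.sign(payload)
    accepted = server.verify(payload, sig)        # True: both derived the same keys
    old_key = client.send_keys["signing"]
    # Periodic renewal: a new OpenSecureChannel with fresh nonces replaces every key,
    # so a signature produced under the old key set no longer verifies.
    open_secure_channel(client, server)
    replayed = server.verify(payload, sig)        # False after renewal
    return accepted, replayed, old_key != client.send_keys["signing"]


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

Running `demo()` shows the three properties the text relies on: the Server verifies a Message signed by the Client only because both sides expanded the same pair of nonces, the two directions get distinct key sets because secret and seed are swapped, and renewing the channel invalidates everything signed under the previous keys.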

For PubSub communications, the security related definitions are specified in OPC 10000-14 and provide a description of how to secure messages and also how to obtain the security keys required for message security.

The Publisher will utilize the keys provided to secure the message. It will encrypt the body of the message and sign the entire message. Subscribers will utilize the keys to decrypt and verify the signature of the messages.

To obtain the required keys, the Publisher or Subscriber makes use of Client Server communication. The keys may also be obtained using session-less method calls.