The following sub clauses reconcile the objectives that were described in 4.2with the OPC UA functions. Compared to the reconciliation against the threats of 5.1, this reconciliation justifies the completeness of the OPC UA security architecture.

OPC UA Applicationssupport Authenticationof the entities with which they are communicating. As specified in the GetEndpointsand OpenSecureChannelservices in OPC 10000-4, OPC UA Clientand Serverapplications identify and authenticate themselves with X.509 v3 Certificatesand associated private keys (see [X509]). Some choices of the communication stack require these Certificates to represent the machine or user instead of the application.

For publish subscribe communications Client Servercommunications is required to obtain the shared keys from a SecurityKeyService(SKS). Although the application authentication is not directly between the Subscriber and the Publisher, the SKS ensures that only authenticated applications can obtain the keys used by the Publisherand Subscriber.

OPC UA Applicationssupport Authenticationof users by providing the necessary Authenticationcredentials to the other entities. As described in the ActivateSession service in OPC 10000-4, the OPC UA Clientaccepts a UserIdentityToken from the user and passes it to the OPC UA Server. The OPC UA Serverauthenticates the user token. OPC UA Applicationsaccept tokens in any of the following forms: username/password, X.509 v3 Certificate(see [X509]), or JSON Web Token (JWT).

As specified in the CreateSession and ActivateSession Servicesin OPC 10000-4, if the UserIdentityToken is a Certificatethen this token is validated with a challenge-response process. The Serverprovides a Nonceand signing algorithm as the challenge in its CreateSession response. The Clientresponds to the challenge by signing the Server’s Nonceand providing it as an argument in its subsequent ActivateSession call.

Authorizationmaybe provided via Roles(4.12) and supplied by a GDS. In an environment of mixed vendor products, the GDS can provide a consistent Authorizationmanagement. OPC UA Applicationsthat are part of a larger industrial automation product may manage Authorizationsconsistent with the Authorizationmanagement of that product. Identification and Authenticationof users is specified in OPC UA so that Clientand Serverapplications can recognize the user in order to determine the Authorizationlevel of the user.

OPC UA Serversrespond with the Bad_UserAccessDeniederror code to indicate an Authorization or Authenticationerror as specified in the status codes defined in OPC 10000-4.

In PubSubinteractions user Authorizationcan be used as part of the key distribution (SKS). This allows the Publisherand SKS to restrict access to specific users

OPC UA uses Symmetricand Asymmetric Encryptionto protect Confidentiality as a security objective. Thereby Asymmetric Encryptionis used for key agreement and Symmetric Encryptionfor securing all other Messages sent between OPC UA Applications. Encryption mechanisms are specified in OPC 10000-6and OPC 10000-14.

OPC UA relies upon the site CSMSto protect Confidentialityon the network and system infrastructure. OPC UA relies upon the PKI(public key infrastructure) to manage keys used for Asymmetric Encryption which is then used to establishsymmetric sessionkeys. The length of the certificate chain is defined by the site CSMS(only local TrustList with self-signed Certificatesor a full CA/CRL infrastructure).

OPC UA uses Symmetricand Asymmetric Signaturesto address Integrityas a security objective. The Asymmetric Signaturesare used in the key agreement phase during the Secure Channelestablishment. The Symmetric Signaturesare applied to all other Messagesincluding PubSubmessages.

OPC UA relies upon the site CSMSto protect Integrityon the network and system infrastructure. OPC UA relies upon the PKIto manage keys used for Asymmetric Signatureswhich is then used to establishsymmetricsessionkeys.

As specified in the UA Auditingdescription in OPC 10000-4, OPC UA supports Auditlogging by providing traceability of activities through the log entries of the multiple Clients and Serversthat initiate, forward, and handle the activity. OPC UA depends upon OPC UA Applicationproducts to provide an effective Auditlogging scheme or an efficient manner of collecting the Audit Eventsof all nodes. This scheme may be part of a larger industrial automation product of which the OPC UA Applicationsare a part.

OPC UA minimizes the impact of Messageflooding as described in 5.1.2.

Some attacks on Availabilityinvolve opening more Sessions than a Servercan handle thereby causing the Serverto fail or operate poorly. Serversreject Sessions that exceed their specified maximum number. Other aspects of OPC UA such as OPC UA Secure Conversation can also affect availability and are discussed in OPC 10000-6