The RsaEncryptedSecret uses RSA-based asymmetric cryptography.

Additional semantics for the fields in the EncryptedSecret layout for the RsaEncryptedSecret Structure are described in Table 189.

Table 189 – RsaEncryptedSecret structure

| Name | Type | Description |
|---|---|---|
| TypeId | NodeId | The NodeId of the RsaEncryptedSecret DataType Node. |
| EncodingMask | Byte | See Table 187. |
| Length | UInt32 | See Table 187. |
| SecurityPolicyUri | String | See Table 187. |
| Certificate | ByteString | The SHA1 hash of the DER form of the Certificate used to encrypt the KeyData. |
| SigningTime | DateTime | See Table 187. |
| KeyDataLength | UInt16 | The length, in bytes, of the encrypted KeyData. |
| KeyData |  | The KeyData is encrypted with the PublicKey associated with the receiver of the EncryptedSecret. The creator of the EncryptedSecret generates the SigningKey, EncryptingKey and InitializationVector using a cryptographic random number generator with the lengths required by the SecurityPolicy. |
| SigningKey | ByteString | The key used to compute the Signature. |
| EncryptingKey | ByteString | The key used to encrypt the payload. |
| InitializationVector | ByteString | The initialization vector used with the EncryptingKey. |
| Nonce | ByteString | A Nonce. This is the last ServerNonce returned in the CreateSession or ActivateSession Response when proving a UserIdentityToken passed in the ActivateSession Request. In other contexts, this is a Nonce created by the sender with a length between 32 and 128 bytes inclusive. |
| Secret | ByteString | See Table 187. |
| PayloadPadding | Byte[*] | See Table 187. |
| PayloadPaddingSize | UInt16 | See Table 187. |
| Signature | Byte[*] | The Signature calculated with the SigningKey using the SymmetricEncryptionAlgorithm from the SecurityPolicy. |

The Signature is calculated after encrypting the KeyData and the payload.

The Signature can only be checked after the KeyData is decrypted. It allows the receiver to verify that the message has not been tampered with. It does not provide any information about who created the EncryptedSecret.
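The layout in Table 189 and the rule that the Signature is computed over the already-encrypted KeyData and payload, as an added example that is not part of the specification text: the Int32 length-prefixed String/ByteString, Int64 DateTime and four-byte NodeId encodings, the choice of HMAC-SHA256 as the symmetric algorithm, the meaning of Length and the TYPE_ID value are assumptions, and the RSA and symmetric encryption steps are stood in for by opaque, constructed byte strings.

```python
import hashlib
import hmac
import struct
# Assumptions not stated on this page: String/ByteString are Int32 length-prefixed,
# DateTime is Int64 and TypeId a four-byte NodeId (OPC UA binary encoding); the
# SecurityPolicy's symmetric algorithm is taken to be HMAC-SHA256; Length counts
# every byte after itself, Signature included; TYPE_ID is a placeholder NodeId.
TYPE_ID = struct.pack("<BBH", 0x01, 0, 0xFFFF)
SIG_LEN = 32

def _bs(b: bytes) -> bytes:
    return struct.pack("<i", len(b)) + b

def _take_bs(buf: bytes, pos: int):
    n = struct.unpack_from("<i", buf, pos)[0]
    if n < 0 or pos + 4 + n > len(buf):
        raise ValueError("ByteString runs past the end of the structure")
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def build(policy_uri, thumbprint, signing_time, enc_key_data, enc_payload, signing_key):
    """Lay out Table 189. enc_key_data is the RSA-encrypted KeyData, enc_payload the
    Nonce/Secret/Padding block already encrypted with the EncryptingKey (opaque here)."""
    rest = (_bs(policy_uri.encode()) + _bs(thumbprint) + struct.pack("<q", signing_time)
            + struct.pack("<H", len(enc_key_data)) + enc_key_data + enc_payload)
    unsigned = TYPE_ID + b"\x00" + struct.pack("<I", len(rest) + SIG_LEN) + rest
    # Signature is computed after encryption, over the ciphertext, never the plaintext.
    return unsigned + hmac.new(signing_key, unsigned, hashlib.sha256).digest()

def parse_and_verify(msg: bytes, signing_key: bytes):
    """Check Length and Signature (with the SigningKey the receiver recovered by
    decrypting KeyData), then split the fields. Returns None on any inconsistency."""
    if len(msg) < 9 + SIG_LEN or msg[:4] != TYPE_ID:
        return None
    if struct.unpack_from("<I", msg, 5)[0] != len(msg) - 9:
        return None
    body, sig = msg[:-SIG_LEN], msg[-SIG_LEN:]
    if not hmac.compare_digest(hmac.new(signing_key, body, hashlib.sha256).digest(), sig):
        return None  # tampered ciphertext or wrong SigningKey
    try:
        policy_uri, pos = _take_bs(body, 9)
        thumbprint, pos = _take_bs(body, pos)
        signing_time, kd_len = struct.unpack_from("<qH", body, pos)
    except (struct.error, ValueError):
        return None
    pos += 10
    if pos + kd_len > len(body):
        return None
    return {"SecurityPolicyUri": policy_uri.decode(), "Certificate": thumbprint, "SigningTime": signing_time,
            "KeyData": body[pos:pos + kd_len], "Payload": body[pos + kd_len:]}
```

A receiver that cannot decrypt KeyData has no SigningKey and therefore cannot run the check at all; a verified Signature proves only that the ciphertext is intact, not who produced it.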