The EccEncryptedSecret uses ECC-based asymmetric cryptography.

Additional semantics for the fields in the EncryptedSecret layout for the EccEncryptedSecret Structure are described in Table 190.

The EccEncryptedSecret uses ECC EphemeralKeys to derive the symmetric key that encrypts the Secret. The handshake required to create and use the EphemeralKeys is described in OPC 10000-6.

Table 190 – EccEncryptedSecret Layout

| Name | Type | Description |
|---|---|---|
| TypeId | NodeId | The NodeId of the EccEncryptedSecret DataType Node. |
| EncodingMask | Byte | See Table 187. |
| Length | UInt32 | See Table 187. |
| SecurityPolicyUri | String | See Table 187. |
| Certificate | ByteString | The signing Certificate, DER encoded. The value shall include the entire chain. This value may be null or empty if the SigningCertificate is already known to the receiver, as it is when the structure carries a UserIdentityToken to a Server over a SecureChannel and the SigningCertificate is the Client ApplicationInstance Certificate. |
| SigningTime | DateTime | See Table 187. |
| KeyDataLength | UInt16 | The length of the KeyData. The KeyData is not encrypted. |
| KeyData | | The KeyData is not encrypted. It is made up of the fields listed below it. |
| SenderPublicKey | ByteString | The public key of the EphemeralKey created by the sender. |
| ReceiverPublicKey | ByteString | The public key of the EphemeralKey created by the receiver. |
| Nonce | ByteString | A Nonce. When the structure carries a UserIdentityToken passed in the ActivateSession Request, this is the last ServerNonce returned in the CreateSession or ActivateSession Response. In other contexts, this is a Nonce created by the sender with a length equal to half the SecureChannelNonceLength. |
| Secret | ByteString | See Table 187. |
| PayloadPadding | Byte [*] | See Table 187. |
| PayloadPaddingSize | UInt16 | See Table 187. |
| Signature | Byte [*] | When using AuthenticatedEncryption the Signature has two parts: the Signature produced when the Secret is encrypted with the SymmetricEncryptionAlgorithm, followed by the Signature calculated with the Certificate and the AsymmetricSignatureAlgorithm. Both Signatures are calculated over the data from the start of the structure; the AsymmetricSignatureAlgorithm Signature therefore also covers the SymmetricEncryptionAlgorithm Signature. When using UnauthenticatedEncryption the Signature is calculated only with the Certificate and the AsymmetricSignatureAlgorithm. |
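The following encoder and receiver-side verifier for the Table 190 layout is an added illustration, not code from the OPC UA specification or from any OPC UA stack. It assumes the binary primitives of OPC 10000-6 (ByteString and String as an Int32 length prefix with -1 for null, DateTime as an Int64 count of 100 ns ticks since 1601-01-01 UTC, the TypeId in the FourByte numeric NodeId form), that the Length field counts every byte that follows it, and that the encrypted region covers Secret, PayloadPadding and PayloadPaddingSize padded to the symmetric block size; the EncodingMask bit, the NodeId, the public keys and the nonce in the sample are placeholders, and HMAC-SHA256 plus a single-byte XOR stand in for the SecurityPolicy's signature and encryption algorithms so that the code runs with the standard library alone. What it shows that the table does not is the consequence of the two signatures both starting at byte zero: the receiver checks the outer asymmetric signature first, and a bit flipped in the symmetric tag is rejected there before the tag itself is ever compared.

```python
import hmac
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
FIXED = 9  # FourByte TypeId (4) + EncodingMask (1) + Length (4); Length counts the bytes after it

def enc_bytestring(b: Optional[bytes]) -> bytes:
    """OPC UA ByteString: Int32 length prefix, -1 for null (OPC 10000-6 convention, assumed here)."""
    return struct.pack("<i", -1) if b is None else struct.pack("<i", len(b)) + b

def enc_datetime(dt: datetime) -> bytes:
    """OPC UA DateTime: Int64 count of 100 ns ticks since 1601-01-01 UTC, computed without floats."""
    d = dt - EPOCH_1601
    return struct.pack("<q", (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10)

def read_bytestring(buf: bytes, off: int):
    n = struct.unpack_from("<i", buf, off)[0]
    return (None, off + 4) if n < 0 else (buf[off + 4:off + 4 + n], off + 4 + n)

@dataclass
class EccEncryptedSecret:
    type_id: tuple                # (namespace, numeric id) of the DataType Node; placeholder in demo()
    security_policy_uri: str
    certificate: Optional[bytes]  # DER chain, or None when the receiver already holds it
    signing_time: datetime
    sender_public_key: bytes      # KeyData is sent in the clear
    receiver_public_key: bytes
    nonce: bytes
    secret: bytes

def encode(s: EccEncryptedSecret, *, authenticated: bool, block_size: int, encrypt,
           sym_sign, sym_sig_len: int, asym_sign, asym_sig_len: int) -> bytes:
    """Serialise Table 190. Signature lengths are parameters because the Length field,
    which both signatures cover, must be final before anything is signed."""
    key_data = (enc_bytestring(s.sender_public_key) + enc_bytestring(s.receiver_public_key)
                + enc_bytestring(s.nonce))
    # Encrypted region (assumed from Table 187): Secret || PayloadPadding || PayloadPaddingSize,
    # padded to a multiple of the symmetric block size; each padding byte holds the pad size.
    body = enc_bytestring(s.secret)
    pad = (-(len(body) + 2)) % block_size
    ciphertext = encrypt(body + bytes([pad & 0xFF]) * pad + struct.pack("<H", pad))
    after_length = (enc_bytestring(s.security_policy_uri.encode()) + enc_bytestring(s.certificate)
                    + enc_datetime(s.signing_time) + struct.pack("<H", len(key_data)) + key_data
                    + ciphertext)
    sig_total = asym_sig_len + (sym_sig_len if authenticated else 0)
    mask = 0x01 if authenticated else 0x00  # hypothetical bit; the real mask is defined in Table 187
    head = (struct.pack("<BBH", 0x01, *s.type_id) + bytes([mask])
            + struct.pack("<I", len(after_length) + sig_total) + after_length)
    # Both signatures start at byte 0; the asymmetric one also covers the symmetric tag.
    sym_tag = sym_sign(head) if authenticated else b""
    return head + sym_tag + asym_sign(head + sym_tag)

def verify(packet: bytes, *, authenticated: bool, sym_verify, sym_sig_len: int,
           asym_verify, asym_sig_len: int) -> dict:
    """Receiver side: outer asymmetric signature first, then the symmetric tag, then the
    Length and KeyDataLength fields. Returns the clear-text fields and the ciphertext."""
    covered, asym_sig = packet[:-asym_sig_len], packet[-asym_sig_len:]
    if not asym_verify(covered, asym_sig):
        raise ValueError("asymmetric signature mismatch")
    if authenticated:
        covered, sym_tag = covered[:-sym_sig_len], covered[-sym_sig_len:]
        if not sym_verify(covered, sym_tag):
            raise ValueError("symmetric signature mismatch")
    if struct.unpack_from("<I", packet, 5)[0] != len(packet) - FIXED:
        raise ValueError("Length field does not match the packet")
    uri, off = read_bytestring(packet, FIXED)
    cert, off = read_bytestring(packet, off)
    off += 8  # SigningTime
    key_data_len, off = struct.unpack_from("<H", packet, off)[0], off + 2
    sender, o = read_bytestring(packet, off)
    receiver, o = read_bytestring(packet, o)
    nonce, o = read_bytestring(packet, o)
    if o - off != key_data_len:
        raise ValueError("KeyDataLength does not match KeyData")
    return {"SecurityPolicyUri": uri.decode(), "Certificate": cert, "SenderPublicKey": sender,
            "ReceiverPublicKey": receiver, "Nonce": nonce, "Ciphertext": covered[o:]}

def demo(authenticated: bool = True) -> dict:
    """Constructed sample: placeholder NodeId, keys and nonce; HMAC-SHA256 and a one-byte XOR
    stand in for the SecurityPolicy's signature and encryption algorithms (they are not them)."""
    s = EccEncryptedSecret((0, 1), "http://opcfoundation.org/UA/SecurityPolicy#ECC_nistP256", None,
                           datetime(2024, 1, 1, tzinfo=timezone.utc), b"\x04" + b"\x11" * 64,
                           b"\x04" + b"\x22" * 64, b"\x33" * 16, b"hunter2")
    signer = lambda key: (lambda data: hmac.new(key, data, "sha256").digest())
    checker = lambda key: (lambda data, sig: hmac.compare_digest(signer(key)(data), sig))
    xor = lambda pt: bytes(b ^ 0x5A for b in pt)
    kw = dict(authenticated=authenticated, sym_sig_len=32, asym_sig_len=32)
    packet = encode(s, block_size=16, encrypt=xor, sym_sign=signer(b"sym"), asym_sign=signer(b"asym"), **kw)
    fields = verify(packet, sym_verify=checker(b"sym"), asym_verify=checker(b"asym"), **kw)
    tampered = bytearray(packet)
    tampered[-33] ^= 0x01  # last byte of the symmetric tag (last ciphertext byte when unauthenticated)
    try:
        verify(bytes(tampered), sym_verify=checker(b"sym"), asym_verify=checker(b"asym"), **kw)
        fields["tamper_rejected_by"] = None
    except ValueError as e:
        fields["tamper_rejected_by"] = str(e)
    return fields
```

Calling `demo()` encodes the sample with AuthenticatedEncryption, verifies it, and then reports which check rejects the tampered copy; `demo(False)` does the same for UnauthenticatedEncryption, where only the asymmetric signature is present. In a real stack the two `sign` callables are the SecurityPolicy's symmetric authentication and asymmetric signature algorithms, the signature lengths come from the policy, and `encrypt` is the symmetric cipher keyed from the EphemeralKey handshake in OPC 10000-6.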