ActivateSession allows a Client to provide an encrypted UserIdentityToken using a SecurityPolicy specified by a UserTokenPolicy supported by the current Endpoint. With ECC, encryption requires that the Client and Server exchange EphemeralKeys, and there is no mechanism in the current CreateSession/ActivateSession handshake to do this. For that reason, EphemeralKeys are returned in the AdditionalHeader field of the ResponseHeader of the CreateSession and ActivateSession responses. An overview of the handshake is shown in Figure 14.


Figure 14 – ECC CreateSession/ActivateSession Handshake

The UserTokenPolicies are returned in the GetEndpoints response. A UserTokenPolicy may specify a SecurityPolicyUri that is different from that of the SecureChannel; however, all UserTokenPolicies in an EndpointDescription shall specify a SecurityPolicyUri that is valid for all Certificates that are valid for the SecurityPolicyUri specified in the EndpointDescription. For example, an EndpointDescription providing an ECC SecurityPolicyUri shall not specify RSA SecurityPolicyUris in the UserTokenPolicies.

When a Client calls CreateSession via a SecureChannel based on an ECC SecurityPolicy, the Client specifies the SecurityPolicyUri it plans to use for the UserIdentityToken in the RequestHeader. The Server returns an EphemeralKey in the ResponseHeader that can be used for the SecurityPolicyUri specified by the Client. If the SecurityPolicyUri is not valid, the Server returns a StatusCode in the ResponseHeader instead of an EphemeralKey.

When the Client calls ActivateSession it creates an EccEncryptedSecret (see OPC 10000-4) using the EphemeralKey provided in the CreateSession response. The Server always returns a new EphemeralKey in the ResponseHeader, which the Client saves for when it calls ActivateSession again. The SecurityPolicyUri passed in CreateSession is used to determine what type of EphemeralKey to return.

The EphemeralKeys may be used for exactly one key negotiation. After that they are discarded. Each time ActivateSession is called, the UserIdentityToken is encrypted using the last EphemeralKey returned by the Server. The EphemeralKey is changed even if the Client did not provide an encrypted UserIdentityToken.

If the Client does not provide a SecurityPolicyUri in the call to CreateSession, it will not be able to use any UserIdentityTokens that require encryption with ECC SecurityProfiles.
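The handshake rules above, modelled as an added Python example (not code from the OPC UA specification or any OPC UA stack): the Server issues one EphemeralKey per CreateSession/ActivateSession response, rejects a token built with a stale key, rotates the key even for an unencrypted activation, and answers an unsupported ECDHPolicyUri with a StatusCode in place of the key. The policy URIs, the StatusCode names and the random-bytes stand-in for the ECC public key are assumptions.

```python
import secrets

# Constructed stand-ins for real OPC UA SecurityPolicyUris and StatusCodes (assumed names).
SUPPORTED_ECC_POLICIES = {"urn:example:ECC_nistP256"}
RSA_POLICY = "urn:example:RSA_Basic256Sha256"
GOOD = "Good"
BAD_SECURITY_POLICY_REJECTED = "Bad_SecurityPolicyRejected"
BAD_IDENTITY_TOKEN_REJECTED = "Bad_IdentityTokenRejected"


class Server:
    """Models the Server side of the ECC CreateSession/ActivateSession handshake."""

    def __init__(self):
        # session id -> (negotiated ECDHPolicyUri, pending EphemeralKey or None)
        self._sessions = {}

    @staticmethod
    def _new_ephemeral_key():
        # Stand-in for an EphemeralKeyType public key; a real stack runs ECDH keygen here.
        return secrets.token_bytes(32)

    def create_session(self, additional_header):
        """Returns (session id, AdditionalHeader name-value pairs of the response)."""
        sid = len(self._sessions) + 1
        policy = additional_header.get("ECDHPolicyUri")
        if policy is None:
            # No policy requested: ECC-encrypted identity tokens are unavailable to this session.
            self._sessions[sid] = (None, None)
            return sid, {}
        if policy not in SUPPORTED_ECC_POLICIES:
            # A StatusCode takes the place of the EphemeralKey in the ECDHKey entry.
            self._sessions[sid] = (policy, None)
            return sid, {"ECDHKey": BAD_SECURITY_POLICY_REJECTED}
        key = self._new_ephemeral_key()
        self._sessions[sid] = (policy, key)
        return sid, {"ECDHPolicyUri": policy, "ECDHKey": key}

    def activate_session(self, sid, encrypted_token):
        """encrypted_token is None (no encryption) or {'ephemeral_key': key it was built with}."""
        policy, expected = self._sessions[sid]
        status = GOOD
        if encrypted_token is not None:
            # The token must have been built with the last key this Server handed out.
            if expected is None or encrypted_token["ephemeral_key"] != expected:
                status = BAD_IDENTITY_TOKEN_REJECTED
        if expected is None:
            return status, {}  # no ECC policy negotiated, so nothing to rotate
        # The used key is discarded and a fresh one issued, even for a failed or
        # unencrypted activation, so each EphemeralKey serves exactly one negotiation.
        new_key = self._new_ephemeral_key()
        self._sessions[sid] = (policy, new_key)
        return status, {"ECDHPolicyUri": policy, "ECDHKey": new_key}
```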

OPC 10000-4 defines AdditionalParametersType, which is a list of name-value pairs. An instance of this type is passed in the AdditionalHeader field. Instances of the EphemeralKeyType defined in OPC 10000-4 are passed as values in the name-value pair list in the response messages. The names used for the parameters defined for the CreateSession/ActivateSession exchange are defined in Table 63.

Table 63 – Additional Header Key Names

| Name | DataType | Description |
|---|---|---|
| ECDHPolicyUri | String | Specifies the SecurityPolicyUri used for the EphemeralKeys. |
| ECDHKey | EphemeralKeyType | Specifies an EphemeralKey. If the EphemeralKey could not be created, a StatusCode indicating the reason for the error is used instead of an instance of EphemeralKeyType. |