All SecurityProtocols shall implement the OpenSecureChannel and CloseSecureChannel services defined in OPC 10000-4. These Services specify how to establish a SecureChannel and how to apply security to Messages exchanged over that SecureChannel. The Messages exchanged and the security algorithms applied to them are shown in Figure 10.

SecurityProtocols shall support three SecurityModes: None, SignOnly and SignAndEncrypt. If the SecurityMode is None then no security is used and the security handshake shown in Figure 10 is not required. However, a SecurityProtocol implementation shall still maintain a logical channel and provide a unique identifier for the SecureChannel.

Figure 10 – Security handshake

Each SecurityProtocol mapping specifies exactly how to apply the security algorithms to the Message. A set of security algorithms that shall be used together during a security handshake is called a SecurityPolicy. OPC 10000-7 defines standard SecurityPolicies as parts of the standard Profiles which OPC UA applications are expected to support. OPC 10000-7 also defines a URI for each standard SecurityPolicy.

A Stack is expected to have built-in knowledge of the SecurityPolicies that it supports. Applications specify the SecurityPolicy they wish to use by passing the URI to the Stack.

Table 35 defines the contents of a SecurityPolicy. Each SecurityProtocol mapping specifies how to use each of the parameters in the SecurityPolicy. A SecurityProtocol mapping may not make use of all of the parameters.

Table 35 – SecurityPolicy

| Name | Description |
|---|---|
| PolicyUri | The URI assigned to the SecurityPolicy. |
| SymmetricSignatureAlgorithm | The symmetric signature algorithm to use. |
| SymmetricEncryptionAlgorithm | The symmetric encryption algorithm to use. |
| AsymmetricSignatureAlgorithm | The asymmetric signature algorithm to use. |
| AsymmetricEncryptionAlgorithm | The asymmetric encryption algorithm to use. |
| MinAsymmetricKeyLength | The minimum length, in bits, for an asymmetric key. |
| MaxAsymmetricKeyLength | The maximum length, in bits, for an asymmetric key. |
| KeyDerivationAlgorithm | The key derivation algorithm to use. |
| DerivedSignatureKeyLength | The length in bits of the derived key used for Message authentication. |
| CertificateSignatureAlgorithm | The asymmetric signature algorithm used to sign certificates. |
| SecureChannelNonceLength | The length, in bytes, of the Nonces exchanged when creating a SecureChannel. |

The KeyDerivationAlgorithm is used to create the keys used to secure Messages sent over the SecureChannel. The length of the keys used for encryption is implied by the SymmetricEncryptionAlgorithm. The length of the keys used for creating Signatures is specified by the DerivedSignatureKeyLength.

The CertificateSignatureAlgorithm is used to sign the Certificates used for asymmetric cryptography. OPC 10000-7 specifies the bit lengths that need to be supported for each SecurityPolicy.

The SecureChannelNonceLength specifies the length of the Nonces exchanged when establishing a SecureChannel (see 6.7.4).
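The following added example (not part of the specification or of any OPC UA Stack) shows how a Stack with built-in policy knowledge might check a channel request against the Table 35 parameters before starting the handshake. The function name, the subset of fields and the numeric limits are assumptions for illustration; the authoritative values are in OPC 10000-7.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SecurityPolicy:                      # subset of the Table 35 parameters
    policy_uri: str
    min_asymmetric_key_length: int         # bits
    max_asymmetric_key_length: int         # bits
    secure_channel_nonce_length: int       # bytes

BASE = "http://opcfoundation.org/UA/SecurityPolicy#"
# Built-in knowledge of the Stack. Limits are assumed values for illustration;
# take the authoritative ones from OPC 10000-7.
POLICIES = {p.policy_uri: p for p in (
    SecurityPolicy(BASE + "None", 0, 0, 0),
    SecurityPolicy(BASE + "Basic256Sha256", 2048, 4096, 32),
)}
SECURITY_MODES = ("None", "SignOnly", "SignAndEncrypt")

def check_channel_request(policy_uri, mode, cert_key_bits=0, nonce=b""):
    """Return a list of rejection reasons; an empty list means acceptable."""
    if mode not in SECURITY_MODES:
        return [f"unknown SecurityMode {mode!r}"]
    policy = POLICIES.get(policy_uri)
    if policy is None:
        return [f"unsupported SecurityPolicy {policy_uri!r}"]
    if mode == "None":
        return []                          # no handshake, nothing to validate
    if policy.policy_uri == BASE + "None":
        return [f"SecurityMode {mode} requested with a policy that has no algorithms"]
    errors = []
    if not (policy.min_asymmetric_key_length <= cert_key_bits
            <= policy.max_asymmetric_key_length):
        errors.append(f"asymmetric key of {cert_key_bits} bits outside "
                      f"{policy.min_asymmetric_key_length}-"
                      f"{policy.max_asymmetric_key_length}")
    if len(nonce) != policy.secure_channel_nonce_length:
        errors.append(f"nonce is {len(nonce)} bytes, policy requires "
                      f"{policy.secure_channel_nonce_length}")
    return errors

if __name__ == "__main__":
    # Constructed sample requests: (policy URI, mode, key bits, nonce).
    samples = [
        (BASE + "Basic256Sha256", "SignAndEncrypt", 2048, bytes(32)),
        (BASE + "Basic256Sha256", "SignOnly", 1024, bytes(16)),
        (BASE + "None", "SignOnly", 2048, bytes(32)),
    ]
    for s in samples:
        print(s[0].rsplit("#", 1)[1], s[1], "->", check_channel_request(*s) or "ok")
```

Rejecting a signing mode paired with the None policy is the check that keeps a misconfigured endpoint from silently running without protection.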