UA Part 6: Mappings - 6.8.2 UserIdentityToken Encryption

ActivateSession allows a Client to provide an encrypted UserIdentityToken using a SecurityPolicy specified by a UserTokenPolicy supported by the current Endpoint. With ECC, encryption requires that the Client and Server exchange EphemeralKeys and there is no mechanism in the current CreateSession/ActivateSession handshake to do this. For that reason, EphemeralKeys are returned in the AdditionalHeader field of the ResponseHeader of the CreateSession and ActivateSession responses. An overview of the handshake is shown in Figure 16.

Figure 16 – ECC CreateSession/ActivateSession Handshake

The UserTokenPolicies are returned in the GetEndpoints response. A UserTokenPolicy may specify a SecurityPolicyUri that is different than the SecureChannel (see OPC 10000-4). For example, an EndpointDescription providing an ECC SecurityPolicyUri does not specify RSA SecurityPolicyUris in the UserTokenPolicies.

When a Client calls CreateSession via a SecureChannel based on an ECC or RSA_DH SecurityPolicy the Client specifies the ECDHPolicyUri it plans to use for the UserIdentityToken in the RequestHeader. The Server returns an EphemeralKey in the ResponseHeader that can be used for the ECDHPolicyUri specified by the Client. If the ECDHPolicyUri is not valid the Server returns Bad_SecurityPolicyRejected in the ResponseHeader instead of an EphemeralKey.

When the Client calls ActivateSession it creates an EccEncryptedSecret (see OPC 10000-4) using the most recent EphemeralKey provided in CreateSession or ActivateSession response.

The Server returns a new EphemeralKey in the response based on the following rules:

If the Client provides a valid ECDHPolicyUri in the ActivateSession request then the Server returns a compatible EphemeralKey.
If the Client provides an invalid ECDHPolicyUri in the ActivateSession request then the Server rejects the request with Bad_SecurityPolicyRejected.
If the Client does not provide a ECDHPolicyUri and the previous EphemeralKey was used in the request then the Server returns a new EphemeralKey that is compatible with the last ECDHPolicyUri provided by the Client.
If the Client does not provide a ECDHPolicyUri and the previous EphemeralKey was not used in the request then the Server does not return anything and retains the. previous EphemeralKey.

If ActivateSession is successful the Server shall not accept the same EphemeralKey again.

OPC 10000-4 defines AdditionalParametersType which is a list of name-value pairs. An instance of this type is passed in the AdditionalHeader field. Instances of the EphemeralKeyType defined in OPC 10000-4 are passed as values in the name-value pair list in the response messages. The names used for the parameters defined for the CreateSession/ActivateSession exchange are defined in Table 70.

Table 70 – Additional Header Key Names

Name	DataType	Description
ECDHPolicyUri	String	Specifies the SecurityPolicyUri used for the EphemeralKeys.
ECDHKey	EphemeralKeyType	Specifies an EphemeralKey. If the EphemeralKey could not be created a StatusCode indicating the reason for the error is used instead of an instance of EphemeralKeyType.