The structure of the MessageChunks exchanged after a SecureChannel is negotiated depends on whether the SecurityPolicy requires a symmetric encryption algorithm that combines encryption and authentication (e.g. AuthenticatedEncryption algorithms) or requires separate symmetric algorithms for each operation.

Figure 11 shows the structure of a MessageChunk and how security is applied to the Message when not using AuthenticatedEncryption algorithms. For these SecurityPolicies any padding is appended to the message before appending the Signature. When using Sign mode, the Padding is not present.

Figure 11 – MessageChunk when not using AuthenticatedEncryption Algorithms
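
The ordering described for Figure 11, as an added example that is not code from the specification: headers, body, optional padding, then a signature computed over everything before it, with no padding in Sign mode. HMAC-SHA256, the header field sizes, the padding rule and the sample key and body are assumptions made for the example; the encryption step itself is left out because it does not change the field order.

```python
import hashlib
import hmac
import struct

BLOCK = 16    # assumed symmetric cipher block size (AES)
SIG_LEN = 32  # HMAC-SHA256 signature length
HDR_LEN = 16  # assumed: MessageType(3) IsFinal(1) MessageSize(4) ChannelId(4) TokenId(4)
SEQ_LEN = 8   # assumed: SequenceNumber(4) RequestId(4)


def build_chunk(body, key, encrypt, channel_id=1, token_id=1, seq=1, req=1):
    """Plaintext chunk: headers | body | [padding] | signature (Figure 11 order)."""
    padding = b""
    if encrypt:  # no padding in Sign mode
        # Assumed rule: a PaddingSize byte plus n bytes of value n, chosen so the
        # region that would be encrypted (sequence header..signature) fills blocks.
        n = BLOCK - (SEQ_LEN + len(body) + 1 + SIG_LEN) % BLOCK
        padding = bytes([n]) * (n + 1)
    size = HDR_LEN + SEQ_LEN + len(body) + len(padding) + SIG_LEN
    header = b"MSGF" + struct.pack("<III", size, channel_id, token_id)
    signed = header + struct.pack("<II", seq, req) + body + padding
    # The signature covers everything before it, padding included.
    return signed + hmac.new(key, signed, hashlib.sha256).digest()


def parse_chunk(chunk, key, encrypt):
    """Receiver side, after decryption: check signature, then padding; return body."""
    if len(chunk) < HDR_LEN + SEQ_LEN + SIG_LEN:
        raise ValueError("chunk too short")
    if struct.unpack_from("<I", chunk, 4)[0] != len(chunk):
        raise ValueError("MessageSize does not match chunk length")
    signed, sig = chunk[:-SIG_LEN], chunk[-SIG_LEN:]
    if not hmac.compare_digest(sig, hmac.new(key, signed, hashlib.sha256).digest()):
        raise ValueError("bad signature")
    body = signed[HDR_LEN + SEQ_LEN:]
    if encrypt:
        n = body[-1] if body else 0
        if body[-(n + 1):] != bytes([n]) * (n + 1):
            raise ValueError("bad padding")
        body = body[:-(n + 1)]
    return body


if __name__ == "__main__":
    key = b"constructed-demo-signing-key"  # constructed sample values
    msg = b"constructed request body"
    for mode in (False, True):
        chunk = build_chunk(msg, key, mode)
        print("encrypt" if mode else "sign", len(chunk), parse_chunk(chunk, key, mode) == msg)
```
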

Figure 12 shows the structure of a MessageChunk and how security is applied to the Message when using AuthenticatedEncryption algorithms. For these SecurityPolicies the Signature is calculated during encryption and appended after the encrypted data.

Figure 12 – MessageChunk for Authenticated Encryption Algorithms

The OpenSecureChannel negotiations use asymmetric algorithms. The MessageChunk structure is shown in Figure 13. When using ECC or RSA-DH based algorithms there are additional steps described in 6.7.5.

Figure 13 – MessageChunk for Asymmetric Encryption Algorithms