6 Message SecurityProtocols

6.8 Elliptic Curve Cryptography (ECC)

6.8.4 ECC Encrypted Secret

OPC 10000-4 defines the layout of the EccEncryptedSecret structure, which is used to protect secrets with ECC SecurityPolicies. Applying security with ECC requires two EphemeralKeys, generated by the sender and the receiver, which are used to create the symmetric keys needed for encryption.

6.8.2 defines a mechanism that allows the sender to acquire the receiver EphemeralKey when using a Session. Using the EccEncryptedSecret in other contexts requires a different mechanism.

Once the sender has the receiver EphemeralKey, it creates its own EphemeralKey. The ECC curve and key length for the EphemeralKeys are specified by the SecurityPolicyUri.

The encryption uses the symmetric encryption algorithm specified by the SecurityPolicyUri. The encrypting key and initialization vector are generated by using the EphemeralKeys to create the shared secret and then derive keys using the algorithm defined in 6.8.2. Step 1 is slightly different and defined as follows:

Step 1: Calculate Salt

SecretSalt = L | UTF8(opcua-secret) | SenderPublicKey | ReceiverPublicKey


  • L is the length of the derived key material needed, encoded as a 16-bit little-endian integer;
  • UTF8(opcua-secret) is the UTF8 encoding of the string literal ‘opcua-secret’;
  • SenderPublicKey and ReceiverPublicKey are from the PolicyHeader;
  • | concatenates sequences of bytes; Salt is a sequence of bytes.

The encryption keys are extracted from the keying material created with IKM=shared secret, Salt=SecretSalt and Info=SecretSalt as shown in Table 64.

Table 64 – Deriving Keys from Keying Material

Name                  Offset               Length
EncryptingKey         0                    EncryptionKeyLength
InitializationVector  EncryptionKeyLength  InitializationVectorLength

The EncryptionKeyLength and EncryptionBlockSize are specified by the Symmetric Encryption Algorithm for the SecurityPolicy. The Signature is created with the SigningCertificate and is calculated after encryption. Receivers shall validate the SigningCertificate and signature before decrypting the Secret.
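
The salt construction and Table 64 slicing described above, as an added Python example that is not part of the specification text. Assumptions: the derivation referenced in 6.8.2 is HKDF (RFC 5869) with SHA-256, L equals EncryptionKeyLength + InitializationVectorLength, both lengths are 16 bytes, and the public keys and shared secret are constructed sample bytes rather than real ECDH output.

```python
import hashlib
import hmac
import struct


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int,
         hash_name: str = "sha256") -> bytes:
    """HKDF extract-then-expand as defined in RFC 5869."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("requested length exceeds HKDF limit")
    prk = hmac.new(salt, ikm, hash_name).digest()  # extract step
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                       # expand step
        block = hmac.new(prk, block + info + bytes([counter]),
                         hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def secret_salt(length: int, sender_pub: bytes, receiver_pub: bytes) -> bytes:
    """SecretSalt = L | UTF8(opcua-secret) | SenderPublicKey | ReceiverPublicKey."""
    if not 0 < length <= 0xFFFF:
        raise ValueError("L must fit in a 16-bit integer")
    return (struct.pack("<H", length)              # 16-bit little endian
            + "opcua-secret".encode("utf-8")
            + sender_pub + receiver_pub)


def derive_secret_keys(shared_secret: bytes, sender_pub: bytes,
                       receiver_pub: bytes, key_len: int = 16,
                       iv_len: int = 16):
    """Return (EncryptingKey, InitializationVector) sliced per Table 64."""
    total = key_len + iv_len                       # assumption: L covers both
    salt = secret_salt(total, sender_pub, receiver_pub)
    okm = hkdf(shared_secret, salt, salt, total)   # Salt and Info are both SecretSalt
    return okm[:key_len], okm[key_len:key_len + iv_len]


# Constructed sample inputs (not real key material).
SENDER_PUB = bytes(range(64))
RECEIVER_PUB = bytes(range(64, 128))
SHARED_SECRET = bytes([0xAB]) * 32

if __name__ == "__main__":
    key, iv = derive_secret_keys(SHARED_SECRET, SENDER_PUB, RECEIVER_PUB)
    print("EncryptingKey:", key.hex())
    print("InitializationVector:", iv.hex())
```

Because both public keys are bound into the salt, sender and receiver derive the same key and initialization vector only when they agree on which key is the sender's and which is the receiver's.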
