Search
48 result(s) for SecurityPolicy
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model, 4.6 SecurityPolicies: A SecurityPolicy specifies which security mechanisms are to be used and are derived from a Security Profile (see 4.7 for details). Security policies are used by the Server ... policy selected by other Clients. For the Publish Subscribe communications pattern, the SecurityPolicy is associated with a published DataSet and all Subscribers utilize the same SecurityPolicy. Since computing power increases
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 5.5.4.1 Description: ApplicationInstanceCertificate is used to secure the OpenSecureChannel request (see 5.6.2). The MessageSecurityMode and the SecurityPolicy tell the Client how to secure messages sent via the SecureChannel. The UserIdentityTokens tell ... sent over the network. The exact set of algorithms used depends on the SecurityPolicy for the Endpoint. OPC 10000-7 defines Profiles for common SecurityPolicies and assigns a unique
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 5.6.1 Overview: ...configuration. The exact algorithms used to sign and encrypt Messages are described in the SecurityPolicy field of the EndpointDescription. A Client shall use these algorithms when it creates a SecureChannel
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 5.6.2.2 Parameters: ...used and is described in the OPC 10000-6. securityPolicyUri String The URI for SecurityPolicy to use when securing messages sent over the SecureChannel. The set of known URIs ... renewed. This parameter shall have a length equal to the SecureChannelNonceLength defined for the SecurityPolicy in OPC 10000-7. The SecurityPolicy is identified by the securityPolicyUri. requestedLifetime Duration The requested
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 5.7.2.1 Description: ...used for any given request. The Communication Stack shall, at a minimum, provide the SecurityPolicy and SecurityMode used by the SecureChannel. It shall also provide a SecureChannelId which uniquely identifies ... create the authenticationToken for different types of Communication Stack. Depending on the SecurityPolicy and the SecurityMode of the SecureChannel, the exchange of ApplicationInstanceCertificates and Nonces may be optional
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 5.7.3.1 Description: ...token currently associated with the Session. Lastly, the Server shall verify that the SecurityPolicy and SecurityMode are the same as the original SecureChannel. Once the Server accepts the new SecureChannel
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services: Certificate signature shall comply with the CertificateSignatureAlgorithm, MinAsymmetricKeyLength and MaxAsymmetricKeyLength requirements for the used SecurityPolicy defined in OPC 10000-7. If this check fails on the Server side, the error
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services: ...HASH(ServerCertificate) | ClientNonce UserCertificate The HASH() function is specified by the CertificateThumbprintAlgorithm in the SecurityPolicy (see OPC 10000-6). If the Certificate argument is null or empty, function returns ... computed until the ServerSignature is validated. For UserTokenSignatures the rules above apply except the SecurityPolicy for the selected UserTokenPolicy specifies the signing algorithm. For SecurityPolicies with SecureChannelEnhancements=FALSE, the legacy
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.14 EndpointDescription: ...used and is described in the OPC 10000-6. securityPolicyUri String The URI for SecurityPolicy to use when securing messages. The set of known URIs and the SecurityPolicies associated
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.15 EphemeralKeyType: ...EphemeralKeys. The EphemeralKey is created based on an ECC named curve specified by a SecurityPolicy. The SecurityPolicy to use depends on the context in which this parameter is used
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.36 SignatureData: ...shall ignore it. Otherwise, the URI string values are defined as part of the SecurityPolicy profiles specified in OPC 10000-7. signature ByteString This is a signature generated with
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.38.2 Common StatusCodes: ...type id does not refer to a valid reference type node. Bad_SecurityModeInsufficient The SecurityPolicy and/or MessageSecurityMode do not match the Server requirements to complete the operation. For example ... data can only be transferred through an encrypted channel with an appropriate SecurityPolicy. Bad_SourceNodeIdInvalid The source node id does not refer to a valid node. Bad_StructureMissing A mandatory
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.40.2.1 Overview: ...Endpoint shall have a UserTokenPolicy specified in the EndpointDescription. The UserTokenPolicy specifies what SecurityPolicy to use when encrypting or signing. If this SecurityPolicy is null or empty then the Client ... uses the SecurityPolicy in the EndpointDescription. If the matching SecurityPolicy is set to None then no encryption or signature is required. The possible SecurityPolicies are defined
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.40.2.3 EncryptedSecret Format: ...data that follows including the Signature. SecurityPolicyUri String The URI for the SecurityPolicy used to apply security. Certificate ByteString The signing and/or encrypting Certificate. SigningTime DateTime When the Signature ... Table 184 - EncryptedSecret DataTypes (Type Name | When to Use): RsaEncryptedSecret | Used when the SecurityPolicy requires the use of RSA cryptography. It is described in 7.40.2.4. EccEncryptedSecret | Used when the SecurityPolicy
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.40.2.4 RsaEncryptedSecret DataType: ...InitializationVector using a cryptographic random number generator with the lengths required by the SecurityPolicy. SigningKey ByteString The key used to compute the Signature. EncryptingKey ByteString The key used to encrypt ... Signature Byte[*] The Signature calculated with the SigningKey using the SymmetricEncryptionAlgorithm from the SecurityPolicy. The Signature is calculated after encrypting the KeyData and the payload. The Signature can only
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.40.4 UserNameIdentityToken: ...Server. This token shall be encrypted by the Client if required by the SecurityPolicy of the UserTokenPolicy. The Server should specify a SecurityPolicy for the UserTokenPolicy if the SecureChannel ... SecurityPolicy of None and no transport layer encryption is available. If None is specified for the UserTokenPolicy and SecurityPolicy is None then the password only contains the UTF-8 encoded
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.40.5 X509IdentityTokens: ...accompanied by a Signature in the userTokenSignature parameter of ActivateSession if required by the SecurityPolicy. The Server should specify a SecurityPolicy for the UserTokenPolicy if the SecureChannel has a SecurityPolicy ... None. The Server shall specify a SecurityPolicy for any UserTokenPolicy if the Server supports multiple CertificateKeyAlgorithms for SecureChannels and/or UserTokenPolicies. In addition, the Server shall provide a distinct UserTokenPolicy
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.40.6 IssuedIdentityToken: This token shall be encrypted by the Client if required by the SecurityPolicy of the UserTokenPolicy. The Server should specify a SecurityPolicy for the UserTokenPolicy if the SecureChannel ... SecurityPolicy of None and no transport layer encryption is available. The SecurityPolicy of the SecureChannel is used if no SecurityPolicy is specified in the UserTokenPolicy. If the SecurityPolicy
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.41 UserTokenPolicy: ...SecurityMode is not None, USERNAME and ISSUEDTOKEN UserTokenPolicies should specify the same SecurityPolicy as the EndpointDescription or should not explicitly specify a SecurityPolicy. If a SecurityPolicy is specified, it shall ... each unique issuerEndpointUrl. If the tokenType is CERTIFICATE, the securityPolicyUri may be any valid SecurityPolicy. The choice of SecurityPolicy is system specific and depends on the infrastructure that issue
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 3.1.1 CertificateThumbprint: ...Certificate. Note 2 to entry: It uses the algorithm defined by the SecurityPolicy or SHA1 in contexts where no SecurityPolicy applies
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings: ...security algorithms that shall be used together during a security handshake is called a SecurityPolicy. OPC 10000-7 defines standard SecurityPolicies as parts of the standard Profiles which ... expected to support. OPC 10000-7 also defines a URI for each standard SecurityPolicy. The latest versions of all SecurityPolicies are available in the online Profiles website
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 6.7.2.1 Overview: ...MessageChunks exchanged after a SecureChannel is negotiated depends on whether the SecurityPolicy requires a symmetric encryption algorithm that combines encryption and authentication (e.g. AuthenticatedEncryption algorithms) used
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 6.7.2.3 Security Header: ...asymmetric algorithms that may be used by UASC implementations. The AsymmetricKeyWrapAlgorithm element of the SecurityPolicy structure defined in Table 49 is not used by UASC implementations. Table 58 - Asymmetric algorithm
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings: ...shall be cryptographic random numbers with a length specified by the SecureChannelNonceLength of the SecurityPolicy. See OPC 10000-2 for more information on the requirements for random number generators
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 6.7.6 Deriving keys: ...beginning of the sequence. The lengths of the keys generated depend on the SecurityPolicy used for the channel. The following information is specified by the SecurityPolicy: SigningKeyLength (from the DerivedSignatureKeyLength ... (key derivation table rows) ClientSecret | ServerSeed | DerivedSignatureKeyLength | EncryptionKeyLength; ServerInitializationVector | ClientSecret | ServerSeed | DerivedSignatureKeyLength + EncryptionKeyLength | InitializationVectorLength. The SymmetricEncryptionAlgorithm for the SecurityPolicy sets the DerivedSignatureKeyLength, the EncryptionKeyLength and InitializationVectorLength. All constants referenced in the table are converted
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings: ...secured with asymmetric algorithms, then the receiver shall verify that it supports the requested SecurityPolicy. If the Message is the response sent to the Client, then the SecurityPolicy shall ... same as the one specified in the request. In the Server, the SecurityPolicy shall be the same as the one used to originally create the SecureChannel. The receiver shall verify
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 6.8.1 Secure Channel Handshake: ...named curves" to allow for better interoperability. Each OPC UA SecurityPolicy defined in OPC 10000-7 specifies exactly one named curve which is used for the EphemeralKeys. Each ... Certificate is also based on a named curve. Each SecurityPolicy specifies a list of named curves which are permitted for use in the Certificate. This list always includes the named
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, UserIdentityToken Encryption: ActivateSession allows a Client to provide an encrypted UserIdentityToken using a SecurityPolicy specified by a UserTokenPolicy supported by the current Endpoint. With ECC, encryption requires that the Client ... Client calls CreateSession via a SecureChannel based on an ECC or RSA_DH SecurityPolicy the Client specifies the ECDHPolicyUri it plans to use for the UserIdentityToken in the RequestHeader
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings: ...curve and key length for the EphemeralKeys are specified by the SecurityPolicy. For RSA-DH, the key length and finite field group are specified by the SecurityPolicy. The encryption ... InitializationVectorLength The EncryptionKeyLength and EncryptionBlockSize are specified by the Symmetric Encryption Algorithm for the SecurityPolicy. The Signature is created with the SigningCertificate and is calculated after encryption. Receivers shall validate
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings: ...SecureChannel a finite field group is determined by the PublicKey lengths allowed by the SecurityPolicy. The finite field groups are defined in IETF RFC 7919. The mapping to finite field ... PublicKey Length is the minimum key length for Certificate PublicKeys allowed by the SecurityPolicy. The choice of group determines the DH parameters to use (p and g which are constants
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 7.1.2.3 Hello Message: ...Shall be at least 1024 bytes if the sender intends to use an ECC SecurityPolicy. Shall be at least 8192 bytes otherwise. SendBufferSize UInt32 The largest MessageChunk that the sender ... Shall be at least 1024 bytes if the sender intends to use an ECC SecurityPolicy. Shall be at least 8192 bytes otherwise. MaxMessageSize UInt32 The maximum size for any response
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 7.4.1 Overview: ...communication and does not allow untrusted intermediaries or proxy servers to handle traffic. The SecurityPolicy shall be specified, however, it only affects the algorithms used for signing the Nonces during ... CreateSession / ActivateSession handshake. A SecurityPolicy of None indicates that the Nonces are not signed. The SecurityMode is set to Sign unless the SecurityPolicy is None; in this case the SecurityMode
- OPC-10000-11 – OPC Unified Architecture - Part 11: Historical Access: ...messages in this connection. SecurityPolicyUri a string that describes the URI for SecurityPolicy used when securing messages for this connection. IdentityTokenPolicy is the type of UserIdentity token that is used
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.10.25 UserTokenSettingsDataType: ...different Token types are defined in OPC 10000-6. SecurityPolicyUri 0:String The SecurityPolicy to use when encrypting or signing the UserIdentityToken when it is passed to the Server ... ActivateSession request. For X509 UserIdentityTokens this value shall specify the SecurityPolicy that matches the Certificates that the Server will accept. For other UserIdentityTokens this value shall specify the SecurityPolicy
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 8.5.5 StartRequest: ...required. If the SecurityPolicyUri is provided this field shall be provided. SecurityPolicyUri The SecurityPolicy used to encrypt the secret. If the certificate is provided this field shall be provided. RequestedRoles ... multiple records in the GDS. Bad_CertificateInvalid The Certificate is invalid. Bad_SecurityPolicyRejected The SecurityPolicy is unrecognized or not allowed or does not match the Certificate. Bad_UserAccessDenied The current
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 8.5.6 FinishRequest: ...SecurityPolicies. Set to NULL for ECC or RSA-DH SecurityPolicies. SecurityPolicyUri The SecurityPolicy used to create the CredentialSecret. GrantedRoles A list of Roles which have been granted to KeyCredential
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 8.6.6 GetEncryptingKey: ...String RevisedSecurityPolicyUri); Argument Description CredentialId The unique identifier associated with the KeyCredential. RequestedSecurityPolicyUri The SecurityPolicy used to encrypt the secret. If not specified the Server chooses a suitable default. PublicKey ... used to encrypt the secret. The format depends on the SecurityPolicyUri. RevisedSecurityPolicyUri The SecurityPolicy used to encrypt the secret. It also specifies the contents of the PublicKey. This
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 8.6.7 UpdateCredential: ...field is not specified. Not specified if the secret is not encrypted. SecurityPolicyUri The SecurityPolicy used to encrypt the secret. If not specified the secret is not encrypted. Method Result ... invalid or it is not one of the Server's Certificates. Bad_SecurityPolicyRejected The SecurityPolicy is unrecognized or not allowed. Bad_UserAccessDenied The current user does not have the rights
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 9.6.6 StartRequestToken: ...Object. The contents of the RequestorData and ServiceData depend on the UserTokenType and the SecurityPolicy. Table 149 specifies the contents for different combinations of UserTokenType and SecurityPolicy. Table 149 - StartRequestToken ... Argument Contents (UserTokenType | RequestorData | ServiceData): UserName or IssuedToken, SecurityPolicy: None | Not Used | Not Used; UserName or IssuedToken, SecurityPolicy: RSA | Not Used | A Certificate containing the PublicKey used to build
- OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub, 5.4.1.2 Message sending: ...requires message security, the SecurityGroupId (see 6.2.5.3) is used to fetch the SecurityPolicy and the security keys from the SKS (see 5.4.5). This information is used to encrypt and/or sign
- OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub, 6.2.5.4 SecurityKeyServices: SecurityMode MessageSecurityMode The value shall be SIGNANDENCRYPT. SecurityPolicyUri String ApplicationType SERVER The URI for SecurityPolicy to use to connect to the SKS. If the URI is null or empty
- OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub, 6.2.12.2 SecurityGroupDataType: ...KeyLifetime it shall stop processing messages with the expired key. SecurityPolicyUri String The SecurityPolicy used for the SecurityGroup. MaxFutureKeyCount UInt32 The maximum number of future keys returned by the Method
- OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub, 7.2.4.4.2 NetworkMessage layout: ...SecurityFlags is false. The content of the security footer is defined by the SecurityPolicy. Signature Byte[*] The signature of the NetworkMessage
- OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub, 7.2.4.4.3.1 General: ...length of the KeyNonce for the UADP NetworkMessage depend on the selected SecurityPolicy. The algorithms are defined by SymmetricEncryptionAlgorithm and SymmetricSignatureAlgorithm in OPC 10000-7. The nonce length is part ... part of the key data returned from GetSecurityKeys. The SymmetricSignatureAlgorithm is defined in the SecurityPolicy. EncryptingKey Byte[SymmetricEncryptionAlgorithm Key Length] Encryption key part of the key data returned from GetSecurityKeys
- OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub, 7.2.4.4.3.2 AES-CTR: ...signature before processing the payload. If verification fails, it drops the NetworkMessage. Other SecurityPolicies may specify different key lengths or cryptography algorithms
- OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub: ...lifetime of a key in milliseconds. The Property SecurityPolicyUri is the identifier for a SecurityPolicy. SecurityPolicies define the set of algorithms and key lengths used to secure the messages exchanged
- OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub, 8.5.2 AddSecurityGroup Method: ...revised value by reading the KeyLifetime of the created SecurityGroup. SecurityPolicyUri The SecurityPolicy used for the SecurityGroup. If a null or empty String is passed in, the SKS sets
- OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security, 4.4.2 EndpointType: ...comparison if the default value is set. securityPolicyUri String The URI of the SecurityPolicy. The default value is an empty or null String. The field is ignored for comparison