7.40.2.4 RsaEncryptedSecret DataType

The RsaEncryptedSecret uses RSA-based asymmetric cryptography: the symmetric keys in the KeyData are encrypted with the receiver's RSA PublicKey, while the payload and the Signature use the symmetric algorithms of the SecurityPolicy.

Additional semantics for the fields in the EncryptedSecret layout for the RsaEncryptedSecret Structure are described in Table 185.

Table 185 – RsaEncryptedSecret structure

Name | Type | Description
TypeId | NodeId | The NodeId of the RsaEncryptedSecret DataType Node.
EncodingMask | Byte | See Table 183.
Length | UInt32 | See Table 183.
SecurityPolicyUri | String | See Table 183.
Certificate | ByteString | The SHA1 hash of the DER form of the Certificate used to encrypt the KeyData.
SigningTime | DateTime | See Table 183.
KeyDataLength | UInt16 | The length, in bytes, of the encrypted KeyData.
KeyData | | The KeyData is encrypted with the PublicKey associated with the receiver of the EncryptedSecret. The creator of the EncryptedSecret generates the SigningKey, EncryptingKey and InitializationVector using a cryptographic random number generator with the lengths required by the SecurityPolicy.
    SigningKey | ByteString | The key used to compute the Signature.
    EncryptingKey | ByteString | The key used to encrypt the payload.
    InitializationVector | ByteString | The initialization vector used with the EncryptingKey.
Nonce | ByteString | A Nonce. When the EncryptedSecret proves a UserIdentityToken passed in the ActivateSession Request, this is the last ServerNonce returned in the CreateSession or ActivateSession Response, and the receiver checks it against that value. In other contexts, this is a Nonce created by the sender with a length between 32 and 128 bytes inclusive and it is not checked by the receiver.
Secret | ByteString | See Table 183.
PayloadPadding | Byte[*] | See Table 183.
PayloadPaddingSize | UInt16 | See Table 183.
Signature | Byte[*] | The Signature calculated with the SigningKey using the SymmetricSignatureAlgorithm from the SecurityPolicy. The Signature is calculated after encrypting the KeyData and the payload, so it covers the ciphertext of both. It can only be checked after the KeyData is decrypted, because the SigningKey is carried inside the KeyData. It allows the receiver to verify that the message has not been tampered with. It does not provide any information about who created the EncryptedSecret: the SigningKey is chosen by the creator, and anyone holding the receiver's Certificate can produce a valid EncryptedSecret.
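A creator/receiver round trip over the Table 185 layout, added here as an illustration; it is not part of the specification and not the code of any OPC UA stack. It assumes the SecurityPolicy Aes256_Sha256_RsaPss, read as RSA-OAEP-SHA2-256 for the KeyData, AES-256-CBC for the payload and HMAC-SHA2-256 for the Signature; that Length counts every byte after itself; that the numeric id in TypeId is a placeholder (0); and that the Signature covers every byte that precedes it. The function and helper names (CreateRsaEncryptedSecret, OpenRsaEncryptedSecret, putBS, bs) are mine, and the certDER bytes used when exercising it are a constructed stand-in rather than a real Certificate, since only its SHA1 thumbprint is needed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Assumed, not stated on this page: TypeId's numeric id is left 0 as a placeholder, Length counts every
// byte after itself (Signature included), and the SecurityPolicy is Aes256_Sha256_RsaPss, taken here as
// RSA-OAEP-SHA2-256 for KeyData, AES-256-CBC for the payload and HMAC-SHA2-256 for the Signature.
const policyURI = "http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss"

func putBS(w *bytes.Buffer, b []byte) { // OPC UA ByteString/String: Int32 length, then the bytes
	binary.Write(w, binary.LittleEndian, int32(len(b)))
	w.Write(b)
}

// bs splits one ByteString off the front of b; ok is false when its length is missing or out of range.
func bs(b []byte) (val, rest []byte, ok bool) {
	if len(b) >= 4 {
		if n := int(int32(binary.LittleEndian.Uint32(b))); n >= 0 && n <= len(b)-4 {
			return b[4 : 4+n], b[4+n:], true
		}
	}
	return nil, b, false
}

// CreateRsaEncryptedSecret serialises Table 185 for the receiver whose Certificate (DER form) carries pub.
// signingTime is an OPC UA DateTime (Int64).
func CreateRsaEncryptedSecret(pub *rsa.PublicKey, certDER []byte, signingTime int64, nonce, secret []byte) ([]byte, error) {
	keys := make([]byte, 32+32+aes.BlockSize) // SigningKey, EncryptingKey, InitializationVector from the CSPRNG
	if _, err := rand.Read(keys); err != nil {
		return nil, err
	}
	signingKey, encKey, iv := keys[:32], keys[32:64], keys[64:]
	var kd, out, pl bytes.Buffer
	putBS(&kd, signingKey)
	putBS(&kd, encKey)
	putBS(&kd, iv)
	keyData, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, kd.Bytes(), nil) // receiver's PublicKey
	if err != nil {
		return nil, err
	}
	thumb := sha1.Sum(certDER)
	out.Write([]byte{0x01, 0, 0, 0, 0x01, 0, 0, 0, 0}) // TypeId (four-byte numeric NodeId), EncodingMask 1, Length (patched below)
	putBS(&out, []byte(policyURI))
	putBS(&out, thumb[:]) // Certificate: SHA1 hash of the DER form
	binary.Write(&out, binary.LittleEndian, signingTime)
	binary.Write(&out, binary.LittleEndian, uint16(len(keyData)))
	out.Write(keyData)
	putBS(&pl, nonce) // payload: Nonce, Secret, PayloadPadding, PayloadPaddingSize, AES-256-CBC under EncryptingKey/IV
	putBS(&pl, secret)
	pad := (aes.BlockSize - (pl.Len()+2)%aes.BlockSize) % aes.BlockSize
	pl.Write(make([]byte, pad))
	binary.Write(&pl, binary.LittleEndian, uint16(pad))
	block, _ := aes.NewCipher(encKey) // 32-byte key: cannot fail
	ct := make([]byte, pl.Len())
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pl.Bytes())
	out.Write(ct)
	blob := out.Bytes()
	binary.LittleEndian.PutUint32(blob[5:], uint32(len(blob)+sha256.Size-9))
	mac := hmac.New(sha256.New, signingKey) // Signature last, over the already-encrypted KeyData and payload
	mac.Write(blob)
	return mac.Sum(blob), nil
}

// OpenRsaEncryptedSecret is the receiver side. expectedNonce is the last ServerNonce when the secret proves
// a UserIdentityToken in ActivateSession; pass nil in other contexts, where the Nonce is not checked.
func OpenRsaEncryptedSecret(priv *rsa.PrivateKey, certDER []byte, expectedNonce, blob []byte) ([]byte, error) {
	if len(blob) < 9+sha256.Size {
		return nil, errors.New("EncryptedSecret too short")
	}
	body, sig := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	policy, rest, ok1 := bs(body[9:])
	thumb, rest, ok2 := bs(rest) // rest now starts at SigningTime (8 bytes), then KeyDataLength (2 bytes)
	want := sha1.Sum(certDER)
	if !ok1 || !ok2 || len(rest) < 10 || len(rest) < 10+int(binary.LittleEndian.Uint16(rest[8:])) ||
		body[4] != 1 || binary.LittleEndian.Uint32(body[5:]) != uint32(len(blob)-9) ||
		string(policy) != policyURI || !bytes.Equal(thumb, want[:]) {
		return nil, errors.New("malformed header, unsupported SecurityPolicyUri or foreign Certificate thumbprint")
	}
	kdLen := int(binary.LittleEndian.Uint16(rest[8:]))
	// KeyData first: the SigningKey is inside it, so nothing can be authenticated before this point.
	kdPlain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rest[10:10+kdLen], nil)
	if err != nil {
		return nil, errors.New("KeyData decryption failed")
	}
	signingKey, r, ok1 := bs(kdPlain)
	encKey, r, ok2 := bs(r)
	iv, _, ok3 := bs(r)
	block, err := aes.NewCipher(encKey)
	ct := rest[10+kdLen:]
	if !ok1 || !ok2 || !ok3 || err != nil || len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("malformed KeyData or payload length")
	}
	mac := hmac.New(sha256.New, signingKey) // Signature check, in constant time, before any payload decryption
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), sig) {
		return nil, errors.New("Signature check failed: EncryptedSecret was modified")
	}
	pl := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pl, ct)
	nonce, r, ok1 := bs(pl[:len(pl)-2]) // what follows Secret must be exactly PayloadPaddingSize bytes
	secret, r, ok2 := bs(r)
	if !ok1 || !ok2 || len(r) != int(binary.LittleEndian.Uint16(pl[len(pl)-2:])) {
		return nil, errors.New("malformed payload")
	}
	if expectedNonce != nil && !bytes.Equal(nonce, expectedNonce) {
		return nil, errors.New("Nonce is not the last ServerNonce: rejecting as a replay")
	}
	return secret, nil
}
```

The receiver's order of operations is the point: the Certificate thumbprint selects the private key, the KeyData is decrypted to obtain the SigningKey, the Signature is verified in constant time over everything before it, and only then is the payload decrypted and the Nonce compared with the last ServerNonce. Flipping a single ciphertext byte is rejected at the Signature step, while a stale Nonce is rejected only in the ActivateSession context, matching the table. The functions are exercised from a Go test (or a small main the reader adds) with a freshly generated RSA key.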