6.8.3 ECC and RSA-DH Encrypted Secret
OPC 10000-4 defines the layout of EccEncryptedSecret structure which is used to protect secrets with ECC and RSA-DH SecurityPolicies. Applying security with ECC or RSA-DH requires two EphemeralKeys generated by the sender and the receiver which are used to create the symmetric keys for encryption.
Clause 6.8.1 defines a mechanism that allows the sender to acquire the receiver EphemeralKey when using a Session. Using the EccEncryptedSecret in other contexts requires a different mechanism.
Once the sender has the receiver EphemeralKey, it creates its own EphemeralKey. For ECC algorithms, The ECC curve and key length for the EphemeralKeys are specified by the SecurityPolicy. For RSA-DH, the key length and finite field group are specified by the SecurityPolicy.
The encryption uses the symmetric encryption algorithm specified by the SecurityPolicyUri. The encrypting key and initialization vector are generated by using the EphemeralKeys to create the shared secret and then derive keys using the algorithm defined in 6.8.1. Step 1 is slightly different and defined as follows:
Step 1: Calculate Salt
SecretSalt = L | UTF8(opcua-secret) | SenderPublicKey | ReceiverPublicKey
Where:
L is the length of derived key material needed encoded as a 16-bit little endian integer;
UTF8(opcua-secret) is the UTF8 encoding of the string literal ‘opcua-secret’;
SenderPublicKey and ReceiverPublicKey are from EccEncryptedSecret;
| concatenates sequences of bytes;Salt is a sequence of bytes.
The encryption keys are extracted from the keying material created with IKM=shared secret, Salt=SecretSalt and Info=SecretSalt as shown in Table 71.
| Name | Offset | Length |
|---|---|---|
| EncryptingKey | 0 | EncryptionKeyLength |
| InitializationVector | EncryptionKeyLength | InitializationVectorLength |
The EncryptionKeyLength and EncryptionBlockSize are specified by the Symmetric Encryption Algorithm for the SecurityPolicy. The Signature is created with the SigningCertificate and is calculated after encryption. Receivers shall validate the SigningCertificate and signature before decrypting the Secret.
The PayloadPadding calculated to ensure the encrypted data is a multiple of InitializationVectorLength when using block based symmetric encryption algorithms such as AES-CBC.
When using AuthenticatedEncryption, the PayloadPadding calculated to ensure the encrypted data is a multiple of 16 bytes and the additional data part shall include all headers in the EncryptedSecret. The AuthenticatedEncryption tag is appended after the PayloadPaddingSize and is verified when the Payload is decrypted.
The PayloadPaddingSize calculated with the following formula:
BlockSize = (AuthenticatedEncryption) ? 16 : InitializationVector.Length
Data.Length = 4 + Nonce.Length + 4 + Secret.Length + 2
PayloadPaddingSize = Data.Length % BlockSize == 0
? 0 : BlockSize - Data.Length % BlockSize;
if (PayloadPaddingSize + Secret.Length < BlockSize)
PayloadPaddingSize += BlockSize;Where Data.Length includes two 4-byte values for the length of ByteString values and two bytes to store the PayloadPaddingSize. The value of all Padding bytes is the least significant byte of the PayloadPaddingSize. The calculation ensures the padding can never be zero.