4 OPC UA security architecture ToC Previous Next

The OPC UA Security Services are a group of abstract service definitions specified in OPC 10000-4 that are used for applying various security mechanisms to communication between OPC UA Clients and Servers.

The Discovery Service Set (specified in OPC 10000-4) defines services used by an OPC UA Client to obtain information about the security policies (see 4.6) and the Certificates of specific OPC UA Servers.

The services of the Secure Channel Service Set (specified in OPC 10000-4) are used to establish a Secure Channel which is responsible for securing Messages sent between a Client and a Server. The challenge of the Secure Channel establishment is that it requires the Client and the Server to securely exchange cryptographic keys and secret information in an insecure environment, therefore a specific Key Exchange Algorithm (similar to SSL Handshake protocol defined in SSL/TLS) is applied by the communication participants.

The OPC UA Client retrieves the security policies and Certificates of the OPC UA Server by the above mentioned discovery services. These Certificates contain the Public Keys of the OPC UA Server.

The OPC UA Client sends its Public Key in a Certificate and secret information with the OpenSecureChannel service Message to the Server. This Message is secured by applying Asymmetric Encryption with the Server’s Public Key and by generating Asymmetric Signatures with the Client’s Private Key. However, the Certificate is sent unencrypted so that the receiver can use it to verify the Asymmetric Signature.

The Server decrypts the Message with its Private Key and verifies the Asymmetric Signature with the Client’s Public Key. The secret information of the OPC UA Client together with the secret information of the OPC UA Server is used to derive a set of cryptographic keys that are used for securing all further Messages. Furthermore, all other service Messages are secured with Symmetric Encryption and Symmetric Signatures instead of the asymmetric equivalents.

The Server sends its secret information in the service response to the Client so that the Client can derive the same set of cryptographic keys.

Since Clients and Servers have the same set of cryptographic keys they can communicate securely with each other.

These derived cryptographic keys are changed periodically so that attackers do not have unlimited time and unrestricted sequences of Messages to use to determine what the keys are.

For PubSub communications, the security related definitions are specified in OPC 10000-14 and provide a description of how to secure messages and also how to obtain the security keys required for message security.

The Publisher will utilize the keys provided to secure the message. It will encrypt the body of the message and sign the entire message. Subscribers will utilize the keys to decrypt and verify the signature of the messages.

To obtain the required keys, the Publisher or Subscriber make use of ClientServer communication. The keys may also be obtained using session-less method calls.

Previous Next