Avatar

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
sp_Search Search
Advanced Search
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Search Search
Go to Bottom
No permission to create posts
sp_Feed Topic RSS sp_TopicIcon
SecurityModes AES128, AES256
October 30, 2024
13:56, EET
Avatar
rocket science
Member
Members
Forum Posts: 88
Member Since:
March 16, 2017
sp_UserOfflineSmall Offline
Go to Top
1sp_EditHistory sp_Permalink sp_Print

Hi,

I’ve seen that the class com.prosysopc.ua.stack.transport.security.SecurityMode provides following SecurityModes:

* SecurityMode.AES128_SIGN
* SecurityMode.AES128_SIGN_ENCRYPT
* SecurityMode.AES256_SIGN
* SecurityMode.AES256_SIGN_ENCRYPT

I wonder if this SecurityModes are somehow outdated?

I’ve checked the OpcUa reference, but I haven’t found any useful infomation about AES128, AES256 SecurityModes.
When taking a look at the Prosys Simulation Server there is also no option to configure an endpoint for this.
And I’ve checked also some other OpcUa Servers, but there wasn’t any possibility to configure an AES128 or AES256 endpoint.

Thank you for some information on this!

October 30, 2024
14:45, EET
Avatar
Bjarne Boström
Moderator
Moderators
Forum Posts: 1026
Member Since:
April 3, 2012
sp_UserOfflineSmall Offline
Go to Top
2sp_Permalink sp_Print

Hi,

Those are actually the most up-to-date ones. Though, please note that the ‘com.prosysopc.ua.stack.transport.security.SecurityMode’ is our SDK-specific combination of com.prosysopc.ua.stack.core.MessageSecurityMode and com.prosysopc.ua.stack.transport.security.SecurityPolicy. The MessageSecurityMode is the None/Sign/signAndEncrypt and the SecurityPolicy are the policies for those (and the spec mostly talks about them separately).

The specification does specify SecurityPolicy. Related info used to be in Part 7 “Profiles”, though in later spec versions the actual data was moved unfortunately to be online only https://profiles.opcfoundation.org/ (there might be some document about these as pdf, but that is outside of this answer). If you navigate to the Security/SecurityPolicy ClientServer or use https://profiles.opcfoundation.org/profilefolder/474, you will see the

https://profiles.opcfoundation.org/profile/2058 for the Aes128 (full name is Aes128_Sha256_RsaOaep)
and
https://profiles.opcfoundation.org/profile/2060 for the Aes256 (full name is Aes256_Sha256_RsaPss)

you would see related details. Though mostly you do not need to care about that since the SDK com.prosysopc.ua.stack.transport.security.SecurityPolicy contains the relevant info (and it is mostly for SDKs e.g. bit lengths, algorithm names etc.).

Generally speaking the SecurityModes should be initialized like shown in the com.prosysopc.ua.samples.server.SampleConsoleServer.initialize(int, int, String), i.e. you will chose set of policies and messagesecurity modes and then do

server.getSecurityModes().addAll(SecurityMode.combinations(supportedMessageSecurityModes, supportedSecurityPolicies));

and the SDK will create valid combinations of them.

P.S.
Also as per the samples do note the comment
/*
* Per the 1.05 specification, only these policies should be supported and the older ones should
* be considered as deprecated. However, in practice this list only contains very new security
* policies, which most of the client applications as of today that are used might not be unable
* to (yet) use. Thus, you should build a way to select these in your application configuration.
*
* Note that the 1.05 list has the same contents as the 1.04 list.
*/
supportedSecurityPolicies.addAll(SecurityPolicy.ALL_SECURE_104);
supportedSecurityPolicies.addAll(SecurityPolicy.ALL_SECURE_105);

October 30, 2024
15:30, EET
Avatar
rocket science
Member
Members
Forum Posts: 88
Member Since:
March 16, 2017
sp_UserOfflineSmall Offline
Go to Top
3sp_Permalink sp_Print

Ahh, thank you, I see

so basically:

‘SecurityMode.AES128_SIGN_ENCRYPT’ is the same as ‘new SecurityMode(SecurityPolicy.AES128_SHA256_RSAOAEP, MessageSecurityMode.SignAndEncrypt)’
and
‘SecurityMode.AES256_SIGN_ENCRYPT’ is the same as ‘new SecurityMode(SecurityPolicy.AES256_SHA256_RSAPSS, MessageSecurityMode.SignAndEncrypt)’

correct?

October 30, 2024
15:42, EET
Avatar
Matti Siponen
Moderator
Members

Moderators
Forum Posts: 346
Member Since:
February 11, 2020
sp_UserOfflineSmall Offline
Go to Top
4sp_Permalink sp_Print

Hello,

Yes, that is exactly how the static constants in SecurityMode have been defined.

No permission to create posts
sp_Feed All RSS
Go to top
Forum Timezone: Europe/Helsinki

Most Users Ever Online: 1919

Currently Online:
28 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

Heikki Tahvanainen: 402

hbrackel: 144

rocket science: 88

pramanj: 86

Francesco Zambon: 83

Ibrahim: 78

Sabari: 62

kapsl: 57

gjevremovic: 49

Xavier: 43

Member Stats:

Guest Posters: 0

Members: 734

Moderators: 7

Admins: 1

Forum Stats:

Groups: 3

Forums: 15

Topics: 1523

Posts: 6449

Newest Members:

christamcdowall, redaahern07571, nigelbdhmp, travistimmons, AnnelCib, dalenegettinger, howardkennerley, Thomassnism, biancacraft16, edgardo3518

Moderators: Jouni Aro: 1026, Pyry: 1, Petri: 0, Bjarne Boström: 1026, Jimmy Ni: 26, Matti Siponen: 346, Lusetti: 0

Administrators: admin: 1