13:56, EEST
May 25, 2016
Dear Team,
Kindly clarify the following queries about the OPC UA specification Part 4 Services.
1. From my understanding, after the GetEndpoints Service messages, the client sends an OpenSecureChannel request to the server, which means the request is signed or signed & encrypted according to the security policy in the desired endpoint. I saw the following lines in the specification Part 4 Services, pg. no. 33:
‘The OpenSecureChannel request and response Messages shall be signed with the sender’s Certificate. These Messages shall always be encrypted. If the transport layer does not provide encryption, then these Messages shall be encrypted with the receiver’s Certificate.’ In this it is mentioned that the messages ‘shall’ always be encrypted. How does it rely on the transport layer?
and I also see another description in the OPC Unified Architecture Book by Wolfgang Mahnke, Stefan-Helmut Leitner, Matthias Damm as follows,
‘If the certificate is considered as trustworthy, then as the second step an OpenSecureChannel request secured in accordance to the Security Policy and the Security Mode is sent to the selected Session Endpoint of the server.’ Here, it highlights that the message is secured in accordance with the Security Policy and Security Mode, so I request a clarification on the scenario where the security mode is Sign. Will the message be encrypted also?
2. When the Message Security Mode is None, then the Security Policy ‘must’ be None?
3. X509IdentityToken specification Part 4 Services section 7.35.4
‘This token shall always be accompanied by a signature in the userTokenSignature parameter of ActivateSession if required by the SecurityPolicy. The Server should specify a SecurityPolicy for the UserTokenPolicy if the SecureChannel has a SecurityPolicy of None.’ In the first line it is mentioned ‘if required by the SecurityPolicy’; what is the context of ‘if required’ when the userTokenSignature is a required field for X509IdentityToken? In the second line it is mentioned that an explicit Security Policy is required if the SecureChannel has a SecurityPolicy of None, where ‘None’ means no certificates are exchanged and so X509IdentityToken cannot be used, referring to the following lines in the same specification (Section 5.6.3 ActivateSession, pg. no. 40)?
‘If the token is an X509IdentityToken then the proof is a signature generated with private key associated with the Certificate. The data to sign is created by appending the last serverNonce to the serverCertificate specified in the CreateSession response.’
For your kind information, I use the specification released in November 2015 for my study. Please clarify.
Thanks,
Gajasri
18:50, EEST
December 21, 2011
Yes, it seems like there is a bit of unclarity.
OPC UA defines three alternative MessageSecurityModes:
None, in which case no security measures are applied and the Application Instance Certificates are not used, in general
Sign, in which case the messages are only signed
Sign&Encrypt, in which case the messages are signed and fully encrypted
SecurityPolicy defines a set of cipher algorithms to use for signing and encryption, when these are applied.
The alternative User Authentication Modes can be applied independently of the Message Security Mode. The alternatives are:
None = Anonymous access
Username&Password identification
User Certificates (X.509)
External Tokens
If passwords are sent, they will be encrypted as defined by the UserTokenPolicy (which is separate from SecurityPolicy, but similar). The Application Instance Certificates will be used for the encryption in this case – and therefore they are required to be exchanged even when MessageSecurityMode=None.
User Certificates are separate from the Application Instance Certificates.
The server application always defines which modes are available (via the Endpoints). The client application always decides which modes it will use for the connection (SecureChannel) and for the session.
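As an added example (not code from the forum post, from Prosys or from the OPC Foundation), the following Python checker applies the rules stated in the reply above to a server's advertised endpoints: MessageSecurityMode and SecurityPolicy must pair up, password or external tokens are encrypted as the UserTokenPolicy defines, and that encryption needs the server's Application Instance Certificate even when the channel mode is None. The dictionary field names, the rule that a token policy left unset inherits the channel policy, and the sample endpoints are simplifying assumptions, not the real OPC UA wire structures.

```python
# Added example: a simplified endpoint/user-token policy checker (assumed field names).
NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"     # SecurityPolicy None URI
B256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"
MODE_RANK = {"None": 0, "Sign": 1, "SignAndEncrypt": 2}        # the three MessageSecurityModes


def check_endpoint(ep: dict) -> list:
    """Return findings for one endpoint description.

    ep = {"mode": str, "policy": str, "server_cert": bytes,
          "user_tokens": [{"type": str, "policy": str | None}, ...]}
    """
    findings = []
    mode, policy = ep["mode"], ep["policy"]
    # Mode None goes with SecurityPolicy None; Sign and SignAndEncrypt need a
    # real cipher suite to sign/encrypt with.
    if mode == "None" and policy != NONE:
        findings.append("mode None but a non-None SecurityPolicy is advertised")
    if mode != "None" and policy == NONE:
        findings.append(f"mode {mode} cannot be applied with SecurityPolicy None")
    for tok in ep["user_tokens"]:
        tok_policy = tok.get("policy") or policy   # assumption: unset token policy inherits the channel's
        if tok["type"] in ("UserName", "IssuedToken") and tok_policy == NONE:
            # A password or external token would cross an unsecured channel with
            # no token encryption, so the UserTokenPolicy should name a policy.
            findings.append(f"{tok['type']} token on a None channel without its own SecurityPolicy")
        if tok_policy != NONE and not ep["server_cert"]:
            # Token encryption uses the server's Application Instance Certificate,
            # which therefore must be supplied even when the channel mode is None.
            findings.append(f"{tok['type']} token needs encryption but no server certificate is supplied")
    return findings


def most_secure(endpoints: list):
    """Client-side choice: the highest mode among endpoints with no findings."""
    ok = [e for e in endpoints if not check_endpoint(e)]
    return max(ok, key=lambda e: MODE_RANK[e["mode"]]) if ok else None


# Constructed sample endpoints (not captured from a real server).
SAMPLE_ENDPOINTS = [
    {"mode": "None", "policy": NONE, "server_cert": b"",            # weak: password in the clear
     "user_tokens": [{"type": "UserName", "policy": None}]},
    {"mode": "None", "policy": NONE, "server_cert": b"<der cert>",  # corrected: token policy set
     "user_tokens": [{"type": "UserName", "policy": B256}]},
    {"mode": "SignAndEncrypt", "policy": B256, "server_cert": b"<der cert>",
     "user_tokens": [{"type": "Anonymous", "policy": None}, {"type": "Certificate", "policy": None}]},
]

if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        print(ep["mode"], check_endpoint(ep) or "ok")
    print("client would pick:", most_secure(SAMPLE_ENDPOINTS)["mode"])
```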