Key Wrap Algorithm in Secure Channel

Unified Architecture topics related to OPC UA Specification, compliant behavior and any technical issues of OPC UA, like Security, Information Model, Companion Specs DI, PLCopen, ADI, ...

Moderator: Support Team

Post Reply
Mel
Sr. Member
Sr. Member
Posts: 10
Joined: 04 Mar 2014, 14:19

Key Wrap Algorithm in Secure Channel

Post by Mel »

Hi,

I have a general question about the Key Wrap Algorithm
and how this algorithm gets the secret for generating the symmetric key.

I read the specifications, but this point is not clear for me.
In part 6 on page 27, the security handshake of OPC UA is described.
If I capture a communication process between a client and a slave with wireshark (Security Mode: None),
then I can see the different exchanged messages. The handshake and the theoretical usage of the described algorithms is clear.
But how does OPC UA creates the symmetric key, when security is used. Which secret is used to generate the symmetric key with the key wrap algorithm P_SHA1? And also for signing the "Create Session Request/Response": what is the Client/Server Signing Key? Where do I find hints in the message-structure?

Is there any quote in the spezifications where this part is explained?

Thank you very much,
Mel

User avatar
Support Team
Hero Member
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Key Wrap Algorithm in Secure Channel

Post by Support Team »

Hi Mel,

this shared secret is derived from the ServceNonce and the ClientNonce exchanged asymetric encrypted in the OpenSecureChanell service.

This means the shared key can only be computed if both parts are know. This way OPC UA provides forward security. Even if the private RSA key of one side get compromised a recorded encrypted session cannot be decrypted afterwards. You need both nonces to be able to compute the shared AES key.

The OpenSecureChannel service is documented in Part 4.
Part6 describes the protocol details like key derivation and signing.
in Part7 you find the SecurityPolicies which defines what crypto algorithms should be used for the different policies like Base128Rsa15, etc.
See page 33 on Part 7 1.02

Mel
Sr. Member
Sr. Member
Posts: 10
Joined: 04 Mar 2014, 14:19

Re: Key Wrap Algorithm in Secure Channel

Post by Mel »

Thank you very much for the answer :-)

Mel
Sr. Member
Sr. Member
Posts: 10
Joined: 04 Mar 2014, 14:19

Re: Key Wrap Algorithm in Secure Channel

Post by Mel »

Hi,

I have another question to this topic. There is also the Key Derivation Algorithm used which belongs to the WS-Secure-Conversation Specification.
The Link in the OPC UA specification does not work.

For the computation of P_SHA1 the following formular is used:
P_SHA(secret, label + seed)

When I compare this formular with the formular used in TLS Specification (RFC2246):
P_SHA1 (secret, seed) = HMAC_SHA1(secret, A(1) + seed)+
HMAC_SHA1(secret, A(2) + seed)+ ...
with A(): A(0)= seed and A(i)=HMAC_SHA1(secret, A(i-1))

I think label is similar with A(). What is seed? And where do I find seed in the OPC UA handshake. I understood that the secret is ClientNonce and ServerNonce.

Thanks,
Mel

User avatar
Support Team
Hero Member
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Key Wrap Algorithm in Secure Channel

Post by Support Team »

hi

a seed in crypto algorithms is used to produce different results even when the same input is used.
E.g. if a password "secret" gets hashed without a seed using a CPU intensive key derivation algorithm one could create a table of dictionary words and the resulting hashes. When performing a brute-force attack one can use this precomputed table instead of running the key derivation function for each password. This way the attacker can completely bypass the key derivation algorithm speeding up the attack.
By adding a random seed to the key derivation (which must be public), it is not possible to compute such tables as long as the seed is long enough.

In OPC UA we don't use the key derivation to hash passwords. ClientNonce and ServerNonce are random numbers, so no seed is required.
You can say label=ClientNonce and seed=ServerNonce, or label=ClientNonce+ServerNonce and seed="". They get concatenated anyway internally.

Hope this helps.
Why do you need to know that? Are you creating a new stack?

Mel
Sr. Member
Sr. Member
Posts: 10
Joined: 04 Mar 2014, 14:19

Re: Key Wrap Algorithm in Secure Channel

Post by Mel »

Hi,

thanks again for the detailed answer.

No, I am not creating a new stack, I am working on project which is a pre-work for my masterthesis.
There I analyze the security mechanisms of OPC UA in detail to have a deep understanding.

Therefore I am asking these questions.
Mel

Post Reply