Hi,
I have a question about the usage of server and client certificate.
The server sends its certificate with its EndpointDescription to the client.
The client uses the public key for encryption and signing of its next message, the OpenSecureChannel request.
Within this message it sends its client certificate to the server.
Then the server can also use the public key for signing and encryption.
Is this right?
Do the client and server exchange one public key each?
So the server, for instance, uses the same private key for decryption and signing?
Another question: why does the server exchange its certificate a second time?
I think it exchanges its certificate a second time in its OpenSecureChannel response?
What is the purpose with this second exchange?
Thank you very much for your help,
Mel
Server Certificate
Moderator: Support Team
- Support Team
- Hero Member
- Posts: 3064
- Joined: 18 Mar 2011, 15:09
Re: Server Certificate
Hi Mel,
Your description of the initial handshaking and certificate exchange is correct. GetEndpoints and the EndpointDescription are used by the client to get the server certificate. The client certificate is passed to the server with the OpenSecureChannel request.
The server does not send his certificate in the OpenSecureChannel response.
But client and server certificate are again exchanged in CreateSession request and response. This is necessary since applications may not have access to the secure channel layer, especially if the secure channel is not the standard UA TCP / UA Secure Conversation protocol. One example is OPC UA over HTTPS.
Best Regards,
Unified Automation Support Team
-
- Sr. Member
- Posts: 10
- Joined: 04 Mar 2014, 14:19
Re: Server Certificate
Hi,
thanks for your answer.
Are you sure that the server does not exchange its certificate with the OpenSecureChannel response message?
If I capture the data exchange between client and server with Wireshark, I can identify the server certificate in the OpenSecureChannel response message.
And how do I have to understand the Table 30 on page 38 of the specification part 6?
There the asymmetric security header is shown.
I thought all Secure Channel messages use this asymmetric header and therefore the certificate of the server must be in the response message.
Hope you can help me to clear up my misunderstandings.
Thanks again,
Mel
- Support Team
- Hero Member
- Posts: 3064
- Joined: 18 Mar 2011, 15:09
Re: Server Certificate
Hello Mel,
The server certificate is not sent in the OpenSecureChannelResponse - that's service level.
But you are right - the server certificate is part of the security header that is sent before the OpenSecureChannelResponse in the body.
We were just talking of slightly different things.
Best Regards,
Unified Automation Support Team
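To make the distinction in this reply concrete, here is an added example (not code from the forum or from Unified Automation) that builds and parses an OPN chunk as laid out in Part 6: message header, then the asymmetric security header (SecurityPolicyUri, SenderCertificate, ReceiverCertificateThumbprint), and only after that the sequence header and the OpenSecureChannel service body. The certificates and policy URI are constructed stand-ins, and the body is left unencrypted because the point is where the certificate sits, not the RSA step.

```python
import hashlib
import struct

# Constructed stand-ins for DER certificates (not real X.509 data) and a policy URI.
CLIENT_CERT = b"constructed-client-cert-der"
SERVER_CERT = b"constructed-server-cert-der"
POLICY = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"

def encode_bytestring(data):
    """OPC UA ByteString: int32 little-endian length (-1 for null) followed by the bytes."""
    return struct.pack("<i", -1) if data is None else struct.pack("<i", len(data)) + data

def decode_bytestring(buf, pos):
    """Inverse of encode_bytestring; returns (value or None, offset after the field)."""
    (length,) = struct.unpack_from("<i", buf, pos)
    pos += 4
    return (None, pos) if length < 0 else (bytes(buf[pos:pos + length]), pos + length)

def build_opn_chunk(channel_id, policy_uri, sender_cert_der, receiver_cert_der, body):
    """Assemble an OPN chunk: message header, asymmetric security header, then the body.
    A real message encrypts the sequence header and service body with the receiver's
    public key; the body here is a constructed placeholder, the point is header layout."""
    sec_header = (encode_bytestring(policy_uri.encode("ascii"))
                  + encode_bytestring(sender_cert_der)
                  + encode_bytestring(hashlib.sha1(receiver_cert_der).digest()))
    size = 12 + len(sec_header) + len(body)  # MessageSize counts the whole chunk
    return b"OPN" + b"F" + struct.pack("<II", size, channel_id) + sec_header + body

def parse_opn_chunk(msg):
    """Split an OPN chunk into message header, asymmetric security header and remainder."""
    msg_type, chunk_type, size, channel_id = struct.unpack_from("<3scII", msg, 0)
    if msg_type != b"OPN" or chunk_type != b"F":
        raise ValueError("not a final OpenSecureChannel chunk")
    if size != len(msg):
        raise ValueError("MessageSize does not match the chunk length")
    policy, pos = decode_bytestring(msg, 12)
    sender_cert, pos = decode_bytestring(msg, pos)
    thumbprint, pos = decode_bytestring(msg, pos)
    return {"secure_channel_id": channel_id,
            "security_policy_uri": policy.decode("ascii"),
            "sender_certificate": sender_cert,      # the certificate Wireshark shows
            "receiver_thumbprint": thumbprint,
            "encrypted_part": msg[pos:]}            # sequence header + service body

def thumbprint_matches(thumbprint, own_cert_der):
    """Receiver-side check: the thumbprint must be the SHA-1 of the receiver's own DER cert."""
    return thumbprint is not None and thumbprint == hashlib.sha1(own_cert_der).digest()
```

For the client's request the sender certificate is the client's and the thumbprint is of the server's certificate; for the server's response the roles swap, which is exactly the certificate Mel sees in the capture.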
-
- Jr. Member
- Posts: 3
- Joined: 18 Jul 2015, 20:02
OPCUA asymmetric encryption
Hello,
In the OPCUA specification we should use asymmetric encryption (in my case RSA 256 OAEP) to encrypt the “OpenSecureChannel request” and “OpenSecureChannel response”.
My OpenSecureChannel request/response size = 2000 octets
The RSA algorithm supports a block size of ~217 octets or something like that (RSA blockSize = RSA_Size(key) – paddingSize)
How should I encrypt my request and my response?
Should I use an operation mode (CBC for example) to split my plaintext into small blocks?? Am I respecting the specification by doing that?
Please, even if you don’t know the answer, any idea can be helpful!!
Thank you
- Support Team
- Hero Member
- Posts: 3064
- Joined: 18 Mar 2011, 15:09
Re: Server Certificate
Hello jessepinkman,
Please read the forum rules; do not post the same question in different threads!
Find the answer here:
http://forum.unified-automation.com/topic1585.html
Best Regards
Support Team