Allowing Anonymous User Access - A security breach in OPC-UA conversation|OPC Certification and Interoperability Testing|Forum|OPC Foundation
Dipika Khera (Member), post 1, 05/12/2020 - 06:15

Hi Team,

Does allowing an anonymous user to read, subscribe to & write data to Nodes available in the OPC address space lead to a security breach? If not, can we say an OPC client application with Anonymous user access is secure?

Thank you

Randy Armstrong (Admin), post 2, 05/13/2020 - 04:06

OPC UA has "application authentication" and "user authentication".

"application authentication" means a client cannot create a session unless the server has been configured to trust the client, which is identified by its application instance certificate.

"user authentication" identifies the user that is using an application. In some cases, valid user credentials can be rejected because they are not valid for the client application.

So there is no security issue with anonymous access if application authentication is enabled.

If application authentication is disabled then anonymous credentials represent a security risk.

Dipika Khera (Member), post 3, 05/14/2020 - 09:11

Thank you, Randy, for the quick reply.

There are many ways to connect an OPC client with an OPC server, e.g., using the HTTPS & opc.tcp protocols. When we use HTTPS, I understand what application authentication means. It is like integrating OAuth2 in a client application accessible in a browser for application authentication & using a username/password combination for user authentication.

When we use the opc.tcp protocol, we use either anonymous or username/password or client-server certificate for user authentication. But I didn't understand how we can authenticate an application running over the opc.tcp protocol using an application instance certificate.

Of course, when we try to create a connection between an OPC client & server using certificates for the very first time, the client has to trust the server's certificate & vice versa. Only then is a secured session or connection established between them.

Could you please elaborate a bit more on the application instance certificate? Is my understanding of application & user authentication correct, or have I misunderstood something?

Thank you

Randy Armstrong (Admin), post 4, 05/14/2020 - 11:07

There is generally no application authentication with HTTPS because HTTPS clients do not usually have certificates.

With opc.tcp, it is automatic. You can't connect securely without doing it because opc.tcp clients are required to have certificates.

Every application has a certificate issued to it that identifies the application. This is called the application instance certificate.

I recommend you read the specification for more information:
https://reference.opcfoundatio.....rt4/5.5.1/
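As an added illustration of the two checks Randy separates in posts 2 and 4 (example code written for this page, not OPC Foundation code): a small Python model of a server's session admission plus a configuration audit. MessageSecurityMode names and user identity token types are OPC UA Part 4 concepts; the thumbprints, application URIs, endpoints and the per-user application binding are constructed sample values, and rejecting anonymous tokens on a channel without application authentication is a policy choice made in this model, not behaviour the specification mandates.

```python
from dataclasses import dataclass, field
from typing import Optional
# MessageSecurityModes on which the server verifies the client's application
# instance certificate; on "None" no application authentication happens.
AUTHENTICATING_MODES = {"Sign", "SignAndEncrypt"}

@dataclass
class Endpoint:
    security_mode: str           # "None", "Sign" or "SignAndEncrypt"
    trust_list: set              # thumbprints of trusted application instance certificates
    user_token_policies: set     # user identity token types offered, e.g. {"Anonymous"}
    # Constructed: users valid only for particular client application URIs
    # (Randy's "credentials not valid for the client application").
    user_app_bindings: dict = field(default_factory=dict)

@dataclass
class SessionRequest:
    client_app_uri: str
    client_cert_thumbprint: Optional[str]   # None if no certificate is presented
    token_type: str                         # "Anonymous", "UserName", ...
    user: Optional[str] = None

def application_authenticated(ep: Endpoint, req: SessionRequest) -> bool:
    """True only when the channel is secured AND the client certificate is trusted."""
    return ep.security_mode in AUTHENTICATING_MODES and req.client_cert_thumbprint in ep.trust_list

def admit(ep: Endpoint, req: SessionRequest):
    """Server-side decision -> (accepted, reason); anonymous needs a prior application check."""
    if ep.security_mode in AUTHENTICATING_MODES and req.client_cert_thumbprint not in ep.trust_list:
        return False, "application instance certificate not trusted"
    if req.token_type not in ep.user_token_policies:
        return False, "user token type not offered by this endpoint"
    if req.token_type == "Anonymous" and not application_authenticated(ep, req):
        return False, "anonymous token without application authentication"
    bound = ep.user_app_bindings.get(req.user)
    if req.token_type == "UserName" and bound and req.client_app_uri not in bound:
        return False, "valid credentials, but not valid for this client application"
    return True, "ok"

def audit(ep: Endpoint) -> list:
    """Configuration review: flag the combination the thread calls a security risk."""
    findings = []
    if ep.security_mode == "None" and "Anonymous" in ep.user_token_policies:
        findings.append("Anonymous allowed with SecurityMode None: nobody is authenticated")
    return findings

# Constructed sample endpoints: a SignAndEncrypt opc.tcp endpoint with one trusted
# client thumbprint, and an unsecured endpoint that only offers Anonymous.
SECURE_ENDPOINT = Endpoint("SignAndEncrypt", {"THUMB-CLIENT-A"}, {"Anonymous", "UserName"},
                           {"operator": {"urn:plant:hmi"}})
OPEN_ENDPOINT = Endpoint("None", set(), {"Anonymous"})
```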

Dipika Khera (Member), post 5, 05/14/2020 - 11:32

Thank you so much, Randy, for the quick reply & for providing more information about the security of an application.

I'll go through the specification Part 4, 5.5.1, to get a better understanding of this.

Thanks a lot.
