Encryption of password if the SecureChannel has SecurityProfile of none|OPC UA Standard|Forum|OPC Foundation

Jonas Green (Halmstad, Sweden), Member, Forum Posts: 23, Member Since: 05/24/2017
#1, 10/24/2017 - 03:55

Our device implements the Micro embedded profile and only supports a SecurityPolicy of None on the SecureChannel. In Part 4 chapter 7.36.3 UserNameIdentityToken, it says the following: "If None is specified for the UserTokenPolicy and SecurityPolicy is None then the password only contains the UTF-8 encoded password. This configuration should not be used unless the network is encrypted in some other manner such as a VPN."

The UA CTT test suite "Security - Security User Name Password" gives a warning and says: "User name password combination. Specific encryption of the password is required if not Message encryption is used."

The specification states that the password should not be unencrypted if the SecureChannel is not secured, and the UA CTT states it is a requirement. Is it a requirement to encrypt the password for a Micro embedded device, or is it just a recommendation?

Paul Hunkar, Member, Forum Posts: 27, Member Since: 07/05/2017
#2, 10/31/2017 - 20:01

A Micro embedded profile typically does not provide HTTPS communication (message encryption), only TCP, and the network in the certification lab does not support a VPN or other outside means; thus a server is required to support encrypting the password. This might not be endpoint-based but User Token Policy-based encryption. And at an end user facility, the device may be configured to use a VPN or other network-based security, freeing the device from performing the encryption, but this is at an end user facility.

From the Profile:

The token will be encrypted if required by the security policy of the User Token Policy or by the security policy of the endpoint. An unencrypted token either requires message encryption or means outside the scope of OPC UA to secure the identity token so that it cannot be retrieved by sniffing the communication. One option would be a secure transport like a VPN.

Profiles are available here:

https://opcfoundation-onlineap.....reporting/


Paul
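What both posts describe, a UserNameIdentityToken encrypted under the security policy of the User Token Policy while the SecureChannel itself runs with SecurityPolicy None, as an added example in Go. This code is not part of the thread and not taken from any OPC Foundation stack. It assumes the user token policy is Basic256Sha256 (RSA-OAEP with SHA-1), a 2048-bit key behind the server's application instance certificate, and the legacy token secret layout from Part 4 7.36.3 (4-byte little-endian length, then password, then serverNonce). The function names, the sample password and the nonce values are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"hash"
)

// OAEP hash for SecurityPolicy Basic256Sha256 (xmlenc#rsa-oaep is OAEP with
// SHA-1). Aes256_Sha256_RsaPss would use SHA-256 here instead.
func oaepHash() hash.Hash { return sha1.New() }

// NewServerKey stands in for the key behind the server certificate
// (assumption: 2048-bit RSA, the usual size for OPC UA certificates).
func NewServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// tokenSecret builds the Part 4 7.36.3 legacy token secret: 4-byte LE length
// of (password || serverNonce), then both fields. All of it gets encrypted.
func tokenSecret(password, serverNonce []byte) []byte {
	out := make([]byte, 4, 4+len(password)+len(serverNonce))
	binary.LittleEndian.PutUint32(out, uint32(len(password)+len(serverNonce)))
	return append(append(out, password...), serverNonce...)
}

// EncryptPassword is the client side. The secret is cut into the largest
// blocks the key can carry and each block is RSA-OAEP encrypted, so a long
// password produces several key-size ciphertext blocks back to back.
func EncryptPassword(pub *rsa.PublicKey, password, serverNonce []byte) ([]byte, error) {
	if len(serverNonce) < 32 {
		return nil, errors.New("serverNonce shorter than the 32-byte minimum")
	}
	h := oaepHash()
	maxBlock := pub.Size() - 2*h.Size() - 2 // OAEP overhead for this hash
	plain := tokenSecret(password, serverNonce)
	var out []byte
	for len(plain) > 0 {
		n := len(plain)
		if n > maxBlock {
			n = maxBlock
		}
		ct, err := rsa.EncryptOAEP(h, rand.Reader, pub, plain[:n], nil)
		if err != nil {
			return nil, err
		}
		out = append(out, ct...)
		plain = plain[n:]
	}
	return out, nil
}

// DecryptPassword is the server side. Besides decrypting, it checks the
// embedded length and that the trailing nonce is the one this server issued
// in CreateSessionResponse; a token captured from another session fails that
// check, which is what stops replay of an encrypted token.
func DecryptPassword(priv *rsa.PrivateKey, encrypted, expectedNonce []byte) ([]byte, error) {
	k := priv.Size()
	if len(encrypted) == 0 || len(encrypted)%k != 0 {
		return nil, errors.New("ciphertext is not a whole number of RSA blocks")
	}
	h := oaepHash()
	var plain []byte
	for i := 0; i < len(encrypted); i += k {
		pt, err := rsa.DecryptOAEP(h, nil, priv, encrypted[i:i+k], nil)
		if err != nil {
			return nil, errors.New("OAEP decryption failed")
		}
		plain = append(plain, pt...)
	}
	if len(plain) < 4 || int(binary.LittleEndian.Uint32(plain)) != len(plain)-4 {
		return nil, errors.New("length prefix does not match decrypted data")
	}
	body := plain[4:]
	if len(body) < len(expectedNonce) {
		return nil, errors.New("decrypted data shorter than the nonce")
	}
	split := len(body) - len(expectedNonce)
	if subtle.ConstantTimeCompare(body[split:], expectedNonce) != 1 {
		return nil, errors.New("serverNonce mismatch: token from another session (replay)")
	}
	return body[:split], nil
}

func main() {
	key, err := NewServerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample input: the nonce from CreateSessionResponse and a password.
	nonce, other := make([]byte, 32), make([]byte, 32)
	rand.Read(nonce)
	rand.Read(other)
	password := []byte("correct horse battery staple")
	enc, _ := EncryptPassword(&key.PublicKey, password, nonce)
	got, err := DecryptPassword(key, enc, nonce)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, password))
	_, err = DecryptPassword(key, enc, other) // same token replayed into a new session
	fmt.Println("replay rejected:", err != nil)
}
```

The client puts the concatenated ciphertext in the token's password field and the policy's algorithm URI in its encryptionAlgorithm field. Note what this does and does not buy on a SecurityPolicy None channel: the nonce binds the token to one session, but the client must validate the server certificate it encrypts to, otherwise anyone who can interpose on the unprotected channel can substitute their own certificate and read the password.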
