YASKAWA VIPA System SLIO Manual page 190

Deployment OPC UA
Basics OPC UA > Integrated security concept

OPC UA uses three types of X.509 certificates when establishing a client-to-server connection:
- OPC UA application certificates
- OPC UA software certificates
- OPC UA user certificates

Check when establishing a connection
- When establishing a connection between client and server, the participants check all information from the certificate that is required to establish integrity. Among other things, the period of validity stored in the certificate is checked. Please ensure that the date and time are set correctly for the participants, otherwise no communication can take place.

Sign and encrypt
- To avoid tampering, certificates are signed. Within the OPC UA Configurator, you can use the 'Server settings' to import certificates or create and sign them yourself.
- Self-signed certificate:
  - Each participant generates its own certificate and signs it.
  - Self-signed certificates are to be transferred to the CPU.
  - No new certificates can be derived from a self-signed certificate.
  - Sample applications: static configuration with a limited number of communication participants.
- CA certificate:
  - All certificates are created and signed by a certification authority.
  - Only the certificate derived from and signed by the certification authority is to be transferred to the CPU.
  - The certification authority can generate new certificates, so partner devices can be added at any time.
  - Sample applications: dynamically growing plants.
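The following Go program is an added illustration of the connection-time check and of the two certificate models above; it is not code from the manual or from YASKAWA/VIPA. It uses only the Go standard library. The certificate names (plc-self-signed, plant-ca, plc-ca-signed), the validity window (the year 2024) and the two clock readings are constructed for the example, and the certificates "held by the CPU" are modelled as a plain trust list. It shows that a self-signed device certificate is accepted only if that exact certificate is held by the CPU, that a CA-signed device certificate is accepted whenever the CA certificate is held (so further devices can be added without touching the CPU), and that a wrong date and time on the checking side fails the validity-period check even for an otherwise trusted certificate.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// template describes a certificate valid for the constructed year 2024. With ca=true it may sign
// further certificates; an application certificate keeps IsCA=false, so nothing can be derived from it.
func template(name string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC),
		BasicConstraintsValid: true,
		IsCA:                  ca,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl with signerKey; passing tmpl itself as parent yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signerKey *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Scenario: a self-signed device certificate, a certification authority, and a device certificate derived from it.
type Scenario struct{ SelfSigned, CA, CASigned *x509.Certificate }

func buildScenario() (*Scenario, error) {
	devKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	selfTmpl := template("plc-self-signed", 2, false) // hypothetical device and CA names
	selfSigned, err := issue(selfTmpl, selfTmpl, &devKey.PublicKey, devKey)
	if err != nil {
		return nil, err
	}
	caTmpl := template("plant-ca", 1, true)
	ca, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caSigned, err := issue(template("plc-ca-signed", 3, false), ca, &devKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &Scenario{SelfSigned: selfSigned, CA: ca, CASigned: caSigned}, nil
}

// trusted is the connection-time check: cert must chain to a certificate held by the CPU
// and must lie inside its validity period at the CPU's current date and time.
func trusted(cert *x509.Certificate, heldByCPU []*x509.Certificate, clock time.Time) error {
	roots := x509.NewCertPool()
	for _, c := range heldByCPU {
		roots.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: clock, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// clockRejected reports whether err is the validity-period failure a wrong date/time produces.
func clockRejected(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

func main() {
	s, err := buildScenario()
	if err != nil {
		panic(err)
	}
	ok := time.Date(2024, 7, 1, 0, 0, 0, 0, time.UTC)    // CPU clock inside the validity period
	unset := time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC) // CPU clock never set after power-up
	fmt.Println("self-signed, held by CPU:  ", trusted(s.SelfSigned, []*x509.Certificate{s.SelfSigned}, ok))
	fmt.Println("CA-signed, CA held by CPU: ", trusted(s.CASigned, []*x509.Certificate{s.CA}, ok))
	err = trusted(s.SelfSigned, []*x509.Certificate{s.SelfSigned}, unset)
	fmt.Println("clock unset:", err, "| validity failure:", clockRejected(err))
}
```

The first two checks print `<nil>` (accepted); the third prints a certificate-invalid error and `true`, which is the failure mode the manual's note about date and time refers to: the certificate is fine, the clock of the checking participant is not.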
Digital signature

The signature can be used to prove the integrity and origin of a message.
1. The sender forms a hash value as a check value from the clear message.
2. The hash value and a private key result in the digital signature.
3. The clear message is sent to the recipient together with the digital signature.
4. The recipient decrypts the received signature with the public key and thus gets back the original hash value.
5. The receiver also forms a hash value from the clear message and compares it with the original hash value. The public key and hash method are included in the X.509 certificate.
   - If both hash values are identical, neither the sender nor the clear message was manipulated.
   - If the hash values differ, the clear message was manipulated or falsified during transmission.
- X.509 certificates are not encrypted; they are public and anyone can see them.

Encrypting

- Encrypting data prevents unauthorized users from knowing the content.
- When encrypting, the sender encrypts the clear message with the recipient's public key from the X.509 certificate.
- The recipient decrypts the message with his private key. Any holder of the private key can decrypt a received message.
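The following Go program is an added example, not code from the manual or from YASKAWA/VIPA, covering both the five signature steps and the encryption paragraph above. It uses only the Go standard library: SHA-256 as the hash method, RSA PKCS#1 v1.5 for the signature (step 4 literally recovers the hash from the signature with the public key) and RSA-OAEP for encryption. The sample message and the key pairs are constructed for the example; in OPC UA the public keys would be taken from the participants' X.509 certificates. Besides the unmodified exchange it shows the failure cases: a message altered during transmission no longer matches the signature, and a ciphertext cannot be opened with any private key other than the recipient's.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// hashMessage is step 1: the check value the sender forms from the clear message.
// SHA-256 stands in for the hash method announced in the sender's X.509 certificate.
func hashMessage(clear []byte) []byte {
	sum := sha256.Sum256(clear)
	return sum[:]
}

// signMessage is step 2: hash value + sender's private key -> digital signature.
func signMessage(clear []byte, senderPriv *rsa.PrivateKey) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, hashMessage(clear))
}

// verifySignature is steps 4 and 5 on the recipient side: the signature is opened with the
// sender's public key and the hash it carries is compared with a hash the recipient forms
// itself from the clear message it received.
func verifySignature(clear, sig []byte, senderPub *rsa.PublicKey) bool {
	return rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, hashMessage(clear), sig) == nil
}

// encryptFor: the sender encrypts the clear message with the recipient's public key (RSA-OAEP).
func encryptFor(clear []byte, recipientPub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, clear, nil)
}

// decrypt: only a holder of the matching private key recovers the clear message.
func decrypt(ciphertext []byte, recipientPriv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, ciphertext, nil)
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)

	// Constructed sample message; real traffic would be an OPC UA secure-channel message.
	clear := []byte("WriteRequest ns=2;s=Setpoint value=42")

	// Steps 1-3: the clear message leaves the sender together with its signature.
	sig, err := signMessage(clear, sender)
	check(err)
	fmt.Println("unchanged message accepted:", verifySignature(clear, sig, &sender.PublicKey))

	// Manipulation during transmission: the recipient's own hash no longer matches the original.
	altered := bytes.Replace(clear, []byte("42"), []byte("99"), 1)
	fmt.Println("altered message accepted:  ", verifySignature(altered, sig, &sender.PublicKey))

	// Encryption: public key of the recipient to lock, private key of the recipient to unlock.
	ct, err := encryptFor(clear, &recipient.PublicKey)
	check(err)
	plain, err := decrypt(ct, recipient)
	fmt.Printf("recipient decrypts: %q (err=%v)\n", plain, err)
	_, err = decrypt(ct, sender) // some other private key cannot open it
	fmt.Println("other private key:", err)
}
```

Signing and encrypting use different key pairs in opposite roles: the signature is made with the sender's private key and checked with the sender's public key, while the message is encrypted with the recipient's public key and decrypted with the recipient's private key. Swapping either public key for the wrong participant's makes the check fail, as the test cases show.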
VIPA System SLIO
HB300 | CPU | 013-CCF0R00 | en | 19-30

Advertisement

Table of Contents
loading

Table of Contents