IEC TR 62541-2 pdf download – OPC Unified Architecture – Part 2: Security Model

1 Scope
This part of IEC 62541 describes the OPC Unified Architecture (OPC UA) security model. It describes the security threats of the physical, hardware and software environments in which OPC UA is expected to run. It describes how OPC UA relies upon other standards for security. It gives an overview of the security features that are specified in other parts of the OPC UA specification. It references services, mappings, and profiles that are specified normatively in other parts of this series of standards.
Note that there are many different aspects of security that have to be addressed when developing applications. However, since OPC UA specifies a communication protocol, the focus is on securing the data exchanged between applications.
This does not mean that an application developer can ignore the other aspects of security, like protecting persistent data against tampering. It is important that the developer look into all aspects of security and decide how they can be addressed in the application.
This part of IEC 62541 is directed to readers who will develop OPC UA client or server applications or implement the OPC UA services layer.
It is assumed that the reader is familiar with Web Services and XML/SOAP. Information on these technologies can be found in SOAP Part 1 and SOAP Part 2.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
IEC 62541 (all parts), OPC Unified Architecture
IEC 62541-1, OPC Unified Architecture – Part 1: Overview and concepts
3 Terms, definitions, abbreviations and conventions
3.1 Terms and definitions
For the purposes of this document the following terms and definitions as well as the terms and definitions given in IEC 62541-1 apply.
3.1.1
Application Instance
individual installation of a program running on one computer
NOTE There can be several Application Instances of the same application running at the same time on several computers or possibly the same computer.
3.1.2
Application Instance Certificate
Digital Certificate of an individual instance of an application that has been installed in an individual host
NOTE Different installations of one software product would have different Application Instance Certificates.
3.1.3
Asymmetric cryptography
cryptography method that uses a pair of keys, one that is designated the Private Key and kept secret, the other is called the Public Key that is generally made available
NOTE Asymmetric Cryptography is also known as “public-key cryptography”. In an asymmetric encryption algorithm, when an entity A wants to ensure Confidentiality for data it sends to another entity B, entity A encrypts the data with a Public Key provided by entity B. Only entity B has the matching Private Key that is needed to decrypt the data. In an asymmetric digital signature algorithm, when an entity A wants to ensure Integrity or provide Authentication for data it sends to an entity B, entity A uses its Private Key to sign the data. To verify the signature, entity B uses the matching Public Key that entity A has provided. In an asymmetric key agreement algorithm, entity A and entity B each send their own Public Key to the other entity. Then each uses their own Private Key and the other's Public Key to compute the new key value. See IS Glossary.
3.1.4
Asymmetric Encryption
mechanism used by Asymmetric Cryptography for encrypting data with the Public Key of an entity and for decrypting data with the associated Private Key
NOTE See 3.1.3 for details.
3.1.5
Asymmetric Signature
mechanism used by Asymmetric Cryptography for signing data with the Private Key of an entity and for verifying the data's signature with the associated Public Key
NOTE See 3.1.3 for details.
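The three mechanisms in the note to 3.1.3, together with the definitions in 3.1.4 and 3.1.5, shown as an added example in Go that is not part of IEC TR 62541-2 or of any OPC UA stack: A encrypts for B with B's Public Key and only B can decrypt; A signs with its own Private Key and B verifies with A's Public Key, rejecting altered data or a signature made by another key; and two parties each combine their own Private Key with the other's Public Key to reach the same shared secret. It uses only the Go standard library. The algorithm choices (RSA-OAEP and RSA-PSS with SHA-256, ECDH over P-256), the `Party` type and the sample payload are assumptions made for this example; the algorithms an OPC UA application must actually use are fixed by the Security Policies specified in other parts of the series.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party stands in for one OPC UA application instance that owns a key pair.
// The type is an assumption for this example, not an OPC UA type.
type Party struct {
	Name string
	priv *rsa.PrivateKey
}

// NewParty generates the party's key pair. In OPC UA the public half would be
// carried in the Application Instance Certificate (3.1.2).
func NewParty(name string) (*Party, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv}, nil
}

// Public returns the key this party makes generally available.
func (p *Party) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// EncryptFor implements Asymmetric Encryption (3.1.4): the sender encrypts with
// the recipient's Public Key, here using RSA-OAEP with SHA-256.
func EncryptFor(recipient *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, plaintext, nil)
}

// Decrypt recovers the data with the matching Private Key; any other key fails.
func (p *Party) Decrypt(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, p.priv, ciphertext, nil)
}

// Sign implements Asymmetric Signature (3.1.5): the sender signs a SHA-256
// digest of the data with its own Private Key, here using RSA-PSS.
func (p *Party) Sign(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, digest[:], nil)
}

// Verify checks the signature with the signer's Public Key. It returns false
// if the data was altered or the signature was made by a different key.
func Verify(signer *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(signer, crypto.SHA256, digest[:], sig, nil) == nil
}

// AgreeKey models the key agreement in the note to 3.1.3 with ECDH over P-256:
// each side combines its own Private Key with the other's Public Key. Both
// results are returned so a caller can confirm they computed the same secret.
func AgreeKey() (secretA, secretB []byte, err error) {
	curve := ecdh.P256()
	a, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	b, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Only the two public keys cross the wire; the private keys never do.
	if secretA, err = a.ECDH(b.PublicKey()); err != nil {
		return nil, nil, err
	}
	if secretB, err = b.ECDH(a.PublicKey()); err != nil {
		return nil, nil, err
	}
	return secretA, secretB, nil
}

func main() {
	a, _ := NewParty("A")
	b, _ := NewParty("B")
	msg := []byte("constructed sample payload from A to B") // constructed input
	// Confidentiality: A encrypts for B; only B can decrypt, A cannot.
	ct, _ := EncryptFor(b.Public(), msg)
	pt, _ := b.Decrypt(ct)
	_, wrongKeyErr := a.Decrypt(ct)
	fmt.Printf("B decrypts: %q; A decrypting B's data fails: %v\n", pt, wrongKeyErr != nil)
	// Integrity/authentication: A signs; B verifies with A's Public Key.
	sig, _ := a.Sign(msg)
	fmt.Println("valid signature accepted:", Verify(a.Public(), msg, sig))
	fmt.Println("tampered data accepted:", Verify(a.Public(), append(msg, '!'), sig))
	fmt.Println("B's key accepted as signer:", Verify(b.Public(), msg, sig))
	// Key agreement: both sides arrive at the same secret.
	sA, sB, _ := AgreeKey()
	fmt.Println("shared secrets match:", bytes.Equal(sA, sB))
}
```

The negative cases are the ones worth watching when reviewing an implementation: decryption with the wrong Private Key must fail, and verification must reject both altered data and a signature produced by a key other than the claimed signer's. A test that only exercises the happy path has not shown that possession of the Private Key is what actually protects the data.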
3.1.6
Auditability
security objective that assures that any actions or activities in a system can be recorded
3.1.7
Auditing
tracking of actions and activities in the system, including security related activities where the Audit records can be used to verify the operation of system security
3.1.8
Authentication
process of verifying the identity of an entity such as a client,server, or user
3.1.9
Authorization
process of granting the right or the permission to a system entity to access a system resource
3.1.10
Availability
running of the system with unimpeded capacity
3.1.11
Confidentiality
protection of data from being read by unintended parties