0010056: Prevent Hijacking of Session by creating chain connecting back to initial OpenSecureChannel

ID	Project	Category	View Status	Date Submitted	Last Update

0010056	10000-006: Mappings	Spec	public	2024-12-04 16:50	2025-10-28 15:18

Reporter	Randy Armstrong	Assigned To	Randy Armstrong
Priority	normal	Severity	minor	Reproducibility	have not tried
Status	assigned	Resolution	fixed
Product Version	1.05.04

Summary	0010056: Prevent Hijacking of Session by creating chain connecting back to initial OpenSecureChannel
Description	to resolve this issue for a future ECC security policy I would like to suggest the following changes to the protocol. When a ECC SecureChannel is renewed, the ECDH algoritm is used to generate the shared secret, and the key derivation uses IKM0 = the x-coordinate of the shared secret of the initial handshake IKM1 = the x-coordinate of the shared secret of the first renew IKM2 = the x-coordinate of the shared secret of the second renew etc. The key derivation algorithm as defined in part 6, 6.8.1 Secure Channel Handshake, uses for the first renew IKM = IKM0 xor IKM1 instead of deriving the session keys directly out of IKM1, and for the second renew IKM = IKM0 xor IKM1 xor IKM2 etc, etc. So it is impossible to know the session keys unless all ECDH secrets are known, including the ECDH secret from the initial handshake. This should prevent any successful session take-over attack.
Tags	No tags attached.

Commit Version	1.05.07 RC1
Fix Due Date	2025-12-01

Jim Luth 2025-02-04 16:55 administrator ~0022363	May deal with this in the next version of ECC profiles.

Randy Armstrong 2025-05-21 04:54 administrator ~0022750	Proposing to fix the problem by disabling renewals.

Randy Armstrong 2025-05-21 16:47 administrator ~0022760	Added this text to Part 6: The Server may disable renewal by setting the RevisedLifetime to 4,294,967,295 (UInt32.MaxValue). Clients that support this feature shall not send renew requests and, instead, shall periodically close the SecureChannel and force the application to reconnect by sending ActivateSession again (only needed if there is an active Session over the SecureChannel). The recommended period depends on number and size of messages sent. The minimum requirement is before the SequenceNumber rolls over and repeats. If a Server that disables renewal receives a renew request shall close the SecureChannel. Clients treat this like any other network error and follow the recovery logic specified in OPC 10000-4.

Jim Luth 2025-06-06 13:26 administrator ~0022983	Not for 1.05.06 -- reopened.

Date Modified	Username	Field	Change
2024-12-04 16:50	Randy Armstrong	New Issue
2025-02-04 16:55	Jim Luth	Note Added: 0022363
2025-02-04 16:55	Jim Luth	Assigned To	=> Jim Luth
2025-02-04 16:55	Jim Luth	Status	new => acknowledged
2025-02-04 16:55	Jim Luth	Assigned To	Jim Luth =>
2025-05-21 04:54	Randy Armstrong	Assigned To	=> Randy Armstrong
2025-05-21 04:54	Randy Armstrong	Status	acknowledged => resolved
2025-05-21 04:54	Randy Armstrong	Resolution	open => fixed
2025-05-21 04:54	Randy Armstrong	Note Added: 0022750
2025-05-21 16:47	Randy Armstrong	Note Added: 0022760
2025-06-06 13:26	Jim Luth	Status	resolved => assigned
2025-06-06 13:26	Jim Luth	Note Added: 0022983
2025-10-28 15:17	Jim Luth	Commit Version	=> 1.05.07 RC1
2025-10-28 15:18	Jim Luth	Fix Due Date	=> 2025-12-01