View Issue Details

ID: 0002315
Project: 10000-004: Services
Category: (none)
View Status: public
Last Update: 2013-11-25 18:24
Reporter: Paul Hunkar
Assigned To: Paul Hunkar
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Fixed in Version: 1.03
Summary: 0002315: UA Part 4: 7.35.3 UserNameIdentityToken - Password Encryption
Description

CMPWG Nov-1:

There are 2 descriptions for the password:

"If the token is encrypted the password shall be converted to a UTF8 ByteString and then serialized as shown in Table 169."

...and:

"If the SecurityPolicy is None then the password only contains the UTF-8 encoded password."

The first sentence contains a policy in Part 7, but a corresponding Policy is not defined for the second sentence. With this new policy UA products will be able to legally utilize sentence 2.

Tags: No tags attached.
Commit Version: (none)
Fix Due Date: (none)

Relationships

related to 0002248 (closed, Paul Hunkar, 10000-007: Profiles): UA Part 4: 7.35.3 UserNameIdentityToken - Password Encryption

Activities

Paul Hunkar

2013-01-09 17:03

developer ~0004406

This is the complete text in Part 4:

This token shall be encrypted if required by the SecurityPolicy.
The Server should specify a SecurityPolicy for the UserTokenPolicy if the SecureChannel has a SecurityPolicy of None.
If the token is encrypted the password shall be converted to a UTF8 ByteString and then serialized as shown in Table 169.
The Server shall decrypt the password and verify the ServerNonce.
If the SecurityPolicy is None then the password only contains the UTF-8 encoded password.

Recommended Part 4 text:

This token shall be encrypted if required by the SecurityPolicy.
The Server should specify a SecurityPolicy for the UserTokenPolicy if the SecureChannel has a SecurityPolicy of None. If None is specified for the UserTokenPolicy and Security Policy is None then the password only contains the UTF-8 encoded password. This configuration should not be used unless the network is encrypted in some other manner such as a VPN. The use of this configuration without network encryption would result in a serious security fault, in that it would cause the appearance of a secure user access, but in actuality it would be completely insecure.

If the token is encrypted the password shall be converted to a UTF8 ByteString and then serialized as shown in Table 169.
The Server shall decrypt the password and verify the ServerNonce.

Matthias Damm

2013-08-20 16:56

developer ~0004939

Add the following clarification to 7.35.3 UserNameIdentityToken:
If None is specified for the UserTokenPolicy and Security Policy is None then the password only contains the UTF-8 encoded password. This configuration should not be used unless the network is encrypted in some other manner such as a VPN. The use of this configuration without network encryption would result in a serious security fault, in that it would cause the appearance of a secure user access, but in actuality it would be completely insecure.

Resolved in document IEC 62541-4 - Services [Pre-CDV] 1.02.02.doc
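The clarification above (and Paul Hunkar's recommended text in the earlier note) describes one audit a Server operator can run over its own endpoints: a UserNameIdentityToken password crosses the wire as plain UTF-8 only when the SecureChannel SecurityPolicy is None and the UserTokenPolicy's SecurityPolicy is also None. The Python below is an added example, not code from the OPC Foundation or from this issue; the dataclass names are simplified stand-ins for EndpointDescription/UserTokenPolicy, and the rule that an unspecified UserTokenPolicy security policy inherits the channel's policy is an assumption stated in a comment.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Standard OPC UA URIs identifying the "None" and Basic256Sha256 SecurityPolicies.
POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
POLICY_B256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"

@dataclass
class UserTokenPolicy:
    policy_id: str
    token_type: str                            # "UserName" or "Anonymous" here
    security_policy_uri: Optional[str] = None  # None: Server did not specify one

@dataclass
class Endpoint:
    url: str
    security_policy_uri: str                   # SecurityPolicy of the SecureChannel
    user_token_policies: List[UserTokenPolicy] = field(default_factory=list)

def effective_token_policy(ep: Endpoint, utp: UserTokenPolicy) -> str:
    # Assumption: a UserTokenPolicy without its own SecurityPolicy falls back to the
    # SecureChannel's, so "unspecified" on a None channel means no encryption at all.
    return utp.security_policy_uri or ep.security_policy_uri

def audit_username_tokens(endpoints: List[Endpoint]) -> List[Tuple[str, str, str]]:
    """(endpoint URL, policyId, reason) for each UserName token policy whose password
    would be sent as plain UTF-8: SecureChannel None AND effective token policy None.
    Such endpoints look authenticated but are insecure unless the network is a VPN."""
    findings = []
    for ep in endpoints:
        for utp in ep.user_token_policies:
            if utp.token_type != "UserName":   # only UserNameIdentityToken carries a password
                continue
            if ep.security_policy_uri == POLICY_NONE and effective_token_policy(ep, utp) == POLICY_NONE:
                reason = "inherited None" if utp.security_policy_uri is None else "explicit None"
                findings.append((ep.url, utp.policy_id, reason))
    return findings

SAMPLE_ENDPOINTS = [  # constructed sample endpoints, not real servers
    Endpoint("opc.tcp://example-a:4840", POLICY_NONE, [
        UserTokenPolicy("anon", "Anonymous"),
        UserTokenPolicy("user-inherit", "UserName"),               # flagged: inherits None
        UserTokenPolicy("user-enc", "UserName", POLICY_B256),      # OK: password encrypted per Table 169
    ]),
    Endpoint("opc.tcp://example-b:4840", POLICY_NONE, [
        UserTokenPolicy("user-none", "UserName", POLICY_NONE),     # flagged: explicit None
    ]),
    Endpoint("opc.tcp://example-c:4840", POLICY_B256, [
        UserTokenPolicy("user-chan", "UserName", POLICY_NONE),     # OK: the channel itself is encrypted
    ]),
]
```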

Jim Luth

2013-11-25 18:24

administrator ~0005145

Agreed to changes in telecon.

Issue History

Date Modified Username Field Change
2013-01-09 17:00 Paul Hunkar New Issue
2013-01-09 17:00 Paul Hunkar Status new => assigned
2013-01-09 17:00 Paul Hunkar Assigned To => Paul Hunkar
2013-01-09 17:00 Paul Hunkar Issue generated from: 0002248
2013-01-09 17:00 Paul Hunkar Relationship added related to 0002248
2013-01-09 17:01 Paul Hunkar Project 10000-007: Profiles => 10000-004: Services
2013-01-09 17:03 Paul Hunkar Note Added: 0004406
2013-08-20 16:56 Matthias Damm Status assigned => resolved
2013-08-20 16:56 Matthias Damm Resolution open => fixed
2013-08-20 16:56 Matthias Damm Note Added: 0004939
2013-11-25 18:24 Jim Luth Status resolved => closed
2013-11-25 18:24 Jim Luth Note Added: 0005145
2013-11-25 18:24 Jim Luth Fixed in Version => 1.03