Server: add protection against attacks on user identity tokens
Starting from revision 1.04 of the OPC UA specification, Part 4 states in §5.6.3.1:
Servers shall take proper measures to protect against attacks on user identity tokens. Such an
attack is assumed if repeated connection attempts with invalid user identity tokens happen. One
option is to lock out an OPC UA Client for a period of time if the user identity token validation fails
several times. The OPC UA Client is either detected by IP address for unsecured connections or
by the ApplicationInstanceUri for secured connections. Another option is delaying the Service
response when the validation of a user identity fails. This delay time could be increased with
repeated failures. Sporadic failures shall not delay connections with valid tokens.
Such protection is particularly relevant to mitigate brute-force attacks on the user/password mechanism. The goal of such an attack would be to bypass the access control policy by obtaining a user identity with greater permissions on the address space or services.
The following mechanisms are proposed to be implemented in the server:
1. After a configurable number of user authentication failures, the implicated session is closed by the server:
   - ActivateSessionResponse is returned with the appropriate error status code
   - The session is closed in the server: further attempts to use this session lead to Bad_SessionIdInvalid. Note: the number of user authentication failures is cumulative, with no consideration of successful attempts (protection against alternating valid and invalid attempts).
2. When step 1 is triggered, the Secure Channel (SC) associated with the concerned session locks future session creation for a configurable period of time (set at compilation time). As a consequence, no more sessions can be created on this SC during this period, but other existing sessions on the SC may still be used or closed.