DDS Secure Intro

Securing Your Critical Real-time
Data: Are You Ready?
©2020 Real-TimeInnovations,Inc.

Agenda
• RTI Company Overview
• Security requirements of modern distributed systems
• Step-by-step guidance on implementing a secure
connectivity model
• Considerations when upgrading to Connext DDS Secure
• Leveraging RTI’s tool suite to develop and debug DDS Secure
applications
• Wrap Up

Goals
• 3 main goals:
– Understand basic DDS Secure concepts
– Steps to move non-secure app to DDS Secure
– Learn how to use RTI tools w/ Secure
• Focus is on setting up as a CA & self-signing artifacts
• Leverage Shapes to demo the concepts & artifacts
• Wireshark to show crypto is working
• Instrument Secure
• Consider a Secure Architecture Review

RTI Overview
RTI is the largest IIoT connectivity
software vendor
– Focus on autonomous systems
– 1600+ designs, many real-world
programs across industries
– 600+ research programs
– Technology Readiness Level (TRL) 9

Evolving threats to Modern
Distributed Systems

Automotive News
Infotainment Head Unit
Execute()
CANBus
ARM V850
SPI Bus

Avionics News

DDS Security

Data-Centric- Better for Integration
Data centricity reduces complexity and enables interoperation and integration
Unstructured files
Data Centricity
Database
Data at Rest
Data Centricity Data in Motion
Databus (DDS)Connectivity software

Data-Centric Publish/Subscribe
Connext Databus
Track Topic
sensorId id
location
x float
y float
z float
velocity
x float
y float
z float
Command Topic
deviceId id
command string
location.z
< 5000
Status Topic
deviceId id
status enum

Alice: Allowed to publish topic T
Bob: Allowed to subscribe to topic T
Eve: Non-authorized eavesdropper
Trudy: Intruder
Trent: Trusted infrastructure service
Mallory: Malicious insider
1. Unauthorized subscription
2. Unauthorized publication
3. Tampering and replay
4. Unauthorized access to data by
infrastructure services
DDS Databus
Alice Bob Eve
Trudy Trent Mallory
Threats
(2)
(1)
(3, 4)

The network is the adversary
The adversary has the following capabilities:
– can obtain any message passing through the network
– is a legit user of the network and thus can initiate and participate
in a conversation with any other user
– can become the receiver of messages
– can send messages to anybody through impersonation
– any message sent will go through adversary
– any message received has gone through adversary
©2020 Real-Time Innovations, Inc.

Defense in depth
1. System edge
2. Host
– Machine/OS/Applications/Files
3. Network transport
– Media access (layer 2)
– Network (layer 3)
– Session/Endpoint (layer 4/5)
4. Dataflow
– Control observations and modifications of data
– This is addressed by DDS Security
1
2
3
4

Brokered Security vs DDS Security
App App
App
App
DDS Secure Multicast
Server
or
Broker
App App
App
AppServer-based system

RTI Connext DDS Secure
• Based on the OMG DDS Security Standard
• Built-in Plugins
– Little to no application development
• Run over any transport
– UDP, shared memory, TCP, …
• Completely decentralized
– High performance and scalability
– No single point of failure
• Connext Security Customization Package
RTI Core
Library
Authentication
Access Control
Cryptography
Data Tagging
Logging
Application
Any Transport*
(e.g., UDP uni/multicast,
shared memory, TCP, …)

Security Designed for Real-Time Systems
• Configure the right level of
security for each topic
– Unprotected for non-sensitive data
– Integrity Protection for data that must
be trusted but not private
– Additional confidentiality for data that
must be private
• Optimize tradeoffs between security,
CPU overhead, throughput and
latency
Operator
SetPoint
Data Topic Security model:
• State: Integrity
• Statistics: Unprotected
• SetPoint: Confidentiality + Integrity
Control
CBM
Analysis
Sensor
State Statistics

Security Designed for Real-Time Systems
• Apply Principle of Least Privilege
– Authorize or deny access to trusted
parties on a “need-to-know” basis
– Share symmetric keys accordingly
• Trust Participants via mutual
authentication
– Trust is the foundation of access
authorization
– Built-in authentication mechanisms
are based on PKI
Operator
SetPoint
Data Topic Security model:
• Sensor: State(w)
• CBM: State(r); Statistics(w)
• Control: State(r), SetPoint(w)
• Operator: *(r), Setpoint(w)
Control
CBM
Analysis
Sensor
State Statistics

Builtin Security Plugins
Security Plugin Plugin Description
Authentication
 X.509 Public Key Infrastructure (PKI) with a pre-configured shared
Certificate Authority (CA)
 RSA or (EC) Digital Signature Algorithm ((EC)DSA) with (EC) Diffie-
Hellman for shared secret establishment
Access Control
 Specified via permissions file signed by shared CA
 Control over ability to join systems, read or write data topics
Cryptography
 Protected symmetric key distribution
 AES-GCM-128 and AES-GCM-256 for authenticated encryption
 GMAC variants for integrity protection only
Data Tagging
 Tags specify security metadata, such as classification level
 Can be used to determine access privileges (via plugin)
Logging  Log security events to a file or distribute securely over Connext DDS

DDS Secure
Connext DDS Secure
Connext Tools
Code
Generation
3rd Party
Tools
Excel
Admin DDS Spy
MonitoringWire Shark
Ping
Connext Services
Data
Routing
Data
Queuing
Web
Integration
Recording
& Replay
Database
Integration
Persistence
Connext DDS Core
Security
API’s: C C++ C#
Java Ada
DDS Pub/Sub
Messaging/RPC
DDS XTYPES
RTPS
Pluggable
Transports
Windows, Linux,
Unix, macOS, RTOS

DDS Secure Performance

Latency and Throughput Benchmarks
• Platforms
– Intel i7 6-core CPU 3.33GHz
– Intel I350 Gigabit NIC
– 12 GB RAM
– CentOS Linux 7.1
– API: C++
• Cryptography
– OpenSSL 1.0.2o built-in algorithms
– GMAC-AES128 for MAC only (without encryption)
– AES-128-GCM for encrypt
• Network
– D-Link DXS-3350 SR Switch
– Dual 10-Gigabit stackable ports
– 4MB packet buffer size
– 10/100/1000 Base-T interfaces

Latency for 1024 Byte Samples
0
20
40
60
80
No Security HMACed RTPS HMACed RTPS, Encrypt User Data, Encrypt
Submessage
Latency(μs)

Throughput for 1024 Byte Sample
0
250
500
750
1000
No Security HMACed RTPS HMACed RTPS, Encrypt User Data, Encrypt
Submessage
Throughput(Mbps)

Discovery Benchmarks
0
20
40
60
80
100
120
140
160
50 100 150 200 250 300
DiscoveryTime(s)
No Security
Authentication Only
Discovery Encrypted
Number of Participants

DDS Secure Configuration

Configuring & Deploying DDS Security
Identity
Certificate
P1 Private Key
Permissions File
Governance
File
Identity CA
Certificate
Permissions
CA
Certificate
Signs

Identity
Certificate
P1 Private Key
Permissions File
Governance
File
Identity CA
Certificate
Permissions
CA
Certificate

Identity
Certificate
P1 Private Key
Permissions File
QoS XML Config
Governance
File
Identity CA
Certificate
Permissions
CA
Certificate

Identity
Certificate
P1 Private Key
Permissions File
QoS XML Config
Governance
File
Identity CA
Certificate
Permissions
CA
Certificate
Identity
Certificate
P1 Private Key
Permissions File
QoS XML Config
Governance
File
Identity CA
Certificate
Permissions
CA
Certificate
Common to/installed on all participants

A Sample Governance File

A Sample Permissions File

Security Configuration
<qos_profile name="SecurityExample“ base_name=“BuiltinQosLib::Generic.Security">
<participant_qos>
<property>
<value>
<element>
<name>dds.sec.auth.identity_ca</name>
<value>file:../../../dds_security/cert/cacertECdsa.pem</value>
</element>
<element>
<name>dds.sec.auth.identity_certificate</name>
<value>file:../../../dds_security/cert/peer1ECdsa.pem</value>
</element>
<element>
<name>dds.sec.auth.private_key</name>
<value>file:../../../dds_security/cert/peer1keyECdsa.pem</value>
</element>
<element>
<name>dds.sec.access.permissions_ca</name>
<value>file:../../../dds_security/cert/cacertECdsa.pem</value>
</element>
<element>
<name>dds.sec.access.governance</name>
<value>file:../../../dds_security/xml/signed/signed_Governance.p7s</value>
</element>
<element>
<name>dds.sec.access.permissions</name>
<value>file:../../../dds_security/xml/signed/signed_PermissionsA.p7s</value>
</element>
</value>
</property>
</participant_qos>
</qos_profile>

Functional Requirements
• Algorithms
• Business Logic
• Data Content
• Events and Reports
• Explicit dependencies
Transition to DDS Secure changes none of these!

Non-Functional Requirements
• Scalability – Affected?
• Performance – Affected?
• Capacity – Affected?
• Availability – Not Affected
• Reliability – Not Affected
• Resiliency – Not Affected
• Maintainability – Affected?
• Serviceability – Affected?
• Usability – Not Affected
• Interoperability – Affected?

Adding DDS Secure

Steps to add DDS Secure to your system: Phase 1
1. Download & install
2. Setup to self-sign certificates
3. Generate some certs to use for testing w/ Shapes
4. Use Shapes to setup basic governance and permissions
files
5. Start w/ basic authentication (point to certs in QoS file)
6. Add read/write permissions
7. Add crypto last

Steps to add DDS Secure to your system: Phase 2
1. Modify your build system to link w/ Secure libraries
2. and/or modify your QoS files to load Secure libs & point to
certs, etc.
3. Start w/ basic authentication
4. Add read/write permissions
5. Add crypto last
6. Benchmark performance

DDS Secure Demo

Domains used in demo
Domain Notes Effect/How to demo
0 No protections, allow unauthorized participants Share data between all apps
1 Add R access control to Squares
Add W access control to Circle
Add R/W access control on Triangle
Pub/sub all 3 topics, non-secure on the left, secure
on the right; pub on top, sub on bottom.
Have trireader try to publish triangles
2 Don’t allow unauthenticated participants Show no data flows between secure & non-secure
Shapes
3 RTPS data now signed Wireshark
4 Topic payload now encrypted Wireshark
5 Topic metadata now encrypted Wireshark
6 RTPS data now encrypted Wireshark
Topic Read access Write access
Square True False Only secure readers get data from secure writers. (L to H, not H to L)
Circle False True Readers only get data from Secure writers (H to L, not L to H)
Triangle True True Readers and writers must both be Secure (L to L, H to H, no others)

Domain 0 – No protections
Non-Secure App Secure App

Domain 1 – Write protections on Circles, Triangles

Domain 2 – Unauthenticated NOT allowed

Domain 3 – rtps_protection_kind = SIGN
HMAC added to message
No encryption

Domain 4 – Add encryption of topic data
Payload now encrypted
Metadata visible (i.e. sequence #)

Domain 5 – Encrypt topic metadata and payload
Payload encrypted
Metadata not visible

Domain 6 – rtps_protection_kind = ENCRYPT
Entire RTPS message encrypted

Free RTI Connext Evaluation
https://www.rti.com/free-trial
• Fully functional version of
Connext DDS Professional
• With monitoring, debug
and visualization tools
• Includes Shapes Demo
• Runs on Windows, Linux
and MacOS
• Runs for 30 days

RTI’s Resources
• Community.rti.com
– Complete RTI product documentation
– Best Practices
– Forum
– Knowledge Base
– Getting Started Videos
– HOWTO’s
• DDS Secure Getting Started Guide
• DDS Secure User’s Guide
• Why You Should Use TPM with RTI Connext DDS Secure
• Using Connext DDS Secure 6.0 to Protect your Data
• OMG DDS Secure site: https://www.omg.org/spec/DDS-SECURITY/1.1/PDF

RTI Account Team – VA/WV/NC
Ken McInerney, Field Application Engineer
Phone: (410) 707 - 5889| kenm@rti.com
How we help you:
• Support for Connext Product Evaluations / Proof of Concept Efforts
• Account Management – Licensing, Customer Service, Project Management
• Customer Success Meetings/Calls – Best Practices, Troubleshooting Guidance, Education on
Tools and New Products, New Platform Builds and Feature Requests, Support Case Escalation
Lisa Ray, Connext Account Manager
Phone: (919) 949 - 6115| lray@rti.com
John Breitenbach, FAE Manager
Phone: (919) 597 – 9386 johnb@rti.com

Questions?
• IIC: www.iiconsortium.org
• DDS
– DDS portal: portals.omg.org/dds/
– RTI: www.rti.com
– Email: johnb@rti.com
– Examples, forum, papers:
community.rti.com

Thank You!
John Breitenbach
johnb@rti.com
LinkedIn: https://www.linkedin.com/in/atlantex/

Non-Secure Apps Secure Apps
WritersReaders

DDS Secure Intro

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à DDS Secure Intro

Similaire à DDS Secure Intro (20)

Plus de John Breitenbach

Plus de John Breitenbach (6)

Dernier

Dernier (17)

DDS Secure Intro