SlideShare a Scribd company logo

Open splice dds security

Ramzi Karoui
Ramzi Karoui

Current implementation of Transport Security and Mandatory Access Controls for Data Distribution OMG Standard. A new Request for proposal has been issued at the OMG to make such implementation inter-operable.

TechnologyBusiness
1 of 10
Download to read offline
1 Ramzi KAROUI, Ph.D. OpenSplice DDS Security EMEA Technical Manager September 2013 Copyright © PrismTech Solutions Americas, Inc. 2008 Proprietary information – Distribution Without Expressed Written Permission is Prohibited
OpenSplice DDS Security – Mission Provide an enhanced version of OpenSplice DDS suitable for applications with high Information Assurance (IA) requirements Defense applications, e.g., combat management Mission critical applications in various domains, e.g. air-traffic control, SCADA, product automation Provide a standards-based security solution for DDS DDS Security is still an open space No DDS Security standards, yet PrismTech will be actively involved in the standardization process See joint Thales & PrismTech submission to OMG C4I Tagging & Labeling RFI Main Goal: guarantee interoperability across vendors In PT approach Portability will not be impacted. Copyright © PrismTech 2009 Proprietary information – Distribution Without Expressed Written Permission is Prohibited 2
OpenSplice DDS Security - Product Brief Key Features Transport Security providing confidentiality and integrity of data exchanged between DDS network nodes. Dedicated crypto channels can be setup for network partitions allowing for the separation of information with different classification. Dedicated Crypto channel Data origin authentication using digital signatures on message streams. Mandatory Access Control (MAC) supporting both inbound and outbound access control for DDS nodes. Outbound: Data from other nodes is rejected in Access rights does not match Inbound: Data on local node is dropped PrismTech 2009 (don’t leave) in case Access does not match Copyright © Proprietary information – Distribution Without Expressed 3
OpenSplice Transport Security Features Seamless Integration of Transport Security with the existing transport features of the OpenSplice networking service No limitation of existing OpenSplice transport features Can be used for “reliable” and “best effort” transport Different priorities can be used for secure transport channels Supports security for unicast AND multicast UDP messages No additional processing overhead for sending messages to multiple receivers or for resending reliable messages Flexible configuration Zero impact on the application code XML based configuration at deployment time Configuration of cipher algorithms and shared secret keys per “network partition” No data leakage in case of miss-configuration Copyright © PrismTech 2009 Proprietary information – Distribution Without Expressed Written Permission is Prohibited 4
OpenSplice Transport Security Features (cont‘d) Provide support for multiple pluggable crypto implementations Reference implementation based on field proven OpenSSL crypto library A crypto API will be provided to integrate other crypto provider with future releases of the product Data confidentiality and integrity Configurable cipher algorithms AES & Blowfish supported with default crypto provider Strong encryption by high performance symmetric ciphers Integrity assurance by cryptographic hash algorithms (SHA1 & SHA256 supported with default crypto provider) Dedicated Crypto channel Copyright © PrismTech 2009 Proprietary information – Distribution Without Expressed Written Permission is Prohibited 5
e.g Transport Encryption at Partition level SecurityProfile Name=”SecureSectionProfile” Cipher="blowfish" CipherKey="000102030405060708090a0b0c0d0e0f"/> … <PartitionMapping > <DCPSPartitionTopics =“MyChiphredPartition.*” NetworkPartition =“MyNetworkSecurePartition” .. <NetworkPartitions> <MyNetworkSecurePartition Address=“223.240.240.0" SecurityProfile=“SecureSectionProfile"/> Sub Pub Pub MyCiphered Partition Sub Clear Partitions Sub Pub Sub Sub Pub @1 @2 Physical Network Layer Copyright © PrismTech 2009 Proprietary information – Distribution Without Expressed Written Permission is Prohibited DDS Logical Layer 6
OpenSplice Authentication & Access Control Features Data origin authentication X509 Digital signatures are used for originator authentication Messages from non-trusted nodes are dropped Mandatory Access Control Enforces confidentiality and Integrity requirements of information flows using a policy model based on Bell La Padula & Biba security models XML based access control policy describes resources to be accessed Copyright © PrismTech 2009 Proprietary information – Distribution Without Expressed Written Permission is Prohibited 7
Mandatory Access Control (MAC) Rules 8 Top Secret No-Read-Up, No-Write-down E.g Classified user can’t read Secret Data and can’t write Unclassified data Biba Integrity rules Secret Secret Confidential Conf Public Public Unclassified Bell-La-Padula Confidentiality rules: Top Secret Unclas sified DDS Node No-Read-down, No-Write-Up E.g Level_2 Subject can’t read Level_0 Data and can’t write Level_3 Data. Bell-La-Padula Data Object Level-2 Level-2 Level-1 Level-1 Level-0 Level-0 Biba Compartments rules The need to know rule The Data set Compartments is included in the user set of compartments Access is guaranteed if 3 rules apply Compartment rule Copyright © PrismTech 2009 Proprietary information – Distribution Without Expressed Written Permission is Prohibited
MAC with OpenspliceDDS secure net service In Opensplice the User* Granularity is the “Node”. User*: publishing or receiving node User Identity uses SSL X509 Certificate User ID, Password certif will be considered in future Data: At DDS topic or Partition levels Currently, Access control is not enforced for Intra-node communication In Networking Secure Networking Service the following control occurs When Receiving data Is data published by a trusted node Is Receiving node allowed to read the data When Sending data Is the node authorised to publish the data Copyright © PrismTech 2009 Proprietary information – Distribution Without Expressed Written Permission is Prohibited 9
MAC configuration example <resource> … <topic>AlertMessages</topic> <user> <classification> <!-- for MAC --> <secrecyLevel>CONFIDENTIAL</secrecyLevel> <integrityLevel>LEVEL_1</integrityLevel> <compartments> <compartment>FinnishArmy</compartment> <compartment>Air Force</compartment> </compartments> </classification> </resource> 10 <id>user1</id> <clearance> <!-- for MAC -<secrecyLevel>CONFIDENTIAL</secrecyLevel> <integrityLevel>LEVEL_2</integrityLevel> <compartments> <compartment> FinnishArmy</compartment> <compartment>Air Force</compartment> <compartment>Radar</compartment> </compartments> </clearance> <authentication> <x509Authentication> <subject>DN</subject> </x509Authentication> </authentication> </user> Copyright © PrismTech 2009 Proprietary information – Distribution Without Expressed Written Permission is Prohibited

Recommended

OpenSplice Security Module
OpenSplice Security ModuleOpenSplice Security Module
OpenSplice Security ModuleAngelo Corsaro
 
Introducing Vortex Lite
Introducing Vortex LiteIntroducing Vortex Lite
Introducing Vortex LiteAngelo Corsaro
 
DDS Security
DDS SecurityDDS Security
DDS SecurityAngelo Corsaro
 
DDS: The IoT Data Sharing Standard
DDS: The IoT Data Sharing StandardDDS: The IoT Data Sharing Standard
DDS: The IoT Data Sharing StandardAngelo Corsaro
 
The Data Distribution Service
The Data Distribution ServiceThe Data Distribution Service
The Data Distribution ServiceAngelo Corsaro
 
Deep Dive into the OPC UA / DDS Gateway Specification
Deep Dive into the OPC UA / DDS Gateway SpecificationDeep Dive into the OPC UA / DDS Gateway Specification
Deep Dive into the OPC UA / DDS Gateway SpecificationGerardo Pardo-Castellote
 
DDS-Security Interoperability Demo - March 2018
DDS-Security Interoperability Demo - March 2018DDS-Security Interoperability Demo - March 2018
DDS-Security Interoperability Demo - March 2018Gerardo Pardo-Castellote
 
OMG DDS Security Submission Presentation (September 2013 - 6th Revised Submis...
OMG DDS Security Submission Presentation (September 2013 - 6th Revised Submis...OMG DDS Security Submission Presentation (September 2013 - 6th Revised Submis...
OMG DDS Security Submission Presentation (September 2013 - 6th Revised Submis...Gerardo Pardo-Castellote
 

Recommended

OpenSplice Security Module
OpenSplice Security ModuleOpenSplice Security Module
OpenSplice Security ModuleAngelo Corsaro
 
Introducing Vortex Lite
Introducing Vortex LiteIntroducing Vortex Lite
Introducing Vortex LiteAngelo Corsaro
 
DDS Security
DDS SecurityDDS Security
DDS SecurityAngelo Corsaro
 
DDS: The IoT Data Sharing Standard
DDS: The IoT Data Sharing StandardDDS: The IoT Data Sharing Standard
DDS: The IoT Data Sharing StandardAngelo Corsaro
 
The Data Distribution Service
The Data Distribution ServiceThe Data Distribution Service
The Data Distribution ServiceAngelo Corsaro
 
Deep Dive into the OPC UA / DDS Gateway Specification
Deep Dive into the OPC UA / DDS Gateway SpecificationDeep Dive into the OPC UA / DDS Gateway Specification
Deep Dive into the OPC UA / DDS Gateway SpecificationGerardo Pardo-Castellote
 
DDS-Security Interoperability Demo - March 2018
DDS-Security Interoperability Demo - March 2018DDS-Security Interoperability Demo - March 2018
DDS-Security Interoperability Demo - March 2018Gerardo Pardo-Castellote
 
OMG DDS Security Submission Presentation (September 2013 - 6th Revised Submis...
OMG DDS Security Submission Presentation (September 2013 - 6th Revised Submis...OMG DDS Security Submission Presentation (September 2013 - 6th Revised Submis...
OMG DDS Security Submission Presentation (September 2013 - 6th Revised Submis...Gerardo Pardo-Castellote
 
The Present and Future of DDS
The Present and Future of DDSThe Present and Future of DDS
The Present and Future of DDSAngelo Corsaro
 
OMG DDS Security Standard
OMG DDS Security StandardOMG DDS Security Standard
OMG DDS Security StandardGerardo Pardo-Castellote
 
Classical Distributed Algorithms with DDS
Classical Distributed Algorithms with DDSClassical Distributed Algorithms with DDS
Classical Distributed Algorithms with DDSAngelo Corsaro
 
DDS Everywhere
DDS EverywhereDDS Everywhere
DDS EverywhereAngelo Corsaro
 
The Data Distribution Service
The Data Distribution ServiceThe Data Distribution Service
The Data Distribution ServiceAngelo Corsaro
 
Building IoT Applications with Vortex and the Intel Edison Starter Kit
Building IoT Applications with Vortex and the Intel Edison Starter KitBuilding IoT Applications with Vortex and the Intel Edison Starter Kit
Building IoT Applications with Vortex and the Intel Edison Starter KitAngelo Corsaro
 
DDS Security
DDS SecurityDDS Security
DDS SecurityReal-Time Innovations (RTI)
 
DDS Web Enabled
DDS Web EnabledDDS Web Enabled
DDS Web EnabledReal-Time Innovations (RTI)
 
OMG DDS Tutorial - Part I
OMG DDS Tutorial - Part IOMG DDS Tutorial - Part I
OMG DDS Tutorial - Part IAngelo Corsaro
 
DDS + Android = OpenSplice Mobile
DDS + Android = OpenSplice MobileDDS + Android = OpenSplice Mobile
DDS + Android = OpenSplice MobileAngelo Corsaro
 
Distributed Algorithms with DDS
Distributed Algorithms with DDSDistributed Algorithms with DDS
Distributed Algorithms with DDSAngelo Corsaro
 
DDS-TSN OMG Request for Proposals (RFP)
DDS-TSN OMG Request for Proposals (RFP)DDS-TSN OMG Request for Proposals (RFP)
DDS-TSN OMG Request for Proposals (RFP)Gerardo Pardo-Castellote
 
Reactive Data Centric Architectures with DDS
Reactive Data Centric Architectures with DDSReactive Data Centric Architectures with DDS
Reactive Data Centric Architectures with DDSAngelo Corsaro
 
OMG Data-Distribution Service Security
OMG Data-Distribution Service SecurityOMG Data-Distribution Service Security
OMG Data-Distribution Service SecurityGerardo Pardo-Castellote
 
OMG Data-Distribution Service (DDS) Tutorial - 2009
OMG Data-Distribution Service (DDS) Tutorial - 2009OMG Data-Distribution Service (DDS) Tutorial - 2009
OMG Data-Distribution Service (DDS) Tutorial - 2009Gerardo Pardo-Castellote
 
Implementation of De-Duplication Algorithm
Implementation of De-Duplication AlgorithmImplementation of De-Duplication Algorithm
Implementation of De-Duplication AlgorithmIRJET Journal
 
Enabling Integrity for the Compressed Files in Cloud Server
Enabling Integrity for the Compressed Files in Cloud ServerEnabling Integrity for the Compressed Files in Cloud Server
Enabling Integrity for the Compressed Files in Cloud ServerIOSR Journals
 
Vortex II -- The Industrial IoT Connectivity Standard
Vortex II -- The Industrial IoT Connectivity StandardVortex II -- The Industrial IoT Connectivity Standard
Vortex II -- The Industrial IoT Connectivity StandardAngelo Corsaro
 
Article data-centric security key to cloud and digital business
Article data-centric security key to cloud and digital businessArticle data-centric security key to cloud and digital business
Article data-centric security key to cloud and digital businessUlf Mattsson
 
L4 vpn
L4 vpnL4 vpn
L4 vpnRushdi Shams
 
Week3 lecture
Week3 lectureWeek3 lecture
Week3 lectureShaikha AlQaydi
 
Label based Mandatory Access Control on PostgreSQL
Label based Mandatory Access Control on PostgreSQLLabel based Mandatory Access Control on PostgreSQL
Label based Mandatory Access Control on PostgreSQLKohei KaiGai
 

More Related Content

What's hot

The Present and Future of DDS
The Present and Future of DDSThe Present and Future of DDS
The Present and Future of DDSAngelo Corsaro
 
Classical Distributed Algorithms with DDS
Classical Distributed Algorithms with DDSClassical Distributed Algorithms with DDS
Classical Distributed Algorithms with DDSAngelo Corsaro
 
The Data Distribution Service
The Data Distribution ServiceThe Data Distribution Service
The Data Distribution ServiceAngelo Corsaro
 
Building IoT Applications with Vortex and the Intel Edison Starter Kit
Building IoT Applications with Vortex and the Intel Edison Starter KitBuilding IoT Applications with Vortex and the Intel Edison Starter Kit
Building IoT Applications with Vortex and the Intel Edison Starter KitAngelo Corsaro
 
OMG DDS Tutorial - Part I
OMG DDS Tutorial - Part IOMG DDS Tutorial - Part I
OMG DDS Tutorial - Part IAngelo Corsaro
 
DDS + Android = OpenSplice Mobile
DDS + Android = OpenSplice MobileDDS + Android = OpenSplice Mobile
DDS + Android = OpenSplice MobileAngelo Corsaro
 
Distributed Algorithms with DDS
Distributed Algorithms with DDSDistributed Algorithms with DDS
Distributed Algorithms with DDSAngelo Corsaro
 
Reactive Data Centric Architectures with DDS
Reactive Data Centric Architectures with DDSReactive Data Centric Architectures with DDS
Reactive Data Centric Architectures with DDSAngelo Corsaro
 
OMG Data-Distribution Service (DDS) Tutorial - 2009
OMG Data-Distribution Service (DDS) Tutorial - 2009OMG Data-Distribution Service (DDS) Tutorial - 2009
OMG Data-Distribution Service (DDS) Tutorial - 2009Gerardo Pardo-Castellote
 
Implementation of De-Duplication Algorithm
Implementation of De-Duplication AlgorithmImplementation of De-Duplication Algorithm
Implementation of De-Duplication AlgorithmIRJET Journal
 
Enabling Integrity for the Compressed Files in Cloud Server
Enabling Integrity for the Compressed Files in Cloud ServerEnabling Integrity for the Compressed Files in Cloud Server
Enabling Integrity for the Compressed Files in Cloud ServerIOSR Journals
 
Vortex II -- The Industrial IoT Connectivity Standard
Vortex II -- The Industrial IoT Connectivity StandardVortex II -- The Industrial IoT Connectivity Standard
Vortex II -- The Industrial IoT Connectivity StandardAngelo Corsaro
 
Article data-centric security key to cloud and digital business
Article data-centric security key to cloud and digital businessArticle data-centric security key to cloud and digital business
Article data-centric security key to cloud and digital businessUlf Mattsson
 

What's hot (20)

The Present and Future of DDS
The Present and Future of DDSThe Present and Future of DDS
The Present and Future of DDS
 
OMG DDS Security Standard
OMG DDS Security StandardOMG DDS Security Standard
OMG DDS Security Standard
 
Classical Distributed Algorithms with DDS
Classical Distributed Algorithms with DDSClassical Distributed Algorithms with DDS
Classical Distributed Algorithms with DDS
 
DDS Everywhere
DDS EverywhereDDS Everywhere
DDS Everywhere
 
The Data Distribution Service
The Data Distribution ServiceThe Data Distribution Service
The Data Distribution Service
 
Building IoT Applications with Vortex and the Intel Edison Starter Kit
Building IoT Applications with Vortex and the Intel Edison Starter KitBuilding IoT Applications with Vortex and the Intel Edison Starter Kit
Building IoT Applications with Vortex and the Intel Edison Starter Kit
 
DDS Security
DDS SecurityDDS Security
DDS Security
 
DDS Web Enabled
DDS Web EnabledDDS Web Enabled
DDS Web Enabled
 
OMG DDS Tutorial - Part I
OMG DDS Tutorial - Part IOMG DDS Tutorial - Part I
OMG DDS Tutorial - Part I
 
DDS + Android = OpenSplice Mobile
DDS + Android = OpenSplice MobileDDS + Android = OpenSplice Mobile
DDS + Android = OpenSplice Mobile
 
Distributed Algorithms with DDS
Distributed Algorithms with DDSDistributed Algorithms with DDS
Distributed Algorithms with DDS
 
DDS-TSN OMG Request for Proposals (RFP)
DDS-TSN OMG Request for Proposals (RFP)DDS-TSN OMG Request for Proposals (RFP)
DDS-TSN OMG Request for Proposals (RFP)
 
Reactive Data Centric Architectures with DDS
Reactive Data Centric Architectures with DDSReactive Data Centric Architectures with DDS
Reactive Data Centric Architectures with DDS
 
OMG Data-Distribution Service Security
OMG Data-Distribution Service SecurityOMG Data-Distribution Service Security
OMG Data-Distribution Service Security
 
OMG Data-Distribution Service (DDS) Tutorial - 2009
OMG Data-Distribution Service (DDS) Tutorial - 2009OMG Data-Distribution Service (DDS) Tutorial - 2009
OMG Data-Distribution Service (DDS) Tutorial - 2009
 
Implementation of De-Duplication Algorithm
Implementation of De-Duplication AlgorithmImplementation of De-Duplication Algorithm
Implementation of De-Duplication Algorithm
 
Enabling Integrity for the Compressed Files in Cloud Server
Enabling Integrity for the Compressed Files in Cloud ServerEnabling Integrity for the Compressed Files in Cloud Server
Enabling Integrity for the Compressed Files in Cloud Server
 
Vortex II -- The Industrial IoT Connectivity Standard
Vortex II -- The Industrial IoT Connectivity StandardVortex II -- The Industrial IoT Connectivity Standard
Vortex II -- The Industrial IoT Connectivity Standard
 
Article data-centric security key to cloud and digital business
Article data-centric security key to cloud and digital businessArticle data-centric security key to cloud and digital business
Article data-centric security key to cloud and digital business
 
L4 vpn
L4 vpnL4 vpn
L4 vpn
 

Viewers also liked

Label based Mandatory Access Control on PostgreSQL
Label based Mandatory Access Control on PostgreSQLLabel based Mandatory Access Control on PostgreSQL
Label based Mandatory Access Control on PostgreSQLKohei KaiGai
 
Learn About the FACE Standard for Avionics Software and a Ready-to-Go COTS Pl...
Learn About the FACE Standard for Avionics Software and a Ready-to-Go COTS Pl...Learn About the FACE Standard for Avionics Software and a Ready-to-Go COTS Pl...
Learn About the FACE Standard for Avionics Software and a Ready-to-Go COTS Pl...Real-Time Innovations (RTI)
 
Access Control for Linked Data: Past, Present and Future
Access Control for Linked Data: Past, Present and FutureAccess Control for Linked Data: Past, Present and Future
Access Control for Linked Data: Past, Present and FutureSabrina Kirrane
 
FACE-ing Reality: Maintaining our Military Edge in the Modern World
FACE-ing Reality: Maintaining our Military Edge in the Modern WorldFACE-ing Reality: Maintaining our Military Edge in the Modern World
FACE-ing Reality: Maintaining our Military Edge in the Modern WorldReal-Time Innovations (RTI)
 
Access Control Presentation
Access Control PresentationAccess Control Presentation
Access Control PresentationWajahat Rajab
 
DDS in Action -- Part I
DDS in Action -- Part IDDS in Action -- Part I
DDS in Action -- Part IAngelo Corsaro
 

Viewers also liked (8)

Week3 lecture
Week3 lectureWeek3 lecture
Week3 lecture
 
Label based Mandatory Access Control on PostgreSQL
Label based Mandatory Access Control on PostgreSQLLabel based Mandatory Access Control on PostgreSQL
Label based Mandatory Access Control on PostgreSQL
 
Learn About the FACE Standard for Avionics Software and a Ready-to-Go COTS Pl...
Learn About the FACE Standard for Avionics Software and a Ready-to-Go COTS Pl...Learn About the FACE Standard for Avionics Software and a Ready-to-Go COTS Pl...
Learn About the FACE Standard for Avionics Software and a Ready-to-Go COTS Pl...
 
Access Control for Linked Data: Past, Present and Future
Access Control for Linked Data: Past, Present and FutureAccess Control for Linked Data: Past, Present and Future
Access Control for Linked Data: Past, Present and Future
 
FACE-ing Reality: Maintaining our Military Edge in the Modern World
FACE-ing Reality: Maintaining our Military Edge in the Modern WorldFACE-ing Reality: Maintaining our Military Edge in the Modern World
FACE-ing Reality: Maintaining our Military Edge in the Modern World
 
Access Control Presentation
Access Control PresentationAccess Control Presentation
Access Control Presentation
 
DDS In Action Part II
DDS In Action Part IIDDS In Action Part II
DDS In Action Part II
 
DDS in Action -- Part I
DDS in Action -- Part IDDS in Action -- Part I
DDS in Action -- Part I
 

Similar to Open splice dds security

Meetup bangalore-sept5th 2020 (1)
Meetup bangalore-sept5th 2020 (1)Meetup bangalore-sept5th 2020 (1)
Meetup bangalore-sept5th 2020 (1)D.Rajesh Kumar
 
Enforcing multi user access policies in cloud computing
Enforcing multi user access policies in cloud computingEnforcing multi user access policies in cloud computing
Enforcing multi user access policies in cloud computingIAEME Publication
 
Achieving Secure, sclable and finegrained Cloud computing report
Achieving Secure, sclable and finegrained Cloud computing reportAchieving Secure, sclable and finegrained Cloud computing report
Achieving Secure, sclable and finegrained Cloud computing reportKiran Girase
 
A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...
A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...
A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...Editor IJCATR
 
Towards Secure Data Distribution Systems in Mobile Cloud Computing: A Survey
Towards Secure Data Distribution Systems in Mobile Cloud Computing: A SurveyTowards Secure Data Distribution Systems in Mobile Cloud Computing: A Survey
Towards Secure Data Distribution Systems in Mobile Cloud Computing: A SurveyIRJET Journal
 
Cloud Auditing With Zero Knowledge Privacy
Cloud Auditing With Zero Knowledge PrivacyCloud Auditing With Zero Knowledge Privacy
Cloud Auditing With Zero Knowledge PrivacyIJERA Editor
 
Cloud gateways for regulatory compliance
Cloud gateways for regulatory complianceCloud gateways for regulatory compliance
Cloud gateways for regulatory complianceUlf Mattsson
 
CipherCloud for Any App
CipherCloud for Any AppCipherCloud for Any App
CipherCloud for Any AppCipherCloud
 
IRJET- Secure Sharing of Personal Data on Cloud using Key Aggregation and...
IRJET- Secure Sharing of Personal Data on Cloud using Key Aggregation and...IRJET- Secure Sharing of Personal Data on Cloud using Key Aggregation and...
IRJET- Secure Sharing of Personal Data on Cloud using Key Aggregation and...IRJET Journal
 
IJSRED-V2I3P52
IJSRED-V2I3P52IJSRED-V2I3P52
IJSRED-V2I3P52IJSRED
 
Improving Efficiency of Security in Multi-Cloud
Improving Efficiency of Security in Multi-CloudImproving Efficiency of Security in Multi-Cloud
Improving Efficiency of Security in Multi-CloudIJTET Journal
 
IRJET - A Novel Approach Implementing Deduplication using Message Locked Encr...
IRJET - A Novel Approach Implementing Deduplication using Message Locked Encr...IRJET - A Novel Approach Implementing Deduplication using Message Locked Encr...
IRJET - A Novel Approach Implementing Deduplication using Message Locked Encr...IRJET Journal
 
IRJET- Security Enhancement for Sharing Data within Group Members in Cloud
IRJET- Security Enhancement for Sharing Data within Group Members in CloudIRJET- Security Enhancement for Sharing Data within Group Members in Cloud
IRJET- Security Enhancement for Sharing Data within Group Members in CloudIRJET Journal
 
IRJET- Mutual Key Oversight Procedure for Cloud Security and Distribution of ...
IRJET- Mutual Key Oversight Procedure for Cloud Security and Distribution of ...IRJET- Mutual Key Oversight Procedure for Cloud Security and Distribution of ...
IRJET- Mutual Key Oversight Procedure for Cloud Security and Distribution of ...IRJET Journal
 
IRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASC
IRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASCIRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASC
IRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASCIRJET Journal
 
IRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASC
IRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASCIRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASC
IRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASCIRJET Journal
 
IRJET- Securing Cloud Data Under Key Exposure
IRJET- Securing Cloud Data Under Key ExposureIRJET- Securing Cloud Data Under Key Exposure
IRJET- Securing Cloud Data Under Key ExposureIRJET Journal
 

Similar to Open splice dds security (20)

Meetup bangalore-sept5th 2020 (1)
Meetup bangalore-sept5th 2020 (1)Meetup bangalore-sept5th 2020 (1)
Meetup bangalore-sept5th 2020 (1)
 
Enforcing multi user access policies in cloud computing
Enforcing multi user access policies in cloud computingEnforcing multi user access policies in cloud computing
Enforcing multi user access policies in cloud computing
 
Achieving Secure, sclable and finegrained Cloud computing report
Achieving Secure, sclable and finegrained Cloud computing reportAchieving Secure, sclable and finegrained Cloud computing report
Achieving Secure, sclable and finegrained Cloud computing report
 
A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...
A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...
A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...
 
1784 1788
1784 17881784 1788
1784 1788
 
1784 1788
1784 17881784 1788
1784 1788
 
Towards Secure Data Distribution Systems in Mobile Cloud Computing: A Survey
Towards Secure Data Distribution Systems in Mobile Cloud Computing: A SurveyTowards Secure Data Distribution Systems in Mobile Cloud Computing: A Survey
Towards Secure Data Distribution Systems in Mobile Cloud Computing: A Survey
 
Cloud Auditing With Zero Knowledge Privacy
Cloud Auditing With Zero Knowledge PrivacyCloud Auditing With Zero Knowledge Privacy
Cloud Auditing With Zero Knowledge Privacy
 
Cloud gateways for regulatory compliance
Cloud gateways for regulatory complianceCloud gateways for regulatory compliance
Cloud gateways for regulatory compliance
 
CipherCloud for Any App
CipherCloud for Any AppCipherCloud for Any App
CipherCloud for Any App
 
IRJET- Secure Sharing of Personal Data on Cloud using Key Aggregation and...
IRJET- Secure Sharing of Personal Data on Cloud using Key Aggregation and...IRJET- Secure Sharing of Personal Data on Cloud using Key Aggregation and...
IRJET- Secure Sharing of Personal Data on Cloud using Key Aggregation and...
 
IJSRED-V2I3P52
IJSRED-V2I3P52IJSRED-V2I3P52
IJSRED-V2I3P52
 
Improving Efficiency of Security in Multi-Cloud
Improving Efficiency of Security in Multi-CloudImproving Efficiency of Security in Multi-Cloud
Improving Efficiency of Security in Multi-Cloud
 
V5 i7 0169
V5 i7 0169V5 i7 0169
V5 i7 0169
 
IRJET - A Novel Approach Implementing Deduplication using Message Locked Encr...
IRJET - A Novel Approach Implementing Deduplication using Message Locked Encr...IRJET - A Novel Approach Implementing Deduplication using Message Locked Encr...
IRJET - A Novel Approach Implementing Deduplication using Message Locked Encr...
 
IRJET- Security Enhancement for Sharing Data within Group Members in Cloud
IRJET- Security Enhancement for Sharing Data within Group Members in CloudIRJET- Security Enhancement for Sharing Data within Group Members in Cloud
IRJET- Security Enhancement for Sharing Data within Group Members in Cloud
 
IRJET- Mutual Key Oversight Procedure for Cloud Security and Distribution of ...
IRJET- Mutual Key Oversight Procedure for Cloud Security and Distribution of ...IRJET- Mutual Key Oversight Procedure for Cloud Security and Distribution of ...
IRJET- Mutual Key Oversight Procedure for Cloud Security and Distribution of ...
 
IRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASC
IRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASCIRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASC
IRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASC
 
IRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASC
IRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASCIRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASC
IRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASC
 
IRJET- Securing Cloud Data Under Key Exposure
IRJET- Securing Cloud Data Under Key ExposureIRJET- Securing Cloud Data Under Key Exposure
IRJET- Securing Cloud Data Under Key Exposure
 

Recently uploaded

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 

Recently uploaded (20)

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 

Open splice dds security

  • 1. 1 Ramzi KAROUI, Ph.D. OpenSplice DDS Security EMEA Technical Manager September 2013 Copyright © PrismTech Solutions Americas, Inc. 2008 Proprietary information – Distribution Without Expressed Written Permission is Prohibited
  • 2. OpenSplice DDS Security – Mission Provide an enhanced version of OpenSplice DDS suitable for applications with high Information Assurance (IA) requirements Defense applications, e.g., combat management Mission critical applications in various domains, e.g. air-traffic control, SCADA, product automation Provide a standards-based security solution for DDS DDS Security is still an open space No DDS Security standards, yet PrismTech will be actively involved in the standardization process See joint Thales & PrismTech submission to OMG C4I Tagging & Labeling RFI Main Goal: guarantee interoperability across vendors In PT approach Portability will not be impacted. Copyright © PrismTech 2009 Proprietary information – Distribution Without Expressed Written Permission is Prohibited 2
  • 3. OpenSplice DDS Security - Product Brief Key Features Transport Security providing confidentiality and integrity of data exchanged between DDS network nodes. Dedicated crypto channels can be setup for network partitions allowing for the separation of information with different classification. Dedicated Crypto channel Data origin authentication using digital signatures on message streams. Mandatory Access Control (MAC) supporting both inbound and outbound access control for DDS nodes. Outbound: Data from other nodes is rejected in Access rights does not match Inbound: Data on local node is dropped PrismTech 2009 (don’t leave) in case Access does not match Copyright © Proprietary information – Distribution Without Expressed 3
  • 4. OpenSplice Transport Security Features Seamless Integration of Transport Security with the existing transport features of the OpenSplice networking service No limitation of existing OpenSplice transport features Can be used for “reliable” and “best effort” transport Different priorities can be used for secure transport channels Supports security for unicast AND multicast UDP messages No additional processing overhead for sending messages to multiple receivers or for resending reliable messages Flexible configuration Zero impact on the application code XML based configuration at deployment time Configuration of cipher algorithms and shared secret keys per “network partition” No data leakage in case of miss-configuration Copyright © PrismTech 2009 Proprietary information – Distribution Without Expressed Written Permission is Prohibited 4
  • 5. OpenSplice Transport Security Features (cont‘d) Provide support for multiple pluggable crypto implementations Reference implementation based on field proven OpenSSL crypto library A crypto API will be provided to integrate other crypto provider with future releases of the product Data confidentiality and integrity Configurable cipher algorithms AES & Blowfish supported with default crypto provider Strong encryption by high performance symmetric ciphers Integrity assurance by cryptographic hash algorithms (SHA1 & SHA256 supported with default crypto provider) Dedicated Crypto channel Copyright © PrismTech 2009 Proprietary information – Distribution Without Expressed Written Permission is Prohibited 5
  • 6. e.g Transport Encryption at Partition level SecurityProfile Name=”SecureSectionProfile” Cipher="blowfish" CipherKey="000102030405060708090a0b0c0d0e0f"/> … <PartitionMapping > <DCPSPartitionTopics =“MyChiphredPartition.*” NetworkPartition =“MyNetworkSecurePartition” .. <NetworkPartitions> <MyNetworkSecurePartition Address=“223.240.240.0" SecurityProfile=“SecureSectionProfile"/> Sub Pub Pub MyCiphered Partition Sub Clear Partitions Sub Pub Sub Sub Pub @1 @2 Physical Network Layer Copyright © PrismTech 2009 Proprietary information – Distribution Without Expressed Written Permission is Prohibited DDS Logical Layer 6
  • 7. OpenSplice Authentication & Access Control Features Data origin authentication X509 Digital signatures are used for originator authentication Messages from non-trusted nodes are dropped Mandatory Access Control Enforces confidentiality and Integrity requirements of information flows using a policy model based on Bell La Padula & Biba security models XML based access control policy describes resources to be accessed Copyright © PrismTech 2009 Proprietary information – Distribution Without Expressed Written Permission is Prohibited 7
  • 8. Mandatory Access Control (MAC) Rules 8 Top Secret No-Read-Up, No-Write-down E.g Classified user can’t read Secret Data and can’t write Unclassified data Biba Integrity rules Secret Secret Confidential Conf Public Public Unclassified Bell-La-Padula Confidentiality rules: Top Secret Unclas sified DDS Node No-Read-down, No-Write-Up E.g Level_2 Subject can’t read Level_0 Data and can’t write Level_3 Data. Bell-La-Padula Data Object Level-2 Level-2 Level-1 Level-1 Level-0 Level-0 Biba Compartments rules The need to know rule The Data set Compartments is included in the user set of compartments Access is guaranteed if 3 rules apply Compartment rule Copyright © PrismTech 2009 Proprietary information – Distribution Without Expressed Written Permission is Prohibited
  • 9. MAC with OpenspliceDDS secure net service In Opensplice the User* Granularity is the “Node”. User*: publishing or receiving node User Identity uses SSL X509 Certificate User ID, Password certif will be considered in future Data: At DDS topic or Partition levels Currently, Access control is not enforced for Intra-node communication In Networking Secure Networking Service the following control occurs When Receiving data Is data published by a trusted node Is Receiving node allowed to read the data When Sending data Is the node authorised to publish the data Copyright © PrismTech 2009 Proprietary information – Distribution Without Expressed Written Permission is Prohibited 9
  • 10. MAC configuration example <resource> … <topic>AlertMessages</topic> <user> <classification> <!-- for MAC --> <secrecyLevel>CONFIDENTIAL</secrecyLevel> <integrityLevel>LEVEL_1</integrityLevel> <compartments> <compartment>FinnishArmy</compartment> <compartment>Air Force</compartment> </compartments> </classification> </resource> 10 <id>user1</id> <clearance> <!-- for MAC -<secrecyLevel>CONFIDENTIAL</secrecyLevel> <integrityLevel>LEVEL_2</integrityLevel> <compartments> <compartment> FinnishArmy</compartment> <compartment>Air Force</compartment> <compartment>Radar</compartment> </compartments> </clearance> <authentication> <x509Authentication> <subject>DN</subject> </x509Authentication> </authentication> </user> Copyright © PrismTech 2009 Proprietary information – Distribution Without Expressed Written Permission is Prohibited