Cryptography in DDS

5 posts / 0 new
Last post
Offline
Joined: 09/26/2013
Posts: 5
Cryptography in DDS

Good Morning,

I am having a course project this semester for the title "cryptography in DDS". I have a good knowladge of the cryptography system, however, I can't figure out how to proceed with DDS. By the way I am new to DDS and anyother real-time middleware architecture. I would like to implement my project using java. Please give me indications so that I can narrow my focus and contribute a vital work. (what to read and how to proceed throughout the implementation).

 

Regards,

Gerardo Pardo's picture
Offline
Joined: 06/02/2010
Posts: 581

Hi,

Currently the DDS specification does not specify any means to perform encryption or any cryprographic operation.  From what I know the only solution offerered by DDS vendors is based on transport-level standards, such as TLS or DTLS which perform the encryption on the TCP/UDP connection itself. But I doubt this is what you want.

That said there is an on-going effort at the Object Management Group to create a standard for "Secure DDS". This will provide a plugin architecture that would allow differnt approaches to cryptography (as well as Authentication and Access Control) to be "plugged in". In addition the standard does provide builtin Cryptographic support for things like AES-256 and the means to do secure key distribution and secure multicast.

If you are interested in this I have posted some presentations on this work-in-progress on my slideshare page:  http://www.slideshare.net/GerardoPardo but there has been an update just this week which I have not posted yet. I will upload it and post a follow up message here.

Gerardo

 

Offline
Joined: 09/26/2013
Posts: 5

Very thankful, but the encryption I am thinking would be at the application layer level not at transport layer level (as you mentioned). I will leave you a comment soon after few more litrature survey.

 

Regards

Offline
Joined: 09/26/2013
Posts: 5

Dear Gerardo,

I have read what is reported on your draft about the security issues, the possible threats, and the general requirements. I surveyed several more litratures on more or less related topics. Currently I'm planning to address the security issues mentioned just for a sample publish/subscribe scenario and measure the effects on the QoS. Would you please comment on this? will this be a good contribution for a term project? what else i've to consider?

Best Regards,

Gerardo Pardo's picture
Offline
Joined: 06/02/2010
Posts: 581

Hi,

I am not sure what you mean by "measure the effects in the QoS". Do you mean measure the impact of encryption or adding message authentication codes on the data-distribution performance? In DDS the word "QoS" is used often to indicate behavioral properties such as DURABILITY, the use of a RELIABLE protocol, Filtering, the amount of History maintained etc. This should not be impacted by security/authentication/encryption. What would be impacted are things like the throughput, latency, CPU utilization etc.

I think studying the performance impact of different cryptographic algorithms (e.g. AES-128, 192, 256), BlowFish, on DDS performance (latency, throughput, CPU usage) would be interesting. Similarly the impact of using different HMAC techniques. openssl provides tools to measure the performance of the raw crypto operations (type openssl speed to a command prompt), but this is not quite the same as seeing the impact on real DDS traffic because a lot of other things may come into play. The drawback of this kind of study is that the performance results maybe too dependent on your particular hardware of test parameters. That said I do think having a good characterization of different cryptographic and HMAC techniques would be a nice contribution for a term project
Another angle of study related to DDS security could be to not focus on cryptography, which is a fairly low-level thing, but focus instead on things like Authentication or Access control. In these areas there are many open questions like for example the best way to integrate DDS with standard authentication and identity management frameworks or single sing-on protocols such as OAuth2.0.

Gerardo