Related Governance Attributes for Cryptography

You are here:

7.1 Related Governance Attributes for Cryptography

This section describes the Cryptography attributes that appear in the Governance Document.

7.1.1 ProtectionKind

Attributes whose names end with _protection_kind share a type called ProtectionKind. The DDS Security specification lists five possible values of ProtectionKind, all of which are supported by Security Plugins.

NONE indicates that no cryptographic transformation is applied.
SIGN indicates that the cryptographic transformation is purely a Galois message authentication code (GMAC). No encryption is performed. The GMAC is placed after the content. If the receiver finds a missing or incorrect GMAC, the receiver will reject the content.
ENCRYPT indicates that the cryptographic transformation is an AES encryption followed by a GMAC computed on the ciphertext, also known as Galois/Counter Mode (GCM). The GMAC is placed after the content. If the receiver finds a missing or incorrect GMAC, the receiver will reject the content.
WITH_ORIGIN_AUTHENTICATION protection kinds. There are two protection kinds that have WITH_ORIGIN_AUTHENTICATION in their names. WITH_ORIGIN_AUTHENTICATION indicates that in addition to using the sender’s key to generate a common GMAC, the sender generates receiver-specific GMACs using keys that are specific to individual sender-receiver pairs. The additional GMACs are placed after the common GMAC. They prove to the receiver that the sender originated the message, preventing other receivers from impersonating the sender. If the receiver finds a missing or incorrect common GMAC, the receiver will reject the content. If the receiver finds a missing or incorrect receiver-specific GMAC that was computed using its own receiver-specific key, the receiver will reject the content. WITH_ORIGIN_AUTHENTICATION protection kinds are allowed only if the value of the property cryptography.max_receiver_specific_macs is greater than 1.

The WITH_ORIGIN_AUTHENTICATION protection kinds are as follows:

SIGN_WITH_ORIGIN_AUTHENTICATION indicates that a common GMAC is performed on the content, and receiver-specific GMACs are performed on the common GMAC.
ENCRYPT_WITH_ORIGIN_AUTHENTICATION indicates that a GCM is performed on the content, and receiver-specific GMACs are performed on the GMAC of the GCM.

7.1.2 domain_rule

The following attributes belong inside a <domain_rule>.

rtps_protection_kind. This ProtectionKind specifies how to protect a DomainParticipant’s outgoing messages and what kind of protection is required of incoming messages. A message consists of an RTPS header and submessages, so a message is an envelope around submessages. If allow_unauthenticated_participants is set to TRUE, rtps_protection_kind must be set to NONE. Setting rtps_protection_kind to NONE will cause the DomainParticipant to accept both protected and unprotected incoming RTPS messages. Setting rtps_protection_kind to something other than NONE will cause the DomainParticipant to reject incoming RTPS messages that have a missing or incorrect GMAC or GCM.
discovery_protection_kind. This ProtectionKind specifies the metadata_protection_kind used for the secure builtin DataWriter and DataReader entities used for discovery, Topic Queries, and Locator Reachability Responses.
liveliness_protection_kind. This ProtectionKind specifies the metadata_protection_kind used for the secure builtin DataWriter and DataReader entities used for liveliness.

7.1.3 topic_rule

The following attributes belong inside a <topic_rule>.

metadata_protection_kind. This ProtectionKind specifies how to protect a DataWriter’s or DataReader’s outgoing submessages. These submessages include, but are not limited to, DATA, HEARTBEAT, ACKNACK, and GAP. A DATA submessage is an envelope around a serialized payload, so metadata_protection_kind affects data as well as metadata. One difference between metadata_protection_kind and data_protection_kind is that for metadata_protection_kind, the submessage protection takes effect immediately before sending out the content, so a protected submessage is re-protected when it is resent.
data_protection_kind. This attribute may be NONE, SIGN, or ENCRYPT. It specifies how to protect a DataWriter’s serialized payload. The writer history stores the protected payload, so the protected payload is not re-protected when it is resent. Receiver-specific GMACs are never included in this protection, so the WITH_ORIGIN_AUTHENTICATION values are not allowed here.
enable_discovery_protection. This attribute may be TRUE or FALSE. It specifies whether to use the secure or non-secure builtin endpoints for certain outgoing traffic related to this topic. Such traffic includes endpoint discovery messages and TopicQuery messages. enable_discovery_protection also specifies whether or not to reject non-secure incoming endpoint discovery messages related to this topic.
enable_liveliness_protection. This attribute may be TRUE or FALSE. The value of this attribute matters only if the DataWriter LivelinessQosPolicy is AUTOMATIC_LIVELINESS_QOS or MANUAL_BY_PARTICIPANT_LIVELINESS_QOS. In either of these cases, enable_liveliness_protection specifies whether or not to use the secure builtin endpoints for exchanging liveliness messages for DataWriters of this topic.