.. include:: ../vars.rst

.. _chapter-pre-shared-key:

***************
|PSKProtection|
***************

This chapter describes |PSKProtection|, which expands and unifies |RTI_SP|
entry-level protection. This mechanism is scheduled to eventually replace
similar mechanisms (see the note below for details) under a common, more
capable interface.

.. note::
  The following mechanisms are planned to be replaced: 
  legacy pre-shared key used in
  HMAC-Only mode (:ref:`p3_advanced/rtps_hmac_only_mode:RTPS-HMAC-Only Mode`),
  |RTI_RWT| protection (:property:`cryptography.rtps_protection_key`), 
  |RTI_CDS| protection (:property:`authentication.participant_discovery_protection_key`,
  :ref:`p4_integrations/real-time_wan_transport:Support for RTI Real-Time WAN Transport`).

|PSKProtection| is a |CryptoPlugin| mechanism that supports basic communication
protection. It is based on a |PSK|, distributed out-of-band to |DPs|. The
|PSKProtection| does not require authentication and does not support more
sophisticated security features such as granular security and topic permissions
enforcement. A |PSK| offers metadata and data protection on the wire and restricts
communication only to |DPs| holding the pre-shared, user-configurable key
seed.

|PSKProtection| can be leveraged in two different ways:
  * As part of the |RTI_SP|: RTPS |PSKProtection| works alongside existing
    |SP| features and secures the communication happening before two
    |DPs| authenticate each other.
  * As part of |RTI_LIGHT_SP|: In this case, all traditional DDS Security
    mechanisms are disabled and the entire communication is protected with RTPS
    |PSKProtection|. |LIGHT_SP| is described in detail in
    :ref:`p3_advanced/lightweight_security:The |LIGHT_SP_HEADING|`.

.. attention::
  |PSKProtection| is being standardized and in this process the final configuration
  and functionality may change.

|PSKProtection| Motivation and Benefits
=======================================

|PSKProtection| expands the |CONNEXT| security offering and enables basic-level
protection wherever traditional DDS Security mechanisms were unavailable, or
infeasible due to limited resources or paramount performance requirements. The
|PSK| secures all the traffic from the start-up of a |DDS_ENTITY| and restricts
the communication only to |ENTITIES| holding the correct pre-shared key seed.

|PSKProtection| in |LIGHT_SP_HEADING| vs. |PSKProtection| in |SP_HEADING|
-------------------------------------------------------------------------

|PSKProtection| uses the same mechanism in both |LIGHT_SP| and the |SP|, and
offers the same level of protection. The difference is in the |PSK| area of
responsibility.

|PSKProtection| within the |SP| secures all communication that occurs before two
|DPs| authenticate each other. Once authentication completes successfully,
more sophisticated |SP| features (such as enforcement of permissions at the
topic-level) can be used. In this setting, |PSKProtection| complements
more advanced mechanisms and secures potentially sensitive information exchanged to
bootstrap the DDS system (such as topic names in the Permission Document, locators
in SPDP messages, or Participant User QoS propagated information), which would
otherwise be vulnerable to tampering and visible to unauthorized parties.
|PSKProtection| also provides an additional mitigation for potential vulnerabilities
impacting the participant discovery process.

|LIGHT_SP| are provided as a separate library. It supports |PSKProtection| only
and the entire communication is protected with it. More sophisticated security
mechanisms are unavailable. |LIGHT_SP| are recommended in systems that do not
require granular security, sophisticated authentication and permission
management, but are resource-limited or demand high performance and low latency.

.. attention::
  |PSKProtection| in |LIGHT_SP| and |PSKProtection| in |SP| are not interoperable
  because |LIGHT_SP| lacks features required by |SP|.

Configuring |PSKProtection|
===========================

The following properties are important for successfully configuring the
|PSKProtection|:

* The required property :property:`cryptography.rtps_protection_preshared_key`
  sets the value of the pre-shared key seed and enables |PSKProtection|. It must
  be identical for all the |DPs| in your system.

* An optional property determines the algorithm used to protect RTPS messages.
  For |SP|, use :property:`cryptography.encryption_algorithm`.
  For |LIGHT_SP|, use :property:`cryptography.rtps_protection_preshared_key_algorithm`.

For more information about these properties, see
:numref:`RTI Security Plugins Properties for Configuring Cryptography`.

How |PSKProtection| Works
=========================

|PSK| Material
--------------

|PSKProtection| relies on deriving unique symmetric keys for every |DP|. The
keys are based on a user-configurable, pre-shared secret key seed (common for
all |DPs|) and publicly available data that uniquely identifies a |DP| in the
network. Thanks to this architecture, every |DP| with the right pre-shared key
seed can recreate the unique key material (Master Sender Salt and Master Sender
Key) of any other |DP| in the network without the need for costly key material
exchange. The key material is used as an input parameter for a cryptographic
algorithm to encrypt or MAC RTPS messages.

The 256-bit long Master Sender Salt is derived according to this algorithm:

.. code-block:: none

  HMAC-SHA256(
    HMAC-SHA256(
      concatenate("PSK-SALT", sender's domain ID, target's RTPS header),
      pre-shared key seed),
    concatenate("master salt derivation", 0x01))

The 256-bit long Master Sender Key is derived according to this algorithm:

.. code-block:: none

  HMAC-SHA256(
    HMAC-SHA256(
      concatenate("PSK-SKEY", sender's domain ID, target's RTPS header),
      pre-shared key seed),
    concatenate("master sender key derivation", 0x01))

.. note::

  The uniqueness of every |DP|'s key material is important to ensure a high level
  of security. No two |DPs| can have the same key. The algorithm's goal is to
  ensure reliable and fast protection against external threats, and that no
  external party can forge the key material without knowledge of the pre-shared
  key seed. It is not the intent of this mechanism to protect against insider
  spoofing. If insiders are not fully trustworthy, use a different mechanism
  from the |SP| portfolio.

Key Management
--------------

A PSK-enabled |DP|, upon its creation, derives its own key material which is
stored and readily available for later use. Whenever it wants to communicate
with another |DP|, it applies the chosen protection (encryption or MAC)
to the outgoing message, using its pre-calculated key material. The recipient
of the PSK-protected message can quickly determine that the message is PSK-protected
by checking the submessage flags in the RTPS Crypto Header. If the message is
determined to be PSK-protected, the receiving |DP| checks if its internal storage
has the key corresponding to the RTPS Header received in the message. If so, it uses
that key to decode or verify the message. If the key is not found in the list, the
receiving |DP| derives the key using the algorithm and puts it in the list.

.. note::

  The remote |DPs|' keys are stored in a list of a fixed size (10 slots) during
  their initial discovery. Whenever all available key slots are used and a "new" remote
  |DP| is encountered, the oldest entry in the list is replaced with the newly derived
  one. This mechanism may have a considerable performance impact whenever we discover
  a number of nodes exceeding the number of slots in the list within a short time -
  the recipient would end up recalculating the keys frequently. After remote |DPs|
  discovery is complete, this limitation no longer exists since the keys are no longer
  stored in the list.