16. The Lightweight Security Plugins

The Lightweight Security Plugins is a separate library that includes an alternate set of Security Plugins. These plugins allow RTPS messages to be protected with a per-participant key derived from some publicly available data and a pre-shared key seed, cryptography.rtps_protection_preshared_key 1 (see Pre-Shared Key Protection). This key is used to protect the integrity and/or confidentiality of RTPS messages.

You may use this capability to avoid the discovery-time overhead of mutual authentication and key exchange, which scales quadratically with the number of DomainParticipants that discover each other. If you use this capability, then you must assume the following:

  1. If and only if a DomainParticipant has the pre-shared key seed, then it is trusted.

  2. None of the data at rest (e.g., in RTI Persistence Service) needs to be protected by the Security Plugins.

You are responsible for managing this pre-shared key seed, including changing it when you decide that a DomainParticipant needs to be ignored or revoked.

16.1. Configuring the Lightweight Security Plugins

  • You must set the cryptography.rtps_protection_preshared_key 1 to the value of a pre-shared key seed. This seed must be the same for all the DomainParticipants in your system.

  • You can optionally configure the algorithm used to protect RTPS messages by changing the value of the cryptography.rtps_protection_preshared_key_algorithm 1 property. If not set, the default value of AES256+GCM is used. The value of this property must be the same for all the DomainParticipants in your system.

  • If your application links the Lightweight Security Plugins dynamically, you must change the value of the library 1 property to nddslightweightsecurity.

  • The Lightweight Security Plugins do not read the Governance Document, the Permissions Document, Private Key, Identity Certificate, or the certificates of the Identity and Permissions CA. You should not configure the related properties.

16.2. The Lightweight Security Plugins vs HMAC-Only Mode

The Lightweight Security Plugins offer a functionality similar to the HMAC-Only mode (see RTPS-HMAC-Only Mode). However, there are some limitations of the HMAC-Only mode:

  • The HMAC-Only mode does not protect confidentiality of the RTPS messages.

  • The HMAC-Only mode is part of the full nddssecurity library. On the other hand, the size of the Lightweight Security Plugins library is smaller because it only contains the pre-shared key functionality.

As a consequence, the HMAC-Only mode is deprecated by the Lightweight Security Plugins.

Note

1(1,2,3,4)

Prefix the property name with com.rti.serv.secure.. This assumes you used com.rti.serv.secure as the alias to load the plugin. If not, change the prefix to match the string used with com.rti.serv.load_plugins, followed by the . character.