15. Pre-Shared Key Protection
This chapter describes Pre-Shared Key Protection, which expands and unifies RTI Security Plugins entry-level protection. This mechanism replaces similar mechanisms (HMAC-only and its derivatives) under a common, more capable interface.
Pre-Shared Key Protection is a Cryptography Plugin mechanism that supports basic communication protection. It is based on a Pre-Shared Key, distributed out-of-band to DomainParticipants. The Pre-Shared Key Protection does not require authentication and does not support more sophisticated security features such as granular security and topic permissions enforcement. A Pre-Shared Key offers metadata and data protection on the wire and restricts communication only to DomainParticipants holding the pre-shared, user-configurable key seed.
- Pre-Shared Key Protection can be leveraged in two different ways:
As part of the RTI Security Plugins: RTPS Pre-Shared Key Protection works alongside existing Security Plugins features and secures the communication happening before and during authentication. Post-authentication communication is protected with other security mechanisms from Security Plugins.
As part of RTI Lightweight Security Plugins: In this case, all traditional DDS Security mechanisms are disabled and the entire communication is protected with RTPS Pre-Shared Key Protection. Lightweight Security Plugins is described in detail in The Lightweight Security Plugins.
Attention
Pre-Shared Key Protection is being standardized and in this process the final configuration and functionality may change.
15.1. Pre-Shared Key Protection Motivation and Benefits
Pre-Shared Key Protection expands the Connext security offering and enables basic-level protection wherever traditional DDS Security mechanisms are unavailable or infeasible due to limited resources, paramount performance requirements, or other reasons. The Pre-Shared Key secures all the traffic from the start-up of a DDS Entity and restricts the communication only to Entities holding the correct pre-shared key seed.
15.1.1. Pre-Shared Key Protection in Lightweight Security Plugins vs. Pre-Shared Key Protection in Security Plugins
Pre-Shared Key Protection uses the same mechanism in both Lightweight Security Plugins and the Security Plugins, and offers the same level of protection. The difference is in the Pre-Shared Key area of responsibility.
Pre-Shared Key Protection within the Security Plugins secures all communication that occurs before two DomainParticipants authenticate each other. Once authentication completes successfully, more sophisticated Security Plugins features (such as enforcement of permissions at the topic-level) can be used. Authentication itself is also protected with the Pre-Shared Key. In this setting, Pre-Shared Key Protection complements more advanced mechanisms and secures potentially sensitive information exchanged to bootstrap the DDS system (such as topic names in the Permission Document, locators in SPDP messages, or Participant User QoS propagated information), which would otherwise be vulnerable to tampering and visible to unauthorized parties. Pre-Shared Key Protection also provides an additional mitigation for potential vulnerabilities in the participant discovery process.
Lightweight Security Plugins are provided as a separate library. It supports Pre-Shared Key Protection only and the entire communication is protected with it. More sophisticated security mechanisms are unavailable. Lightweight Security Plugins are recommended in systems that do not require granular security, sophisticated authentication and permission management, but are resource-limited or demand high performance and low latency.
Lightweight Security Plugins and Security Plugins can interoperate if configuration allows - see the configuration section below for details.
15.2. Configuring Pre-Shared Key Protection
Note
All Security Plugins- and Lightweight Security Plugins-related properties must be prefixed with
com.rti.serv.secure., assuming you used com.rti.serv.secure
as the alias to load the plugin. If not, change the prefix to match the string
used with com.rti.serv.load_plugins, followed by the .
character.
The following properties are important for successfully configuring the Pre-Shared Key Protection:
The required property
cryptography.rtps_protection_preshared_keysets the value of the pre-shared key seed and enables Pre-Shared Key Protection. It must start with the “str:” prefix, continue with a unique key identifier (number between 0 and 254) followed by a colon (“:”), and finish with the secret key. Both the key seed and the unique key identifier must be consistent across all DomainParticipants in the system. The key seed, combined with public information, is used to produce the key which is used to encrypt and decrypt RTPS messages. You can change this property at runtime, and the unique key identifier is used to determine if the correct key revision is used by different DomainParticipants. You have to manually update the key for at all DomainParticipants in the system. Until the key is updated across the system, decryption errors will occur.An optional property determines the algorithm used to protect RTPS messages. For Security Plugins, use
cryptography.encryption_algorithm. For Lightweight Security Plugins, usecryptography.rtps_protection_preshared_key_algorithm.
For more information about these properties, see Table 6.8.
15.2.1. Lightweight Security Plugins and Security Plugins Interoperability
Lightweight Security Plugins can interoperate with Security Plugins if all of the following is true:
The Security Plugins Governance Document is configured with
allow_unauthenticated_participants=TRUEandrtps_protection_kind=NONE. Lightweight Security Plugins do not support authentication and their RTPS messages are protected with Pre-Shared Key, which is incompatible with RTPS Origin Authentication Protection. See Participant-Level Permissions, Endpoint-Level Permissions, and Unsecure DomainParticipants and Origin Authentication Protection for details.The Security Plugins Governance Document is configured with an
rtps_preshared_secret_protection_kindthat is consistent with the Lightweight Security Plugins. See the table below for a list of compatible configurations.The Security Plugins are configured with a
cryptography.encryption_algorithm property(see Table 6.8) that is consistent with the Lightweight Security Plugins. See the table below for a list of compatible configurations.
Lightweight Security Plugins cryptography.rtps_protection_preshared_key_algorithm |
Security Plugins |
Security Plugins cryptography.encryption_algorithm property |
|---|---|---|
AES128+GMAC |
|
AES128+GCM |
AES128+GCM |
|
AES128+GCM |
AES256+GMAC |
|
AES256+GCM |
AES256+GCM (default) |
|
AES256+GCM (default) |
Note
When the Security Plugins and the Lightweight Security Plugins interoperate, topics that have metadata or data protection kinds enabled (features specific to the full Security Plugins) are unavailable to the Lightweight Security Plugins.
15.3. How Pre-Shared Key Protection Works
15.3.1. Pre-Shared Key Material
Pre-Shared Key Protection relies on deriving unique symmetric keys for every DomainParticipant. The keys are based on a user-configurable, pre-shared secret key seed (common for all DomainParticipants) and publicly available data that uniquely identifies a DomainParticipant in the network. Thanks to this architecture, every DomainParticipant with the right pre-shared key seed can recreate the unique key material (Master Sender Salt and Master Sender Key) of any other DomainParticipant in the network without the need for costly key material exchange. The key material is used as an input parameter for a cryptographic algorithm to encrypt or MAC RTPS messages.
The 256-bit long Master Sender Salt is derived according to this algorithm:
HMAC-SHA256(
HMAC-SHA256(
concatenate("PSK-SALT", sender's domain ID, target's RTPS header),
pre-shared key seed),
concatenate("master salt derivation", 0x01))
The 256-bit long Master Sender Key is derived according to this algorithm:
HMAC-SHA256(
HMAC-SHA256(
concatenate("PSK-SKEY", sender's domain ID, target's RTPS header),
pre-shared key seed),
concatenate("master sender key derivation", 0x01))
Note
The uniqueness of every DomainParticipant’s key material is important to ensure a high level of security. No two DomainParticipants can have the same key. The algorithm’s goal is to ensure reliable and fast protection against external threats, and that no external party can forge the key material without knowledge of the pre-shared key seed. It is not the intent of this mechanism to protect against insider spoofing. If insiders are not fully trustworthy, use a different mechanism from the Security Plugins portfolio.
15.3.2. Key Management
A PSK-enabled DomainParticipant, upon its creation, derives its own key material which is stored and readily available for later use. Whenever it wants to communicate with another DomainParticipant, it applies the chosen protection (encryption or MAC) to the outgoing message, using its pre-calculated key material. The recipient of the PSK-protected message can quickly determine that the message is PSK-protected by checking the submessage flags in the RTPS Crypto Header. If the message is determined to be PSK-protected, the receiving DomainParticipant checks if its internal storage has the key corresponding to the RTPS Header received in the message. If so, it uses that key to decode or verify the message. If the key is not found in the list, the receiving DomainParticipant derives the key using the algorithm and puts it in the list.
Note
The remote DomainParticipants’ keys are stored in a list of a fixed size (10 slots) during their initial discovery. Whenever all available key slots are used and a “new” remote DomainParticipant is encountered, the oldest entry in the list is replaced with the newly derived one. This mechanism may have a considerable performance impact whenever we discover a number of nodes exceeding the number of slots in the list within a short time - the recipient would end up recalculating the keys frequently. After remote DomainParticipants discovery is complete, this limitation no longer exists since the keys are no longer stored in the list.
15.3.3. Pre-Shared Key Protection and the Cloud
Pre-Shared Key Protection is the primary security mechanism for Connext cloud deployments, and can be employed to protect the discovery data and Binding Ping in RTI Cloud Discovery Service and RTI Real-Time WAN Transport. For a detailed description of these environments and configuration information see Support for RTI Real-Time WAN Transport.
When Pre-Shared Key Protection is enabled, Participant Discovery messages’ serialized data is no longer protected using the TrustedState mechanism (see Protecting Participant Discovery). Instead, the Security Plugins protect the whole Participant Discovery message (including replay attack protection information described in Protection Against a Cloud Discovery Service Participant Announcement Replay Attack). TrustedState is disabled when Pre-Shared Key Protection is enabled for the following reasons:
One of the main use cases of Pre-Shared Key Protection is to secure cloud deployments.
RTI Cloud Discovery Service-based deployments are not compatible with enforcing TrustedState or protecting Participant Discovery messages’ serialized data with the original Participant Private Key Signature (used to sign the TrustedState).
Pre-Shared Key Protection provides better protection against attacks from DDS domain outsiders (i.e. malicious agents with no access to the Pre-Shared Key seed); it protects the whole RTPS message, as opposed to just the serialized data, and protects against confidentiality threats.
While Pre-Shared Key Protection does not protect against domain insiders (i.e., malicious agents that have gained access to the Pre-Shared Key seed) flooding the network with malicious Participant Discovery messages, the eventual consistency of the Participant Discovery information is still enforced through the Authentication process and the Secure Reliable Participant Discovery topic.