3. Key New Features in 7.3.0 LTS

Security Plugins 7.3.0 LTS is a long-term support release that is built upon and includes all the features in releases 7.0.0, 7.1.0, and 7.2.0 (see Previous Releases).

See the Connext Releases page on the RTI website for more information on RTI’s software release model.

This section describes key new features and improvements in 7.3.0 LTS, compared to 6.1.2, the previous LTS release.

See also: What’s New in 7.3.0 LTS.

Table 3.1 Key Features of the Security Plugins 7.3.0 LTS (Releases 7.0.0 - 7.3.0)

	Dynamic Certificate Revocation and Renewal enables certificates to be dynamically revoked and renewed in operational systems.
	Pre-Shared Key (PSK) Protection extends existing Builtin Security Plugins capabilities to protect bootstrapping traffic (such as participant discovery).
	Lightweight Security offers a Security Plugins alternative for resource-constrained systems, leveraging Pre-Shared Key (PSK) Protection.
	New Security Algorithms protect data up to TOP-SECRET level information.
	OpenSSL Providers allow you to plug in a greater variety of external implementations for cryptographic operations without changes to your applications.

Note

For backward compatibility information between 7.3.0 LTS and previous releases, see the Migration Guide on the RTI Community Portal.

3.1. Dynamic Certificates Renewal and Revocation

When a certificate expires, certificate owners will be automatically removed, enabling long-running, uninterrupted operation of Connext secure systems. Dynamic Access Control can be created based on dynamic Identity Certificates that support renewal, Certificate Revocation Lists (CRL), or a whitelist of Identity Certificate Subject Names. Dynamic Certificates are seamlessly integrated with RTI Infrastructure Services and Admin Console.

See the following sections for more information on these features:

• Changes Related to Dynamic Participant Renewal, Revocation, and Expiration in 7.0.0
  

• Changes Related to Dynamic Participant Renewal, Revocation, and Expiration in 7.1.0
  

• Changes Related to Dynamic Participant Renewal, Revocation, and Expiration in 7.2.0

3.2. Pre-Shared Key (PSK) Protection

Pre-Shared Key (PSK) Protection expands the Security Plugins offering and enables basic-level protection wherever traditional DDS Security mechanisms are unavailable or infeasible due to limited resources, paramount performance requirements, or other reasons. The PSK secures all the traffic from the startup of a DDS Entity and restricts the communication only to Entities holding the correct pre-shared key seed.

Pre-Shared Key Protection can be leveraged in two different ways:

• As part of the Builtin Security Plugins:

  Pre-Shared Key Protection works alongside existing Builtin Security Plugins features and secures the communication happening before and during authentication (known as bootstrapping). Note: while RTPS Bootstrapping messages can only be protected through Pre-Shared Key Protection, non-bootstrapping messages can be protected either with a combination of Pre-Shared Key Protection with other security mechanisms from Builtin Security Plugins, or by using non-Pre-Shared Key Protection mechanisms exclusively.

• As part of Lightweight Builtin Security Plugins (also known as Lightweight Security):

  In this case, all traditional DDS Security mechanisms are disabled and the entire communication is protected with Pre-Shared Key Protection.

  Note

  Since Pre-Shared Key Protection by itself does not support granular security or topic permissions, Lightweight Builtin Security Plugins can only be used to provide domain-level protection from outsider adversaries.

For more information, see Pre-Shared Key Protection, in the RTI Security Plugins User’s Manual.

3.3. Lightweight Security

This release of the Security Plugins includes Lightweight Security, a lightweight solution that uses a pre-shared key (distributed out-of-band) to protect the information. This new feature can be used with the OpenSSL 3 and wolfSSL crypto libraries. The new library, nddslightweightsecurity, is included with the Security Plugins bundles.

Using Pre-Shared Key Protection, Lightweight Security can protect the confidentiality or integrity of the communication, without the overhead of authentication, key exchange, and enforcing permissions. Therefore, the Lightweight Builtin Security Plugins library can be useful in resource-constrained scenarios.

The Lightweight Builtin Security Plugins library improves performance by not using the most demanding DDS Security mechanisms such as authentication or access control. It also reduces resource consumption from the CPU and memory. As a result, Lightweight Security does not support more sophisticated security features like granular-security and topic permissions enforcement: it only protects against spoofing, tampering, and information disclosure from actors not holding the pre-shared, user-configured key.

With Lightweight Security, secure DomainParticipants skip authentication and access control. Instead, security is based on a per-participant, pre-shared key that protects all messages (including discovery). The Security Plugins derive the per-participant pre-shared key based on a seed that you must set consistently across the whole system. The property for configuring the seed is dds.sec.crypto.rtps_psk_secret_passphrase.

The entire communication is protected by default using the AES256+GCM cryptographic algorithm in ENCRYPT protection mode. You can choose another algorithm with the dds.sec.crypto.rtps_psk_symmetric_cipher_algorithm property. The available options are AES128+GCM and AES256+GCM. Likewise, you can change the protection mode with the dds.sec.access.rtps_psk_protection_kind property. The available options are NONE (do not protect), SIGN (protect the integrity), and ENCRYPT (protect the integrity and confidentiality).

The Lightweight Builtin Security Plugins library is also part of the Security Plugins SDK. This release also includes a tester for the Lightweight Builtin Security Plugins.

For more information, see:

• Lightweight Builtin Security Plugins, in the RTI Security Plugins User’s Manual

• Lightweight Builtin Security Plugins and Security Plugins Interoperability, in the RTI Security Plugins User’s Manual

3.4. New Security Algorithms

The Security Plugins can now operate at the Commercial National Security Algorithm (CNSA) Suite TOP-SECRET level. In particular, Connext 7 adds support for secp384r1 key-establishment and digital-signature algorithms. The extended algorithm support is complemented with:

• A new mechanism for early detection of cryptographic algorithms compatibility during the discovery phase.

• A new Governance Document-based mechanism to restrict which cryptographic algorithms are authorized to be used within a DDS system.

The specific new features related to this feature are described in:

• Changes Related to Cryptographic Algorithms

• Changes Related to System Extensibility and Configurability

3.5. OpenSSL Providers

OpenSSL Providers allow you to plug in a greater variety of external implementations for cryptographic operations without changes to your applications. See Security Plugins now support OpenSSL providers for more information.