3. Key New Features in 7.3.0 LTS
Security Plugins 7.3.0 LTS is a long-term support release that is built upon and includes all the features in releases 7.0.0, 7.1.0, and 7.2.0 (see Previous Releases).
See the Connext Releases page on the RTI website for more information on RTI’s software release model.
This section describes key new features and improvements in 7.3.0 LTS, compared to 6.1.2, the previous LTS release.
See also: What’s New in 7.3.0 LTS.
Dynamic Certificate Revocation and Renewal enables certificates to be dynamically revoked and renewed in operational systems. |
|
Pre-Shared Key (PSK) Protection extends existing Builtin Security Plugins capabilities to protect bootstrapping traffic (such as participant discovery). |
|
Lightweight Security offers a Security Plugins alternative for resource-constrained systems, leveraging Pre-Shared Key (PSK) Protection. |
|
New Security Algorithms protect data up to TOP-SECRET level information. |
|
OpenSSL Providers allow you to plug in a greater variety of external implementations for cryptographic operations without changes to your applications. |
Note
For backward compatibility information between 7.3.0 LTS and previous releases, see the Migration Guide on the RTI Community Portal.
3.1. Dynamic Certificates Renewal and Revocation
When a certificate expires, certificate owners will be automatically removed, enabling long-running, uninterrupted operation of Connext secure systems. Dynamic Access Control can be created based on dynamic Identity Certificates that support renewal, Certificate Revocation Lists (CRL), or a whitelist of Identity Certificate Subject Names. Dynamic Certificates are seamlessly integrated with RTI Infrastructure Services and Admin Console.
See the following sections for more information on these features:
3.3. Lightweight Security
This release of the Security Plugins includes Lightweight Security, a lightweight solution that uses a pre-shared key (distributed out-of-band) to protect the information. This new feature can be used with the OpenSSL 3 and wolfSSL crypto libraries. The new library, nddslightweightsecurity, is included with the Security Plugins bundles.
Using Pre-Shared Key Protection, Lightweight Security can protect the confidentiality or integrity of the communication, without the overhead of authentication, key exchange, and enforcing permissions. Therefore, the Lightweight Builtin Security Plugins library can be useful in resource-constrained scenarios.
The Lightweight Builtin Security Plugins library improves performance by not using the most demanding DDS Security mechanisms such as authentication or access control. It also reduces resource consumption from the CPU and memory. As a result, Lightweight Security does not support more sophisticated security features like granular-security and topic permissions enforcement: it only protects against spoofing, tampering, and information disclosure from actors not holding the pre-shared, user-configured key.
With Lightweight Security, secure DomainParticipants skip authentication
and access control. Instead, security is based on a per-participant,
pre-shared key that protects all messages (including discovery). The
Security Plugins derive the per-participant pre-shared key based on a seed
that you must set consistently across the whole system. The property for
configuring the seed is dds.sec.crypto.rtps_psk_secret_passphrase
.
The entire communication is protected by default using the AES256+GCM
cryptographic algorithm in ENCRYPT protection mode. You can choose another
algorithm with the dds.sec.crypto.rtps_psk_symmetric_cipher_algorithm
property. The available options are AES128+GCM and AES256+GCM. Likewise, you
can change the protection mode with the
dds.sec.access.rtps_psk_protection_kind
property. The available
options are NONE (do not protect), SIGN (protect the integrity), and
ENCRYPT (protect the integrity and confidentiality).
The Lightweight Builtin Security Plugins library is also part of the Security Plugins SDK. This release also includes a tester for the Lightweight Builtin Security Plugins.
For more information, see:
3.4. New Security Algorithms
The Security Plugins can now operate at the Commercial National Security Algorithm (CNSA) Suite TOP-SECRET level. In particular, Connext 7 adds support for secp384r1 key-establishment and digital-signature algorithms. The extended algorithm support is complemented with:
A new mechanism for early detection of cryptographic algorithms compatibility during the discovery phase.
A new Governance Document-based mechanism to restrict which cryptographic algorithms are authorized to be used within a DDS system.
The specific new features related to this feature are described in:
3.5. OpenSSL Providers
OpenSSL Providers allow you to plug in a greater variety of external implementations for cryptographic operations without changes to your applications. See Security Plugins now support OpenSSL providers for more information.