Security Plugins

• Available Documentation
• About This Document
  • Paths Mentioned in Documentation
  • Extensions to the DDS Standard

Part 1: Welcome to Security Plugins

• 1. Overview
  • 1.1. Description of DDS System Threats
    • 1.1.1. Unauthorized Subscription
    • 1.1.2. Unauthorized Publication
    • 1.1.3. Tampering And Replay
    • 1.1.4. Crossing Domains
  • 1.2. Applying DDS Protection
    • 1.2.1. Domain-Level Protection
      • 1.2.1.1. Domain-Level Protection Threat Model
      • 1.2.1.2. Domain-Level Protection From Outsider Adversaries
    • 1.2.2. Granular Protection Inside Domains
      • 1.2.2.1. Granular Protection Threat Model
      • 1.2.2.2. Applying Granular Protection Inside Domains
    • 1.2.3. Protecting the RTPS Protocol
      • 1.2.3.1. Protecting Bootstrapping
      • 1.2.3.2. Protecting Integrity
      • 1.2.3.3. Protecting Confidentiality
      • 1.2.3.4. Origin Authentication Protection
  • 1.3. Introduction to the Security Plugins
    • 1.3.1. Features of Security Plugins
    • 1.3.2. Supported Cryptographic Algorithms
      • 1.3.2.1. Cryptographic Algorithms Used for Data Flow Protection with Pre-Shared Key Protection
      • 1.3.2.2. Cryptographic Algorithms Used for Data Flow Protection
      • 1.3.2.3. Cryptographic Algorithms Used for Key Exchange
      • 1.3.2.4. Cryptographic Algorithms Used for Digital Signatures
    • 1.3.3. Choosing the Right Technology to Protect Your Data
• 2. Using Security Plugins
  • 2.1. Securing Distributed Systems
  • 2.2. Securing a DomainParticipant

Part 2: Core Concepts

• 3. Elements of a Security Plugins System
  • 3.1. QoS Properties
  • 3.2. Public Key Infrastructure (PKI)
    • 3.2.1. Identity Certificates
      • 3.2.1.1. Certificate Chaining
      • 3.2.1.2. Alternative CAs
      • 3.2.1.3. Dynamic Certificate Status and Revocation
      • 3.2.1.4. Multiple Certificate Revocation Lists
    • 3.2.2. Governance and Permissions
  • 3.3. Governance Document
    • 3.3.1. Specifying Domains
      • 3.3.1.1. Domain IDs
      • 3.3.1.2. Domain Tags
    • 3.3.2. Domain-Level Rules
    • 3.3.3. Topic-Level Rules
    • 3.3.4. Example Governance Document (XML)
    • 3.3.5. How the Governance Document is Interpreted
    • 3.3.6. XML Validation in the Governance Document
    • 3.3.7. Governance Compatibility Validation
  • 3.4. Permissions Document
    • 3.4.1. Example Permissions Document (XML)
    • 3.4.2. How the Permissions are Interpreted
    • 3.4.3. XML Validation in the Permissions Document
  • 3.5. Security Builtin Topics
    • 3.5.1. Authentication Builtin Topic (ParticipantStatelessMessage)
    • 3.5.2. Secure Key Exchange Builtin Topic (ParticipantVolatileMessageSecure)
    • 3.5.3. Builtin Secure Logging Topic
    • 3.5.4. Builtin Secure Discovery Topics
    • 3.5.5. Builtin Secure Liveliness Topic
    • 3.5.6. Builtin Secure ServiceRequest Topic
• 4. Authentication
  • 4.1. Handshake
    • 4.1.1. Message Exchange
      • 4.1.1.1. Handshake Request
      • 4.1.1.2. Handshake Reply
      • 4.1.1.3. Handshake Final
    • 4.1.2. General Considerations
      • 4.1.2.1. Symmetric Authentication Failure
      • 4.1.2.2. Asymmetric Authentication Failure
    • 4.1.3. Identity Certificate Validation
      • 4.1.3.1. Step 1. Verifying the certificate validity on the current date and time
      • 4.1.3.2. Step 2. Verifying the certificate is not revoked
      • 4.1.3.3. Step 3. Verifying that the Identity CA issued the remote’s Identity Certificate
    • 4.1.4. GUID Validation
    • 4.1.5. Shared Key Derivation
  • 4.2. Authentication Builtin Topic (ParticipantStatelessMessage)
    • 4.2.1. Fragmentation Support for the Authentication Topic
  • 4.3. Related Governance Rules
    • 4.3.1. Domain-level rules
      • 4.3.1.1. allow_unauthenticated_participants (domain_rule)
      • 4.3.1.2. identity_credential_authority_validation
  • 4.4. Cryptographic Algorithms
    • 4.4.1. Digital Signature Algorithms
    • 4.4.2. Key Establishment Algorithms
  • 4.5. Advanced Authentication Concepts
    • 4.5.1. Protecting Participant Discovery
    • 4.5.2. Identity Certificate Chaining
    • 4.5.3. Re-Authentication
    • 4.5.4. Guidelines for Minimizing Authentication Negotiation Times
    • 4.5.5. Dynamic Certificate Revalidation
      • 4.5.5.1. Dynamic Certificate Expiration of Remote DomainParticipants
      • 4.5.5.2. Dynamic Certificate Expiration of the Local DomainParticipant
      • 4.5.5.3. Dynamic Certificate Revocation of Remote DomainParticipants
      • 4.5.5.4. Dynamic Certificate Revocation of Local DomainParticipants
    • 4.5.6. Dynamic Certificate Revocation of Remote DomainParticipants through Whitelisting
      • 4.5.6.1. Interactions with allow_unauthenticated_participants
      • 4.5.6.2. Whitelist mutability
      • 4.5.6.3. Interactions with ignore_participant API
      • 4.5.6.4. Whitelist format
    • 4.5.7. CRL Expiration
    • 4.5.8. Dynamic Certificate Renewal of a DomainParticipant
    • 4.5.9. Online Certificate Status Protocol
  • 4.6. Properties for Configuring Authentication
    • 4.6.1. Configuration Properties Affecting Any Authentication Plugin
    • 4.6.2. Configuration Properties Affecting Connext DDS Core Libraries Behavior
• 5. Access Control
  • 5.1. Governance Document
  • 5.2. Permissions Document
    • 5.2.1. Rules for matching a subject name in the Permissions Document
    • 5.2.2. Topics
    • 5.2.3. Partitions
      • 5.2.3.1. Behavior of the partitions tag within an allow_rule
      • 5.2.3.2. Behavior of the partitions tag within a deny_rule
      • 5.2.3.3. Partition Mutability
    • 5.2.4. Data Tags
      • 5.2.4.1. Behavior of data_tags within an allow_rule
      • 5.2.4.2. Behavior of data_tags within a deny_rule
  • 5.3. Related Governance Rules
    • 5.3.1. Domain-level rules
      • 5.3.1.1. enable_join_access_control (within a domain_rule)
      • 5.3.1.2. topic_access_rules (domain_rule)
    • 5.3.2. Topic-level rules
      • 5.3.2.1. enable_read_access_control (topic_rule)
      • 5.3.2.2. enable_write_access_control (topic_rule)
      • 5.3.2.3. No Matching Rule
  • 5.4. Advanced Access-Control Concepts
    • 5.4.1. Participant-Level Permissions, Endpoint-Level Permissions, and Unsecure DomainParticipants
    • 5.4.2. Access Control and Unauthenticated Participants
  • 5.5. Properties for Configuring Access Control
• 6. Cryptography
  • 6.1. Introduction
    • 6.1.1. Cryptography Plugin as an Enabler for Other Plugins
    • 6.1.2. Overview of How Cryptography Works in DDS
  • 6.2. Cryptographic Algorithms
    • 6.2.1. Participant Symmetric Cipher Algorithms
    • 6.2.2. Endpoint Symmetric Cipher Algorithms
  • 6.3. Secure Entities
    • 6.3.1. Architecture of Secure Entities
      • 6.3.1.1. Security Mechanisms
      • 6.3.1.2. Security Attributes
      • 6.3.1.3. Local Sender’s Key Material
      • 6.3.1.4. Remote Sender’s Key Material
    • 6.3.2. Lifecycle of Secure Entities
      • 6.3.2.1. Creation of the Secure Entity
      • 6.3.2.2. Discovery of a Remote Secure Entity
      • 6.3.2.3. Key Material Exchange
      • 6.3.2.4. Secure Communication
    • 6.3.3. Algorithms Involved in Protecting Secure Entities Traffic
      • 6.3.3.1. Limiting the Usage of a Specific Session Key
      • 6.3.3.2. Limiting the Usage of Specific Key Material
      • 6.3.3.3. Automatically Banishing Ignored Participants
  • 6.4. Secure Key Exchange Channel (ParticipantVolatileMessageSecure Topic)
    • 6.4.1. Secure Key Exchange Builtin Topic Characteristics And Security Attributes
    • 6.4.2. Secure Key Exchange
    • 6.4.3. Secure Key Redistribution
  • 6.5. Securing DDS Messages on The Wire
    • 6.5.1. RTPS Protocol Changes to Support Secure Entities Traffic
      • 6.5.1.1. Serialized Data Protection
      • 6.5.1.2. Instance Key Data Protection
      • 6.5.1.3. Submessage Protection
      • 6.5.1.4. RTPS Protection
      • 6.5.1.5. Origin Authentication Protection
    • 6.5.2. Cryptographic Information Added to RTPS Messages
      • 6.5.2.1. Crypto Header
      • 6.5.2.2. Crypto Content / Serialized Payload
      • 6.5.2.3. Crypto Footer
  • 6.6. Security Protections Applied by DDS Entities
    • 6.6.1. DomainParticipants
    • 6.6.2. User-Defined Endpoints (DataWriters/DataReaders)
    • 6.6.3. Builtin Secure Discovery Endpoints
      • 6.6.3.1. Secure Topic Query and Locator Reachability Support
    • 6.6.4. Builtin Secure Liveliness Endpoints
  • 6.7. Related Governance Rules
    • 6.7.1. Understanding ProtectionKinds
    • 6.7.2. Domain-Level Rules
      • 6.7.2.1. rtps_protection_kind (domain_rule)
      • 6.7.2.2. rtps_psk_protection_kind (domain_rule)
      • 6.7.2.3. discovery_protection_kind (domain_rule)
      • 6.7.2.4. liveliness_protection_kind (domain_rule)
      • 6.7.2.5. monitoring_metrics_protection_kind (domain_rule)
      • 6.7.2.6. monitoring_logging_protection_kind (domain_rule)
      • 6.7.2.7. service_request_protection_kind (domain_rule)
      • 6.7.2.8. instance_state_consistency_protection_kind (domain_rule)
      • 6.7.2.9. allowed_security_algorithms (domain_rule)
      • 6.7.2.10. enable_key_revision (domain_rule)
    • 6.7.3. Topic-Level Rules
      • 6.7.3.1. metadata_protection_kind (topic_rule)
      • 6.7.3.2. data_protection_kind (topic_rule)
      • 6.7.3.3. enable_discovery_protection (topic_rule)
      • 6.7.3.4. enable_liveliness_protection (topic_rule)
  • 6.8. Advanced Cryptography Concepts
    • 6.8.1. Reliability Behavior When MAC Verification Fails
    • 6.8.2. Configuring Reliability Protocol Settings of the Secure Key Exchange Topic
    • 6.8.3. Securing Application-Level Acknowledgments
    • 6.8.4. Origin Authentication Protection Implications
    • 6.8.5. Reencoding Protected Data when Regenerating Keys
    • 6.8.6. Interactions with Persistence Service
    • 6.8.7. Interactions with FlatData and Zero Copy
    • 6.8.8. Lightweight Security Pre-Shared Key RTPS Protection
    • 6.8.9. Interactions with Instance State Consistency
  • 6.9. Properties for Configuring Cryptography
    • 6.9.1. Configuration Properties Affecting Any Cryptography Plugin
• 7. Security Events and Logging
  • 7.1. Connext DDS Builtin Logging System
    • 7.1.1. Logging Security Events through the Connext DDS Builtin Logging System
  • 7.2. Distributed Over DDS
    • 7.2.1. Configuring the Logging Distribution
    • 7.2.2. Builtin Secure Logging Topic
    • 7.2.3. Implementation Notes
      • 7.2.3.1. Publication of the Builtin Secure Logging Topic
      • 7.2.3.2. Custom QoS Profile for the Builtin Secure Logging Topic
  • 7.3. Advanced Logging Concepts
    • 7.3.1. Interface Between the Logging Plugin and the Connext DDS Builtin Logging System
    • 7.3.2. Subscribing to the Builtin Logging Topic
  • 7.4. Properties for Configuring Security Events and Logging
  • 7.5. Logging Messages
• 8. Data Tagging
  • 8.1. Example Use Case
  • 8.2. Limitations
• 9. Building and Running Security Plugins-Based Applications
  • 9.1. Linking Applications with the Security Plugins
    • 9.1.1. Dynamic Linking
    • 9.1.2. Static Linking
  • 9.2. Mixing Libraries Not Supported
  • 9.3. Properties for Enabling Security
  • 9.4. Advanced Concepts
    • 9.4.1. Creating/Deleting a DomainParticipant as a C++ Static Object
  • 9.5. Platform-Specific Notes
    • 9.5.1. Building Security Plugins-Based Applications for VxWorks 7
      • 9.5.1.1. Considerations for Building and Running Security Plugins in Kernel Modules
      • 9.5.1.2. Considerations for Building and Running Security Plugins in RTP Executables
  • 9.6. Libraries Required for Using the Builtin Security Plugins
  • 9.7. Libraries Required for Using the Lightweight Builtin Security Plugins

Part 3: Advanced Concepts

• 10. Using STRIDE Threat Modeling to Analyze Security Risks in DDS Systems
  • 10.1. Introduction to Threat Modeling
  • 10.2. Simplified DDS Security Threat Model
  • 10.3. Introduction to STRIDE
  • 10.4. Detailed DDS Security Threat Model
    • 10.4.1. DDS Security Trust Boundaries
    • 10.4.2. DDS Traffic Categorization
    • 10.4.3. DDS Security Threat Protection
    • 10.4.4. Domain Outsider Protection
    • 10.4.5. Domain Insider Protection
    • 10.4.6. Topic Outsider Protection
    • 10.4.7. Topic Insider Protection
  • 10.5. Configuration Examples for Common Threat Scenarios
    • 10.5.1. Automotive Network Insider
      • 10.5.1.1. Configuration
      • 10.5.1.2. Resulting protection
    • 10.5.2. Industrial Automation Malicious 3rd-Party App
      • 10.5.2.1. Configuration
      • 10.5.2.2. Resulting protection
    • 10.5.3. Medical System Malicious Device
      • 10.5.3.1. Configuration
      • 10.5.3.2. Resulting protection
    • 10.5.4. Aviation Services Malicious Device
      • 10.5.4.1. Configuration
      • 10.5.4.2. Resulting protection
• 11. Design Considerations
  • 11.1. Factors Affecting Performance and Scalability in General
    • 11.1.1. Hardware
    • 11.1.2. Algorithms Used
    • 11.1.3. Maximum Transmission Unit (MTU)
    • 11.1.4. Using OpenSSL Providers
    • 11.1.5. Security Plugins File Tracking
  • 11.2. Security Plugins’ Impact on Scalability at Startup
    • 11.2.1. Impact of the Security Plugins on the Discovery Process
      • 11.2.1.1. Differences in DomainParticipant Creation
      • 11.2.1.2. Differences in Endpoints Creation
      • 11.2.1.3. Differences in Remote DomainParticipants Discovery
      • 11.2.1.4. Differences in Remote Endpoints Discovery
      • 11.2.1.5. Participant Discovery Information Validation and Updates
    • 11.2.2. Impact of the Secure Versions of Builtin Endpoints
    • 11.2.3. Impact of Key Exchange on Scalability at Startup
      • 11.2.3.1. Participant Key Material
      • 11.2.3.2. Builtin Secure Endpoints
      • 11.2.3.3. User-Defined Secure Endpoints
      • 11.2.3.4. Receiver-Specific Keys
    • 11.2.4. Factors Impacting Performance and Scalability at Startup
      • 11.2.4.1. Impact of OCSP
      • 11.2.4.2. Number of Participants and Endpoints in Your Secure Domain
      • 11.2.4.3. Contents of the Identity Certificates
      • 11.2.4.4. Contents of Your Permissions Documents
      • 11.2.4.5. Impact of Different Protection Kinds
  • 11.3. Security Plugins Impact on Scalability and Performance During Steady State
    • 11.3.1. Overhead of the Different Protection Kinds
      • 11.3.1.1. Discovery Protection
      • 11.3.1.2. Liveliness Protection
      • 11.3.1.3. Serialized Data Protection
      • 11.3.1.4. Submessage Protection
      • 11.3.1.5. RTPS Protection
      • 11.3.1.6. Origin Authentication Protection
      • 11.3.1.7. SIGN VS ENCRYPT
      • 11.3.1.8. OCSP revalidation
    • 11.3.2. Factors Impacting Performance and Scalability During Steady State
      • 11.3.2.1. Performance Impact of Different Protection Kinds
      • 11.3.2.2. Interaction Between the Security Plugins and Batching QoS
      • 11.3.2.3. Interaction Between the Security Plugins and Multicast
      • 11.3.2.4. Interaction with Reliability
      • 11.3.2.5. Scalability Considerations for Origin Authentication Protection
      • 11.3.2.6. Interaction with Content Filtered Topics
      • 11.3.2.7. Interaction with Topic Queries
      • 11.3.2.8. Interaction with Asynchronous Publishing
      • 11.3.2.9. Interaction with Compression
      • 11.3.2.10. Interaction with CRC
      • 11.3.2.11. Interaction with Transport UDPv4_WAN
  • 11.4. Recommendations for Usage with Observability Framework
  • 11.5. Security Considerations when Enabling Compression
  • 11.6. Considerations when Enabling OCSP
    • 11.6.1. When OCSP is Not Recommended
    • 11.6.2. Responder Availability
    • 11.6.3. OCSP Token Validity Interval
    • 11.6.4. Time Synchronization Requirements
• 12. Best Practices
  • 12.1. Choosing the Granularity of Your Permissions Documents for DomainParticipants
  • 12.2. Using Serialized Data Protection Along with Submessage/RTPS Protection
  • 12.3. Using Separate Domains for Secure and Unsecure Participants
  • 12.4. Keeping Governance and Permissions Compatibility Across Different Security Plugins Versions
• 13. Support for OpenSSL Engines
  • 13.1. Properties for Configuring OpenSSL Engines
  • 13.2. Advanced Concepts
    • 13.2.1. Support for Engine Control Commands
• 14. Support for OpenSSL Providers
  • 14.1. Instructions for Loading Providers
    • 14.1.1. Constructing a Configuration File
    • 14.1.2. Setting Environment Variables
    • 14.1.3. Verifying the Usage of Providers
  • 14.2. How Providers Impact Security Plugins Behavior
  • 14.3. The FIPS Provider
• 15. What’s Different Between the Security Plugins and the OMG Security Specification
  • 15.1. Differences Affecting Builtin Plugins to be Addressed by Next DDS Security Specification
    • 15.1.1. Access Control
      • 15.1.1.1. Mutability of Publisher PartitionQosPolicy
  • 15.2. Differences Affecting Builtin Plugins
    • 15.2.1. General
      • 15.2.1.1. Support for Infrastructure Services
    • 15.2.2. Access Control
      • 15.2.2.1. Placement of the <default> rule in the Permissions Document
  • 15.3. Differences Affecting Custom Plugins
    • 15.3.1. Authentication
      • 15.3.1.1. Revocation
      • 15.3.1.2. Discovery Failure If Exchanging Fewer Than Two Handshake Messages
    • 15.3.2. Access Control
      • 15.3.2.1. check_remote_topic
      • 15.3.2.2. check_local_datawriter_register_instance
      • 15.3.2.3. check_local_datawriter_dispose_instance
      • 15.3.2.4. check_remote_datawriter_register_instance
      • 15.3.2.5. check_remote_datawriter_dispose_instance
      • 15.3.2.6. check_local_datawriter_match / check_local_datareader_match
      • 15.3.2.7. Revocation
      • 15.3.2.8. PermissionsToken
    • 15.3.3. Cryptography
      • 15.3.3.1. inline_qos for encode/decode_serialized_payload
• 16. Pre-Shared Key Protection
  • 16.1. Pre-Shared Key Protection Motivation and Benefits
    • 16.1.1. Pre-Shared Key Protection in Lightweight Builtin Security Plugins vs. Pre-Shared Key Protection in Builtin Security Plugins
  • 16.2. Configuring Pre-Shared Key Protection
    • 16.2.1. Lightweight Builtin Security Plugins and Builtin Security Plugins Interoperability
  • 16.3. How Pre-Shared Key Protection Works
    • 16.3.1. PSK Material
    • 16.3.2. Key Management
    • 16.3.3. Passphrase identifier
    • 16.3.4. Pre-Shared Key Protection and the Cloud
• 17. The Lightweight Builtin Security Plugins
  • 17.1. Configuring the Lightweight Builtin Security Plugins
    • 17.1.1. The Lightweight Builtin Security Plugins and RTI Admin Console
• 18. Relevant Connext APIs
  • 18.1. Relevant functions
    • 18.1.1. banish_ignored_participants
    • 18.1.2. discovered_participant_subject_name
    • 18.1.3. discovered_participants_from_subject_name
    • 18.1.4. discovered_participant_data
    • 18.1.5. on_invalid_local_identity_status_advance_notice
  • 18.2. Relevant types for the Governance Document
  • 18.3. Relevant types for the Security Algorithms

Part 4: Integration with other RTI Connext Products

• 19. DDS Security Data Visualization with RTI Administration Console
  • 19.1. RTI Admin Console and the Lightweight Builtin Security Plugins
• 20. Support for RTI Infrastructure Services
  • 20.1. RTI Persistence Service
  • 20.2. RTI Routing Service
  • 20.3. RTI Recording Service
  • 20.4. RTI Web Integration Service
• 21. Support for RTI Real-Time WAN Transport
  • 21.1. Binding Ping Messages Security
  • 21.2. Security Considerations when Using Cloud Discovery Service
    • 21.2.1. Protection Against a Cloud Discovery Service Participant Announcement Replay Attack
• 22. Support for RTI Observability Framework
  • 22.1. Creating a Governance Document for Observability Framework
  • 22.2. Creating a Permissions Document for Collector Service
  • 22.3. Creating a Permissions Document for Monitoring Library 2.0
  • 22.4. Enabling Security Plugins in Collector Service
    • 22.4.1. Using Docker Compose (Prepackaged)
    • 22.4.2. Using Docker (Separate Deployment)
  • 22.5. Enabling Security Plugins in Monitoring Library 2.0

• Copyrights and Notices