4. Authentication
Authentication is the process of making sure a DomainParticipant is who it claims to be. Loading any [1] security plugins will configure the DomainParticipant to request the plugins to authenticate a newly discovered remote participant before initiating Endpoint Discovery with that participant.
Note
In the case of Lightweight Builtin Security Plugins, which implements OMG DDS Security 1.2 specification (pending publication)
builtin PSK plugins, the Authentication Plugin does not perform any operation
to cryptographically enforce DomainParticipant Authentication.
Consequently, most of this chapter (with some exceptions such as the
descriptions of files_poll_interval
and
authentication.enable_custom_allocators
)
is only applicable to Builtin Security Plugins or custom security plugins implementing
3-way handshake PKI-based authentication.
In the case of Builtin Security Plugins, Authentication is done via a series of inter-participant challenge and response messages, which are exchanged during a 3-way handshake. These messages perform mutual authentication, so the end result is that this DomainParticipant authenticates the remote DomainParticipant and vice-versa.
Before a DomainParticipant is enabled, the Authentication Plugin associated with the DomainParticipant must be configured with three artifacts:
The Identity CA Certificate, which contains the public key of the Identity CA.
The Private Key of the DomainParticipant.
An Identity Certificate that chains up to the Identity CA. This certificate binds the public key of the DomainParticipant to its subject name.
If the Authentication Plugin fails to verify any of these prerequisites, participant creation fails.
To successfully authenticate a remote participant, that remote participant must present a valid Identity Certificate (this is known as Identity Certificate Validation, which we describe in Identity Certificate Validation) and prove to have access to the private key associated with the Identity Certificate’s public key (by signing challenges during the handshake).
Authentication of the remote participant takes place right after the Participant Discovery phase (see Discovery in the Core Libraries User’s Manual). Secure Endpoint Discovery will only happen between mutually authenticated participants. In other words, if a participant (let’s call it P1) fails to authenticate a different participant (P2), P1 ignores Endpoint Discovery traffic from P2. Otherwise, P1 initiates Endpoint Discovery with P2 after mutual authentication. If a participant fails to authenticate, Connext will try again by initiating a new handshake through the Authentication Plugin.
Each DomainParticipant can optionally specify a certificate revocation list (CRL) to the Authentication Plugin. The CRL is checked for revoked certificates as part of the Identity Certificate Validation (see Identity Certificate Validation). Remote participants presenting a revoked certificate will not be authenticated. This way, you can prevent a compromised DomainParticipant from joining your secure domain by revoking its Identity Certificate and adding it to the CRL.
4.1. Handshake
To perform mutual authentication, DomainParticipants exchange a series of challenge and response messages in a 3-way handshake. This handshake is the mechanism by which participants verify each other’s identity and establish a Shared Secret. After mutual authentication over an unsecure channel, a Shared Key is derived using the Shared Secret.
Handshake messages are sent over the Authentication Builtin Topic, which allows the messages to be directed to a specific recipient (see Authentication Builtin Topic (ParticipantStatelessMessage)).
The handshake establishes mutual authentication between discovered participants using the RSA or ECDSA digital signature algorithms, and determines a Shared Secret using Diffie-Hellman (DH) or Elliptic Curve Diffie-Hellman (ECDH) key establishment methods.
4.1.1. Message Exchange
Let’s analyze the handshake by examining the messages that two participants (P1 and P2) exchange as part of the authentication:
4.1.1.1. Handshake Request
To initiate the handshake, P1 sends a Handshake Request to P2 that includes:
P1’s Identity Certificate (Cert1), which includes P1’s public key (PubK1)
P1’s Participant data (Pdata1), which includes P1’s DomainParticipantQos and P1’s security attributes
P1’s Permissions Document (Perm1)
A challenge (Challenge1) and a Diffie-Hellman public key (DH1), which P1 randomly generates right before initiating the handshake
4.1.1.2. Handshake Reply
When P2 receives the Handshake Request, it verifies Cert1 and Perm1’s signature. At this point, P2 knows whether P1 has presented a valid Identity Certificate (that chains up to the shared Identity CA) and Permissions Document (signed by the shared Permissions CA). If it did, the handshake continues and P2 sends a Handshake Reply to P1 that includes:
P2’s Identity Certificate (Cert2), which includes P2’s public key (PubK2)
P2’s Participant data (Pdata2), which includes P2’s DomainParticipantQos and P2’s security attributes
P2’s Permissions Document (Perm2)
A challenge (Challenge2) and a Diffie-Hellman public key (DH2), which P2 randomly generates upon reception of a Handshake Request
A signature (Sign2), which P2 generates by signing some of the message contents, including Challenge1 and DH2, with its private key (PrivK2)
4.1.1.3. Handshake Final
When P1 receives the Handshake Reply, it verifies Cert2 and Perm1’s signature, thus verifying whether P2 has presented a valid Identity Certificate (that chains up to the shared Identity CA) and Permissions Document (signed by the shared Permissions CA). P1 also verifies Sign2 against PubK2. Hence, P1 can verify whether Sign2 was generated with PrivK2. At this point, P1 knows whether P2 is the legitimate holder of the private key associated with Cert2. If the verification succeeds, P2 is authenticated and P1 computes the Shared Secret from DH2 and the Diffie-Hellman private key used for DH1. At this point, P1 sends a Handshake Final to P2 that includes:
A signature (Sign1), which P1 generates by signing some of the message contents, including Challenge2 and DH1, with its private key (PrivK1)
When P2 receives this message it verifies Sign1 against PubK1. Now, P2 knows whether P1 is the legitimate holder of the private key associated with Cert1. P1 is now authenticated and P2 computes the Shared Secret from DH1 and the Diffie-Hellman private key used for DH2. At this point, the handshake concludes: P1 and P2 are mutually authenticated and have a Shared Secret they can use to derive the Shared Key they need to communicate securely.
4.1.2. General Considerations
The authentication process is secure, even if the channel where the authentication happens is not secure. As we mentioned earlier, the Handshake Request and Handshake Reply messages include a random challenge. In both cases, the purpose of this challenge is to verify that the remote participant currently holds the private key corresponding to the exchanged certificate. For clarity, let’s analyze how we achieve this using the Handshake Request.
In the Handshake Request, P1 is the challenger participant, and P2 is the challenged participant. (Note that the mechanism used in the Handshake Reply is the same, but P1 and P2 swap roles.) In this first case, P1 sends a random challenge that P2 needs to sign (along with other information) with its private key, sending the result back to P1. Then P1 verifies that the signature corresponds to the public key in P2’s certificate. Since the challenge is a random piece of information unique to the current authentication session, P1 can verify that P2 currently holds the private key corresponding to the public key claimed in the certificate. With this mechanism, it is not possible to capture a valid handshake from a previous authentication session and replay it later without it becoming invalid. Therefore, we can be sure that P2 is the legitimate holder of the exchanged certificate. In other words, this verifies that P2 is who it claims to be.
During the authentication process, things can go wrong. For example, an unauthorized participant may present an invalid certificate, an attacker trying to impersonate one of your participants will be unable to give a valid response to the challenges, or an attacker may try to break the authentication between two legitimate participants by sending invalid responses to challenges in lieu of an authorized participant halfway through the authentication process. An invalid certificate or response to a challenge will result in a VALIDATION_FAILURE for that particular handshake message, but authentication will not fail until it times out. This is to avoid denial-of-service (DoS) attacks where a third party injects messages during an authentication.
If the authentication process fails (because it times out), the participants can fall into one of the following states:
4.1.2.1. Symmetric Authentication Failure
If the authentication process is not completed and fails for both participants (P1 does not authenticate P2, and P2 does not authenticate P1), P1 cleans up all the authentication state of P2 and P2 cleans up all the authentication state of P1, so the authentication can start from scratch.
4.1.2.2. Asymmetric Authentication Failure
Let’s analyze the case where P1 successfully authenticates P2, but P2 did not authenticate P1. This can happen if P1 received the Handshake Reply that was correct, but it couldn’t deliver the Handshake Final (because of a network failure, for example). In this case, P2 cannot start authenticating from scratch because from P1’s perspective, P2 has already authenticated (in other words, P1 has not cleaned up P2’s authentication state).
Asymmetric authentication failure can also happen if authentication succeeds for both participants, then liveliness expires for just one of them.
To solve this problem, by default, P2 periodically sends Authentication Request messages to P1 after a timeout. With an Authentication Request, P2 asks P1 to open a secondary authentication process so it has the opportunity to reauthenticate. If that succeeds, P1 will replace P2’s old authentication state with the new one. At this point, P1 and P2 are mutually authenticated.
For more details, see Re-Authentication.
4.1.3. Identity Certificate Validation
Identity Certificates are signed by a CA trusted by both DomainParticipants. Therefore, DomainParticipants can verify that the received certificate is legitimate. As per the OMG DDS Security specification, Identity Certificates are in PEM format and may contain a human-readable section above the mandatory section delimited by:
---BEGIN CERTIFICATE---
---END CERTIFICATE---
The human-readable section adds no functionality and is NOT used for validating the certificate. Removing it from the Identity Certificate before the authentication process reduces the size of the messages on the network.
By default beginning in Connext DDS version 6.0.1, the human-readable part of Identity Certificates is stripped when the certificate is loaded. This behavior avoids additional overhead and can be controlled with the boolean property authentication.propagate_simplified_identity_certificate
(see Table 4.2).
Identity Certificate Validation is done when this participant receives the first handshake message from a remote participant, and implies multiple checks:
4.1.3.1. Step 1. Verifying the certificate validity on the current date and time
The Builtin Security Plugins will check the certificate’s X.509 Validity fields (Not Before and Not After). If the certificate is received outside this time frame (before it becomes valid, or after it has expired), validation fails immediately. Otherwise, the certificate is considered currently valid.
4.1.3.2. Step 2. Verifying that the certificate is not revoked
You can specify a CRL by setting the authentication.crl
property
(see Table 4.2).
By doing this, your DomainParticipant will check the certificate against the revocation
list. If the certificate is found to be revoked, validation fails immediately.
Note that each DomainParticipant is responsible for specifying its own CRL; a CRL is not
exchanged during discovery or handshaking.
Also note that the revocation list is mutable as described in
Dynamic Certificate Revocation of Remote DomainParticipants.
For further details, refer to Multiple Certificate Revocation Lists.
4.1.3.3. Step 3. Verifying that the Identity CA issued the remote’s Identity Certificate
The local DomainParticipant validates the certificate against the Identity CA specified in
the dds.sec.auth.identity_ca
property (see
Table 4.1). If the issuer
of the Identity Certificate is an intermediate CA, you should specify the full
certificate chain in the dds.sec.auth.identity_certificate
property.
In this case, the Identity Certificate will be verified to chain up to the Identity
CA, as specified in Identity Certificate Chaining.
If the Identity CA is not currently valid or cannot validate an Identity Certificate,
then the validation will be retried with the alternative certificates specified
in the authentication.alternative_ca_files
property (see
Table 4.2). If
none of the alternative CAs are currently valid and can validate the file (or
if you did not set this property), the validation process will fail.
4.1.4. GUID Validation
Note
The Builtin Security Plugins cause a DomainParticipant to have a different GUID than it would normally have.
If a secure DomainParticipant is allowed to have whatever GUID it wants, then it becomes possible for an attacker to send a storm of participant announcements with different GUIDs while using its own certificate and private key to successfully complete the handshakes with the other DomainParticipants in the domain. Legitimate DomainParticipants that have a GUID that the attacker already used will be unable to join the domain.
To prevent this denial-of-service attack, a DomainParticipant that would have had a certain
GUID when not using the Builtin Security Plugins (let’s call this the “candidate GUID”) will have
this GUID adjusted by the Builtin Security Plugins. This adjusted GUID becomes the GUID that the
DomainParticipant effectively uses for everything, and it is also the GUID that is outputted
by the API DDS_DomainParticipant_get_qos
in the
wire_protocol.rtps_host_id
, wire_protocol.rtps_app_id
, and
wire_protocol.rtps_instance_id
fields of the DomainParticipantQos. The
adjustment works as follows:
The first bit (bit 0) is set to 1.
The 47 bits following the first bit (bits 1 to 47) are set to the first 47 bits of the SHA-256 hash of the ASN.1 DER encoding of the subject name appearing in the Identity Certificate.
The following 48 bits (bits 48 to 95) are set to the first 48 bits of the SHA-256 hash of the candidate GUID.
By mixing in a value that depends on the certificate subject name, the DomainParticipant GUID selection mechanism is protected from duplication or reuse by DomainParticipants that cannot authenticate that their identity is indeed that subject name. Thus, as part of the processing of a Handshake Reply and a Handshake Final, the receiver checks that the middle 47 bits of the GUID match the hash of the subject name. If they do not match, then the validation process will fail.
4.2. Authentication Builtin Topic (ParticipantStatelessMessage)
To perform the handshake, DomainParticipants need to exchange directed messages through a unsecure communication channel. For this purpose, the OMG DDS Security specification introduces a new Authentication Builtin Topic, also known as the ParticipantStatelessMessage builtin Topic. This best-effort stateless Topic prevents the sequence-number prediction vulnerability that is present in unsecure reliable protocols.
The Authentication Builtin Topic implements the channel that DomainParticipants need to perform authentication. Data samples exchanged for this Topic include both the handshake messages (see Handshake) and the re-authentication messages (see Re-Authentication).
4.2.1. Fragmentation Support for the Authentication Topic
The Security Plugins support fragmenting Authentication Builtin Topic samples. This is useful in scenarios with a hard limit on the transport maximum message size.
This feature is enabled by default: fragmentation of Authentication Builtin Topic samples will be triggered when sending samples that exceed the message_size_max
configured in the transports used by Connext (see Setting Builtin Transport Properties with the PropertyQosPolicy in the Core Libraries User’s Manual).
4.4. Cryptographic Algorithms
The Security Plugins use different cryptographic algorithms for different purposes. Starting with version 7.0.0, the user can modify and select algorithms supported and used by Secure Entity. This section describes the relationship between the digital signature and key establishment algorithms that can be configured in the Authentication Plugin.
In this section, we also describe the relationship between the algorithms that can be configured in the Authentication Plugin and the ParticipantTrustAlgorithmInfo::signature and ParticipantTrustAlgorithmInfo::key_establishment fields, which are used to propagate the used and supported algorithms for a DomainParticipant. A complete list of values can be found in Table 18.7 and Table 18.8.
Note that a Secure Entity may not propagate through discovery the exact list of algorithms listed in the Governance Document. The reason is that the final value for a supported mask is an intersection of the algorithms allowed by the Governance Document and the list of algorithms supported by the DomainParticipant. Remember that the Governance Document is about system-wide security requirements. Even if the Governance Document allows an algorithm, the implementation of the Security Plugins for a DomainParticipant may not support it. For example, the Security Plugins for wolfSSL may support different algorithms than the Security Plugins for OpenSSL.
Finally, this section also defines discovery defaults for every field of the ParticipantBuiltinTopicData::trust_algorithm_info. Discovery defaults are the values that are assumed when no value is propagated through discovery see Discovery of a Remote Secure Entity for more details about discovery.
4.4.1. Digital Signature Algorithms
Digital Signature Algorithms collect algorithms used in the DomainParticipant trust chain as well as for authentication. The following algorithms are supported:
RSASSA-PSS-MGF1SHA256+2048+SHA256
RSASSA-PKCS1-V1_5+2048+SHA256
ECDSA-P256+SHA256
ECDSA-P384+SHA384
EDDSA+ED25519+SHA512 (<< experimental >>)
EDDSA+ED448+SHAKE256 (<< experimental >>)
Digital Signature Algorithms specify four algorithm definitions:
trust_chain.supported_mask
: A list of supported trust chain algorithms. The default value is: RSASSA-PSS-MGF1SHA256+2048+SHA256 and ECDSA-P256+SHA256.trust_chain.required_mask
: A list of algorithms used in the DomainParticipant’s identity trust chain. Identity Certificate determines which algorithm is used. The default value is: ECDSA-P256+SHA256.message_auth.supported_mask
: A list of supported authentication digital signature algorithms. The default value is: RSASSA-PSS-MGF1SHA256+2048+SHA256 and ECDSA-P256+SHA256.message_auth.required_mask
: The authentication digital signature algorithm used by a DomainParticipant. Identity Certificate determines which algorithm is used. The default value is: ECDSA-P256+SHA256.
Note
The trust_chain.supported_mask
are the list of digital signature
algorithms supported by the DomainParticipant in the context of creating a chain of trust.
This means that they are the algorithms used for verifying the Identity Certificate
against the Identity Certificate Authority. The Builtin Security Plugins enforce during
validation of the remote Identity Certificate chain that the actual used digital
signature algorithms are supported.
The message_auth.supported_mask
are the list of digital signature algorithms
supported by the DomainParticipant for checking that the remote DomainParticipant is authentic.
These are the algorithms that a DomainParticipant supports for challenging a remote DomainParticipant
to prove that it has the Private Key corresponding to its Identity Certificate.
4.4.2. Key Establishment Algorithms
Key Establishment Algorithms collect algorithms used in key establishment during DomainParticipant authentications. The following algorithms are supported:
DHE-MODP+2048+256
ECDHE-CEUM+P256
ECDHE-CEUM+P384
ECDHE-CEUM+X25519 (<< experimental >>)
ECDHE-CEUM+X448 (<< experimental >>)
Key Establishment Algorithms specify two algorithm definitions:
supported_mask
: A list of supported key establishment algorithms. The default value is: DHE-MODP+2048+256 and ECDHE-CEUM+P256.required_mask
: Indicates the algorithm the DomainParticipant will use as the key establishment algorithm if the DomainParticipant is the authentication initiator (if not, the algorithm of the other DomainParticipant will be used). It is determined by authentication.key_establishment_algorithm property (see Table 6.8). The default value is: ECDHE-CEUM+P256.
See allowed_security_algorithms (domain_rule) to learn how to configure which of these algorithms are supported.
4.5. Advanced Authentication Concepts
4.5.1. Protecting Participant Discovery
Participant Discovery is sent through an unsecure channel. Consequently, additional mechanisms need to be put in place to make sure the received information comes from a legitimate participant. In the Builtin Security Plugins, the mechanism for protecting the Participant Discovery information is known as TrustedState.
Security Plugins TrustedState is an RTI extension to the DDS Security Authentication specification that covers two limitations in the OMG DDS Security specification:
The lack of a standardized mechanism for validating that the Participant Discovery information received by DDS actually matches the information of the authenticated remote DomainParticipant.
Participant Discovery data is immutable after authentication. This prevents functionality such as updating IP addresses. (Only a limitation in DDS Security 1.0, resolved in 1.1.).
Security Plugins TrustedState is a digest of the Participant Discovery data, plus information that unambiguously identifies the current local participant state and the current authentication session. TrustedState is exchanged as part of the authentication process as a vendor extension. More specifically, TrustedState is included as a binary property in the Handshake Reply and Handshake Final messages. Once the authentication completes, involved participants will validate received Participant Discovery information against the received TrustedState. This way, participants can be sure that the received Participant Discovery comes from the authenticated participant.
The Participant Discovery channel is also used to propagate changes in the DomainParticipant’s QoS or in the locators. In order to securely propagate Participant Discovery changes after authenticating the remote participant, the Builtin Security Plugins use the participant’s identity private key to sign the Participant Discovery data plus some additional information identifying the local participant state (and which is consistent with the one serialized in the TrustedState). This signature is then serialized as a property in the Participant Discovery data. This way, other participants can validate that the update is legitimate by verifying the received Participant Discovery against the participant’s public key.
Please note that in DDS Security 1.0 (which Connext 5.3.x implements), the DomainParticipantQos for remote DomainParticipants is immutable. To overcome this limitation, 5.3.x uses the TrustedState extension. Non-RTI participants do not implement TrustedState; therefore, they cannot update DomainParticipantQos Discovery information after authentication. This limitation is solved by DDS Security 1.1, which is adopted in Connext 6.0.0+.
To increase compatibility with other vendors, Secure DomainParticipants that use the Security Plugins will successfully authenticate remote participants that do not provide TrustedState. Non-RTI participants should ignore the TrustedState property in the Handshake since it is a vendor extension.
Caution
The TrustedState mechanism is disabled when Pre-Shared Key Protection is enabled. Participant announcements are protected with symmetric cryptography and there is no need for TrustedState. For details, see Pre-Shared Key Protection and the Cloud.
4.5.2. Identity Certificate Chaining
This section assumes you are familiar with the concept of a Certificate Chain, as described in Public Key Infrastructure (PKI).
You may specify a certificate chain in the dds.sec.auth.identity_certificate
property (see Table 4.1). You can create the certificate chain by concatenating individual certificates and specifying the concatenated result as a single file or string. The local Identity Certificate will be verified before creating the local DomainParticipant. It will also be sent on the network as part of the handshake. If a certificate chain is specified, then the whole chain will be sent on the network, which may cause significant overhead.
To avoid additional overhead, beginning in Connext version 6.1.0, the human-readable part of Identity Certificates is stripped by default when the certificate is loaded. You can control this behavior with the authentication.propagate_simplified_identity_certificate
property (see Table 4.2).
The CRLs specified in the authentication.crl
property will be used throughout the verification process (see Table 4.2). This property may contain any number of CRLs, each one signed by either the Identity CA (dds.sec.auth.identity_ca
), one of the alternative CAs (authentication.alternative_ca_files
), or one of the intermediate CAs in the Identity Certificate chain.
The Identity Certificate will be verified against the Identity CA using the following procedure:
The current certificate is the first certificate in the Identity Certificate chain.
Check that the current certificate is valid for the current date. Otherwise, the verification fails immediately.
If the current certificate is signed and unrevoked by the Identity CA (
dds.sec.auth.identity_ca
) or any of the alternative CAs listed inauthentication.alternative_ca_files
, then the verification succeeds immediately. Otherwise:If a next certificate exists in the chain and the current certificate is signed and unrevoked by that next certificate, then the next certificate becomes the current certificate.
If none of the certificates in the Identity Certificate chain lead to the Identity CA (or any of the alternative Identity CAs), then the verification fails. For details on certificate validation, see Identity Certificate Validation.
4.5.3. Re-Authentication
The Security Plugins support securely re-authenticating remote participants as described in the OMG DDS Security specification. This is needed in scenarios where there is an asymmetric liveliness loss.
As depicted in Figure 4.1, asymmetric liveliness loss occurs between two participants, P1 and P2, when P1 loses liveliness with P2. When this happens, P1 cleans up all the associated states, while P2 still keeps the authenticated state. Because P2 keeps an authenticated state from P1, it will not accept new authentication messages from P1. Without the ability to re-authenticate, asymmetric liveliness loss will lead to communication not recovering. The same occurs in the case of an asymmetric authentication failure. The Builtin Security Plugins address this problem by including a re-authentication capability as described in the OMG DDS Security specification.
If P1 has not completed an ongoing authentication with P2 after a specific
period, it will send an Authentication Request (dds.sec.auth_request
) message that
includes a nonce to P2. This message will give a hint to P2 that P1 is
pending authentication with P2. This specific period is configured by the
property dds.participant.trust_plugins.authentication_request_delay.sec
,
see Table 4.3.
When P2 receives an Authentication Request message, it will check if it already has a valid
completed authentication with P1. If so, that could mean that an asymmetric
liveliness loss has occurred. To verify that the Authentication Request is legitimate, the
two participants will now conduct a whole authentication process that includes
the nonce received as part of the triggering dds.sec.auth_request
message.
Only if this secondary authentication succeeds, the old state will be removed
in P2 and replaced with the new one, allowing discovery to complete again and
communication to recover. If this secondary authentication fails (this is,
if P2 triggers the timeout configured through the
dds.participant.trust_plugins.authentication_request_timeout.sec
property), no change will be made in P2 and the old authenticated session will
be kept.
Because the old authenticated state is kept until the new authentication has successfully completed, the Builtin Security Plugins re-authentication is robust against attackers trying to bring down an existing authentication.
Note
When running Builtin Security Plugins in constrained devices, or when the number of total
DomainParticipants simultaneously created under the same Domain is high, you may get the
following error during system startup for a subset of the ongoing
authentications: failed to verify challenge signature
.
This error could trigger as a result of inadequate configuration of the
authentication process for the system size, leading to mismatched
authentication processes between DomainParticipant pairs.
When this error triggers, it will generate unnecessary CPU
load and network traffic overhead. See section
Guidelines for Minimizing Authentication Negotiation Times
for a set of guidelines for minimizing authentication negotiation times.
4.5.4. Guidelines for Minimizing Authentication Negotiation Times
To minimize authentication negotiation times during system startup, follow these guidelines:
Set
dds.participant.trust_plugins.authentication_timeout.sec
to a value that is twice the time it takes to authenticate all of the DomainParticipants during the system startup. A too short value will trigger additional authentication negotiations, generating additional CPU load and network traffic, and generally slowing down the system startup.Set
dds.participant.trust_plugins.authentication_request_delay.sec
to a value that is higher than the time it takes to authenticate all of the DomainParticipants during the system startup. A too short value will generate additional traffic and potentially additional unnecessary authentication negotiations.Set
dds.participant.trust_plugins.authentication_request_timeout.sec
to the average time it takes to authenticate a DomainParticipant in your system at startup.Make sure that the sum of the configured values for
dds.participant.trust_plugins.authentication_request_delay.sec
anddds.participant.trust_plugins.authentication_request_timeout.sec
is lower than thedds.participant.trust_plugins.authentication_timeout.sec
.
4.5.5. Dynamic Certificate Revalidation
A valid Identity Certificate or Identity CA may not stay valid forever. When one of them becomes invalid, the Builtin Security Plugins should take appropriate action on the corresponding DomainParticipant. Currently, the Builtin Security Plugins support taking actions based on a certificate’s expiration time (the Not After X.509 Validity field) and presence in a CRL, and the actions differ between remote DomainParticipants and the local DomainParticipant.
4.5.5.1. Dynamic Certificate Expiration of Remote DomainParticipants
If the Identity Certificate of a remote DomainParticipant is successfully validated during
handshaking (see Identity Certificate Validation),
the Security Plugins note the earliest expiration time among the chain of
certificates that were involved in the validation. At that time,
the Security Plugins performs the
Identity Certificate Validation steps again. If
this revalidation fails, then the Security Plugins will remove the remote DomainParticipant.
Note that the remote DomainParticipant is only removed, not ignored, so it will be allowed to
rejoin the system if it can be recreated with the same GUID and with a valid
Identity Certificate. If the property
dds.participant.trust_plugins.key_revision_max_history_depth
is set
to a value other than 0
, then the Security Plugins will also create
a new Key Revision (see
Limiting the Usage of Specific Key Material) in
order to render the remote DomainParticipant’s Key Material outdated. If this property is
unset or set to 0
, then the Security Plugins will generate this log
message at the SECURITY
category and the WARNING
verbosity:
Precondition not met because the participant has not enabled key regeneration using the "dds.participant.trust_plugins.key_revision_max_history_depth" property. You must enable this property to prevent removed or ignored participants from reading your encrypted data or writing data that looks like it came from you!!!
4.5.5.2. Dynamic Certificate Expiration of the Local DomainParticipant
If the Identity Certificate of the local DomainParticipant is successfully validated during DomainParticipant
creation, and the local DomainParticipant is configured with a DomainParticipantListener
and a StatusMask that includes
INVALID_LOCAL_IDENTITY_ADVANCE_NOTICE_STATUS, then
the Builtin Security Plugins note the earliest expiration time among the chain of certificates that
were involved in the validation. The Builtin Security Plugins subtract the value of the
dds.participant.trust_plugins.certificate_expiration_advance_notice_duration.sec
property from that earliest expiration time. At that notification time,
the Builtin Security Plugins perform the Identity Certificate Validation
steps again for the local DomainParticipant. If this revalidation determines that a
certificate has already expired or will expire within the advance notice
duration, then the Security Plugins will notify the user by invoking the
on_invalid_local_identity_status_advance_notice
callback function. After the first notification, the Security Plugins will continue
notifying the user at a configurable period until the certificate chain has
finally expired. The property for configuring this period is
dds.participant.trust_plugins.certificate_expiration_advance_notice_reminder_period.sec
.
4.5.5.3. Dynamic Certificate Revocation of Remote DomainParticipants
If the Identity Certificate of a remote DomainParticipant does not appear in the local DomainParticipant’s CRL when the remote DomainParticipant is first discovered, it’s still possible for the Identity Certificate to appear in the CRL later. The CRL is mutable in two ways:
Changing the value of the
authentication.crl
property using the DomainParticipantset_qos
API. If the new CRL is invalid, thenset_qos
will return DDS_RETCODE_ERROR, and the old CRL, if it exists, will remain in use.Leaving the value of the
authentication.crl
property unchanged and instead changing the contents of the actual CRL file. The Builtin Security Plugins enforce these changes as long asfile:
is the prefix of the property value andfiles_poll_interval
is set to a value other than0
. In this case, the Security Plugins use a separate thread dedicated to periodically checking if any of the following have occurred:The CRL file has been deleted.
The CRL file modification timestamp has changed.
The MD5 hash of the file contents has changed.
If any of those events have occurred, then the Builtin Security Plugins will reload the CRL file. If the reloaded CRL is invalid or if the CRL file is actually deleted, then the previous version of the CRL will remain in use.
As soon as a CRL change is detected, the Security Plugins will remove any newly revoked
remote DomainParticipants. Note that the DomainParticipants are removed but not ignored. So if a later
CRL change results in any remote DomainParticipants becoming unrevoked, then communication
with those DomainParticipants will resume after any in-progress authentications are timed
out (the timeout is configurable using the property
dds.participant.trust_plugins.authentication_timeout.sec
) and after
the local DomainParticipant receives participant announcements from the remote DomainParticipants (the
announcement period is configurable using the field
DomainParticipantQos::discovery_config::participant_announcement_period
).
If the property
dds.participant.trust_plugins.key_revision_max_history_depth
is set
to a value other than 0
, then the Builtin Security Plugins will also create a new
Key Revision (see
Limiting the Usage of Specific Key Material) in
order to render the remote DomainParticipant’s Key Material outdated. If this property is
unset or set to 0
, then the Builtin Security Plugins will generate the same log message as
the one described in
Dynamic Certificate Expiration of Remote DomainParticipants.
Of course, you may combine these two ways of mutability. For example, you may
change the CRL filename from one.crl
to two.crl
, change the value of
authentication.crl
from file:one.crl
to file:two.crl
, and
change the contents of file:two.crl
.
4.5.5.4. Dynamic Certificate Revocation of Local DomainParticipants
Creation of the local DomainParticipant will fail with DDS_RETCODE_ERROR if its Identity Certificate appears in the CRL. However, even if the Identity Certificate of the local DomainParticipant is not in the CRL upon DomainParticipant creation, it’s still possible for the Identity Certificate to appear in the CRL later. This is because the CRL is mutable, as described in Dynamic Certificate Revocation of Remote DomainParticipants.
The Security Plugins will detect a change in either the CRL contents (when
files_poll_interval
is set to a value other than 0
) or in
the value of the authentication.crl
property itself (through the
DomainParticipant set_qos
API). If the new value is invalid, then the Builtin Security Plugins will keep using
the previous version of the CRL. If the new value is valid, then the Builtin Security Plugins will
update the CRL.
The set_qos
API returns DDS_RETCODE_ERROR if the new CRL value is invalid.
Otherwise, the set_qos
API returns DDS_RETCODE_OK. This return code is
independent of whether the Identity Certificate of the local DomainParticipant appears in the
updated CRL or not.
When the Identity Certificate of the local DomainParticipant appears in the updated CRL, then the Builtin Security Plugins will log an exception message due to a change in the security status. In particular, the message indicates that the Identity Certificate of the local DomainParticipant has been revoked.
4.5.6. Dynamic Certificate Revocation of Remote DomainParticipants through Whitelisting
The Builtin Security Plugins support defining a whitelist of allowed subject names (enabled when
dds.participant.trust_plugins.subject_name_whitelist
is set).
This whitelist provides a way to dynamically allow/deny access to
DomainParticipants into a domain.
The whitelist configures a set of (semicolon-separated) allowed subject names for authenticated DomainParticipants. If set (even if empty), authenticated DomainParticipants will be allowed into the system only if their subject name matches one of the ones in the whitelist.
Any authenticated DomainParticipant not matching the whitelist will be ignored automatically upon authentication completion, before it has access to any secure topic data. The whitelist has no effect on intraparticipant communication: a DomainParticipant will always be able to communicate with itself independently of the contents of the whitelist.
Warning
The subject names in the whitelist must be exactly as returned in the
Subject
field by the following OpenSSL command:
$ openssl x509 -in <certificate> -text -nameopt sep_comma_plus_space,sname,esc_2253
where <certificate>
is the path to the certificate file. Changing the
order of the attributes is not allowed.
4.5.6.1. Interactions with allow_unauthenticated_participants
Since the whitelist is enforced only on authenticated DomainParticipants, this property does
not impact allowed non-authenticated DomainParticipants: if
allow_unauthenticated_participants
is set to TRUE
, DomainParticipants not
using security and DomainParticipants failing authentication early will still be allowed into
the system.
4.5.6.2. Whitelist mutability
The whitelist allows for dynamic changes in the set of allowed subject names
without restarting the local DomainParticipant. If the list is modified once the DomainParticipant is
enabled, any previously ignored DomainParticipant will be unignored, which will create an
opportunity to successfully authenticate if it is now part of the updated
whitelist (if not, the DomainParticipant will be ignored as usual). The new authentication
will happen after the local DomainParticipant receives a participant announcement from the
remote DomainParticipant (the announcement period is configurable using the field
DomainParticipantQos::discovery_config::participant_announcement_period
).
Additionally, any previously trusted DomainParticipant that becomes ignored as a result of a
whitelist update will trigger an immediate key regeneration as long as key
regeneration is enabled through the
“dds.participant.trust_plugins.key_revision_max_history_depth” property.
4.5.6.3. Interactions with ignore_participant API
Connext keeps the state about whitelist-based ignored DomainParticipants independent from
the state about the DomainParticipants ignored through a call to the
ignore_participant
method. Consequently, DomainParticipants ignored through the
ignore_participant
method will remain ignored independently of the
whitelist configuration.
Still, whitelist-based ignored DomainParticipants still count towards the limit set by the
ignored_entity_allocation
resource limit.
4.5.6.4. Whitelist format
The whitelist expects a set of subject names separated by the semicolon ‘;’
character. In order to evaluate a DomainParticipant’s subject name as a match against the
list, one of the elements in the list must be evaluated as equal (based on the
result of strcmp
) against the subject name returned by a call to
DDS_DomainParticipant_get_discovered_participant_subject_name
for
that DomainParticipant’s InstanceHandle
.
Whitelist elements are tokenized based on the semicolon ‘;’ delimiter character. Any whitespace, including whitespace around the semicolons, will be considered part of the subject names. If any of the subject names in the list uses a semicolon, you need to escape this character by adding \ before it. Example:
C=US, ST=CA, O=Real Time Innovations\; CN=as one, CN=RTI ECDSA01\; (p256) PEER11, emailAddress=ecdsa01\;Peer\,11@rti.com
4.5.7. CRL Expiration
It is possible for a CRL to expire if it is still being used by the time the
value of its Next Update
field (see https://www.ietf.org/rfc/rfc5280.txt)
is reached. When a CRL expires, the behavior is as follows:
For any DomainParticipants that are discovered after the CRL expires, if the DomainParticipant Identity Certificate chain includes a certificate that is signed by the same CA that signed the CRL, then the DomainParticipant will fail authentication and be rejected. It doesn’t matter if the DomainParticipant’s certificate does not appear in the CRL. If checking the CRL is required for checking the certificate’s validity and the CRL is expired, then the Builtin Security Plugins will assume that the certificate is invalid.
For any DomainParticipants that are discovered before the CRL expires, the Builtin Security Plugins do nothing. The Builtin Security Plugins do not retroactively reject any previously discovered DomainParticipant whose Identity Certificate was signed by the same CA that signed the CRL. If a DomainParticipant changes its Identity Certificate and checking the certificate’s validity requires checking the expired CRL, then the Builtin Security Plugins will reject the new certificate and continue using the old one without ceasing communication with the DomainParticipant. If a DomainParticipant’s Identity Certificate expires, then communication will still cease as described in Dynamic Certificate Expiration of Remote DomainParticipants.
4.5.8. Dynamic Certificate Renewal of a DomainParticipant
When you get notified in advance that your Identity Certificate is about to expire (see Dynamic Certificate Expiration of the Local DomainParticipant), you may want to update your Identity Certificate to have a later expiration date. Currently, the Builtin Security Plugins supports updating the local DomainParticipant’s Identity Certificate (but not its Identity CA) without deleting and recreating the local DomainParticipant. The Identity Certificate is mutable in two ways, as long as the public key and subject name of the leaf certificate (the first certificate in the chain) remain the same and the digital signature algorithms are allowed according to allowed_security_algorithms (domain_rule) in the Governance Document:
Changing the value of the
dds.sec.auth.identity_certificate
property using the DomainParticipantset_qos
API. If the new Identity Certificate is invalid, thenset_qos
will return DDS_RETCODE_ERROR. If the new Identity Certificate violates the aforementioned mutability restrictions, thenset_qos
will return DDS_RETCODE_NOT_ALLOWED_BY_SECURITY. Ifset_qos
returns a value other than DDS_RETCODE_OK, then the old Identity Certificate will remain in use.Leaving the value of the
dds.sec.auth.identity_certificate
property unchanged and instead changing the contents of the actual Identity Certificate file. The Builtin Security Plugins enforce these changes as long asfile:
is the prefix of the property value andfiles_poll_interval
is set to a value other than0
. In this case, the Security Plugins use a separate thread dedicated to periodically checking if any of the following have occurred:The Identity Certificate file has been deleted.
The Identity Certificate file modification timestamp has changed.
The MD5 hash of the Identity Certificate file contents has changed.
If any of those events have occurred, then the Builtin Security Plugins will reload the Identity Certificate file. If the reloaded Identity Certificate is invalid or if the Identity Certificate file is actually deleted, then the previous version of the Identity Certificate will remain in use. If the reloaded Identity Certificate does not have any changes in the section between
-----BEGIN CERTIFICATE-----
and-----END CERTIFICATE-----
, then no further action is taken.
Once the Builtin Security Plugins detect that you have successfully updated your Identity Certificate to a different one, the Builtin Security Plugins will propagate your new Identity Certificate to other DomainParticipants via the Secure Key Exchange Channel. The remote DomainParticipants will try to validate your new Identity Certificate. If this validation is successful for a remote DomainParticipant, then the remote DomainParticipant will recognize the expiration time of your new Identity Certificate, and communication with the remote DomainParticipant will not stop when your old Identity Certificate expires. If, for some reason, this validation is unsuccessful for a remote DomainParticipant, then the remote DomainParticipant will treat you as if you are still using your old Identity Certificate, and you can expect communication with the remote DomainParticipant to cease once your old Identity Certificate expires. Notice that this Identity Certificate renewal process does not involve a whole new handshake because since the public key is immutable, you do not have to prove again that you have the corresponding private key, and since the subject name is also immutable, you do not have to use a new Permissions Document. If you update your Identity Certificate while you are in the middle of an authentication handshake with a remote DomainParticipant, then you will finish the handshake using your old Identity Certificate and then send your new Identity Certificate to the remote DomainParticipant once the Secure Key Exchange Channel has been established with the remote DomainParticipant.
4.6. Properties for Configuring Authentication
Table 4.1 and Table 4.2 list the properties that you can set for authentication. These properties are configured through the DomainParticipant’s PROPERTY QosPolicy (see QoS Properties).
Property Name |
Property Value Description |
---|---|
|
Required Identity CA certificate. This certificate is used for verifying the Identity Certificates of local and remote DomainParticipants (see Public Key Infrastructure (PKI)). Two participants that want to securely communicate with each other must use the same Identity CA. You may specify either the file name or the document contents. See the note below for details. String. Default: |
|
Required The private key associated with the first certificate that appears in
You may specify either the file name or the document contents. See the note below for details. String. Default: |
|
Required Identity Certificate signed by the Identity CA. Other participants will request this certificate to verify the identity of the local participant. This is an X.509 certificate in PEM format. You may put a chain of certificates in the Identity Certificate by concatenating individual certificates and specifying the concatenated result as a single file or string. See Identity Certificate Chaining and Public Key Infrastructure (PKI).
This property is mutable through the DomainParticipant String. Default: |
|
Only required if The password used to decrypt the $ openssl req -new -newkey ec:ecdsaparam2 \
-config example2ECdsa.cnf -keyout peer2keyECdsa.pem \
-passout pass:MyPassword -out peer2reqECdsa.pem
you should specify the Base64 encoding of MyPassword, therefore the value of the password property should be If the String. Default: |
Note regarding document format
The Identity CA, Private Key, and Identity Certificate documents in Table 4.1 must be in PEM format. You may specify either the file name or the document contents. If specifying the file name, the property value must have the fully qualified path and name of the file, and a prefix file:
(no space after the colon) is optional. If specifying the contents of the document, the property value must have the prefix data:,
(no space after the comma), followed by the contents inside the document.
Some examples:
"data:,-----BEGIN CERTIFICATE-----\nabcdef\n-----END CERTIFICATE-----"
"data:,-----BEGIN PRIVATE KEY-----\nabcdef\n-----END PRIVATE KEY-----"
"data:,-----BEGIN CERTIFICATE-----\nabcdef\n-----END CERTIFICATE-----"
Notice that the two n
characters are required.
"file:../../../dds_security/cert/ecdsa01/identities/ecdsa01Peer01Cert.pem"
"C:\Users\Name\dds_security\cert\ecdsa01\identities\ecdsa01Peer01Cert.pem"
Property Name (prefix with |
Property Value Description |
---|---|
|
Optional The algorithm used to establish the Shared Secret during authentication.
The options are Diffie-Hellman Ephemeral with 2048-bit MODP Group
parameters ( If two participants, that specify different property values, discover each
other, they will use the algorithm that belongs to the participant with
the lower-valued Enum:
Default: |
|
Optional Same as
Enum:
|
|
Optional A comma-separated list of alternative Identity CA Certificates. If the verification of a file fails with the main certificate ( Each of the elements in the list must be the fully qualified path to the certificate file. This property value may optionally contain String. Default: |
|
Optional A Certificate Revocation List to keep track of untrusted X.509 certificates. If If If A signed CRL that lists no certificates is considered valid. See Hands-on 4 in the RTI Security Plugins Getting Started Guide for example OpenSSL commands to generate a CRL. The document should be in PEM format. You may specify either the file name or the document contents. See the “Note regarding document format” above for details. This property is mutable through the DomainParticipant String. Default: |
|
Optional Same as
String. Default: |
|
Optional The interval at which the Security Plugins check for any changes in the files it tracks.
The Security Plugins can currently track CRL, Identity Certificate, and pre-shared key seed
files, provided that each of them is configured with the prefix To track all the files, the Security Plugins will create a separate thread dedicated to
periodically checking if the contents of any of the files have changed.
The This property is not mutable. Integer: Default: |
|
Optional How to enforce the presence of the X.509 v3 extension This property has three possible values (case-insensitive):
Enum: Default: |
|
Optional If Identity Certificates in PEM format may contain a human-readable section above the mandatory section delimited by: ---BEGIN CERTIFICATE---
---END CERTIFICATE---
The human-readable section adds no functionality and is not protected in any way. Removing it from the Identity Certificate before the authentication process reduces the size of the messages on the network. Boolean. Default: |
|
Optional If If Boolean. Default: |
|
Optional The format of the private key specified by The value of this property can be one of the following:
Enum: Default: |
|
Optional The kind of padding that the DomainParticipant uses and supports for RSA digital signatures. This property has three possible values:
If the value of the property is either If the value of the property is Enum.
Default: |
|
Optional << DEPRECATED >> Attention This feature is deprecated and will be removed in the future. Please use Pre-Shared Key Protection (described in Pre-Shared Key Protection) instead. In this release, this feature remains functional with intention to use only when interoperability with legacy systems is necessary. This description is provided for high-level reference only. For detailed information, please refer to Security Plugins 6.1.2 documentation. If this property is set, then ParticipantBuiltinTopicData messages will be protected with an HMAC operation. DomainParticipants must set this property to the same value in order to communicate with each other. When this property is set, the DomainParticipants will not interoperate with other DomainParticipants unless they are running Builtin Security Plugins using the same configuration for this property. The purpose of this pre-shared key is to protect against certain DoS attacks against RTI Cloud Discovery Service. The value of this property is not used to protect any traffic other than ParticipantBuiltinTopicData messages. All other RTPS traffic still gets protected by the standard Cryptography Plugin, which uses dynamically-generated keys that are exchanged after authentication completes. String. Default: not set |
|
Optional << EXPERIMENTAL >> Configures whether to enable custom cryptographic algorithms for the Authentication plugin. When enabled, the Builtin Security Plugins will enable additional digital signature and key establishment algorithms that are not part of the OMG DDS Security specification (EDDSA+ED25519+SHA512, EDDSA+ED448+SHAKE256, ECDHE-CEUM+X25519, ECDHE-CEUM+X448). Currently only supported in combination with OpenSSL: this property will have no effect when used in combination with wolfSSL. Two DomainParticipants with different configurations of this property will still interoperate as long as neither of them is using one of the custom algorithms. Default: |
|
Optional Configures whether to set custom crypto library (e.g., OpenSSL) allocators. When enabled (not the default), the Security Plugins will configure custom allocator functions (alloc, realloc, free) to the loaded crypto library with the goal of reducing memory fragmentation at the cost of a minimum performance impact. This is currently only supported in combination with OpenSSL. This property is only effective the first time a DomainParticipant loads the Security Plugins within the same process: subsequent DomainParticipant creations will ignore this property and leave the existing configuration unchanged. Moreover, this property is only effective if no allocation has been done with the crypto library builtin allocators before the Security Plugins have been loaded, otherwise a warning will be logged and no change will be made. For example, if you are using a dynamically linked VxWorks application and the kernel has the IPCRYPTO component, then the kernel will make some allocations at startup, and this property will not be effective. Important: Since the allocator functions live within the Security Plugins library, your application must not make any calls to the crypto library once the Security Plugins have been unloaded from memory. If your application uses heap monitoring: You should call
Default: |
Assuming you used com.rti.serv.secure
as the alias to load the
plugin. If not, change the prefix to match the string used with
com.rti.serv.load_plugins
, followed by the .
character.
4.6.1. Configuration Properties Affecting Any Authentication Plugin
Table 4.3 lists a set of properties that are not exclusive to the shipped Builtin Security Plugins, but that will affect any Authentication Plugin.
Property Name (prefix with |
Property Value Description |
---|---|
|
Optional Controls the maximum time (in seconds) that an ongoing authentication can remain without completing. After this timeout expires, the authentication process is cancelled, and associated resources are released. For more details, see General Considerations, and Guidelines for Minimizing Authentication Negotiation Times. A DomainParticipant should set its own Integer: Default: |
|
Optional Controls the delay (in seconds) before sending an Authentication Request to the remote DomainParticipant. For more information, please see Re-Authentication, and Guidelines for Minimizing Authentication Negotiation Times. Integer: Default: |
|
Optional Controls the timeout (in seconds) for authentication negotiations started from an authentication request message. For more information, please see Re-Authentication, and Guidelines for Minimizing Authentication Negotiation Times. Integer: Default: |
|
Optional Controls how much time (in seconds) in advance the on_invalid_local_identity_status_advance_notice DomainParticipantListener callback function should notify the user when the local DomainParticipant’s Identity Certificate or Identity CA is about to expire. For more information, please see Dynamic Certificate Expiration of the Local DomainParticipant. Integer: Default: |
|
Optional Once it’s time to start the advance notifications of the local DomainParticipant’s impending certificate expiration, this property controls how often these notifications happen. Notifications will happen at this period until the certificate finally expires or the certificate gets updated such that its expiration date is beyond the current time plus the advance notice duration. For more information, please see Dynamic Certificate Expiration of the Local DomainParticipant. Integer: Default: |
|
Optional Configures a (semicolon-separated) whitelist of subject names for authenticated DomainParticipants. If set (even if empty), authenticated DomainParticipants will be allowed into the system only if their subject name matches one of the ones in the whitelist. For more information, please see Dynamic Certificate Revocation of Remote DomainParticipants through Whitelisting. String. Default: |
4.6.2. Configuration Properties Affecting Connext DDS Core Libraries Behavior
Table 4.4 lists other properties affecting the Connext Core Libraries’ behavior.
Property Name |
Property Value Description |
---|---|
|
Optional If Boolean. Default: |