DDS Security
Gerardo Pardo-Castellote, Ph.D.
Chief Technology Officer, RTI
October 2014
© 2014 Real-Time Innovations, Inc.

Data-Centric QoS-Aware Pub-Sub Model
Virtual, decentralized global data space
Persistence Service
Recording Service
CRUD operations

Source (Key) | Speed | Power | Phase
WPT1 | 37.4 | 122.0 | -12.20
WPT2 | 10.7 | 74.0 | -12.23
WPTN | 50.2 | 150.07 | -11.98

Is there a Conflict?
• Security…
  – desires to restrict communication to only happen between authorized subjects
  – requires confidentiality so that only communicating subjects see the information
• PubSub/DDS
  – attempts to create a ‘global information space’ where anybody can access the information it needs
  – de-couples communications so publishers are unaware of subscribers and vice-versa

No Conflict: Security in the Global Information Space
The key is to use a net-centric security model
• Publishers are decoupled from subscribers via the Global Information Space
  – This does not mean loss of access control to the information
  – It means that the Information Space must have an associated security model
• DDS can use standard PKI and cryptographic techniques to enforce the security policies
• The situation is analogous to access control policies in a file system

Security Terms: a Safe-Deposit Box
• Authentication: The bank knows who you are; you must show ID.
• Access Control: The bank only lets those on an access list into your box.
• Confidentiality: You are alone in the room. Nobody can see the contents of the box.
• Integrity: The box is sealed. If anybody touches it you will know.
• Non-repudiation: You sign when you come in and out so you can’t claim that you weren’t there.
• Availability: The bank is always open.

Threats
1. Unauthorized subscription
2. Unauthorized publication
3. Tampering and replay
4. Unauthorized access to data by infrastructure services

Alice: Allowed to publish topic T
Bob: Allowed to subscribe to topic T
Eve: Non-authorized eavesdropper
Trudy: Intruder
Trent: Trusted infrastructure service
Mallory: Malicious insider

Data-centric/multicast Insider Threats
• Two insider threats affecting (multicast) data-centric systems are of unique significance
1. Reader mis-behaves as unauthorized writer
   An application uses knowledge gained as authorized reader to spoof the system as a writer
2. Compromise of Infrastructure Service
   A service that is trusted to read and write data on behalf of others (e.g. a persistence service) becomes compromised

Session Sequence Number Attack
• Background:
  – Reliable protocols rely on a session_id and a sequence number to avoid duplicates and detect message loss
  – RTPS protocol can use GAP messages and HeartBeat messages to advance the session (DataWriter) sequence number
• Vulnerability:
  – An attacker can spoof a packet with the session ID and a HeartBeat/GAP, causing the DataReader to advance the session sequence numbers and blocking reception of future messages
  – Attacker only needs GUID of the DataWriter to attack, which can be obtained from snooping traffic.
  – Attack can be used to prevent the Authentication of legitimate Participants

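The mitigation for the spoofed HeartBeat/GAP described above, as an added Go example that is not from the slides or from any DDS implementation: a reader that lets a heartbeat advance its sequence number only when the heartbeat carries a valid HMAC-SHA256 under a session key. The `Heartbeat` and `Reader` types, the GUID string and the key are constructed for the illustration and do not follow the RTPS wire format.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Heartbeat is a simplified stand-in for an RTPS HEARTBEAT submessage
// (constructed for this example; it is not the RTPS wire format).
type Heartbeat struct {
	WriterGUID string // session identifier, visible to anyone who can snoop traffic
	FirstSN    uint64 // lowest sequence number the writer still offers
	MAC        []byte // HMAC-SHA256 over GUID and FirstSN; nil when unsigned
}

// Reader holds the state a DataReader keeps for one matched DataWriter.
type Reader struct {
	WriterGUID string
	NextSN     uint64 // next sequence number the reader will accept
	Key        []byte // session key shared with the writer; nil = no protection
}

// HeartbeatMAC authenticates the fields that can move the reader's state.
func HeartbeatMAC(key []byte, guid string, firstSN uint64) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(guid))
	var sn [8]byte
	binary.BigEndian.PutUint64(sn[:], firstSN)
	m.Write(sn[:])
	return m.Sum(nil)
}

// OnHeartbeat advances NextSN when the writer reports older samples as gone.
// With a key configured, a heartbeat without a valid MAC changes nothing.
func (r *Reader) OnHeartbeat(hb Heartbeat) bool {
	if hb.WriterGUID != r.WriterGUID {
		return false
	}
	if r.Key != nil && !hmac.Equal(HeartbeatMAC(r.Key, hb.WriterGUID, hb.FirstSN), hb.MAC) {
		return false
	}
	if hb.FirstSN > r.NextSN {
		r.NextSN = hb.FirstSN
	}
	return true
}

// OnData delivers a sample unless its sequence number is already behind NextSN.
func (r *Reader) OnData(sn uint64) bool {
	if sn < r.NextSN {
		return false // looks like a duplicate of something already passed
	}
	r.NextSN = sn + 1
	return true
}

// Scenario feeds one forged heartbeat (correct GUID, no MAC) followed by the
// writer's genuine sample 5, and reports what the reader did with each.
func Scenario(key []byte) (forgedAccepted, sampleDelivered bool) {
	r := &Reader{WriterGUID: "writer-guid-0001", NextSN: 5, Key: key}
	forgedAccepted = r.OnHeartbeat(Heartbeat{WriterGUID: "writer-guid-0001", FirstSN: 1 << 40})
	sampleDelivered = r.OnData(5)
	return
}

func main() {
	a, d := Scenario(nil)
	fmt.Printf("unprotected: forged heartbeat accepted=%v, sample 5 delivered=%v\n", a, d)
	a, d = Scenario([]byte("constructed-session-key"))
	fmt.Printf("HMAC-protected: forged heartbeat accepted=%v, sample 5 delivered=%v\n", a, d)
}
```
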
Squatting Attack on GUID
• Background:
  – DDS DomainParticipants are identified by a unique GUID; Readers/Writers derive their GUID from it.
  – The GUID uniquely identifies the RTPS sessions and the location of each participant
• Vulnerability:
  – An attacker with legit Identity can authenticate using the GUID of another Participant
  – Attacker will be accepted with “cuckooed” GUID, blocking legitimate Participant from using its GUID
  – Attacker only needs GUID of the Participant to attack, which can be obtained from snooping traffic.

DDS Security covers 4 related concerns
• Security Model
• Security Plugin APIs & Behavior
• DDS & RTPS support for Security
• Builtin Plugins

Security Model Example: UNIX FileSystem (simplified)
• Subjects: Users, specifically processes executing on behalf of a specific userid
• Protected Objects: Files and Directories
• Protected Operations on Objects:
  – Directory.list, Directory.createFile, Directory.createDir, Directory.removeFile, Directory.removeDir, Directory.renameFile
  – File.view, File.modify, File.execute
• Access Control Model:
  – A subject is given a userId and a set of groupId
  – Each object is assigned an OWNER and a GROUP
  – Each Object is given a combination of READ, WRITE, EXECUTE permissions for the assigned OWNER and GROUP
  – Each protected operation is mapped to a check, for example
    • File.view is allowed if and only if
      – File.owner == Subject.userId AND File.permissions(OWNER) includes READ
      – OR File.group IS-IN Subject.groupId[] AND File.permissions(GROUP) includes READ

DDS Security Model

Concept | Unix Filesystem Security Model | DDS Security Model
Subject | User; Process executing for a user | DomainParticipant; Application joining a DDS domain
Protected Objects | Directories; Files | Domain (by domain_id); Topic (by Topic name); DataObjects (by Instance/Key)
Protected Operations | Directory.list; Directory.create (File, Dir); Directory.remove (File, Dir); Directory.rename (File, Dir); File.read, File.write, File.execute | Domain.join; Topic.create; Topic.read (includes QoS); Topic.write (includes QoS); Data.createInstance; Data.writeInstance; Data.deleteInstance
Access Control Policy Control | Fixed in Kernel | Configurable via Plugin
Builtin Access Control Mode | Per-File/Dir Read/Write/Execute permissions for OWNER, GROUP, USERS | Per-DomainParticipant Permissions: What Domains and Topics it can JOIN/READ/WRITE

Support for Security in DDS & RTPS
• DDS Participants need to exchange security information
  – Certificates for Authentication & Permissions
  – Handshake messages for mutual authentication and shared-secret establishment
  – KeyTokens for key-exchange (Including Multicast Key Exchange)
• Some reuse of existing DDS mechanisms
  – Builtin Participant data readers / writers
  – Discovery topic-types
• Addition of secure discovery topics
• Addition of an InterparticipantStatelessWriter/Reader
• Encryption and signatures introduce new RTPS Submessage and Submessage elements
  – SecureSubMessage
  – SecuredData

Pluggable Security Architecture
[Figure: architecture diagram. Labels: App.; Secure DDS middleware; DDS Entities; Data cache; Protocol Engine; Kernel Policies; Secure Kernel; Authentication Plugin; Access Control Plugin; Cryptographic Plugin; Logging Plugin; DataTagging Plugin; Crypto Module (e.g. TPM); certificates; application component; Transport (e.g. UDP); Network Driver; Network; Encrypted Data; MAC; Other DDS System]

Platform Independent Interception Pts + SPIs

Service Plugin | Purpose | Interactions
Authentication | Authenticate the principal that is joining a DDS Domain. Handshake and establish shared secret between participants | The principal may be an application/process or the user associated with that application or process. Participants may exchange messages to do mutual authentication and establish shared secret
Access Control | Decide whether a principal is allowed to perform a protected operation. | Protected operations include joining a specific DDS domain, creating a Topic, reading a Topic, writing a Topic, etc.
Cryptography | Perform the encryption and decryption operations. Create & Exchange Keys. Compute digests, compute and verify Message Authentication Codes. Sign and verify signatures of messages. | Invoked by DDS middleware to encrypt data, compute and verify MAC, compute & verify Digital Signatures
Logging | Log all security relevant events | Invoked by middleware to log
Data Tagging | Add a data tag for each data sample |

Builtin Plugins

SPI | Builtin Plugin | Notes
Authentication | DDS:Auth:PKI-RSA/DSA-DH | Uses PKI with a pre-configured shared Certificate Authority. DSA and Diffie-Hellman for authentication and key exchange. Establishes shared secret
AccessControl | DDS:Access:PKI-Signed-XML-Permissions | Governance Document and Permissions Document. Each signed by shared Certificate Authority
Cryptography | DDS:Crypto:AES-CTR-HMAC-RSA/DSA-DH | Protected key distribution. AES128 and AES256 for encryption (in counter mode). SHA1 and SHA256 for digest. HMAC-SHA1 and HMAC-256 for MAC
DataTagging | Discovered_EndpointTags | Send Tags via Endpoint Discovery
Logging | DedicatedDDS_LogTopic |

DDS Security Flow
[Figure: flowchart. Steps: Create Domain Participant; Create Endpoints; Discover remote DP; Discover remote Endpoints; Message security; Send/Receive data. Decisions: Authenticate DP? (No: Domain Participant Create Fails); Access OK? (No: Endpoint Create Fails); Authenticate Remote DP? (No: Ignore Remote DP); Access OK? (No: Ignore remote endpoint)]

Cryptographic SPI at the wire-protocol level
[Figure: Message Transformation. Before: RTPS Header; RTPS SubMessage; SerializedData. After: RTPS Header; RTPS SubMessage (*); RTPS SubMessage; SecuredData; SerializedData. Arrows: Secure encoding; Secure decoding]

Crypto-AES-CTR-HMAC-RSA/DSA-DH
• Encryption uses AES in counter mode
  – Similar to SRTP, but enhanced to support multiple topics within a single RTPS message and infrastructure services like a relay or persistence
• Use of counter mode turns the AES block cipher into a stream cipher
  – Each DDS sample is separately encrypted and can be decrypted without processing the previous message
    • This is critical to support DDS QoS like history, content filters, best-efforts etc.
• DSA and Diffie-Hellman used for mutual authentication and secure key exchange
MR# 6.5.3

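Per-sample AES counter-mode encryption with an HMAC, as an added Go example (not code from the slides or the specification): each sample's counter block is derived from a session id and sequence number, so any sample decrypts without its predecessors. The `SecuredSample` layout, the counter-block construction and the keys are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SecuredSample is a constructed stand-in for one protected DDS sample; the
// field layout is an assumption of this example, not the SecuredData format.
type SecuredSample struct {
	SessionID  uint32
	SeqNum     uint64
	Ciphertext []byte
	MAC        []byte // HMAC-SHA256 over SessionID, SeqNum and Ciphertext
}

// counterBlock is the initial 16-byte AES-CTR counter for one sample:
// session id (4 bytes), sequence number (8 bytes), block counter (4 bytes, 0).
// A (key, session, sequence number) triple must never be reused.
func counterBlock(session uint32, seq uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint32(iv[0:4], session)
	binary.BigEndian.PutUint64(iv[4:12], seq)
	return iv
}

func sampleMAC(macKey []byte, s SecuredSample) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(counterBlock(s.SessionID, s.SeqNum))
	m.Write(s.Ciphertext)
	return m.Sum(nil)
}

// Protect encrypts one sample on its own, then MACs it (encrypt-then-MAC).
func Protect(encKey, macKey []byte, session uint32, seq uint64, plain []byte) (SecuredSample, error) {
	block, err := aes.NewCipher(encKey) // 16-byte key = AES128, 32-byte = AES256
	if err != nil {
		return SecuredSample{}, err
	}
	s := SecuredSample{SessionID: session, SeqNum: seq, Ciphertext: make([]byte, len(plain))}
	cipher.NewCTR(block, counterBlock(session, seq)).XORKeyStream(s.Ciphertext, plain)
	s.MAC = sampleMAC(macKey, s)
	return s, nil
}

// Unprotect checks the MAC first and only then decrypts. It needs nothing
// from earlier samples, so a late joiner or lossy reader can start anywhere.
func Unprotect(encKey, macKey []byte, s SecuredSample) ([]byte, error) {
	if !hmac.Equal(sampleMAC(macKey, s), s.MAC) {
		return nil, errors.New("MAC mismatch: sample rejected")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(s.Ciphertext))
	cipher.NewCTR(block, counterBlock(s.SessionID, s.SeqNum)).XORKeyStream(plain, s.Ciphertext)
	return plain, nil
}

// LastOfThree protects three samples and decrypts only the third, as a
// best-effort reader would after losing the first two.
func LastOfThree(encKey, macKey []byte) (string, error) {
	var last SecuredSample
	for seq, text := range []string{"WPT1 37.4", "WPT2 10.7", "WPTN 50.2"} {
		s, err := Protect(encKey, macKey, 7, uint64(seq+1), []byte(text))
		if err != nil {
			return "", err
		}
		last = s
	}
	plain, err := Unprotect(encKey, macKey, last)
	return string(plain), err
}

func main() {
	// Keys constructed for the example; real keys come from the key exchange.
	out, err := LastOfThree([]byte("0123456789abcdef"), []byte("constructed-mac-key"))
	fmt.Println(out, err)
}
```
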
Builtin DDS:Auth:PKI-DSA-DH
• Uses shared Certificate Authority (CA)
  – All Participants pre-configured with shared-CA
• Performs mutual authentication between discovered participants using the Digital Signature Algorithm (DSA)
• Establishes a shared secret using Diffie-Hellman.

Remote Participant Authentication
Participants detect each other via discovery and exchange Identity and Permission Tokens (Hashes)

Remote Participant Authentication
Each Participant calls validate_remote_identity(). Participant with highest GUID returns PENDING_HANDSHAKE_REQUEST, the other PENDING_HANDSHAKE_MESSAGE

Remote Participant Authentication
Participant1 creates CHALLENGE1 = “CHALLENGE:<nonce>” and sends message via ParticipantMessageWriter with
messageToken1 := {CHALLENGE1, Identity1, Permissions1}

Remote Participant Authentication
Participant2 validates Identity of Participant1 against CA
Participant2 creates CHALLENGE2 := CHALLENGE:<nonce>
Participant2 sends to Participant1 message with
messageToken2 := { SIGN(HASH(CHALLENGE1#Identity1#Permissions1)), CHALLENGE2, Identity2, Permissions2}

Remote Participant Authentication
Part1 validates Identity of Participant2 against CA
Part1 verifies SIGN(CHALLENGE1) using Participant2’s PK
Part1 computes a SharedSecret
Part1 sends message with contents:
messageToken3 := { ENCRYPT(SharedSecret), SIGN(HASH(CHALLENGE2 # Identity2 # Permissions2 # ENCRYPT(SharedSecret))) }
Encrypt uses Part2’s PK.

Remote Participant Authentication
Part2 verifies SIGN(HASH(CHALLENGE2 # Identity2 # Permissions2 # ENCRYPT(SharedSecret))) using Part1’s PK
Part2 decrypts ENCRYPT(SharedSecret) using its own PK
We have Mutual Authentication and a SharedSecret

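The three-message exchange from the preceding slides, as an added Go example that is not code from the deck or the specification. It assumes RSA for both SIGN and ENCRYPT, SHA-256 for HASH, and a CA signature over subject and key standing in for X.509 validation; `Participant`, `Handshake`, `bind` and the other names are hypothetical, and decryption uses the receiver's RSA private key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Participant: Subject, Pub and CASig stand in for the X.509 identity certificate.
type Participant struct {
	Subject string
	Pub     *rsa.PublicKey
	CASig   []byte // shared CA's signature over Subject and Pub
	Perms   string // stand-in for the signed permissions document
	priv    *rsa.PrivateKey
	ca      *rsa.PublicKey // pre-configured shared CA
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	return k
}

// digest hashes length-prefixed fields; the prefix plays the role of '#'.
func digest(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		fmt.Fprintf(h, "%d:", len(p))
		h.Write(p)
	}
	return h.Sum(nil)
}

func identity(p *Participant) []byte {
	return digest([]byte(p.Subject), p.Pub.N.Bytes(), []byte(fmt.Sprint(p.Pub.E)))
}

// bind computes HASH(CHALLENGE # Identity # Permissions [# extra]).
func bind(challenge []byte, p *Participant, extra ...[]byte) []byte {
	return digest(append([][]byte{challenge, identity(p), []byte(p.Perms)}, extra...)...)
}

func sign(k *rsa.PrivateKey, d []byte) []byte {
	s, err := rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, d)
	check(err)
	return s
}
func verify(k *rsa.PublicKey, d, sig []byte) bool { return rsa.VerifyPKCS1v15(k, crypto.SHA256, d, sig) == nil }
func random(prefix string) []byte {
	b := make([]byte, 32)
	_, err := rand.Read(b)
	check(err)
	return append([]byte(prefix), b...)
}

// NewParticipant creates a key pair and has the CA sign the identity.
func NewParticipant(subject, perms string, ca *rsa.PrivateKey) *Participant {
	k := newKey()
	p := &Participant{Subject: subject, Pub: &k.PublicKey, Perms: perms, priv: k, ca: &ca.PublicKey}
	p.CASig = sign(ca, identity(p))
	return p
}

// Handshake runs the three messages in-process; it returns the secret as held by p1 and by p2.
func Handshake(p1, p2 *Participant) (s1, s2 []byte, err error) {
	c1 := random("CHALLENGE:") // message 1: {c1, Identity1, Permissions1}
	if !verify(p2.ca, identity(p1), p1.CASig) {
		return nil, nil, fmt.Errorf("p2: Identity1 not signed by the shared CA")
	}
	c2 := random("CHALLENGE:") // message 2: {sig1, c2, Identity2, Permissions2}
	sig1 := sign(p2.priv, bind(c1, p1))
	if !verify(p1.ca, identity(p2), p2.CASig) || !verify(p2.Pub, bind(c1, p1), sig1) {
		return nil, nil, fmt.Errorf("p1: Identity2 untrusted or CHALLENGE1 signature invalid")
	}
	s1 = random("")
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, p2.Pub, s1, nil)
	check(err)
	sig2 := sign(p1.priv, bind(c2, p2, enc)) // message 3: {enc, sig2}
	if !verify(p1.Pub, bind(c2, p2, enc), sig2) {
		return nil, nil, fmt.Errorf("p2: CHALLENGE2 signature invalid")
	}
	s2, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, p2.priv, enc, nil)
	return s1, s2, err
}

func main() {
	ca := newKey()
	s1, s2, err := Handshake(NewParticipant("alice", "publish T", ca), NewParticipant("bob", "subscribe T", ca))
	fmt.Println("authenticated:", err == nil && string(s1) == string(s2))
}
```

A participant whose certificate was signed by a different CA, or one that presents a copied certificate without the matching private key, makes `Handshake` return an error instead of a secret.
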
Builtin DDS:AC:PKI SPI
• Configured with:
  – X.509 Certificate of shared Permissions CA
  – The Domain governance signed by the Permissions CA
  – The DomainParticipant permissions signed by the Permissions CA
• The Domain governance configures
  – Which topics shall be secured and how
  – Whether discovery is secured and how
• DomainParticipant permissions
  – Specify which Domain Ids can be joined by the DomainParticipant
  – Specify which Topics can be Read/Written by the DomainParticipant on each DomainId
  – Tie to the SubjectName matching the one on the IdentityCertificate

Example Domain Governance

Configuration possibilities
• Are “legacy” or un-identified applications allowed in the Domain? Yes or No.
  – If yes, unauthenticated applications will:
    • See the “unsecured” discovery Topics
    • Be allowed to read/write the “unsecured” Topics
• Is a particular Topic discovered over protected discovery?
  – If so it can only be seen by “authenticated applications”
• Is access to a particular Topic protected?
  – If so only authenticated applications with the correct permissions can read/write
• Is data on a particular Topic protected? How?
  – If so data will be sent signed or encrypted+signed
• Are all protocol messages signed? Encrypted?
  – If so only authenticated applications with right permissions will see anything

Example Permissions

Secure discovery
• Additional built-in endpoints:
  – DCPSPublicationsSecure
  – DCPSSubscriptionsSecure
• Same discovery topic-data but encrypted & signed
• Operation AccessControl::get_endpoint_security_attributes() controls which Topics use Secure Discovery

Configuration Possibilities
• Is the access to a particular Topic protected?
  – If so only authenticated applications with the correct permissions can read/write
• Is data on a particular Topic protected? How?
  – If so data will be sent signed or encrypted+signed
• Are all protocol messages signed? Encrypted?
  – If so only authenticated applications with right permissions will see anything

More Powerful Than Other Secure Middleware Technologies
• Standard & Interoperable
• Scalable: Supports multicast
• Fine-grain: Control Topic-level aspect
• Flexible: Build your own plugins
• Generic: Works over any Transport
• Transparent: No changes to Application Code!

DDS-Secure Standard Status
• The specification was adopted in March 2014.
  – Considered “Beta” for 1 year
  – RTI chairing the Finalization Task Force
• This specification provides a framework for securing DDS systems. The builtin plugins provide a “common” approach for applications without specialized requirements
  – It is expected that plugins will be developed to match more specialized deployments and integrate with existing infrastructure.

Questions?

Find out more…
dds.omg.org
www.omg.org
www.rti.com
community.rti.com
demo.rti.com
www.youtube.com/realtimeinnovations
blogs.rti.com
www.twitter.com/RealTimeInnov
www.facebook.com/RTIsoftware
www.slideshare.net/GerardoPardo
www.slideshare.net/RealTimeInnovations

apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd454...Chrysostomos Christofi
 
Fighting cyber fraud with hadoop
Fighting cyber fraud with hadoopFighting cyber fraud with hadoop
Fighting cyber fraud with hadoopNiel Dunnage
 
Cloud computing present
Cloud computing presentCloud computing present
Cloud computing presentJames Sutter
 
Checkpoint Portfolio.pptx
Checkpoint Portfolio.pptxCheckpoint Portfolio.pptx
Checkpoint Portfolio.pptxMarioCruz664886
 

Similar to DDS Security (20)

OMG Data-Distribution Service Security
OMG Data-Distribution Service SecurityOMG Data-Distribution Service Security
OMG Data-Distribution Service Security
 
DDS Security: A Security Model Suitable for Net-Centric for Pub-Sub and Data ...
DDS Security: A Security Model Suitable for Net-Centric for Pub-Sub and Data ...DDS Security: A Security Model Suitable for Net-Centric for Pub-Sub and Data ...
DDS Security: A Security Model Suitable for Net-Centric for Pub-Sub and Data ...
 
OMG DDS Security, 3rd revised submission
OMG DDS Security, 3rd revised submissionOMG DDS Security, 3rd revised submission
OMG DDS Security, 3rd revised submission
 
The 5 most dangerous proxies
The 5 most dangerous proxiesThe 5 most dangerous proxies
The 5 most dangerous proxies
 
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
 
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
 
A novel way of integrating voice recognition and one time passwords to preven...
A novel way of integrating voice recognition and one time passwords to preven...A novel way of integrating voice recognition and one time passwords to preven...
A novel way of integrating voice recognition and one time passwords to preven...
 
Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...
 
OMG DDS Security. 4th Revised Submission
OMG DDS Security. 4th Revised SubmissionOMG DDS Security. 4th Revised Submission
OMG DDS Security. 4th Revised Submission
 
Four keys to securing distributed control systems and the industrial (IoT)
Four keys to securing distributed control systems and the industrial (IoT)Four keys to securing distributed control systems and the industrial (IoT)
Four keys to securing distributed control systems and the industrial (IoT)
 
Cisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherCisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better Together
 
secued cloud
 secued cloud secued cloud
secued cloud
 
Fog Computing:The Justifying Insider Data Stealing Attacks in the Cloud
Fog Computing:The Justifying Insider Data Stealing Attacks in the CloudFog Computing:The Justifying Insider Data Stealing Attacks in the Cloud
Fog Computing:The Justifying Insider Data Stealing Attacks in the Cloud
 
apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd454...
apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd454...apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd454...
apl5iy2ftxiwofbhsmxj-signature-584e2459f99b5370bda435f09b42cc84cc8c063b8cd454...
 
Fighting cyber fraud with hadoop
Fighting cyber fraud with hadoopFighting cyber fraud with hadoop
Fighting cyber fraud with hadoop
 
1784 1788
1784 17881784 1788
1784 1788
 
1784 1788
1784 17881784 1788
1784 1788
 
Presentacion Palo Alto Networks
Presentacion Palo Alto NetworksPresentacion Palo Alto Networks
Presentacion Palo Alto Networks
 
Cloud computing present
Cloud computing presentCloud computing present
Cloud computing present
 
Checkpoint Portfolio.pptx
Checkpoint Portfolio.pptxCheckpoint Portfolio.pptx
Checkpoint Portfolio.pptx
 

More from Real-Time Innovations (RTI)

Precise, Predictive, and Connected: DDS and OPC UA – Real-Time Connectivity A...
Precise, Predictive, and Connected: DDS and OPC UA – Real-Time Connectivity A...Precise, Predictive, and Connected: DDS and OPC UA – Real-Time Connectivity A...
Precise, Predictive, and Connected: DDS and OPC UA – Real-Time Connectivity A...Real-Time Innovations (RTI)
 
The Inside Story: How the IIC’s Connectivity Framework Guides IIoT Connectivi...
The Inside Story: How the IIC’s Connectivity Framework Guides IIoT Connectivi...The Inside Story: How the IIC’s Connectivity Framework Guides IIoT Connectivi...
The Inside Story: How the IIC’s Connectivity Framework Guides IIoT Connectivi...Real-Time Innovations (RTI)
 
The Inside Story: Leveraging the IIC's Industrial Internet Security Framework
The Inside Story: Leveraging the IIC's Industrial Internet Security FrameworkThe Inside Story: Leveraging the IIC's Industrial Internet Security Framework
The Inside Story: Leveraging the IIC's Industrial Internet Security FrameworkReal-Time Innovations (RTI)
 
ISO 26262 Approval of Automotive Software Components
ISO 26262 Approval of Automotive Software ComponentsISO 26262 Approval of Automotive Software Components
ISO 26262 Approval of Automotive Software ComponentsReal-Time Innovations (RTI)
 
The Low-Risk Path to Building Autonomous Car Architectures
The Low-Risk Path to Building Autonomous Car ArchitecturesThe Low-Risk Path to Building Autonomous Car Architectures
The Low-Risk Path to Building Autonomous Car ArchitecturesReal-Time Innovations (RTI)
 
How to Design Distributed Robotic Control Systems
How to Design Distributed Robotic Control SystemsHow to Design Distributed Robotic Control Systems
How to Design Distributed Robotic Control SystemsReal-Time Innovations (RTI)
 
Fog Computing is the Future of the Industrial Internet of Things
Fog Computing is the Future of the Industrial Internet of ThingsFog Computing is the Future of the Industrial Internet of Things
Fog Computing is the Future of the Industrial Internet of ThingsReal-Time Innovations (RTI)
 
Space Rovers and Surgical Robots: System Architecture Lessons from Mars
Space Rovers and Surgical Robots: System Architecture Lessons from MarsSpace Rovers and Surgical Robots: System Architecture Lessons from Mars
Space Rovers and Surgical Robots: System Architecture Lessons from MarsReal-Time Innovations (RTI)
 
Learn About FACE Aligned Reference Platform: Built on COTS and DO-178C Certif...
Learn About FACE Aligned Reference Platform: Built on COTS and DO-178C Certif...Learn About FACE Aligned Reference Platform: Built on COTS and DO-178C Certif...
Learn About FACE Aligned Reference Platform: Built on COTS and DO-178C Certif...Real-Time Innovations (RTI)
 
How the fusion of time sensitive networking, time-triggered ethernet and data...
How the fusion of time sensitive networking, time-triggered ethernet and data...How the fusion of time sensitive networking, time-triggered ethernet and data...
How the fusion of time sensitive networking, time-triggered ethernet and data...Real-Time Innovations (RTI)
 
Cybersecurity Spotlight: Looking under the Hood at Data Breaches and Hardenin...
Cybersecurity Spotlight: Looking under the Hood at Data Breaches and Hardenin...Cybersecurity Spotlight: Looking under the Hood at Data Breaches and Hardenin...
Cybersecurity Spotlight: Looking under the Hood at Data Breaches and Hardenin...Real-Time Innovations (RTI)
 
Data Distribution Service Security and the Industrial Internet of Things
Data Distribution Service Security and the Industrial Internet of ThingsData Distribution Service Security and the Industrial Internet of Things
Data Distribution Service Security and the Industrial Internet of ThingsReal-Time Innovations (RTI)
 
Developing Mission-Critical Avionics and Defense Systems with Ada and DDS
Developing Mission-Critical Avionics and Defense Systems with Ada and DDSDeveloping Mission-Critical Avionics and Defense Systems with Ada and DDS
Developing Mission-Critical Avionics and Defense Systems with Ada and DDSReal-Time Innovations (RTI)
 
Slash Avionics Integration Costs with DO-178C Certifiable Connectivity Software
Slash Avionics Integration Costs with DO-178C Certifiable Connectivity SoftwareSlash Avionics Integration Costs with DO-178C Certifiable Connectivity Software
Slash Avionics Integration Costs with DO-178C Certifiable Connectivity SoftwareReal-Time Innovations (RTI)
 

More from Real-Time Innovations (RTI) (20)

A Tour of RTI Applications
A Tour of RTI ApplicationsA Tour of RTI Applications
A Tour of RTI Applications
 
Precise, Predictive, and Connected: DDS and OPC UA – Real-Time Connectivity A...
Precise, Predictive, and Connected: DDS and OPC UA – Real-Time Connectivity A...Precise, Predictive, and Connected: DDS and OPC UA – Real-Time Connectivity A...
Precise, Predictive, and Connected: DDS and OPC UA – Real-Time Connectivity A...
 
The Inside Story: How the IIC’s Connectivity Framework Guides IIoT Connectivi...
The Inside Story: How the IIC’s Connectivity Framework Guides IIoT Connectivi...The Inside Story: How the IIC’s Connectivity Framework Guides IIoT Connectivi...
The Inside Story: How the IIC’s Connectivity Framework Guides IIoT Connectivi...
 
The Inside Story: Leveraging the IIC's Industrial Internet Security Framework
The Inside Story: Leveraging the IIC's Industrial Internet Security FrameworkThe Inside Story: Leveraging the IIC's Industrial Internet Security Framework
The Inside Story: Leveraging the IIC's Industrial Internet Security Framework
 
ISO 26262 Approval of Automotive Software Components
ISO 26262 Approval of Automotive Software ComponentsISO 26262 Approval of Automotive Software Components
ISO 26262 Approval of Automotive Software Components
 
The Low-Risk Path to Building Autonomous Car Architectures
The Low-Risk Path to Building Autonomous Car ArchitecturesThe Low-Risk Path to Building Autonomous Car Architectures
The Low-Risk Path to Building Autonomous Car Architectures
 
How to Design Distributed Robotic Control Systems
How to Design Distributed Robotic Control SystemsHow to Design Distributed Robotic Control Systems
How to Design Distributed Robotic Control Systems
 
Fog Computing is the Future of the Industrial Internet of Things
Fog Computing is the Future of the Industrial Internet of ThingsFog Computing is the Future of the Industrial Internet of Things
Fog Computing is the Future of the Industrial Internet of Things
 
Cyber Security for the Connected Car
Cyber Security for the Connected Car Cyber Security for the Connected Car
Cyber Security for the Connected Car
 
Space Rovers and Surgical Robots: System Architecture Lessons from Mars
Space Rovers and Surgical Robots: System Architecture Lessons from MarsSpace Rovers and Surgical Robots: System Architecture Lessons from Mars
Space Rovers and Surgical Robots: System Architecture Lessons from Mars
 
Advancing Active Safety for Next-Gen Automotive
Advancing Active Safety for Next-Gen AutomotiveAdvancing Active Safety for Next-Gen Automotive
Advancing Active Safety for Next-Gen Automotive
 
Learn About FACE Aligned Reference Platform: Built on COTS and DO-178C Certif...
Learn About FACE Aligned Reference Platform: Built on COTS and DO-178C Certif...Learn About FACE Aligned Reference Platform: Built on COTS and DO-178C Certif...
Learn About FACE Aligned Reference Platform: Built on COTS and DO-178C Certif...
 
How the fusion of time sensitive networking, time-triggered ethernet and data...
How the fusion of time sensitive networking, time-triggered ethernet and data...How the fusion of time sensitive networking, time-triggered ethernet and data...
How the fusion of time sensitive networking, time-triggered ethernet and data...
 
Secrets of Autonomous Car Design
Secrets of Autonomous Car DesignSecrets of Autonomous Car Design
Secrets of Autonomous Car Design
 
Cybersecurity Spotlight: Looking under the Hood at Data Breaches and Hardenin...
Cybersecurity Spotlight: Looking under the Hood at Data Breaches and Hardenin...Cybersecurity Spotlight: Looking under the Hood at Data Breaches and Hardenin...
Cybersecurity Spotlight: Looking under the Hood at Data Breaches and Hardenin...
 
Data Distribution Service Security and the Industrial Internet of Things
Data Distribution Service Security and the Industrial Internet of ThingsData Distribution Service Security and the Industrial Internet of Things
Data Distribution Service Security and the Industrial Internet of Things
 
Developing Mission-Critical Avionics and Defense Systems with Ada and DDS
Developing Mission-Critical Avionics and Defense Systems with Ada and DDSDeveloping Mission-Critical Avionics and Defense Systems with Ada and DDS
Developing Mission-Critical Avionics and Defense Systems with Ada and DDS
 
IoT and M2M Safety and Security
IoT and M2M Safety and Security 	IoT and M2M Safety and Security
IoT and M2M Safety and Security
 
Slash Avionics Integration Costs with DO-178C Certifiable Connectivity Software
Slash Avionics Integration Costs with DO-178C Certifiable Connectivity SoftwareSlash Avionics Integration Costs with DO-178C Certifiable Connectivity Software
Slash Avionics Integration Costs with DO-178C Certifiable Connectivity Software
 
Tech Mahindra - Connected Engineering
Tech Mahindra - Connected EngineeringTech Mahindra - Connected Engineering
Tech Mahindra - Connected Engineering
 

Recently uploaded

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 

Recently uploaded (20)

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 

DDS Security

  • 1. DDS Security. Gerardo Pardo-Castellote, Ph.D., Chief Technology Officer, RTI. October 2014
  • 2. © 2014 Real-Time Innovations, Inc.
  • 3. Data-Centric QoS-Aware Pub-Sub Model
      Virtual, decentralized global data space; Persistence Service; Recording Service; CRUD operations

      | Source (Key) | Speed | Power  | Phase  |
      |--------------|-------|--------|--------|
      | WPT1         | 37.4  | 122.0  | -12.20 |
      | WPT2         | 10.7  | 74.0   | -12.23 |
      | WPTN         | 50.2  | 150.07 | -11.98 |
  • 4. Is there a Conflict?
      • Security…
          – desires to restrict communication to only happen between authorized subjects
          – requires confidentiality so that only communicating subjects see the information
      • PubSub/DDS
          – attempts to create a ‘global information space’ where anybody can access the information it needs
          – de-couples communications so publishers are unaware of subscribers and vice-versa
  • 5. No Conflict: Security in the Global Information Space
      The key is to use a net-centric security model
      • Publishers are decoupled from subscribers via the Global Information Space
          – This does not mean loss of access control to the information
          – It means that the Information Space must have an associated security model
      • DDS can use standard PKI and cryptographic techniques to enforce the security policies
      • The situation is analogous to access control policies in a file system
  • 6. Security Terms: a Safe-Deposit Box
      • Authentication: The bank knows who you are; you must show ID.
      • Access Control: The bank only lets those on an access list into your box.
      • Confidentiality: You are alone in the room. Nobody can see the contents of the box.
      • Integrity: The box is sealed. If anybody touches it you will know.
      • Non repudiation: You sign when you come in and out so you can’t claim that you weren’t there.
      • Availability: The bank is always open.
  • 7. Threats
      1. Unauthorized subscription
      2. Unauthorized publication
      3. Tampering and replay
      4. Unauthorized access to data by infrastructure services
      – Alice: Allowed to publish topic T
      – Bob: Allowed to subscribe to topic T
      – Eve: Non-authorized eavesdropper
      – Trudy: Intruder
      – Trent: Trusted infrastructure service
      – Mallory: Malicious insider
  • 8. Data-centric/multicast Insider Threats
      • Two insider threats affecting (multicast) data-centric systems are of unique significance
          1. Reader mis-behaves as unauthorized writer: an application uses knowledge gained as authorized reader to spoof the system as a writer
          2. Compromise of Infrastructure Service: a service that is trusted to read and write data on behalf of others (e.g. a persistence service) becomes compromised
  • 9. Session Sequence Number Attack
      • Background:
          – Reliable protocols rely on a session_id and a sequence number to avoid duplicates and detect message loss
          – RTPS protocol can use GAP messages and HeartBeat messages to advance the session (DataWriter) sequence number
      • Vulnerability:
          – An attacker can spoof a packet with the session ID and Heartbeat/GAP, causing the DataReader to advance the session sequence numbers and blocking future message reception
          – Attacker only needs GUID of the DataWriter to attack, which can be obtained from snooping traffic.
          – Attack can be used to prevent the Authentication of legitimate Participants
  • 10. Squatting Attack on GUID
      • Background:
          – DDS DomainParticipants are identified by a unique GUID; Readers/Writers derive their GUID from it.
          – The GUID uniquely identifies the RTPS sessions and the location of each participant
      • Vulnerability:
          – An attacker with legit Identity can authenticate using the GUID of another Participant
          – Attacker will be accepted with “cuckooed” GUID, blocking legitimate Participant from using its GUID
          – Attacker only needs GUID of the Participant to attack, which can be obtained from snooping traffic.
  • 11. DDS Security covers 4 related concerns
      – Security Model
      – Security Plugin APIs & Behavior
      – DDS & RTPS support for Security
      – Builtin Plugins
  • 12. Security Model Example: UNIX FileSystem (simplified)
      • Subjects: Users, specifically processes executing on behalf of a specific userid
      • Protected Objects: Files and Directories
      • Protected Operations on Objects:
          – Directory.list, Directory.createFile, Directory.createDir, Directory.removeFile, Directory.removeDir, Directory.renameFile
          – File.view, File.modify, File.execute
      • Access Control Model:
          – A subject is given a userId and a set of groupId
          – Each object is assigned a OWNER and a GROUP
          – Each Object is given a combination of READ, WRITE, EXECUTE permissions for the assigned OWNER and GROUP
          – Each protected operation is mapped to a check, for example
              • File.view is allowed if and only if
                  – File.owner == Subject.userId AND File.permissions(OWNER) includes READ
                  – OR File.group IS-IN Subject.groupId[] AND File.permissions(GROUP) includes READ
  • 13. DDS Security Model

      | Concept | Unix Filesystem Security Model | DDS Security Model |
      |---------|--------------------------------|--------------------|
      | Subject | User; Process executing for a user | DomainParticipant; Application joining a DDS domain |
      | Protected Objects | Directories; Files | Domain (by domain_id); Topic (by Topic name); DataObjects (by Instance/Key) |
      | Protected Operations | Directory.list, Directory.create (File, Dir), Directory.remove (File, Dir), Directory.rename (File, Dir), File.read, File.write, File.execute | Domain.join, Topic.create, Topic.read (includes QoS), Topic.write (includes QoS), Data.createInstance, Data.writeInstance, Data.deleteInstance |
      | Access Control Policy Control | Fixed in Kernel | Configurable via Plugin |
      | Builtin Access Control Mode | Per-File/Dir Read/Write/Execute permissions for OWNER, GROUP, USERS | Per-DomainParticipant Permissions: What Domains and Topics it can JOIN/READ/WRITE |

      © 2012 Real-Time Innovations, Inc. - All rights reserved
  • 14. Support for Security in DDS & RTPS
      • DDS Participants need to exchange security information
          – Certificates for Authentication & Permissions
          – Handshake messages for mutual authentication and shared-secret establishment
          – KeyTokens for key-exchange (Including Multicast Key Exchange)
      • Some reuse of existing DDS mechanisms
          – Builtin Participant data readers / writers
          – Discovery topic-types
      • Addition of secure discovery topics
      • Addition of an InterparticipantStatelessWriter/Reader
      • Encryption and signatures introduce new RTPS Submessage and Submessage elements
          – SecureSubMessage
          – SecuredData
  • 15. Pluggable Security Architecture [Diagram. Labels: applications (App.); secure DDS middleware with DDS Entities, data cache, protocol engine and kernel policies; Authentication Plugin, Access Control Plugin, Cryptographic Plugin, Logging Plugin, DataTagging Plugin; secure kernel; certificates; crypto module (e.g. TPM); transport (e.g. UDP); network driver; network carrying encrypted data and MAC to other DDS systems.]
  • 16. Platform Independent Interception Pts + SPIs (Service Plugin: Purpose / Interactions)
      • Authentication
          – Purpose: Authenticate the principal that is joining a DDS Domain. Handshake and establish shared secret between participants.
          – Interactions: The principal may be an application/process or the user associated with that application or process. Participants may exchange messages to do mutual authentication and establish a shared secret.
      • Access Control
          – Purpose: Decide whether a principal is allowed to perform a protected operation.
          – Interactions: Protected operations include joining a specific DDS domain, creating a Topic, reading a Topic, writing a Topic, etc.
      • Cryptography
          – Purpose: Perform the encryption and decryption operations. Create & exchange keys. Compute digests, compute and verify Message Authentication Codes. Sign and verify signatures of messages.
          – Interactions: Invoked by DDS middleware to encrypt data, compute and verify MAC, compute & verify Digital Signatures.
      • Logging
          – Purpose: Log all security relevant events.
          – Interactions: Invoked by middleware to log.
      • Data Tagging
          – Purpose: Add a data tag for each data sample.
  • 17. Builtin Plugins (SPI: Builtin Plugin / Notes)
      • Authentication: DDS:Auth:PKI-RSA/DSA-DH
          – Uses PKI with a pre-configured shared Certificate Authority
          – DSA and Diffie-Hellman for authentication and key exchange
          – Establishes shared secret
      • AccessControl: DDS:Access:PKI-Signed-XML-Permissions
          – Governance Document and Permissions Document
          – Each signed by shared Certificate Authority
      • Cryptography: DDS:Crypto:AES-CTR-HMAC-RSA/DSA-DH
          – Protected key distribution
          – AES128 and AES256 for encryption (in counter mode)
          – SHA1 and SHA256 for digest
          – HMAC-SHA1 and HMAC-256 for MAC
      • DataTagging: Discovered_EndpointTags
          – Send Tags via Endpoint Discovery
      • Logging: DedicatedDDS_LogTopic
  • 18. DDS Security Flow [Flowchart. Steps: Create Domain Participant; Create Endpoints; Discover remote DP; Discover remote Endpoints; Message security; Send/Receive data. Decisions: Authenticate DP? (No: Domain Participant Create Fails); Access OK? (No: Endpoint Create Fails); Authenticate Remote DP? (No: Ignore Remote DP); Access OK? (No: Ignore remote endpoint).]
  • 19. Cryptographic SPI at the wire-protocol level: Message Transformation [Diagram. An RTPS message (RTPS Header followed by RTPS SubMessages carrying SerializedData) is turned by secure encoding into an RTPS Header followed by RTPS SubMessages (*) carrying SecuredData that wraps the SerializedData; secure decoding reverses the transformation.]
  • 20. Crypto-AES-CTR-HMAC-RSA/DSA-DH
      • Encryption uses AES in counter mode
          – Similar to SRTP, but enhanced to support multiple topics within a single RTPS message and infrastructure services like a relay or persistence
      • Use of counter mode turns the AES block cipher into a stream cipher
          – Each DDS sample is separately encrypted and can be decrypted without processing the previous message
      • This is critical to support DDS QoS like history, content filters, best-efforts etc.
      • DSA and Diffie-Hellman used for mutual authentication and secure key exchange
      MR# 6.5.3
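The per-sample property on slide 20, shown as an added example that is not part of the slides or of any DDS implementation: each sample is encrypted with AES-128 in counter mode under its own counter block and authenticated with HMAC-SHA256, so a reader can open one sample without having seen the earlier ones. The counter-block layout, key handling and function names are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Constructed session material; in a real system it comes from the key exchange.
const encKey = crypto.randomBytes(16);    // AES-128 key
const macKey = crypto.randomBytes(32);    // HMAC-SHA256 key
const sessionId = crypto.randomBytes(8);  // hypothetical per-writer prefix

// Initial counter block: 8-byte session id | 4-byte sample sequence number | 4-byte block
// counter starting at 0. Hypothetical layout, not the wire format of the specification.
// A (key, counter block) pair must never repeat, so each sample gets its own sequence number.
function counterBlock(seq) {
  const block = Buffer.alloc(16);
  sessionId.copy(block, 0);
  block.writeUInt32BE(seq, 8);
  return block;
}

function macOver(seq, ciphertext) {
  const header = Buffer.alloc(4);
  header.writeUInt32BE(seq);
  return crypto.createHmac("sha256", macKey).update(header).update(ciphertext).digest();
}

// Writer side: encrypt one sample, then MAC the sequence number and ciphertext.
function protectSample(seq, plaintext) {
  const cipher = crypto.createCipheriv("aes-128-ctr", encKey, counterBlock(seq));
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { seq, ciphertext, mac: macOver(seq, ciphertext) };
}

// Reader side: verify the MAC first, then decrypt using only this sample's own counter.
function openSample({ seq, ciphertext, mac }) {
  if (!crypto.timingSafeEqual(mac, macOver(seq, ciphertext))) {
    throw new Error("MAC verification failed for sample " + seq);
  }
  const decipher = crypto.createDecipheriv("aes-128-ctr", encKey, counterBlock(seq));
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
}

// Constructed samples; the reader only ever receives the third one (e.g. best-effort loss).
const sent = ["WPT1 37.4", "WPT2 10.7", "WPTN 50.2"].map((s, i) => protectSample(i + 1, s));
console.log(openSample(sent[2]));
```

Because the MAC covers the sequence number, a ciphertext replayed under a different sequence number is rejected before any decryption happens.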
  • 21. Builtin DDS:Auth:PKI-DSA-DH
      • Uses shared Certificate Authority (CA)
          – All Participants pre-configured with shared-CA
      • Performs mutual authentication between discovered participants using the Digital Signature Algorithm (DSA)
      • Establishes a shared secret using Diffie-Hellman.
  • 22. Remote Participant Authentication: Participants detect each other via discovery and exchange Identity and Permission Tokens (Hashes)
  • 23. Remote Participant Authentication: Each Participant calls validate_remote_identity(). Participant with highest GUID returns PENDING_HANDSHAKE_REQUEST, the other PENDING_HANDSHAKE_MESSAGE
  • 24. Remote Participant Authentication: Participant1 creates CHALLENGE1 = “CHALLENGE:<nonce>” and sends message via ParticipantMessageWriter with messageToken1 := {CHALLENGE1, Identity1, Permissions1}
  • 25. Remote Participant Authentication
      • Participant2 validates Identity of Participant1 against CA
      • Participant2 creates CHALLENGE2 := CHALLENGE:<nonce>
      • Participant2 sends to Participant1 message with messageToken2 := { SIGN(HASH(CHALLENGE1#Identity1#Permissions1)), CHALLENGE2, Identity2, Permissions2 }
  • 26. Remote Participant Authentication
      • Part1 validates Identity of Participant2 against CA
      • Part1 verifies SIGN(CHALLENGE1) using Participant2’s PK
      • Part1 computes a SharedSecret
      • Part1 sends message with contents: messageToken3 := { ENCRYPT(SharedSecret), SIGN(HASH(CHALLENGE2 # Identity2 # Permissions2 # ENCRYPT(SharedSecret))) }
      • Encrypt uses Part2’s PK.
  • 27. Remote Participant Authentication
      • Part2 verifies SIGN(HASH(CHALLENGE2#Identity2#Permissions2#ENCRYPT(SharedSecret))) using Part1’s PK
      • Part2 decrypts ENCRYPT(SharedSecret) using its own PK
      • We have Mutual Authentication and a SharedSecret
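The three-message exchange from slides 24 to 27, written out as an added example that is not part of the slides or of any DDS implementation. It assumes RSA key pairs for both signing and encryption, models SIGN(HASH(x)) as an RSA signature over SHA-256, joins fields with "#", and does not model the validation of identities against the shared CA; the identity and permissions strings are constructed placeholders.

```javascript
const crypto = require("crypto");

// Constructed RSA key pairs stand in for the participants' identity keys (assumption).
const newKeys = () => crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const p1 = { keys: newKeys(), identity: "CN=Participant1", permissions: "permissions-doc-1" };
const p2 = { keys: newKeys(), identity: "CN=Participant2", permissions: "permissions-doc-2" };

const newChallenge = () => "CHALLENGE:" + crypto.randomBytes(16).toString("hex");
// SIGN(HASH(a#b#...)): crypto.sign hashes the joined fields with SHA-256 and signs the digest.
const signOver = (priv, ...f) => crypto.sign("sha256", Buffer.from(f.join("#")), priv);
const verifyOver = (pub, sig, ...f) => crypto.verify("sha256", Buffer.from(f.join("#")), pub, sig);

function handshake({ tamperChallenge2 = false } = {}) {
  // Message 1 (Participant1 -> Participant2): fresh challenge, identity, permissions.
  const t1 = { challenge: newChallenge(), identity: p1.identity, permissions: p1.permissions };

  // Message 2 (Participant2 -> Participant1): signature over message 1 plus a new challenge.
  const c2 = newChallenge(); // Participant2 keeps its own copy to check message 3 against
  const t2 = {
    sig: signOver(p2.keys.privateKey, t1.challenge, t1.identity, t1.permissions),
    challenge: c2, identity: p2.identity, permissions: p2.permissions,
  };
  if (tamperChallenge2) t2.challenge = newChallenge(); // constructed change in transit

  // Participant1 checks that its own fresh challenge was signed, then wraps a shared secret.
  if (!verifyOver(p2.keys.publicKey, t2.sig, t1.challenge, t1.identity, t1.permissions)) {
    return { ok: false, failedAt: "message2" };
  }
  const secret1 = crypto.randomBytes(32);
  const wrapped = crypto.publicEncrypt(p2.keys.publicKey, secret1).toString("base64");
  const t3 = {
    wrapped,
    sig: signOver(p1.keys.privateKey, t2.challenge, t2.identity, t2.permissions, wrapped),
  };

  // Participant2 verifies against the challenge it issued, then unwraps the secret.
  if (!verifyOver(p1.keys.publicKey, t3.sig, c2, p2.identity, p2.permissions, t3.wrapped)) {
    return { ok: false, failedAt: "message3" };
  }
  const secret2 = crypto.privateDecrypt(p2.keys.privateKey, Buffer.from(t3.wrapped, "base64"));
  return { ok: true, secretsMatch: crypto.timingSafeEqual(secret1, secret2) };
}

console.log(handshake(), handshake({ tamperChallenge2: true }));
```

Each side verifies the signature against the challenge it generated itself rather than the copy echoed back, which is why the altered CHALLENGE2 is caught at message 3.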
  • 28. Builtin DDS:AC:PKI SPI
      • Configured with:
          – X.509 Certificate of shared Permissions CA
          – The Domain governance signed by the Permissions CA
          – The DomainParticipant permissions signed by the Permissions CA
      • The Domain governance configures
          – Which topics shall be secured and how
          – Whether discovery is secured and how
      • DomainParticipant permissions
          – Specifies which Domain Ids can be joined by the DomainParticipant
          – Specifies which Topics can be Read/Written by the DomainParticipant on each DomainId
          – Ties to the SubjectName matching the one on the IdentityCertificate
  • 29. Example Domain Governance
  • 30. Configuration possibilities
      • Are “legacy” or un-identified applications allowed in the Domain? Yes or No.
          – If yes, unauthenticated applications will:
              • See the “unsecured” discovery Topics
              • Be allowed to read/write the “unsecured” Topics
      • Is a particular Topic discovered over protected discovery?
          – If so it can only be seen by “authenticated applications”
      • Is access to a particular Topic protected?
          – If so only authenticated applications with the correct permissions can read/write
      • Is data on a particular Topic protected? How?
          – If so data will be sent signed or encrypted+signed
      • Are all protocol messages signed? Encrypted?
          – If so only authenticated applications with right permissions will see anything
  • 31. Example Permissions
  • 32. Secure discovery
      • Additional built-in endpoints:
          – DCPSPublicationsSecure
          – DCPSSubscriptionsSecure
      • Same discovery topic-data but encrypted & signed
      • Operation AccessControl::get_endpoint_security_attributes() controls which Topics use Secure Discovery
  • 33. Configuration Possibilities
      • Is the access to a particular Topic protected?
          – If so only authenticated applications with the correct permissions can read/write
      • Is data on a particular Topic protected? How?
          – If so data will be sent signed or encrypted+signed
      • Are all protocol messages signed? Encrypted?
          – If so only authenticated applications with right permissions will see anything
  • 34. More Powerful Than Other Secure Middleware Technologies
      • Standard & Interoperable
      • Scalable: Supports multicast
      • Fine-grain: Control Topic-level aspect
      • Flexible: Build your own plugins
      • Generic: Works over any Transport
      • Transparent: No changes to Application Code!
  • 35. DDS-Secure Standard Status
      • The specification was adopted in March 2014.
          – Considered “Beta” for 1 year
          – RTI chairing the Finalization Task Force
      • This specification provides a framework for securing DDS systems. The builtin plugins provide a “common” approach for applications without specialized requirements
          – It is expected that plugins will be developed to match more specialized deployments and integrate with existing infrastructure.
  • 36. Questions?
  • 37. Find out more…
      • dds.omg.org
      • www.omg.org
      • www.rti.com
      • community.rti.com
      • demo.rti.com
      • www.youtube.com/realtimeinnovations
      • blogs.rti.com
      • www.twitter.com/RealTimeInnov
      • www.facebook.com/RTIsoftware
      • www.slideshare.net/GerardoPardo
      • www.slideshare.net/RealTimeInnovations