DDS Security 1.2,
What’s new?
Gerardo Pardo
CTO, Real-Time Innovations (RTI)
May 2, 2024
www.rti.com/
DDS Foundation
Vendor-neutral, collaborative nonprofit formed to grow DDS usage
● Collaborative initiative with the OMG DDS Special Interest Group (SIG)
● DDS Users, Government Institutions, Researchers, Universities,
Vendors
Mission: Promote the adoption, interoperability and success of DDS family
of standards to a wider user community
Goals:
● Drive future requirements for the DDS standard
● Define industry-specific data models and adaptations of DDS
● Test vendor interoperability
● Provide industry education and resources
www.dds-foundation.org
Upcoming DDS Foundation Events
● June 10 - 15th Updated DDS Interoperability Test results
● August 24th, (Webinar) The Past, Present and Future of the
DDS Standard
www.dds-foundation.org
© 2024 Object Management Group
Agenda
• Opening Comments
• DDS Security Background
• What’s new in DDS Security 1.2?
• Q&A
DDS Security background
Expanding and Improving specification family
[Figure: timeline of the DDS specification family, 2004 to 2024. Specifications shown: DDS, DDS 1.1, DDS 1.2, DDS-RTPS 2.0, DDS-RTPS 2.1, DDS-RTPS 2.2, DDS-RTPS 2.5, DDS-XTYPES, DDS-XTYPES 1.3, DDS-C++, DDS-Java, DDS-RPC, DDS-XML, DDS-WEB, DDS-XRCE, DDS-TSN, DDS-JSON, OPCUA/DDS Gateway, DDS OPCUA, IDL 4.1, IDL 4.2, IDL4-JAVA, IDL4-C#, IDL4-C++, DDS-Security beta, DDS-Security 1.0, DDS-Security 1.1, DDS-Security 1.2]
Source: Real-Time Innovations (RTI)
DDS Communication Model (Pub/Sub)
[Figure: a DDS DOMAIN containing Topic A, Topic B, Topic C and Topic D, each with its own QoS, and a content Filter]
Topic B : “Turbine State”
Source (Key) Speed Power Phase
WPT1 37.4 122.0 -12.20
WPT2 10.7 74.0 -12.23
WPTN 50.2 150.07 -11.98
Topic-Based
Data-Centric
- Instance Lifecycle
- Data Cache
Content awareness and filters
DDS Communication Model (RPC)
[Figure: a DDS DOMAIN with Service A, Service B and Service C, linked to applications by “Implements” and “Uses” relations]
- Styles: Request/Reply Style or Functional (Interface/operations)
- One-to-One or One-to-Many
DDS: Data-Centric, Fine-Grained Security
©2017 Real-Time Innovations, Inc.
• Per-Data-Topic Security
• Control read/write access for each Topic
• Uses different keys per Topic
• Per topic selection of encrypt vs sign
• Complete Protection
• Discovery authentication
• Data-centric access control
• Cryptography
• Tagging & logging
• Non-repudiation
• Secure multicast
• 100% standards compliant
[Figure: Applications (ECU, Analysis, Control, Operator) connected to Data Topics (State, Alarms, SetPoint)]
Data Topic Security model:
• ECU: State(w)
• Analysis: State(r); Alarms(w)
• Control: State(r), SetPoint(w)
• Operator: *(r), SetPoint(w)
Zero-Trust, End to End Security
• Participants use self-generated keys for each of their own Data Writers/Readers
• Participants mutually authenticate each other
• Use of signed certificates and PKI
• Signed Permissions establish access
• Signed Governance establishes policy
• Participant Pairwise Ephemeral Key is Established
• Perfect Forward Secrecy
• Participants Share their own keys with authorized receivers
• Zero trust
• End-to-end security is achieved without needing to trust or share keys with any intermediary
RTPS
What’s New?
• New Cryptographic Algorithms (NSA approved for TOP SECRET)
• Pre-Shared Keys (Hardening against DoS)
• Key Revisions
• Other Enhancements
(DDS-Security 1.2)
New Cryptographic Algorithms
Meets CNSSP-15 standard for NSS, NSA TOP-SECRET
[Figure: table of cryptographic algorithms; one row is marked “DDS SEC 1.0 – 1.2” and four rows are marked “DDS SEC 1.2”]
DDS-Security 1.2 Built-in Algorithms
Family | Purpose | Algorithms | Notes
Symmetric Cipher | Authenticated Encryption with Additional Authenticated Data (AEAD) | AES128+GCM; AES256+GCM | 128 and 256 bit strength
Digital Signature | Mutual Authentication; Certificate (Identity, Permissions) Authenticity | RSASSA-PSS-MGF1SHA256+2048+SHA256; RSASSA-PKCS1-V1_5+2048+SHA256; ECDSA+P256+SHA256; ECDSA+P384+SHA384 | RSA with 2048 bit keys (112 bit strength); Elliptic-Curve (ECC) with 256 and 384 bit keys (128 and 192 bit strength)
Key Establishment | Establish a shared/secret; Provide encrypted point-to-point channel with perfect Forward Secrecy | DHE+MODP-2048-256; ECDHE-CEUM+P256; ECDHE-CEUM+P384 | Diffie-Hellman and Elliptic-Curve Diffie-Hellman with 256 and 384 bit keys (128 and 192 bit strength)
Hashing | Cryptographically strong Hashing | SHA256; SHA384 | 256 and 384 bit hash functions (128 and 192 bit strength)
• Meets CNSS policy to protect National Security Systems (NSS)
• Satisfy NSA requirements for TOP SECRET
Framework for Crypto Algorithm Support
• Framework for algorithm support
• Control over which algorithms may be used in a system
• Determines algorithm compatibility between participants
• Plugins may support per-writer configuration of the algorithm
• Support for future algorithm additions
<allowed_crypto_algorithms>
    <digital_signature>
        <algorithm>RSASSA-PSS-MGF1SHA256+2048+SHA256</algorithm>
        <algorithm>ECDSA+P256+SHA256</algorithm>
        <algorithm>ECDSA+P384+SHA384</algorithm>
    </digital_signature>
    <digital_signature_identity_trust_chain>
        <algorithm>ECDSA+P256+SHA256</algorithm>
        <algorithm>ECDSA+P384+SHA384</algorithm>
    </digital_signature_identity_trust_chain>
    <key_establishment>
        <algorithm>DHE+MODP-2048-256</algorithm>
        <algorithm>ECDHE-CEUM+P256</algorithm>
        <algorithm>ECDHE-CEUM+P384</algorithm>
    </key_establishment>
    <symmetric_cipher>
        <algorithm>AES128+GCM</algorithm>
        <algorithm>AES256+GCM</algorithm>
    </symmetric_cipher>
</allowed_crypto_algorithms>
Snippet from example Governance.xml configuration
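Added example (not code from the presentation or from any DDS implementation): a policy audit that parses the `<allowed_crypto_algorithms>` snippet, flags entries below a required strength using the bit strengths listed in the built-in algorithms table, and reports families in which two participants share no algorithm. Assumptions: compatibility is modelled as a non-empty per-family intersection, the 112-bit value for `DHE+MODP-2048-256` comes from NIST SP 800-57 rather than the slide, and `STRICT_POLICY` and `LEGACY_POLICY` are constructed samples.

```python
import xml.etree.ElementTree as ET

# Governance.xml fragment as shown on the slide.
SLIDE_POLICY = """
<allowed_crypto_algorithms>
  <digital_signature>
    <algorithm>RSASSA-PSS-MGF1SHA256+2048+SHA256</algorithm>
    <algorithm>ECDSA+P256+SHA256</algorithm>
    <algorithm>ECDSA+P384+SHA384</algorithm>
  </digital_signature>
  <digital_signature_identity_trust_chain>
    <algorithm>ECDSA+P256+SHA256</algorithm>
    <algorithm>ECDSA+P384+SHA384</algorithm>
  </digital_signature_identity_trust_chain>
  <key_establishment>
    <algorithm>DHE+MODP-2048-256</algorithm>
    <algorithm>ECDHE-CEUM+P256</algorithm>
    <algorithm>ECDHE-CEUM+P384</algorithm>
  </key_establishment>
  <symmetric_cipher>
    <algorithm>AES128+GCM</algorithm>
    <algorithm>AES256+GCM</algorithm>
  </symmetric_cipher>
</allowed_crypto_algorithms>
"""

# Constructed sample: a participant restricted to the 192-bit-and-up choices.
STRICT_POLICY = {
    "digital_signature": ["ECDSA+P384+SHA384"],
    "digital_signature_identity_trust_chain": ["ECDSA+P384+SHA384"],
    "key_establishment": ["ECDHE-CEUM+P384"],
    "symmetric_cipher": ["AES256+GCM"],
}

# Constructed sample: a participant that only signs with RSA PKCS#1 v1.5.
LEGACY_POLICY = {
    "digital_signature": ["RSASSA-PKCS1-V1_5+2048+SHA256"],
    "digital_signature_identity_trust_chain": ["ECDSA+P256+SHA256"],
    "key_establishment": ["DHE+MODP-2048-256"],
    "symmetric_cipher": ["AES128+GCM"],
}

# Strength in bits per the slide's table; the DHE value is an assumption
# taken from NIST SP 800-57 (2048-bit finite-field DH), not from the slide.
STRENGTH_BITS = {
    "AES128+GCM": 128, "AES256+GCM": 256,
    "RSASSA-PSS-MGF1SHA256+2048+SHA256": 112,
    "RSASSA-PKCS1-V1_5+2048+SHA256": 112,
    "ECDSA+P256+SHA256": 128, "ECDSA+P384+SHA384": 192,
    "DHE+MODP-2048-256": 112,
    "ECDHE-CEUM+P256": 128, "ECDHE-CEUM+P384": 192,
}


def parse_allowed(xml_text):
    """Return {family: [algorithm, ...]} from an <allowed_crypto_algorithms> element.

    Parse only a governance document whose signature has already been verified.
    Whitespace inside a name is removed so a line-wrapped value still matches.
    """
    root = ET.fromstring(xml_text.strip())
    if root.tag != "allowed_crypto_algorithms":
        root = root.find(".//allowed_crypto_algorithms")
        if root is None:
            raise ValueError("no <allowed_crypto_algorithms> element found")
    policy = {}
    for family in root:
        names = ["".join((a.text or "").split()) for a in family.findall("algorithm")]
        policy[family.tag] = [n for n in names if n]
    return policy


def below_strength(policy, min_bits):
    """Return {family: [algorithms weaker than min_bits]}; unknown names count as weak."""
    findings = {}
    for family, algorithms in policy.items():
        weak = [a for a in algorithms if STRENGTH_BITS.get(a, 0) < min_bits]
        if weak:
            findings[family] = weak
    return findings


def common_algorithms(local, remote):
    """Per-family intersection, kept in the local policy's order."""
    return {family: [a for a in algorithms if a in remote.get(family, [])]
            for family, algorithms in local.items()}


def incompatible_families(local, remote):
    """Families in which the two policies have no algorithm in common."""
    return sorted(f for f, shared in common_algorithms(local, remote).items() if not shared)
```

Run against the slide's policy with a 128-bit floor, the audit flags the RSA-2048 signature entry and the MODP-2048 key establishment entry; against `LEGACY_POLICY` it reports `digital_signature` as the family with no common algorithm.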
Builtin Security Plugins (DDS Security 1.1)
Bootstrap traffic is unencrypted & unsigned:
• IP addresses sent in ParticipantBootstrap may be exploited by Denial of Service (DoS) attacks
• Permissions document may leak information about the system architecture and deployment
[Figure: Simplified Traffic Flow between two Apps. Labels: ParticipantBootstrap; Previously Unencrypted; Signed Permissions; Authentication/Key Exchange; …; User Data Samples; Protected by Security Plugins]
All PKI authentication protocols are subject to similar DoS attacks. But DDS being peer-to-peer increases the attack surface.
Builtin Security Plugins (DDS Security 1.2, with PSK)
All traffic protected with some secret key:
• Bootstrap traffic uses PSK
• Post-Authentication traffic uses the Participant-generated Keys
• No DoS weakness
• No system architecture or deployment config leaks
[Figure: Simplified Traffic Flow between two Apps. Labels: ParticipantBootstrap; Protected by PSK; Signed Permissions; Authentication/Key Exchange; …; User Data Samples; Protected by Security Plugins]
PSK = Pre-Shared Key
DDS Security 1.1 can’t protect unauthenticated Participants
DDS Security can be configured to allow unauthenticated Participants
• Unauth. Participant can only publish or subscribe Topics that are configured to be “unprotected”
• Data on unprotected Topics is subject to tampering and eavesdropping
[Figure: DDS Secure Databus with an authenticated Publisher, an authenticated Subscriber and an unauthenticated Subscriber. Legend: Protected Topic; Unprotected Topic]
DDS Security 1.2 can protect unauthenticated Participants
DDS Security 1.2 can be configured to allow unauthenticated Participants and protect them with PSK
• Unauth. Participant can only publish or subscribe Topics that are configured to be “unprotected”
• Data on unprotected Topics is nevertheless protected by PSK, avoiding tampering and eavesdropping
[Figure: DDS Secure Databus with an authenticated Publisher, an authenticated Subscriber and an unauthenticated Subscriber. Legend: Protected Topic (by Writer Key); Protected Topic (by PSK)]
PSK complements the existing mechanisms
• PSK provides additional security to protect traffic that otherwise cannot be protected
• Bootstrapping traffic (DoS weakness, meta-data leak)
• Topics enabled for unauthenticated participants (confidentiality and tampering weakness)
• PSK does not replace the writer-generated keys
• Coarse-grained, cannot differentiate different flows
• Weaker as it needs to be pre-shared: Subject to leaking by any compromised participant
• PSK adds deployment complexity
• Deploying a shared secret is hard
• While the PSK can be revised, the mechanism to trigger and re-distribute the revised keys has to be built by the application
Continuously Operating Systems: Key Revisions
• Certificates (Identity, Permissions) may expire or be updated
• Certificates may be explicitly revoked
• Access policy changes
• Preventive measures on abnormal behavior
• Countermeasures: Vulnerability detection
[Figure: DDS Databus with two Publishers and two Subscribers, annotated “Certificate Expires Or Revoked”]
Any of these require revoking previously authorized access. Can only be achieved by changing all previously-shared keys.
DDS-Security 1.2 provides the means to revise the previously-shared keys.
Finer grain DDS Domain Isolation
• DDS Domains are identified by Domain ID and Tag
• Domain ID is a number. Typically in the range 0-232
• Domain Tag is a string
• Independent DDS systems may be deployed on the same shared networks
• Use of Domain Tag is recommended to prevent accidental reuse of the Domain ID resulting in authentication errors
• DDS-Security 1.2 allows specification of the Domain Tag in security configuration
• Specification of Domain Tag can be a value or an expression
• Governance and Permissions can be narrowed to each specific Domain Id and Tag
<domains>
    <id>5</id>
    <tag>Robot1</tag>
</domains>
[Figure: two DDS Databuses, Domain: (Id=5, Tag=“Robot1”) and Domain: (Id=5, Tag=“Robot2”), shown alongside a Domain Governance Document and a Participant Permissions Document]
Certificates for groups of Participants
• Each Participant has an Identity Cert
• Specifies the (PKI) Public Key and Subject Name of the Participant
• Each Participant has a Permissions document
• List the (read/write) Topic Permissions
• Specifies the Subject Name of the Participant to which it applies
• Systems may contain 1000s of similar Participants
• Some Permission documents may differ only in the Subject Name
• E.g. Sensor device with permission to publish a specific Topic
• DDS Security 1.2 Permissions supports Subject Name expressions
• Single Certificate can be shared across all similar devices
• E.g. “CN=Robot/*, O=ACME Inc., L=Sunnyvale, ST=CA, C=US”
[Figure: a Participant holding an Identity Certificate (Subject Name & Public Key), a Private Key and a Permissions Document]
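Added example (not code from the presentation or from any DDS implementation): a permissions lookup that combines the Subject Name expression above with the Domain Id and Tag narrowing from the previous slide, matching the subject one RDN at a time so that a `*` in the CN cannot span other attributes. Assumptions: the slides do not give the matching rules, so glob-style `*` is assumed for both subject values and domain tags; the grant dictionaries, their field names, the second grant and all subjects other than the slide's expression are constructed.

```python
from fnmatch import fnmatchcase


def split_dn(dn):
    """Split "CN=a, O=b" into [("CN", "a"), ("O", "b")].

    A backslash escapes the next character, so "\\," stays inside a value.
    Multi-valued RDNs ("+") are not handled in this sketch.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def subject_matches(expression, subject):
    """Match RDN by RDN: same count, same attribute order, each value globbed alone."""
    pattern, actual = split_dn(expression), split_dn(subject)
    if len(pattern) != len(actual):
        return False
    return all(p_attr == a_attr and fnmatchcase(a_val, p_val)
               for (p_attr, p_val), (a_attr, a_val) in zip(pattern, actual))


def naive_matches(expression, subject):
    """Whole-string glob, shown for contrast: '*' may swallow extra RDNs."""
    return fnmatchcase(subject, expression)


# Constructed sample grants; the field names are hypothetical, not the
# Permissions document schema. Topic names come from the earlier slide.
GRANTS = [
    {"subject": "CN=Robot/*, O=ACME Inc., L=Sunnyvale, ST=CA, C=US",
     "domain_id": 5, "domain_tag": "Robot1", "publish": ["State"]},
    {"subject": "CN=Operator, O=ACME Inc., L=Sunnyvale, ST=CA, C=US",
     "domain_id": 5, "domain_tag": "Robot*", "subscribe": ["State"],
     "publish": ["SetPoint"]},
]


def allowed_topics(grants, subject, domain_id, domain_tag, action):
    """Topics the subject may 'publish' or 'subscribe' in (domain_id, domain_tag)."""
    topics = set()
    for grant in grants:
        if (grant["domain_id"] == domain_id
                and fnmatchcase(domain_tag, grant["domain_tag"])
                and subject_matches(grant["subject"], subject)):
            topics.update(grant.get(action, []))
    return sorted(topics)
```

A subject with an extra RDN inserted after the CN matches under the whole-string glob but is rejected by the per-RDN check, which is the behaviour to verify in any matcher used for shared certificates.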
Robustness enhancements
• Protection of RTPS Header and HdrExtension as AAD
• In DDS Security 1.1 only the Header could be protected
• Robustness to Year 2038 problem in SecureLog topic
• Security for Type Service
• Type Information may be considered sensitive by some applications
• DDS Security 1.2 can protect the exchange of type information, similar to how discovery is protected.
• Governance and Permission document extensibility
• Allows future versions of the specification to add extensions without breaking existing applications
Summary
• In today’s interconnected systems Security is a must shall
• DDS-Security integrates modern best practices
• PKI, Zero-Trust, End to end, Perfect Forward Secrecy, Authenticated Encryption
• DDS Security 1.2 adds important enhancements for long-running systems
• Algorithms that are NSA-approved for TOP SECRET
• Pre-Shared Keys to harden against DoS
• Key Revisions supporting certificate revocation, expiration, and access rights changes
• Robustness improvements
• Better ways to manage permissions for large systems
Q&A
www.rti.com/
www.dds-foundation.org/
Thank you!
www.dds-foundation.org/

Girls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in City
neshakor5152
 
07. Ruby String Slides - Ruby Core Teaching
07. Ruby String Slides - Ruby Core Teaching07. Ruby String Slides - Ruby Core Teaching
07. Ruby String Slides - Ruby Core Teaching
quanhoangd129
 
InflectraCON 360: Risk-Based Testing for Mission Critical Systems
InflectraCON 360: Risk-Based Testing for Mission Critical SystemsInflectraCON 360: Risk-Based Testing for Mission Critical Systems
InflectraCON 360: Risk-Based Testing for Mission Critical Systems
Inflectra
 
PathSpotter: Exploring Tested Paths to Discover Missing Tests (FSE 2024)
PathSpotter: Exploring Tested Paths to Discover Missing Tests (FSE 2024)PathSpotter: Exploring Tested Paths to Discover Missing Tests (FSE 2024)
PathSpotter: Exploring Tested Paths to Discover Missing Tests (FSE 2024)
andrehoraa
 
06. Ruby Array & Hash - Ruby Core Teaching
06. Ruby Array & Hash - Ruby Core Teaching06. Ruby Array & Hash - Ruby Core Teaching
06. Ruby Array & Hash - Ruby Core Teaching
quanhoangd129
 
Tour and travel website management in odoo,
Tour and travel website management in odoo,Tour and travel website management in odoo,
Tour and travel website management in odoo,
Axis Technolabs
 
Mumbai Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service A...
Mumbai Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service A...Mumbai Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service A...
Mumbai Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service A...
3610stuck
 
Agra Girls Call Agra 0X0000000X Unlimited Short Providing Girls Service Avail...
Agra Girls Call Agra 0X0000000X Unlimited Short Providing Girls Service Avail...Agra Girls Call Agra 0X0000000X Unlimited Short Providing Girls Service Avail...
Agra Girls Call Agra 0X0000000X Unlimited Short Providing Girls Service Avail...
rachitkumar09887
 

Recently uploaded (20)

High Girls Call Chennai 000XX00000 Provide Best And Top Girl Service And No1 ...
High Girls Call Chennai 000XX00000 Provide Best And Top Girl Service And No1 ...High Girls Call Chennai 000XX00000 Provide Best And Top Girl Service And No1 ...
High Girls Call Chennai 000XX00000 Provide Best And Top Girl Service And No1 ...
 
Girls Call Jogeshwari 9967584737 Provide Best And Top Girl Service And No1 in...
Girls Call Jogeshwari 9967584737 Provide Best And Top Girl Service And No1 in...Girls Call Jogeshwari 9967584737 Provide Best And Top Girl Service And No1 in...
Girls Call Jogeshwari 9967584737 Provide Best And Top Girl Service And No1 in...
 
04. Ruby Operators Slides - Ruby Core Teaching
04. Ruby Operators Slides - Ruby Core Teaching04. Ruby Operators Slides - Ruby Core Teaching
04. Ruby Operators Slides - Ruby Core Teaching
 
Empowering Businesses with Intelligent Software Solutions - Grawlix
Empowering Businesses with Intelligent Software Solutions - GrawlixEmpowering Businesses with Intelligent Software Solutions - Grawlix
Empowering Businesses with Intelligent Software Solutions - Grawlix
 
TEQnation 2024: Sustainable Software: May the Green Code Be with You
TEQnation 2024: Sustainable Software: May the Green Code Be with YouTEQnation 2024: Sustainable Software: May the Green Code Be with You
TEQnation 2024: Sustainable Software: May the Green Code Be with You
 
Authentication Review-June -2024 AP & TS.pptx
Authentication Review-June -2024 AP & TS.pptxAuthentication Review-June -2024 AP & TS.pptx
Authentication Review-June -2024 AP & TS.pptx
 
How to Secure Your Kubernetes Software Supply Chain at Scale
How to Secure Your Kubernetes Software Supply Chain at ScaleHow to Secure Your Kubernetes Software Supply Chain at Scale
How to Secure Your Kubernetes Software Supply Chain at Scale
 
ERP Software Solutions Provider in Coimbatore
ERP Software Solutions Provider in CoimbatoreERP Software Solutions Provider in Coimbatore
ERP Software Solutions Provider in Coimbatore
 
GT degree offer diploma Transcript
GT degree offer diploma TranscriptGT degree offer diploma Transcript
GT degree offer diploma Transcript
 
🚂🚘 Premium Girls Call Ranchi 🛵🚡000XX00000 💃 Choose Best And Top Girl Service...
🚂🚘 Premium Girls Call Ranchi  🛵🚡000XX00000 💃 Choose Best And Top Girl Service...🚂🚘 Premium Girls Call Ranchi  🛵🚡000XX00000 💃 Choose Best And Top Girl Service...
🚂🚘 Premium Girls Call Ranchi 🛵🚡000XX00000 💃 Choose Best And Top Girl Service...
 
Russian Girls Call Mumbai 🛵🚡9833363713 💃 Choose Best And Top Girl Service And...
Russian Girls Call Mumbai 🛵🚡9833363713 💃 Choose Best And Top Girl Service And...Russian Girls Call Mumbai 🛵🚡9833363713 💃 Choose Best And Top Girl Service And...
Russian Girls Call Mumbai 🛵🚡9833363713 💃 Choose Best And Top Girl Service And...
 
Hotel Management Software Development Company
Hotel Management Software Development CompanyHotel Management Software Development Company
Hotel Management Software Development Company
 
Girls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in City
Girls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in CityGirls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in City
Girls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in City
 
07. Ruby String Slides - Ruby Core Teaching
07. Ruby String Slides - Ruby Core Teaching07. Ruby String Slides - Ruby Core Teaching
07. Ruby String Slides - Ruby Core Teaching
 
InflectraCON 360: Risk-Based Testing for Mission Critical Systems
InflectraCON 360: Risk-Based Testing for Mission Critical SystemsInflectraCON 360: Risk-Based Testing for Mission Critical Systems
InflectraCON 360: Risk-Based Testing for Mission Critical Systems
 
PathSpotter: Exploring Tested Paths to Discover Missing Tests (FSE 2024)
PathSpotter: Exploring Tested Paths to Discover Missing Tests (FSE 2024)PathSpotter: Exploring Tested Paths to Discover Missing Tests (FSE 2024)
PathSpotter: Exploring Tested Paths to Discover Missing Tests (FSE 2024)
 
06. Ruby Array & Hash - Ruby Core Teaching
06. Ruby Array & Hash - Ruby Core Teaching06. Ruby Array & Hash - Ruby Core Teaching
06. Ruby Array & Hash - Ruby Core Teaching
 
Tour and travel website management in odoo,
Tour and travel website management in odoo,Tour and travel website management in odoo,
Tour and travel website management in odoo,
 
Mumbai Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service A...
Mumbai Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service A...Mumbai Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service A...
Mumbai Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service A...
 
Agra Girls Call Agra 0X0000000X Unlimited Short Providing Girls Service Avail...
Agra Girls Call Agra 0X0000000X Unlimited Short Providing Girls Service Avail...Agra Girls Call Agra 0X0000000X Unlimited Short Providing Girls Service Avail...
Agra Girls Call Agra 0X0000000X Unlimited Short Providing Girls Service Avail...
 

DDS-Security 1.2 - What's New? Stronger security for long-running systems

  • 1. DDS Security 1.2, What’s new?
      Gerardo Pardo, CTO, Real-Time Innovations (RTI)
      May 2, 2024
      www.rti.com/
  • 2. DDS Foundation
      Vendor-neutral, collaborative nonprofit formed to grow DDS usage
      ● Collaborative initiative with the OMG DDS Special Interest Group (SIG)
      ● DDS Users, Government Institutions, Researchers, Universities, Vendors
      Mission: Promote the adoption, interoperability and success of DDS family of standards to a wider user community
      Goals:
      ● Drive future requirements for the DDS standard
      ● Define industry-specific data models and adaptations of DDS
      ● Test vendor interoperability
      ● Provide industry education and resources
      www.dds-foundation.org
  • 3. Upcoming DDS Foundation Events
      ● June 10 - 15th Updated DDS Interoperability Test results
      ● August 24th, (Webinar) The Past, Present and Future of the DDS Standard
      www.dds-foundation.org
  • 4. Agenda (© 2024 Object Management Group)
      • Opening Comments
      • DDS Security Background
      • What’s new in DDS Security 1.2?
      • Q&A
  • 6. Expanding and Improving specification family
      [Timeline figure, 2004 to 2024. Specifications shown: DDS 1.1, DDS 1.2, DDS-RTPS 2.0, DDS-RTPS 2.1, DDS-RTPS 2.2, DDS-RTPS 2.5, DDS-XTYPES, DDS-XTYPES 1.3, DDS-C++, DDS-Java, DDS-RPC, DDS-XML, DDS-WEB, DDS-JSON, DDS-TSN, DDS-XRCE, OPC UA/DDS Gateway, DDS OPC UA, IDL 4.1, IDL 4.2, IDL4-JAVA, IDL4-C#, IDL4-C++, DDS-Security beta, DDS-Security 1.0, DDS-Security 1.1, DDS-Security 1.2. Source: Real-Time Innovations (RTI)]
  • 7. DDS Communication Model (Pub/Sub)
      Diagram: DDS DOMAIN with Topic A, Topic B, Topic C and Topic D, each with its own QoS
      Topic B: “Turbine State”
          Source (Key) | Speed | Power  | Phase
          WPT1         | 37.4  | 122.0  | -12.20
          WPT2         | 10.7  | 74.0   | -12.23
          WPTN         | 50.2  | 150.07 | -11.98
      • Topic-Based
      • Data-Centric
          - Instance Lifecycle
          - Data Cache
      • Content awareness and filters
  • 8. DDS Communication Model (RPC)
      Diagram: DDS DOMAIN with Service A, Service B and Service C; applications either implement or use a service
      - Styles: Request/Reply Style or Functional (Interface/operations)
      - One-to-One or One-to-Many
  • 9. DDS: Data-Centric, Fine-Grained Security (©2017 Real-Time Innovations, Inc.)
      • Per-Data-Topic Security
      • Control read/write access for each Topic
      • Uses different keys per Topic
      • Per topic selection of encrypt vs sign
      • Complete Protection
      • Discovery authentication
      • Data-centric access control
      • Cryptography
      • Tagging & logging
      • Non-repudiation
      • Secure multicast
      • 100% standards compliant
      Diagram: Applications (ECU, Analysis, Control, Operator) and Data Topics (State, Alarms, SetPoint)
      Data Topic Security model:
      • ECU: State(w)
      • Analysis: State(r); Alarms(w)
      • Control: State(r), SetPoint(w)
      • Operator: *(r), SetPoint(w)
  • 10. Zero-Trust, End to End Security
      • Participants use self-generated keys for each of their own Data Writers/Readers
      • Participants mutually authenticate each other
      • Use of signed certificates and PKI
      • Signed Permissions establish access
      • Signed Governance establishes policy
      • Participant Pairwise Ephemeral Key is established
      • Perfect Forward Secrecy
      • Participants share their own keys with authorized receivers
      • Zero trust
      • End-to-end security is achieved without needing to trust or share keys with any intermediary
      Diagram label: RTPS
  • 11. What’s New? (DDS-Security 1.2)
      • New Cryptographic Algorithms (NSA approved for TOP SECRET)
      • Pre-Shared Keys (Hardening against DoS)
      • Key Revisions
      • Other Enhancements
  • 12. New Cryptographic Algorithms
      Meets CNSSP-15 standard for NSS, NSA TOP-SECRET
      [Figure: table with check marks, rows labelled “DDS SEC 1.0 – 1.2” or “DDS SEC 1.2”; download link]
  • 13. DDS-Security 1.2 Built-in Algorithms
      Family            | Purpose                                                                                   | Algorithms                                                                                              | Notes
      Symmetric Cypher  | Authenticated Encryption with Additional Authenticated Data (AEAD)                        | AES128+GCM, AES256+GCM                                                                                  | 128 and 256 bit strength
      Digital Signature | Mutual Authentication; Certificate (Identity, Permissions) Authenticity                   | RSASSA-PSS-MGF1SHA256+2048+SHA256, RSASSA-PKCS1-V1_5+2048+SHA256, ECDSA+P256+SHA256, ECDSA+P384+SHA384 | RSA with 2048 bit keys (112 bit strength); Elliptic-Curve (ECC) with 256 and 384 bit keys (128 and 192 bit strength)
      Key Establishment | Establish a shared secret; provide encrypted point-to-point channel with Perfect Forward Secrecy | DHE+MODP-2048-256, ECDHE-CEUM+P256, ECDHE-CEUM+P384                                              | Diffie-Hellman and Elliptic-Curve Diffie-Hellman with 256 and 384 bit keys (128 and 192 bit strength)
      Hashing           | Cryptographically strong Hashing                                                          | SHA256, SHA384                                                                                          | 256 and 384 bit hash functions (128 and 192 bit strength)
      • Meets CNSS policy to protect National Security Systems (NSS)
      • Satisfy NSA requirements for TOP SECRET
  • 14. Framework for Crypto Algorithm Support
      • Framework for algorithm support
      • Control over which algorithms may be used in a system
      • Determines algorithm compatibility between participants
      • Plugins may support per-writer configuration of the algorithm
      • Support for future algorithm additions
      Snippet from example Governance.xml configuration:
          <allowed_crypto_algorithms>
            <digital_signature>
              <algorithm>RSASSA-PSS-MGF1SHA256+2048+SHA256</algorithm>
              <algorithm>ECDSA+P256+SHA256</algorithm>
              <algorithm>ECDSA+P384+SHA384</algorithm>
            </digital_signature>
            <digital_signature_identity_trust_chain>
              <algorithm>ECDSA+P256+SHA256</algorithm>
              <algorithm>ECDSA+P384+SHA384</algorithm>
            </digital_signature_identity_trust_chain>
            <key_establishment>
              <algorithm>DHE+MODP-2048-256</algorithm>
              <algorithm>ECDHE-CEUM+P256</algorithm>
              <algorithm>ECDHE-CEUM+P384</algorithm>
            </key_establishment>
            <symmetric_cipher>
              <algorithm>AES128+GCM</algorithm>
              <algorithm>AES256+GCM</algorithm>
            </symmetric_cipher>
          </allowed_crypto_algorithms>
  • 15. What’s New?
      • New Cryptographic Algorithms (NSA approved for TOP SECRET)
      • Pre-Shared Keys (Hardening against DoS)
      • Key Revisions
      • Other Enhancements
  • 16. Builtin Security Plugins (DDS Security 1.1)
      Bootstrap traffic is unencrypted & unsigned:
      • IP addresses sent in ParticipantBootstrap may be exploited by Denial of Service (DoS) attacks
      • Permissions document may leak information about the system architecture and deployment
      Diagram labels (Simplified Traffic Flow, App to App): ParticipantBootstrap; Previously Unencrypted; Signed Permissions; Authentication/Key Exchange; …; User Data Samples; Protected by Security Plugins
      All PKI authentication protocols are subject to similar DoS attacks. But DDS being peer-to-peer increases the attack surface
  • 17. Builtin Security Plugins (DDS Security 1.2, with PSK)
      All traffic protected with some secret key:
      • Bootstrap traffic uses PSK
      • Post-Authentication traffic uses the Participant-generated Keys
      • No DoS weakness
      • No system architecture or deployment config leaks
      Diagram labels (Simplified Traffic Flow, App to App): ParticipantBootstrap; Protected by PSK; Signed Permissions; Authentication/Key Exchange; …; User Data Samples; Protected by Security Plugins
      PSK = Pre-Shared Key
  • 18. DDS Security 1.1 can’t protect unauthenticated Participants
      DDS Security can be configured to allow unauthenticated Participants
      • An unauthenticated Participant can only publish or subscribe to Topics that are configured to be “unprotected”
      • Data on unprotected Topics is subject to tampering and eavesdropping
      Diagram: DDS Secure Databus with an authenticated Publisher, an authenticated Subscriber and an unauthenticated Subscriber; one Protected Topic and one Unprotected Topic
  • 19. DDS Security 1.2 can protect unauthenticated Participants
      DDS Security 1.2 can be configured to allow unauthenticated Participants and protect them with PSK
      • An unauthenticated Participant can only publish or subscribe to Topics that are configured to be “unprotected”
      • Data on unprotected Topics is nevertheless protected by PSK, avoiding tampering and eavesdropping
      Diagram: DDS Secure Databus with an authenticated Publisher, an authenticated Subscriber and an unauthenticated Subscriber; Protected Topic (by Writer Key) and Protected Topic (by PSK)
  • 20. PSK complements the existing mechanisms
      • PSK provides additional security to protect traffic that otherwise cannot be protected
          - Bootstrapping traffic (DoS weakness, meta-data leak)
          - Topics enabled for unauthenticated participants (confidentiality and tampering weakness)
      • PSK does not replace the writer-generated keys
          - Coarse-grained, cannot differentiate different flows
          - Weaker as it needs to be pre-shared: subject to leaking by any compromised participant
      • PSK adds deployment complexity
          - Deploying a shared secret is hard
          - While the PSK can be revised, the mechanism to trigger and re-distribute the revised keys has to be built by the application
  • 21. What’s New?
      • New Cryptographic Algorithms (NSA approved for TOP SECRET)
      • Pre-Shared Keys (Hardening against DoS)
      • Key Revisions
      • Other Enhancements
  • 22. Continuously Operating Systems: Key Revisions
      • Certificates (Identity, Permissions) may expire or be updated
      • Certificates may be explicitly revoked
      • Access policy changes
      • Preventive measures on abnormal behavior
      • Countermeasures: Vulnerability detection
      Diagram labels: Publisher; Subscriber; Subscriber; DDS Databus; Certificate Expires Or Revoked; Publisher
      Any of these require revoking previously authorized access. Can only be achieved by changing all previously-shared keys
      DDS-Security 1.2 provides the means to revise the previously-shared keys
  • 23. What’s New?
      • New Cryptographic Algorithms (NSA approved for TOP SECRET)
      • Pre-Shared Keys (Hardening against DoS)
      • Key Revisions
      • Other Enhancements
  • 24. Finer grain DDS Domain Isolation
      • DDS Domains are identified by Domain ID and Tag
          - Domain ID is a number. Typically in the range 0-232
          - Domain Tag is a string
      • Independent DDS systems may be deployed on the same shared networks
          - Use of Domain Tag is recommended to prevent accidental reuse of the Domain ID resulting in authentication errors
      • DDS-Security 1.2 allows specification of the Domain Tag in security configuration
          - Specification of Domain Tag can be a value or an expression
          - Governance and Permissions can be narrowed to each specific Domain Id and Tag
      Example from the slide:
          <domains>
            <id>5</id>
            <tag>Robot1</tag>
          </domains>
      Diagram labels: DDS Databus, Domain: (Id=5, Tag=“Robot1”); DDS Databus1, Domain: (Id=5, Tag=“Robot2”); Domain Governance Document; Participant Permissions Document
  • 25. Certificates for groups of Participants
      • Each Participant has an Identity Cert
          - Specifies the (PKI) Public Key and Subject Name of the Participant
      • Each Participant has a Permissions document
          - Lists the (read/write) Topic Permissions
          - Specifies the Subject Name of the Participant to which it applies
      • Systems may contain 1000s of similar Participants
          - Some Permission documents may differ only in the Subject Name
          - E.g. Sensor device with permission to publish a specific Topic
      • DDS Security 1.2 Permissions supports Subject Name expressions
          - Single Certificate can be shared across all similar devices
          - E.g. “CN=Robot/*, O=ACME Inc., L=Sunnyvale, ST=CA, C=US”
      Diagram labels: Participant; Identity Certificate (Subject Name & Public Key); Private Key; Permissions Document
  • 26. Robustness enhancements
      • Protection of RTPS Header and HdrExtension as AAD
          - In DDS Security 1.1 only the Header could be protected
      • Robustness to Year 2038 problem in SecureLog topic
      • Security for Type Service
          - Type Information may be considered sensitive by some applications
          - DDS Security 1.2 can protect the exchange of type information, similar to how discovery is protected
      • Governance and Permission document extensibility
          - Allows future versions of the specification to add extensions without breaking existing applications
  • 27. Summary
      • In today’s interconnected systems Security is a must shall
      • DDS-Security integrates modern best practices
          - PKI, Zero-Trust, End to end, Perfect Forward Secrecy, Authenticated Encryption
      • DDS Security 1.2 adds important enhancements for long-running systems
          - Algorithms that are NSA-approved for TOP SECRET
          - Pre-Shared Keys to harden against DoS
          - Key Revisions supporting certificate revocation, expiration, and access rights changes
          - Robustness improvements
          - Better ways to manage permissions for large systems
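Slides 13 and 14 together allow a deployment check: load the `<allowed_crypto_algorithms>` section and flag every allowed algorithm whose strength falls below a policy floor. The following is an added example, not code from the deck or from the DDS-Security specification. Assumptions: the function names are hypothetical, the 112-bit figure for `DHE+MODP-2048-256` comes from NIST SP 800-57 rather than the slide, and `common_algorithms` is a simplified stand-in for the compatibility rule mentioned on slide 14.

```python
import xml.etree.ElementTree as ET

# Strength (bits) per algorithm name, taken from the slide 13 table.
# Assumption: the slide gives no figure for DHE+MODP-2048-256; 112 bits is
# used for its 2048-bit modulus, following NIST SP 800-57 Part 1.
STRENGTH_BITS = {
    "AES128+GCM": 128, "AES256+GCM": 256,
    "RSASSA-PSS-MGF1SHA256+2048+SHA256": 112,
    "RSASSA-PKCS1-V1_5+2048+SHA256": 112,
    "ECDSA+P256+SHA256": 128, "ECDSA+P384+SHA384": 192,
    "DHE+MODP-2048-256": 112, "ECDHE-CEUM+P256": 128,
    "ECDHE-CEUM+P384": 192,
}

# The <allowed_crypto_algorithms> snippet from slide 14.
GOVERNANCE_SNIPPET = """
<allowed_crypto_algorithms>
  <digital_signature>
    <algorithm>RSASSA-PSS-MGF1SHA256+2048+SHA256</algorithm>
    <algorithm>ECDSA+P256+SHA256</algorithm>
    <algorithm>ECDSA+P384+SHA384</algorithm>
  </digital_signature>
  <digital_signature_identity_trust_chain>
    <algorithm>ECDSA+P256+SHA256</algorithm>
    <algorithm>ECDSA+P384+SHA384</algorithm>
  </digital_signature_identity_trust_chain>
  <key_establishment>
    <algorithm>DHE+MODP-2048-256</algorithm>
    <algorithm>ECDHE-CEUM+P256</algorithm>
    <algorithm>ECDHE-CEUM+P384</algorithm>
  </key_establishment>
  <symmetric_cipher>
    <algorithm>AES128+GCM</algorithm>
    <algorithm>AES256+GCM</algorithm>
  </symmetric_cipher>
</allowed_crypto_algorithms>
"""


def load_allowed(xml_text):
    """Return {family: [algorithm names]} in document order."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "allowed_crypto_algorithms":
        raise ValueError("expected <allowed_crypto_algorithms> root")
    return {fam.tag: [(a.text or "").strip() for a in fam.findall("algorithm")]
            for fam in root}


def audit(allowed, min_bits):
    """List (family, algorithm, reason) for entries below min_bits or unknown."""
    findings = []
    for family, algs in allowed.items():
        for alg in algs:
            bits = STRENGTH_BITS.get(alg)
            if bits is None:
                findings.append((family, alg, "not in slide 13 table"))
            elif bits < min_bits:
                findings.append((family, alg, f"{bits}-bit strength"))
    return findings


def common_algorithms(local, remote):
    """Algorithms both sides allow, per family (simplified, assumed model)."""
    return {fam: [a for a in algs if a in remote.get(fam, ())]
            for fam, algs in local.items()}
```

With a 128-bit floor the slide's own snippet yields two findings (the RSA signature and the finite-field Diffie-Hellman entries); an empty list from `common_algorithms` for any family means the two participants share no algorithm there.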
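One way a Subject Name expression such as the one on slide 25 could be evaluated and reviewed, as an added example that is not from the deck or the DDS-Security specification. It assumes shell-style wildcards applied per attribute, with the same set of attributes required on both sides; the function names and the sample grants are hypothetical and constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Expression quoted on slide 25.
SLIDE_EXPRESSION = "CN=Robot/*, O=ACME Inc., L=Sunnyvale, ST=CA, C=US"

# Constructed sample: grant name -> Subject Name expression.
GRANTS = {
    "robot_sensor_publishers": SLIDE_EXPRESSION,
    "operator_console": "CN=Operator/console-1, O=ACME Inc., L=Sunnyvale, ST=CA, C=US",
}


def parse_dn(dn):
    """Split 'CN=a, O=b' into {'CN': 'a', 'O': 'b'}.

    Commas escaped with a backslash stay inside the value. Repeated
    attribute types are rejected so a match can never be ambiguous.
    """
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn):
        key, sep, value = rdn.partition("=")
        key = key.strip().upper()
        if not sep or not key:
            raise ValueError(f"malformed attribute: {rdn!r}")
        if key in attrs:
            raise ValueError(f"repeated attribute type: {key}")
        attrs[key] = value.strip()
    return attrs


def subject_matches(expression, subject):
    """True when the subject has exactly the expression's attributes and
    each value matches the corresponding (possibly wildcarded) pattern."""
    want, have = parse_dn(expression), parse_dn(subject)
    if want.keys() != have.keys():
        return False
    return all(fnmatchcase(have[k], pattern) for k, pattern in want.items())


def wildcard_attributes(expression):
    """Attribute types whose pattern contains a wildcard, for review."""
    return sorted(k for k, v in parse_dn(expression).items()
                  if any(c in v for c in "*?["))


def grants_for(subject, grants=GRANTS):
    """Names of all grants whose expression covers this subject."""
    return sorted(name for name, expr in grants.items()
                  if subject_matches(expr, subject))
```

Reviewing `wildcard_attributes` for every expression in a Permissions document shows how far each grant reaches: in the slide's expression only `CN` is open, so the organization and location attributes still have to match exactly.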