Gerardo Pardo-Castellote, profile picture
Uploaded byGerardo Pardo-Castellote
396 views

DDS-Security Interoperability Demo - March 2018

The document describes a demonstration of interoperability between 5 vendor DDS security implementations using a shapes demo application. The demo consists of 6 scenarios that illustrate different aspects of DDS security configuration and functionality, including controlling access to the domain, enabling open access to selected topics, comparing data integrity vs encryption, protecting metadata, securing discovery, and fine-grained access control at the topic level. Each scenario varies the security governance and permission files to achieve the desired access control configuration.

Embed presentation

Downloaded 16 times
3/19/2018 Copyright © 2018 OMG. All rights reserved. 1 DDS Security Interoperability Demo DDS™ – The Proven Data Connec9vity Standard for IIoT™ dds/2018-03-01 Reston, March 2018
DDS Security Demo — Overview 12/06/17 2 •  5 Vendor Products: •  CoreDX DDS from Twin Oaks CompuQng •  Connext DDS from Real Time InnovaQons (RTI) •  InterComm DDS from Kongsberg •  Vortex Cafe DDS from ADLink •  OpenDDS from Object CompuQng Inc (OCI) •  Using Shapes demo soware: •  Familiar from previous interoperability demos •  DemonstraQng granular configurability of DDS Security protocols •  Each ParQcipant has its own permissions – what exactly it can publish / subscribe •  Each Topic has its own configuraQon – encrypted, signed, clear, encrypted discovery
DDS Security Demo — Topics 12/06/17 3 Square Topic -  Secure Discovery -  Encrypted Data -  AuthenQcated Metadata -  Protected Access: AuthenQcated ParQcipants must have permissions to publish and/or subscribe Circle Topic -  Secure Discovery -  AuthenQcated Data -  AuthenQcated Metadata -  Protected Access: ParQcipants must have permissions to publish and/or subscribe Triangle Topic -  Open Discovery -  Open Data -  Open Access: Any parQcipant may publish and/or subscribe
DDS Security Configura9on Permissions IdenQty Governance Permissions IdenQty Permissions IdenQty PrivateKey PrivateKey PrivateKey Identity CA Permissions CA Permissions IdenQty PrivateKey
DDS Security Demo — Publishing 12/06/17 5 Permissions -  ALLOW Write Square -  DENY Write Circle Permissions -  ALLOW Write Circle -  DENY Write Triangle Permissions -  ALLOW Write Triangle -  DENY Write Square Permissions -  ALLOW Write Triangle -  DENY Write Circle
DDS Security Demo — Subscribing 6 Permissions Permissions Permissions Permissions
•  The demo consists of the following scenarios: •  Interoperability Without Security Enabled (SC#0) •  Controlled Access to Domain (SC#1) •  Enabling Open Access to Selected Topics (SC#2) •  Data Integrity versus Encryp9on (SC#3) •  Metadata protecQon (SC#4) •  Secure Discovery (SC#5) •  Topic Level Access Control (SC#6) Demo 12/06/17 Copyright © 2017 OMG. All rights reserved. 7
•  Objec9ve: DDS Security is an extension of DDS —sQll possible to run applicaQons without any protecQon. •  Governance File: Specifies domain 0 as an “open domain”. Governance_SC0_SecurityDisabled.xml •  Permission Files: None are needed for this scenario. Permissions_JoinDomain_<VENDOR>.xml •  Applica9ons: Regular and Secured and Shapes Demo SC#0: Interoperability Without Security Copyright © 2017 OMG. All rights reserved. 8 Subscribing to “Square” Expected Result All (Secure) RTI, TwinOaks, Kongsberg Receives All: Square: BLUE, GREEN, MAGENTA , RED, ORANGE All (Not Secure) RTI, TwinOaks, Kongsberg Receives All: Square: BLUE, GREEN, MAGENTA, RED, ORANGE 12/06/17 Publishing RTI SecureShapes BLUE Square TwinOaks SecureShapes GREEN Square Kongsberg SecureShapes MAGENTA Square ADLink RegularShapes RED Square OCI RegularShapes ORANGE Square OFF OFF OFF OFF OFF
•  Objec9ve: DDS Security can be used to protect access to a DDS Domain. Only applicaQons that can authenQcate and have the proper permissions can join the Domain. •  Governance File: Specifies domain 0 as a "protected domain." Governance_SC1_ProtectedDomain1.xml •  Permission Files: Each vendor has its own permissions file. Permissions_JoinDomain_<VENDOR>.xml. •  Applica9ons: Regular and Secured and Shapes Demo SC#1: Controlled Access to Domain Copyright © 2017 OMG. All rights reserved. 9 Subscribing to “Square” Expected Result All (Secure) RTI, TwinOaks, Kongsberg, ADLink Receives only from Secure: Square: BLUE, GREEN, MAGENTA , RED All (Not Secure) RTI, TwinOaks, Kongsberg, OCI, ADLink Receives only from Non-Secure Square: ORANGE 12/06/17 Publishing RTI BLUE Square TwinOaks GREEN Square Kongsberg MAGENTA Square ADLink RED Square OCI ORANGE Square
Subscribing “Square”, “Circle”, “Triangle” Expected Result Receives: RTI (Secure) Read Perm: Circle + Triangle Square: none Circle: GREEN, RED Triangle: BLUE, GREEN, MAGENTA , RED, ORANGE Twin Oaks (Secure) Read Perm: Square + Triangle Square: BLUE, MAGENTA Circle: none Triangle: BLUE, GREEN, MAGENTA, RED, ORANGE Kongsberg (Secure) Read Perm: Square + Circle Square: BLUE, MAGENTA Circle: GREEN, RED Triangle: BLUE, GREEN, MAGENTA, RED, ORANGE ADLink (Secure) Read Perm: Square + Circle Square: BLUE, MAGENTA , Circle: GREEN, RED Triangle: BLUE, GREEN, MAGENTA , RED, ORANGE OCI (Not Secure) Square: ORANGE, Circle: ORANGE Triangle: BLUE, GREEN, MAGENTA, RED, ORANGE •  Objec9ve: Illustrates it is possible to allow access to certain Topics by unsecured applicaQons (e.g, for legacy applicaQons not running DDS Security). •  Governance File: Governance_SC2_ProtectedDomain2.xml •  Allows unauthenQcated parQcipants to join domain 0 •  Square and Circle: • Protected for read/write access • Encrypt/sign metadata • Use secure discovery •  Triangle • Unprotected for read/write access (open to all) • No encrypt/sign • Use regular (unsecured) discovery • Permission Files: Each vendor has its own permissions file. Permissions_TopicLevel_<VENDOR>.xml. • Applica9ons: Regular and Secure and Shapes Demo SC#2: Open Access to Selected Topics Publishing RTI Write Perm: Squares BLUE Square BLUE Circle BLUE Triangle TwinOaks Write Perm: Circle GREEN Square GREEN Circle GREEN Triangle Kongsberg Write Perm: Square MAGENTA Square MAGENTA Circle MAGENTA Triangle ADLink Write Perm: Circle RED Square RED Circle RED Triangle OCI ORANGE Square ORANGE Circle ORANGE Triangle
•  Objec9ve: Illustrate different kinds of data protecQon. •  Encrypted (EN+SG)—(Encrypt and Sign) protected •  Signed data (SG)—vulnerable to snooping but not tampering •  Open data (OD)—vulnerable to tampering •  Governance File: Specifies domain 0 as a "protected domain” Governance_SC3_ProtectedDomain3.xml •  Squares shall be encrypted •  Circles shall be signed •  Triangles are unprotected •  Permission Files: Each vendor has its own permissions file. Permissions_JoinDomain_<VENDOR>.xml. •  Applica9ons: Secured Shapes Demo + Wireshark SC#3: Data Integrity versus Encryp9on Subscribing: Square + Circle + Triangle Expected Result All (Secure) RTI, TwinOaks, Kongsberg, ADLink Square: BLUE, GREEN, MAGENTA, RED Circle: BLUE, GREEN, MAGENTA, RED Triangle: BLUE, GREEN, MAGENTA, RED, ORANGE All (Not Secure) RTI, TwinOaks, Kongsberg, OCI, ADLink Square: Circle: Triangle: BLUE, GREEN, MAGENTA, RED, ORANGE Wireshark Can see Triangle data in the clear Can see Circle data, but it is signed (or OD from OCI) Cannot see Square data—it is encrypted Publishing RTI BLUE Square (EN + SG) ‘#’ BLUE Circle (SG) ‘$’ BLUE Triangle (OD) ‘%’ TwinOaks GREEN Square (EN + SG) ‘#’ GREEN Circle (SG) ‘$’ GREEN Triangle (OD) ‘%’ Kongsberg MAGENTA Square (EN + SG) ‘#’ MAGENTA Circle (SG) ‘$’ MAGENTA Triangle (OD) ‘%‘ ADLink GREEN Square (EN + SG) ‘#’ GREEN Circle (SG) ‘$’ RED Triangle (OD) ‘%’ OCI (not secure) ORANGE Triangle ‘%’ ShapeSizes: Square -> 35 ‘#’ Circle -> 36 ‘$’ Triangle -> 37 ‘%’
•  Objec9ve: Illustrate concept of protecQng metadata. •  Encrypted (EN+SG)—Encrypt and Signed metadata protected •  Signed metadata (SG)—vulnerable to snooping but not tampering •  Open metadata (OD)—vulnerable to tampering •  Governance File: Specifies domain 0 as a "protected domain" Governance_SC4_ProtectedDomain4.xml •  Square metadata shall be encrypted •  Circle metadata shall be signed, •  Triangle metadata is unprotected •  Payload is le open for all topics for illustraQon •  Permission Files: Each vendor has its own permissions file. Permissions_JoinDomain_<VENDOR>.xml. SC#4: Metadata Protec9on Publishing RTI BLUE Square (EN + SG) ‘#’ BLUE Circle (SG) ‘$’ BLUE Triangle (OD) ‘%’ TwinOaks GREEN Square (EN + SG) ‘#’ GREEN Circle (SG) ‘$’ GREEN Triangle (OD) ‘%’ Kongsberg MAGENTA Square (EN+SG) ‘#’ MAGENTA Circle (SG) ‘$’ MAGENTA Triangle (OD) ‘%‘ ADLink RED Square (EN + SG) ‘#’ RED Circle (SG) ‘$’ RED Triangle (OD) ‘%‘ OCI (not secure) ORANGE Triangle ‘%’ Subscribing Expected Result All (Secure) RTI, TwinOaks, Kongsberg, ADLink Square: BLUE, GREEN, MAGENTA, RED Circle: BLUE, GREEN, MAGENTA, RED Triangle: BLUE, GREEN, MAGENTA, RED, ORANGE All (Not Secure) RTI, TwinOaks, Kongsberg, ADLink, OCI Square: Circle: Triangle: BLUE, GREEN, MAGENTA, RED, ORANGE Wireshark Can see Triangle metadata & data Can see Circle metadata, but it is signed Cannot see Square metadata—it is encrypted Also peek at Discovery – It is all clear ShapeSizes: Square -> 35 ‘#’ Circle -> 36 ‘$’ Triangle -> 37 ‘%’
•  Objec9ve: Illustrates that discovery informaQon also be protected. •  Governance File: Specifies domain 0 as a "protected domain." Governance_SC5_ProtectedDomain5.xml •  Topic Triangle data and metadata are neither encrypted nor signed—sent over regular discovery •  Topic Circle data and metadata are signed, but not encrypted—sent over secure discovery •  Topic Square data and metadata are encrypted and signed—sent over secure discovery • Permission Files: Each vendor has its own permissions file. Permissions_JoinDomain_<VENDOR>.xml. • Applica9ons: Secure Shapes Demo SC#5: Secure Discovery Publishing RTI BLUE Square (EN + SG) BLUE Circle (SG) BLUE Triangle (OD) TwinOaks GREEN Square (EN + SG) GREEN Circle (SG) GREEN Triangle (OD) Kongsberg MAGENTA Square (EN+SG) MAGENTA Circle (SG) MAGENTA Triangle (OD) ADLink RED Square (EN + SG) RED Circle (SG) RED Triangle (OD) OCI ORANGE Triangle (OD) Subscribing Square + Circle + Triangle Expected Result All (Secure) RTI, TwinOaks, Kongsberg Square: BLUE, GREEN, MAGENTA, RED Circle: BLUE, GREEN, MAGENTA, RED Triangle: BLUE, GREEN, MAGENTA , RED, ORANGE All (Not Secure) RTI, TwinOaks, Kongsberg, OCI, ADLink Square: Circle: Triangle: BLUE, GREEN, MAGENTA, RED, ORANGE Wireshark Can see Triangle discovery in the clear Cannot see Circle discovery Cannot see Square discovery
Subscribing Expected Result RTI Read Perm: Circle + Triangle Subscribes: Square, Circle, Triangle Receives: Square: none Circle: GREEN, RED Triangle: none Twin Oaks Read Perm: Square+Triangle Subscribes: Square, Circle, Triangle Receives: Square: BLUE, MAGENTA Circle: none Triangle: none Kongsberg Read Perm: Square + Circle Subscribes: Square, Circle, Triangle Receives: Square: BLUE Circle: GREEN, RED Triangle: none ADLink Read Perm: Square + Circle Subscribes: Square, Circle, Triangle Receives: Square: BLUE, MAGENTA Circle: GREEN, RED Triangle: none OCI (Not Secure) Triangle: ORANGE •  Objec9ve: Illustrates fine-grain access control at the Topic level. •  Governance File: Specifies domain 0 as a "protected domain." Indicates that Square •  All topics are protected for read/write access. •  All topics are sent over secure discovery •  All topics encrypt and sign metadata •  Governance_SC6_ProtectedDomain6.xml • Permission Files: Each vendor has its own permissions file. Permissions_TopicLevel_<VENDOR>.xml. • Applica9ons: Secure Shapes Demo SC#6: Topic-Level Access Control 12/06/17 Publishing RTI Write Perm: Squares BLUE Square BLUE Circle BLUE Triangle TwinOaks Write Perm: Circle GREEN Square GREEN Circle GREEN Triangle Kongsberg Write Perm: Square MAGENTA Square MAGENTA Circle MAGENTA Triangle ADLink Write Perm: Circle RED Square RED Circle RED Triangle OCI (Not Secure) ORANGE Triangle
●  Standard & Interoperable ●  Scalable: Supports mulQcast ●  Fine-grain: Control at the Topic-level ●  Flexible: Build your own plugins ●  Generic: Works over any Transport ●  Transparent: No changes to ApplicaQon Code! More powerful that other secure middleware technologies 15
Ques9ons?

More Related Content

PDF
Deep Dive into the OPC UA / DDS Gateway Specification
byGerardo Pardo-Castellote
 
PPTX
Overview of the DDS-XRCE specification
byGerardo Pardo-Castellote
 
PDF
The DDS Security Standard
byAngelo Corsaro
 
PDF
DDS and OPC UA Explained
byAngelo Corsaro
 
PDF
DDS-XRCE (Extremely Resource Constrained Environments)
byGerardo Pardo-Castellote
 
PDF
Connected Mobile and Web Applications with Vortex
byAngelo Corsaro
 
PDF
DDS-XRCE - Revised Submission Presentation (September 2017)
byGerardo Pardo-Castellote
 
PDF
Vortex: The Intelligent Data Sharing Platform for the Internet of Things
byAngelo Corsaro
 
Deep Dive into the OPC UA / DDS Gateway Specification
byGerardo Pardo-Castellote
 
Overview of the DDS-XRCE specification
byGerardo Pardo-Castellote
 
The DDS Security Standard
byAngelo Corsaro
 
DDS and OPC UA Explained
byAngelo Corsaro
 
DDS-XRCE (Extremely Resource Constrained Environments)
byGerardo Pardo-Castellote
 
Connected Mobile and Web Applications with Vortex
byAngelo Corsaro
 
DDS-XRCE - Revised Submission Presentation (September 2017)
byGerardo Pardo-Castellote
 
Vortex: The Intelligent Data Sharing Platform for the Internet of Things
byAngelo Corsaro
 

What's hot

PDF
The DDS Tutorial - Part I
byAngelo Corsaro
 
PDF
DDS: The IoT Data Sharing Standard
byAngelo Corsaro
 
PDF
The Data Distribution Service
byAngelo Corsaro
 
PDF
OpenSplice DDS Tutorial -- Part II
byAngelo Corsaro
 
PDF
The DDS Tutorial Part II
byAngelo Corsaro
 
PDF
Reactive Data Centric Architectures with DDS
byAngelo Corsaro
 
PDF
Micro services Architecture with Vortex -- Part I
byAngelo Corsaro
 
PDF
The Data Distribution Service Tutorial
byAngelo Corsaro
 
PDF
Building and Scaling Internet of Things Applications with Vortex Cloud
byAngelo Corsaro
 
PDF
DDS In Action Part II
byAngelo Corsaro
 
PDF
Building Reactive Applications with DDS
byAngelo Corsaro
 
PDF
Advanced OpenSplice Programming - Part II
byAngelo Corsaro
 
PDF
Building Real-Time Web Applications with Vortex-Web
byAngelo Corsaro
 
PDF
DDS Web Enabled
byReal-Time Innovations (RTI)
 
PDF
DDS-TSN OMG Request for Proposals (RFP)
byGerardo Pardo-Castellote
 
PDF
Open splice dds security
byRamzi Karoui
 
PDF
Building IoT Applications with Vortex and the Intel Edison Starter Kit
byAngelo Corsaro
 
PDF
Architecting IoT Systems with Vortex
byAngelo Corsaro
 
PDF
Desktop, Embedded and Mobile Apps with Vortex Café
byAngelo Corsaro
 
PDF
OpenSplice Security Module
byAngelo Corsaro
 
The DDS Tutorial - Part I
byAngelo Corsaro
 
DDS: The IoT Data Sharing Standard
byAngelo Corsaro
 
The Data Distribution Service
byAngelo Corsaro
 
OpenSplice DDS Tutorial -- Part II
byAngelo Corsaro
 
The DDS Tutorial Part II
byAngelo Corsaro
 
Reactive Data Centric Architectures with DDS
byAngelo Corsaro
 
Micro services Architecture with Vortex -- Part I
byAngelo Corsaro
 
The Data Distribution Service Tutorial
byAngelo Corsaro
 
Building and Scaling Internet of Things Applications with Vortex Cloud
byAngelo Corsaro
 
DDS In Action Part II
byAngelo Corsaro
 
Building Reactive Applications with DDS
byAngelo Corsaro
 
Advanced OpenSplice Programming - Part II
byAngelo Corsaro
 
Building Real-Time Web Applications with Vortex-Web
byAngelo Corsaro
 
DDS Web Enabled
byReal-Time Innovations (RTI)
 
DDS-TSN OMG Request for Proposals (RFP)
byGerardo Pardo-Castellote
 
Open splice dds security
byRamzi Karoui
 
Building IoT Applications with Vortex and the Intel Edison Starter Kit
byAngelo Corsaro
 
Architecting IoT Systems with Vortex
byAngelo Corsaro
 
Desktop, Embedded and Mobile Apps with Vortex Café
byAngelo Corsaro
 
OpenSplice Security Module
byAngelo Corsaro
 

Similar to DDS-Security Interoperability Demo - March 2018

PDF
Using DDS to Secure the Industrial Internet of Things (IIoT)
byGerardo Pardo-Castellote
 
PDF
OMG Data-Distribution Service Security
byGerardo Pardo-Castellote
 
PPTX
Embedded Security and the IoT – Challenges, Trends and Solutions
byReal-Time Innovations (RTI)
 
PDF
DDS Secure Intro
byJohn Breitenbach
 
PDF
DDS-Security 1.2 - What's New? Stronger security for long-running systems
byGerardo Pardo-Castellote
 
PDF
Trends in IIoT and OT Security
byOliver Pfaff
 
PPTX
DDS Security for the Industrial Internet - London Connext DDS Conference
byGerardo Pardo-Castellote
 
PPTX
IoT and M2M Safety and Security
byReal-Time Innovations (RTI)
 
PPTX
The Inside Story: How OPC UA and DDS Can Work Together in Industrial Systems
byReal-Time Innovations (RTI)
 
PDF
INE-Security+-Domain-4-Security-Operations-I-Course-File.pdf
byahmedhossami778
 
PDF
PSCR 2019 - ICAM Standards
byAdam Lewis
 
PDF
DDS-Security Interoperability Demo - December 2017
byGerardo Pardo-Castellote
 
PDF
Senzations’15: Secure Internet of Things
bySenZations Summer School
 
PPTX
Data Distribution Service Security and the Industrial Internet of Things
byReal-Time Innovations (RTI)
 
PPTX
Is your distributed system secure?
byLacey Trebaol
 
PDF
Upgrade Your System’s Security - Making the Jump from Connext DDS Professiona...
byReal-Time Innovations (RTI)
 
PDF
getdns PyCon presentation
byMelinda Shore
 
PPTX
Four keys to securing distributed control systems and the industrial (IoT)
byReal-Time Innovations (RTI)
 
PPTX
Polymorphic Attacks on Data-in-Motion Require a New Security Approach From Bo...
byADVA
 
PPTX
RubiX ID - SOA Security - Ingrid Cox
byRubiX BV
 
Using DDS to Secure the Industrial Internet of Things (IIoT)
byGerardo Pardo-Castellote
 
OMG Data-Distribution Service Security
byGerardo Pardo-Castellote
 
Embedded Security and the IoT – Challenges, Trends and Solutions
byReal-Time Innovations (RTI)
 
DDS Secure Intro
byJohn Breitenbach
 
DDS-Security 1.2 - What's New? Stronger security for long-running systems
byGerardo Pardo-Castellote
 
Trends in IIoT and OT Security
byOliver Pfaff
 
DDS Security for the Industrial Internet - London Connext DDS Conference
byGerardo Pardo-Castellote
 
IoT and M2M Safety and Security
byReal-Time Innovations (RTI)
 
The Inside Story: How OPC UA and DDS Can Work Together in Industrial Systems
byReal-Time Innovations (RTI)
 
INE-Security+-Domain-4-Security-Operations-I-Course-File.pdf
byahmedhossami778
 
PSCR 2019 - ICAM Standards
byAdam Lewis
 
DDS-Security Interoperability Demo - December 2017
byGerardo Pardo-Castellote
 
Senzations’15: Secure Internet of Things
bySenZations Summer School
 
Data Distribution Service Security and the Industrial Internet of Things
byReal-Time Innovations (RTI)
 
Is your distributed system secure?
byLacey Trebaol
 
Upgrade Your System’s Security - Making the Jump from Connext DDS Professiona...
byReal-Time Innovations (RTI)
 
getdns PyCon presentation
byMelinda Shore
 
Four keys to securing distributed control systems and the industrial (IoT)
byReal-Time Innovations (RTI)
 
Polymorphic Attacks on Data-in-Motion Require a New Security Approach From Bo...
byADVA
 
RubiX ID - SOA Security - Ingrid Cox
byRubiX BV
 

More from Gerardo Pardo-Castellote

PDF
Introduction to DDS: Context, Information Model, Security, and Applications.
byGerardo Pardo-Castellote
 
PDF
Extensible Types for DDS (DDS-XTYPES) version 1.2
byGerardo Pardo-Castellote
 
PDF
DDS, the US Navy, and the Need for Distributed Software
byGerardo Pardo-Castellote
 
PDF
DDS Security Specification version 1.0
byGerardo Pardo-Castellote
 
PPTX
Web Enabled DDS - London Connext DDS Conference
byGerardo Pardo-Castellote
 
PDF
Applying MBSE to the Industrial IoT: Using SysML with Connext DDS and Simulink
byGerardo Pardo-Castellote
 
PDF
DDS for eXtremely Resource Constrained Environments 1.0 Beta
byGerardo Pardo-Castellote
 
PDF
Interface Definition Language (IDL) version 4.2
byGerardo Pardo-Castellote
 
PPTX
Remote Procedure Call over DDS - London Connext DDS Conference
byGerardo Pardo-Castellote
 
PDF
DDS-Security Interoperability Demo - September 2017
byGerardo Pardo-Castellote
 
PDF
Protocol and Integration Challenges for SDN
byGerardo Pardo-Castellote
 
PDF
DDS - The Proven Data Connectivity Standard for the Industrial IoT (IIoT)
byGerardo Pardo-Castellote
 
PDF
Industrial IOT Data Connectivity Standard
byGerardo Pardo-Castellote
 
PDF
The Platform for the Industrial Internet of Things (IIoT)
byGerardo Pardo-Castellote
 
PDF
DDS-Security version 1.1
byGerardo Pardo-Castellote
 
PDF
A Converged Approach to Standards for Industrial Automation
byGerardo Pardo-Castellote
 
PDF
OPC UA/DDS Gateway version 1.0 Beta
byGerardo Pardo-Castellote
 
PDF
Rpc over-dds-rti-e prosima-twinoaks-submission-v5
byGerardo Pardo-Castellote
 
PDF
DDS for eXtremely Resource Constrained Environments
byGerardo Pardo-Castellote
 
PDF
DDS Security Specification (Adopted Beta1 June 2014)
byGerardo Pardo-Castellote
 
Introduction to DDS: Context, Information Model, Security, and Applications.
byGerardo Pardo-Castellote
 
Extensible Types for DDS (DDS-XTYPES) version 1.2
byGerardo Pardo-Castellote
 
DDS, the US Navy, and the Need for Distributed Software
byGerardo Pardo-Castellote
 
DDS Security Specification version 1.0
byGerardo Pardo-Castellote
 
Web Enabled DDS - London Connext DDS Conference
byGerardo Pardo-Castellote
 
Applying MBSE to the Industrial IoT: Using SysML with Connext DDS and Simulink
byGerardo Pardo-Castellote
 
DDS for eXtremely Resource Constrained Environments 1.0 Beta
byGerardo Pardo-Castellote
 
Interface Definition Language (IDL) version 4.2
byGerardo Pardo-Castellote
 
Remote Procedure Call over DDS - London Connext DDS Conference
byGerardo Pardo-Castellote
 
DDS-Security Interoperability Demo - September 2017
byGerardo Pardo-Castellote
 
Protocol and Integration Challenges for SDN
byGerardo Pardo-Castellote
 
DDS - The Proven Data Connectivity Standard for the Industrial IoT (IIoT)
byGerardo Pardo-Castellote
 
Industrial IOT Data Connectivity Standard
byGerardo Pardo-Castellote
 
The Platform for the Industrial Internet of Things (IIoT)
byGerardo Pardo-Castellote
 
DDS-Security version 1.1
byGerardo Pardo-Castellote
 
A Converged Approach to Standards for Industrial Automation
byGerardo Pardo-Castellote
 
OPC UA/DDS Gateway version 1.0 Beta
byGerardo Pardo-Castellote
 
Rpc over-dds-rti-e prosima-twinoaks-submission-v5
byGerardo Pardo-Castellote
 
DDS for eXtremely Resource Constrained Environments
byGerardo Pardo-Castellote
 
DDS Security Specification (Adopted Beta1 June 2014)
byGerardo Pardo-Castellote
 

Recently uploaded

PDF
Step-by-Step Guide to Building Fast Flutter Web Sites
byShiv Technolabs Pvt. Ltd.
 
PPTX
OpenChain at Okinawa Event on the 4th of December 2025
byShane Coughlan
 
PDF
Guidewire Vs. Openkoda: Customizable, Open Alternative to Lagacy Core Systems
byOpenkoda
 
PPTX
Magnet-AXIOM_overview_tool_cyber_tool.pptx
byashishtjoseph
 
PDF
MGA Insurance Product Launch Acceleration
byOpenkoda
 
PPTX
Managed Splunk Partner vs In-House: Cost, Risk & Value Comparison
byssuser6ab5a5
 
PPTX
SAP SOD Management for Secure & Compliant Access | s4access
bydigitalbacklinks123
 
PDF
Licensing for Software-as-a-Service (SaaS)
byteam-WIBU
 
PDF
Code, Coins and Collaboration: How Open Source Shapes Modern Finance.
byDavid Okononfua
 
PPTX
Why Your Business Needs Snowflake Consulting_ From Data Silos to AI-Ready Cloud
byChetu
 
PDF
IT Estate Modernization: Transform Your Infrastructure for the Future .pdf
byAstuteBusiness
 
PPTX
Binance Smart Chain Development Guide.pptx
bylakshubadai
 
PDF
Red Hat Summit 2025 - Triton GPU Kernel programming.pdf
bySanjeev Rampal
 
PPTX
Modern Claims Automation Solutions for Operational Agility
byInsurance Tech Services
 
PDF
nsfconvertersoftwaretoconvertNSFtoPST.pdf
byNSF Converter Software
 
PDF
How Does AI Improve Location-Based Mobile App Development for Businesses.pdf
byNet-Craft.com
 
PDF
Influence Without Power - Why Empathy is Your Best Friend.pdf
bySuzanne Lagerweij
 
PDF
Data structure using C :UNIT-I Introduction to Data structures and Stacks BCA...
byKuvempu University
 
PDF
Operating System (OS) :UNIT-I Introduction to Operating System BCA SEP SEM-II...
byKuvempu University
 
PDF
Josh Chu Boston - A Respected Technology Executive
byJosh Chu Boston
 
Step-by-Step Guide to Building Fast Flutter Web Sites
byShiv Technolabs Pvt. Ltd.
 
OpenChain at Okinawa Event on the 4th of December 2025
byShane Coughlan
 
Guidewire Vs. Openkoda: Customizable, Open Alternative to Lagacy Core Systems
byOpenkoda
 
Magnet-AXIOM_overview_tool_cyber_tool.pptx
byashishtjoseph
 
MGA Insurance Product Launch Acceleration
byOpenkoda
 
Managed Splunk Partner vs In-House: Cost, Risk & Value Comparison
byssuser6ab5a5
 
SAP SOD Management for Secure & Compliant Access | s4access
bydigitalbacklinks123
 
Licensing for Software-as-a-Service (SaaS)
byteam-WIBU
 
Code, Coins and Collaboration: How Open Source Shapes Modern Finance.
byDavid Okononfua
 
Why Your Business Needs Snowflake Consulting_ From Data Silos to AI-Ready Cloud
byChetu
 
IT Estate Modernization: Transform Your Infrastructure for the Future .pdf
byAstuteBusiness
 
Binance Smart Chain Development Guide.pptx
bylakshubadai
 
Red Hat Summit 2025 - Triton GPU Kernel programming.pdf
bySanjeev Rampal
 
Modern Claims Automation Solutions for Operational Agility
byInsurance Tech Services
 
nsfconvertersoftwaretoconvertNSFtoPST.pdf
byNSF Converter Software
 
How Does AI Improve Location-Based Mobile App Development for Businesses.pdf
byNet-Craft.com
 
Influence Without Power - Why Empathy is Your Best Friend.pdf
bySuzanne Lagerweij
 
Data structure using C :UNIT-I Introduction to Data structures and Stacks BCA...
byKuvempu University
 
Operating System (OS) :UNIT-I Introduction to Operating System BCA SEP SEM-II...
byKuvempu University
 
Josh Chu Boston - A Respected Technology Executive
byJosh Chu Boston
 

DDS-Security Interoperability Demo - March 2018

  • 1.
  • 2.
    DDS Security Demo — Overview 12/06/17 2 •  5 Vendor Products: • CoreDX DDS from Twin Oaks CompuQng •  Connext DDS from Real Time InnovaQons (RTI) •  InterComm DDS from Kongsberg •  Vortex Cafe DDS from ADLink •  OpenDDS from Object CompuQng Inc (OCI) •  Using Shapes demo soware: •  Familiar from previous interoperability demos •  DemonstraQng granular configurability of DDS Security protocols •  Each ParQcipant has its own permissions – what exactly it can publish / subscribe •  Each Topic has its own configuraQon – encrypted, signed, clear, encrypted discovery
  • 3.
    DDS Security Demo — Topics 12/06/17 3 Square Topic -  Secure Discovery - Encrypted Data -  AuthenQcated Metadata -  Protected Access: AuthenQcated ParQcipants must have permissions to publish and/or subscribe Circle Topic -  Secure Discovery -  AuthenQcated Data -  AuthenQcated Metadata -  Protected Access: ParQcipants must have permissions to publish and/or subscribe Triangle Topic -  Open Discovery -  Open Data -  Open Access: Any parQcipant may publish and/or subscribe
  • 4.
  • 5.
    DDS Security Demo — Publishing 12/06/17 5 Permissions -  ALLOW Write Square - DENY Write Circle Permissions -  ALLOW Write Circle -  DENY Write Triangle Permissions -  ALLOW Write Triangle -  DENY Write Square Permissions -  ALLOW Write Triangle -  DENY Write Circle
  • 6.
  • 7.
    •  The demo consists of the following scenarios: •  Interoperability Without Security Enabled (SC#0) • Controlled Access to Domain (SC#1) •  Enabling Open Access to Selected Topics (SC#2) •  Data Integrity versus Encryp9on (SC#3) •  Metadata protecQon (SC#4) •  Secure Discovery (SC#5) •  Topic Level Access Control (SC#6) Demo 12/06/17 Copyright © 2017 OMG. All rights reserved. 7
  • 8.
    •  Objec9ve: DDS Security is an extension of DDS —sQll possible to run applicaQons without any protecQon. •  Governance File: Specifies domain 0 as an “open domain”. Governance_SC0_SecurityDisabled.xml • Permission Files: None are needed for this scenario. Permissions_JoinDomain_<VENDOR>.xml •  Applica9ons: Regular and Secured and Shapes Demo SC#0: Interoperability Without Security Copyright © 2017 OMG. All rights reserved. 8 Subscribing to “Square” Expected Result All (Secure) RTI, TwinOaks, Kongsberg Receives All: Square: BLUE, GREEN, MAGENTA , RED, ORANGE All (Not Secure) RTI, TwinOaks, Kongsberg Receives All: Square: BLUE, GREEN, MAGENTA, RED, ORANGE 12/06/17 Publishing RTI SecureShapes BLUE Square TwinOaks SecureShapes GREEN Square Kongsberg SecureShapes MAGENTA Square ADLink RegularShapes RED Square OCI RegularShapes ORANGE Square OFF OFF OFF OFF OFF
  • 9.
    •  Objec9ve: DDS Security can be used to protect access to a DDS Domain. Only applicaQons that can authenQcate and have the proper permissions can join the Domain. •  Governance File: Specifies domain 0 as a "protected domain." Governance_SC1_ProtectedDomain1.xml • Permission Files: Each vendor has its own permissions file. Permissions_JoinDomain_<VENDOR>.xml. •  Applica9ons: Regular and Secured and Shapes Demo SC#1: Controlled Access to Domain Copyright © 2017 OMG. All rights reserved. 9 Subscribing to “Square” Expected Result All (Secure) RTI, TwinOaks, Kongsberg, ADLink Receives only from Secure: Square: BLUE, GREEN, MAGENTA , RED All (Not Secure) RTI, TwinOaks, Kongsberg, OCI, ADLink Receives only from Non-Secure Square: ORANGE 12/06/17 Publishing RTI BLUE Square TwinOaks GREEN Square Kongsberg MAGENTA Square ADLink RED Square OCI ORANGE Square
  • 10.
    Subscribing “Square”, “Circle”, “Triangle” ExpectedResult Receives: RTI (Secure) Read Perm: Circle + Triangle Square: none Circle: GREEN, RED Triangle: BLUE, GREEN, MAGENTA , RED, ORANGE Twin Oaks (Secure) Read Perm: Square + Triangle Square: BLUE, MAGENTA Circle: none Triangle: BLUE, GREEN, MAGENTA, RED, ORANGE Kongsberg (Secure) Read Perm: Square + Circle Square: BLUE, MAGENTA Circle: GREEN, RED Triangle: BLUE, GREEN, MAGENTA, RED, ORANGE ADLink (Secure) Read Perm: Square + Circle Square: BLUE, MAGENTA , Circle: GREEN, RED Triangle: BLUE, GREEN, MAGENTA , RED, ORANGE OCI (Not Secure) Square: ORANGE, Circle: ORANGE Triangle: BLUE, GREEN, MAGENTA, RED, ORANGE •  Objec9ve: Illustrates it is possible to allow access to certain Topics by unsecured applicaQons (e.g, for legacy applicaQons not running DDS Security). •  Governance File: Governance_SC2_ProtectedDomain2.xml •  Allows unauthenQcated parQcipants to join domain 0 •  Square and Circle: • Protected for read/write access • Encrypt/sign metadata • Use secure discovery •  Triangle • Unprotected for read/write access (open to all) • No encrypt/sign • Use regular (unsecured) discovery • Permission Files: Each vendor has its own permissions file. Permissions_TopicLevel_<VENDOR>.xml. • Applica9ons: Regular and Secure and Shapes Demo SC#2: Open Access to Selected Topics Publishing RTI Write Perm: Squares BLUE Square BLUE Circle BLUE Triangle TwinOaks Write Perm: Circle GREEN Square GREEN Circle GREEN Triangle Kongsberg Write Perm: Square MAGENTA Square MAGENTA Circle MAGENTA Triangle ADLink Write Perm: Circle RED Square RED Circle RED Triangle OCI ORANGE Square ORANGE Circle ORANGE Triangle
  • 11.
    •  Objec9ve: Illustrate different kinds of data protecQon. •  Encrypted (EN+SG)—(Encrypt and Sign) protected • Signed data (SG)—vulnerable to snooping but not tampering •  Open data (OD)—vulnerable to tampering •  Governance File: Specifies domain 0 as a "protected domain” Governance_SC3_ProtectedDomain3.xml •  Squares shall be encrypted •  Circles shall be signed •  Triangles are unprotected •  Permission Files: Each vendor has its own permissions file. Permissions_JoinDomain_<VENDOR>.xml. •  Applica9ons: Secured Shapes Demo + Wireshark SC#3: Data Integrity versus Encryp9on Subscribing: Square + Circle + Triangle Expected Result All (Secure) RTI, TwinOaks, Kongsberg, ADLink Square: BLUE, GREEN, MAGENTA, RED Circle: BLUE, GREEN, MAGENTA, RED Triangle: BLUE, GREEN, MAGENTA, RED, ORANGE All (Not Secure) RTI, TwinOaks, Kongsberg, OCI, ADLink Square: Circle: Triangle: BLUE, GREEN, MAGENTA, RED, ORANGE Wireshark Can see Triangle data in the clear Can see Circle data, but it is signed (or OD from OCI) Cannot see Square data—it is encrypted Publishing RTI BLUE Square (EN + SG) ‘#’ BLUE Circle (SG) ‘$’ BLUE Triangle (OD) ‘%’ TwinOaks GREEN Square (EN + SG) ‘#’ GREEN Circle (SG) ‘$’ GREEN Triangle (OD) ‘%’ Kongsberg MAGENTA Square (EN + SG) ‘#’ MAGENTA Circle (SG) ‘$’ MAGENTA Triangle (OD) ‘%‘ ADLink GREEN Square (EN + SG) ‘#’ GREEN Circle (SG) ‘$’ RED Triangle (OD) ‘%’ OCI (not secure) ORANGE Triangle ‘%’ ShapeSizes: Square -> 35 ‘#’ Circle -> 36 ‘$’ Triangle -> 37 ‘%’
  • 12.
    •  Objec9ve: Illustrate concept of protecQng metadata. •  Encrypted (EN+SG)—Encrypt and Signed metadata protected • Signed metadata (SG)—vulnerable to snooping but not tampering •  Open metadata (OD)—vulnerable to tampering •  Governance File: Specifies domain 0 as a "protected domain" Governance_SC4_ProtectedDomain4.xml •  Square metadata shall be encrypted •  Circle metadata shall be signed, •  Triangle metadata is unprotected •  Payload is le open for all topics for illustraQon •  Permission Files: Each vendor has its own permissions file. Permissions_JoinDomain_<VENDOR>.xml. SC#4: Metadata Protec9on Publishing RTI BLUE Square (EN + SG) ‘#’ BLUE Circle (SG) ‘$’ BLUE Triangle (OD) ‘%’ TwinOaks GREEN Square (EN + SG) ‘#’ GREEN Circle (SG) ‘$’ GREEN Triangle (OD) ‘%’ Kongsberg MAGENTA Square (EN+SG) ‘#’ MAGENTA Circle (SG) ‘$’ MAGENTA Triangle (OD) ‘%‘ ADLink RED Square (EN + SG) ‘#’ RED Circle (SG) ‘$’ RED Triangle (OD) ‘%‘ OCI (not secure) ORANGE Triangle ‘%’ Subscribing Expected Result All (Secure) RTI, TwinOaks, Kongsberg, ADLink Square: BLUE, GREEN, MAGENTA, RED Circle: BLUE, GREEN, MAGENTA, RED Triangle: BLUE, GREEN, MAGENTA, RED, ORANGE All (Not Secure) RTI, TwinOaks, Kongsberg, ADLink, OCI Square: Circle: Triangle: BLUE, GREEN, MAGENTA, RED, ORANGE Wireshark Can see Triangle metadata & data Can see Circle metadata, but it is signed Cannot see Square metadata—it is encrypted Also peek at Discovery – It is all clear ShapeSizes: Square -> 35 ‘#’ Circle -> 36 ‘$’ Triangle -> 37 ‘%’
  • 13.
    •  Objec9ve: Illustrates that discovery informaQon also be protected. •  Governance File: Specifies domain 0 as a "protected domain." Governance_SC5_ProtectedDomain5.xml • Topic Triangle data and metadata are neither encrypted nor signed—sent over regular discovery •  Topic Circle data and metadata are signed, but not encrypted—sent over secure discovery •  Topic Square data and metadata are encrypted and signed—sent over secure discovery • Permission Files: Each vendor has its own permissions file. Permissions_JoinDomain_<VENDOR>.xml. • Applica9ons: Secure Shapes Demo SC#5: Secure Discovery Publishing RTI BLUE Square (EN + SG) BLUE Circle (SG) BLUE Triangle (OD) TwinOaks GREEN Square (EN + SG) GREEN Circle (SG) GREEN Triangle (OD) Kongsberg MAGENTA Square (EN+SG) MAGENTA Circle (SG) MAGENTA Triangle (OD) ADLink RED Square (EN + SG) RED Circle (SG) RED Triangle (OD) OCI ORANGE Triangle (OD) Subscribing Square + Circle + Triangle Expected Result All (Secure) RTI, TwinOaks, Kongsberg Square: BLUE, GREEN, MAGENTA, RED Circle: BLUE, GREEN, MAGENTA, RED Triangle: BLUE, GREEN, MAGENTA , RED, ORANGE All (Not Secure) RTI, TwinOaks, Kongsberg, OCI, ADLink Square: Circle: Triangle: BLUE, GREEN, MAGENTA, RED, ORANGE Wireshark Can see Triangle discovery in the clear Cannot see Circle discovery Cannot see Square discovery
  • 14.
    Subscribing Expected Result RTI ReadPerm: Circle + Triangle Subscribes: Square, Circle, Triangle Receives: Square: none Circle: GREEN, RED Triangle: none Twin Oaks Read Perm: Square+Triangle Subscribes: Square, Circle, Triangle Receives: Square: BLUE, MAGENTA Circle: none Triangle: none Kongsberg Read Perm: Square + Circle Subscribes: Square, Circle, Triangle Receives: Square: BLUE Circle: GREEN, RED Triangle: none ADLink Read Perm: Square + Circle Subscribes: Square, Circle, Triangle Receives: Square: BLUE, MAGENTA Circle: GREEN, RED Triangle: none OCI (Not Secure) Triangle: ORANGE •  Objec9ve: Illustrates fine-grain access control at the Topic level. •  Governance File: Specifies domain 0 as a "protected domain." Indicates that Square •  All topics are protected for read/write access. •  All topics are sent over secure discovery •  All topics encrypt and sign metadata •  Governance_SC6_ProtectedDomain6.xml • Permission Files: Each vendor has its own permissions file. Permissions_TopicLevel_<VENDOR>.xml. • Applica9ons: Secure Shapes Demo SC#6: Topic-Level Access Control 12/06/17 Publishing RTI Write Perm: Squares BLUE Square BLUE Circle BLUE Triangle TwinOaks Write Perm: Circle GREEN Square GREEN Circle GREEN Triangle Kongsberg Write Perm: Square MAGENTA Square MAGENTA Circle MAGENTA Triangle ADLink Write Perm: Circle RED Square RED Circle RED Triangle OCI (Not Secure) ORANGE Triangle
  • 15.
    ●  Standard & Interoperable ●  Scalable: Supports mulQcast ● Fine-grain: Control at the Topic-level ●  Flexible: Build your own plugins ●  Generic: Works over any Transport ●  Transparent: No changes to ApplicaQon Code! More powerful that other secure middleware technologies 15
  • 16.