SlideShare a Scribd company logo

DDS Security for the Industrial Internet - London Connext DDS Conference

Download as PPTX, PDF
Gerardo Pardo-Castellote
Gerardo Pardo-Castellote

DDS Security Specification. Overview and relevance to Industrial Internet Applications.

Technology
1 of 37
DDS DDS Security Gerardo Pardo-Castellote, Ph.D. Chief Technology Officer, RTI October 2014
© 2014 Real-Time Innovations, Inc.
Data-Centric Qos-Aware Pub-Sub Model Virtual, decentralized global data space Persistence Service Recording Service © 2014 Real-Time Innovations, Inc. CRUD operations Source (Key) Speed Power Phase WPT1 37.4 122.0 -12.20 WPT2 10.7 74.0 -12.23 WPTN 50.2 150.07 -11.98
Is there a Conflict? © 2014 Real-Time Innovations, Inc. • Security… – desires to restrict communication to only happen between authorized subjects – requires to confidentiality so that only communicating subjects see the information • PubSub/DDS – attempts to create a ‘global information space’ where anybody can access the information it needs – de-couples communications so publishers are unaware of subscribers and vice-versa 4
No Conflict: Security in the Global Information Space The key is to use a net-centric security model • Publishers are decoupled from subscribers via the Global Information Space – This does not mean loss of access control to the information – It means that the Information Space must have an associated security model • DDS can use standard PKI and cryptographic techniques to enforce the security policies • The situation is analogous to access control policies in a file system © 2014 Real-Time Innovations, Inc.
Security Terms: a Safe-Deposit Box • Authentication: The bank knows who you are; you must show ID. • Access Control: The bank only lets those on an access list into your box. • Confidentiality: You are alone in the room Nobody can see the contents of the box. • Integrity: The box is sealed. If anybody touches it you will know. • Non repudiation: You sign when you come in and out so you can’t claim that you weren’t there. • Availability: The bank is always open. © 2014 Real-Time Innovations, Inc.
Threats 1. Unauthorized subscription 2. Unauthorized publication 3. Tampering and replay 4. Unauthorized access to data by infrastructure services Alice: Allowed to publish topic T Bob: Allowed to subscribe to topic T Eve: Non-authorized eavesdropper Trudy: Intruder Trent: Trusted infrastructure service Mallory: Malicious insider 10/27/2014 © 2012 Real-Time Innovations, Inc. - All rights reserved 7 © 2014 Real-Time Innovations, Inc.
Data-centric/multicast Insider Threats • Two insider threats affecting (multicast) data-centric systems are of unique significance 1. Reader mis-behaves as unauthorized writer An application uses knowledge gained as authorized reader to spoof the system as a writer 2. Compromise of Infrastructure Service A service that is trusted to read and write data on behalf of others (e.g. a persistence service ) becomes compromised 10/27/2014 © 2012 Real-Time Innovations, Inc. - All rights reserved 8 © 2014 Real-Time Innovations, Inc.
Session Sequence Number Attack © 2014 Real-Time Innovations, Inc. • Background: – Reliable protocols rely on a session_id and a sequence number to avoid duplicates and detect message loss – RTPS protocol can use GAP messages and HeartBeat messages to advance the session (DataWriter) sequence number • Vulnerability: – An attacker can spoof a packet with the session ID and Hearbeat/GAP causing the DataReader to advance the session sequence-numbers blocking future messages reception – Attacker only needs GUID of the DataWriter to attack, which can be obtained from snooping traffic. – Attack can be used to prevent the Authentication of legitimate Participants
Squatting Attack on GUID © 2014 Real-Time Innovations, Inc. • Background: – DDS DomainParticipants are identified by unique GUID, Readers/Writers derive their GUID from it. – GUID used to uniquely identifies the RTPS sessions and the location of each participant • Vulnerability: – An attacker with legit Identity can authenticate using the GUID of another Participant – Attacker with be accepted with “cuckooed” GUID blocking legitimate Participant from using its GUID – Attacker only needs GUID of the Participant to attack, which can be obtained from snooping traffic.
DDS Security covers 4 related concerns Security Model Security Plugin APIs & Behavior DDS & RTPS support © 2014 Real-Time Innovations, Inc. for Security Builtin Plugins
Security Model Example: UNIX FileSystem (simplified) • Subjects: Users, specifically processes executing on behalf of a specific userid • Protected Objects: Files and Directories • Protected Operations on Objects: – Directory.list, Directory.createFile, Directory.createDir, Directory.removeFile, Directory.removeDir, Directory.renameFile – File.view, File.modify, File.execute © 2014 Real-Time Innovations, Inc. • Access Control Model: – A subject is given a userId and a set of groupId – Each object is assigned a OWNER and a GROUP – Each Object is given a combination of READ, WRITE, EXECUTE permissions for the assigned OWNER and GROUP – Each protected operation is mapped to a check, for example • File.view is allowed if and only if – File.owner == Subject.userId AND File.permissions(OWNER) includes READ – OR File.group IS-IN Subject.groupId[] AND File.permissions(GROUP) includes READ
DDS Security Model © 2014 Real-Time Innovations, Inc. 10/27/2014 © 2012 Real-Time Innovations, Inc. - All rights reserved 13 Concept Unix Filesystem Security Model DDS Security Model Subject User Process executing for a user DomainParticipant Application joining a DDS domain Protected Objects Directories Files Domain (by domain_id) Topic (by Topic name) DataObjects (by Instance/Key) Protected Operations Directory.list, Directory.create (File, Dir) Directory.remove (File, Dir) Directory.rename (File, Dir) File.read, File.write, File.execute Domain.join Topic.create Topic.read (includes QoS) Topic.write (includes QoS) Data.createInstance Data.writeInstance Data.deleteInstance Access Control Policy Control Fixed in Kernel Configurable via Plugin Builtin Access Control Mode Per-File/Dir Read/Write/Execute permissions for OWNER, GROUP, USERS Per-DomainParticipant Permissions : What Domains and Topics it can JOIN/READ/WRITE
Support for Security in DDS & RTPS • DDS Participants need to exchange security information – Certificates for Authentication & Permissions – Handshake messages for mutual authentication and shared-secret establishment – KeyTokens for key-exchange (Including Multicast Key Exchange) • Some reuse of existing DDS mechanisms – Builtin Participant data readers / writers – Discovery topic-types • Addition of secure discovery topics • Addition of a InterparticipantStatelessWriter/Reader • Encryption and signatures introduce new RTPS Submessage and Submessage elements – SecureSubMessage – SecuredData 10/27/2014 © 2012 Real-Time Innovations, Inc. - All rights reserved 14 © 2014 Real-Time Innovations, Inc.
Pluggable Security Architecture certificates application component ? Data cache Transport (e.g. UDP) Crypto Module (e.g. TPM ) © 2014 Real-Time Innovations, Inc. App. AApppp.. Other DDS System Secure DDS middleware Authentication Plugin Access Control Plugin Cryptographic Plugin Secure Kernel Protocol Engine Kernel Policies DDS Entities ? Network Driver Network Encrypted Data Other DDS System Other DDS System Logging Plugin DataTagging Plugin MAC
Platform Independent Interception Pts + SPIs © 2014 Real-Time Innovations, Inc. 10/27/2014 © 2012 Real-Time Innovations, Inc. - All rights reserved 16 Service Plugin Purpose Interactions Authentication Authenticate the principal that is joining a DDS Domain. Handshake and establish shared secret between participants The principal may be an application/process or the user associated with that application or process. Participants may messages to do mutual authentication and establish shared secret Access Control Decide whether a principal is allowed to perform a protected operation. Protected operations include joining a specific DDS domain, creating a Topic, reading a Topic, writing a Topic, etc. Cryptography Perform the encryption and decryption operations. Create & Exchange Keys. Compute digests, compute and verify Message Authentication Codes. Sign and verify signatures of messages. Invoked by DDS middleware to encrypt data compute and verify MAC, compute & verify Digital Signatures Logging Log all security relevant events Invoked by middleware to log Data Tagging Add a data tag for each data sample
Builtin Plugins SPI Builtin Plungin Notes Authentication DDS:Auth:PKI-RSA/DSA-DH Uses PKI with a pre-configured shared Certificate Authority. DSA and Diffie-Hellman for authentication and key exchange Establishes shared secret AccessControl DDS:Access:PKI-Signed- XML-Permissions Governance Document and Permissions Document Each signed by shared Certificate Authority Cryptography DDS:Crypto:AES-CTR-HMAC- RSA/DSA-DH Protected key distribution AES128 and AES256 for encryption (in counter mode) SHA1 and SHA256 for digest HMAC-SHA1 and HMAC-256 for MAC DataTagging Discovered_EndpointTags Send Tags via Endpoint Discovery Logging DedicatedDDS_LogTopic © 2014 Real-Time Innovations, Inc.
DDS Security Flow Authenticate DP? © 2014 Real-Time Innovations, Inc. Domain Participant Create Fails Authenticate Yes DP? No Ignore Remote DP Authenticate Remote DP? No Yes No Yes Access OK? Ignore remote endpoint Message security Endpoint Create Fails Yes Access OK? No Create Domain Participant Create Endpoints Discover remote DP Discover remote Endpoints Send/Receiv e data
Cryptographic SPI at the wire-protocol level Message Transformation RTPS Header RTPS Header © 2014 Real-Time Innovations, Inc. RTPS SubMessage SerializedData RTPS SubMessage SerializedData RTPS SubMessage (*) RTPS SubMessage (*) RTPS SubMessage SecuredData SerializedData RTPS SubMessage (*) RTPS SubMessage SecuredData SerializedData Secure encoding Secure decoding
Crypto-AES-CTR-HMAC-RSA/DSA-DH • Encryption uses AES in counter mode – Similar to SRTP, but enhanced to support multiple topics within a single RTPS message and infrastructure services like a relay or persistence • Use of counter mode turns the AES block cipher into a stream cipher – Each DDS sample is separately encrypted and can be decrypted without process the previous message • This is critical to support DDS QoS like history, content filters, best-efforts etc. • DSA and Diffie-Hellman used for mutual authentication and secure key exchange © 2014 Real-Time Innovations, Inc. MR# 6.5.3
Builtin DDS:Auth:PKI-DSA-DH • Uses shared Certificate Authority (CA) – All Participants pre-configured with shared-CA • Performs mutual authentication between discovered participants using the Digital Signature Algorithm (DSA) • Establishes a shared secret using Diffie-Hellman. © 2014 Real-Time Innovations, Inc.
Remote Participant Authentication Participants detect each other via discovery and exchange Identity and Permission Tokens (Hashes) © 2014 Real-Time Innovations, Inc.
Remote Participant Authentication Each Participant calls validate_remote_identity(). Participant with highest GUID returns PENDING_HANDSHAKE_REQUEST, the other PENDING_HANDSHAKE_MESSAGE © 2014 Real-Time Innovations, Inc.
Remote Participant Authentication Participant1 creates CHALLENGE1 = “CHALLENGE:<nonce> and sends message via ParticipantMessageWriter with messageToken1:= {CHALLENGE1, Identity1, Permissions1} © 2014 Real-Time Innovations, Inc.
Remote Participant Authentication Participant2 validates Identity of Participant1 against CA Participant2 creates CHALLENGE2 := CHALLENGE:<nonce> Participant2 sends to Participant1 message with messageToken2:= { SIGN(HASH(CHALLENGE1#Identity1#Permissions1)), CHALLENGE2, Identity2, © 2014 Real-Time Permissions2} Innovations, Inc.
Part1 validates Identity of Participant2 against CA Part1 verifies SIGN(CHALLENGE1) using Participant2’s PK Part1 computes a SharedSecret Part1 sends message with contents: messageToken3 := { ENCRYPT(SharedSecret), SIGN( HASH(CHALLENGE2 # Identity2 # Permissions2 # ENCRYPT(SharedSecret))) } Encrypt uses Part2’s PK. Remote Participant Authentication 10/27/2014 © 2012 Real-Time Innovations, Inc. - All rights reserved 26 © 2014 Real-Time Innovations, Inc.
Remote Participant Authentication Part2 verifies SIGN( HASH(CHALLENGE2 #Identity2#Permissions2# ENCRYPT(SharedSecret))) 10/27/2014 © 2012 Real-Time Innovations, Inc. - All rights reserved 27 © 2014 Real-Time Innovations, Inc. using Part1’s PK Part2 decrypts ENCRYPT(SharedSecret) using its own PK We have Mutual Authentication and a SharedSecret
Builtin DDS:AC:PKI SPI © 2014 Real-Time Innovations, Inc. • Configured with: – X.509 Certificate of shared Permissions CA – The Domain governance signed by the Permissions CA – The DomainParticipant permissions signed by the Permissions CA • The Domain governance configures – Which topics shall be secured and how – Whether discovery is secured and how • DomainParticipant permissions – Specifies what Domains Id can be joined by the DomainParticipant – Specified which Topics and be Read/Written by the DomainParticipant on each DomainId – Ties to the SubjectName matching the one on IdentityCertificate 10/27/2014 © 2012 Real-Time Innovations, Inc. - All rights reserved 28
Example Domain Governance © 2014 Real-Time Innovations, Inc.
Configuration possibilities • Are “legacy” or un-identified applications allowed in the Domain? Yes or No. – If yes an Unauthenticated applications will: • See the “unsecured” discovery Topics • Be allowed to read/write the “unsecured” Topics • Is a particular Topic discovered over protected discovery? – If so it can only be seen by “authenticated applications” • Is a access particular Topic protected? – If so only authenticated applications with the correct permissions © 2014 Real-Time Innovations, Inc. can read/write • Is data on a particular Topic protected? How? – If so data will be sent signed or encrypted+signed • Are all protocol messages signed? Encrypted? – If so only authenticated applications with right permissions will see anything
Example Permissions © 2014 Real-Time Innovations, Inc.
Secure discovery • Additional built-in endpoints: – DCPSPublicationsSecure – DCPSSubscriptionsSecure • Same discovery topic-data but encrypted & signed • Operation AccessControl::get_endpoint_security_attributes() controls which Topics use Secure Discovery 10/27/2014 © 2012 Real-Time Innovations, Inc. - All rights reserved 32 © 2014 Real-Time Innovations, Inc.
Configuration Possibilities • Is the access to a particular Topic protected? – If so only authenticated applications with the correct permissions can read/write • Is data on a particular Topic protected? How? – If so data will be sent signed or encrypted+signed • Are all protocol messages signed? Encrypted? – If so only authenticated applications with right permissions will see anything © 2014 Real-Time Innovations, Inc.
More Powerful Than Other Secure Middleware Technologies • Standard & Interoperable • Scalable: Supports multicast • Fine-grain: Control Topic-level aspect • Flexible: Build your own plugins • Generic: Works over any Transport • Transparent: No changes to Application Code! © 2014 Real-Time Innovations, Inc.
DDS-Secure Standard Status • The specification was adopted in March 2014. – Considered “Beta” for 1 year – RTI chairing the Finalization Task Force • This specification provides a framework for securing DDS systems. The builtin plugins provide a “common” approach for applications without specialized requirements – It is expected that plugins will be developed to match more specialized deployments and integrate with existing infrastructure. 10/27/2014 © 2012 Real-Time Innovations, Inc. - All rights reserved 35 © 2014 Real-Time Innovations, Inc.
Questions? © 2014 RTI © 2014 Real-Time Innovations, Inc.
Find out more… www.rti.com community.rti.com demo.rti.com www.youtube.com/realtimeinnovations blogs.rti.com www.twitter.com/RealTimeInnov www.facebook.com/RTIsoftware www.slideshare.net/GerardoPardo www.slideshare.net/RealTimeInnovations © 2014 Real-Time Innovations, Inc. dds.omg.org www.omg.org © 2014 RTI

Recommended

Using DDS to Secure the Industrial Internet of Things (IIoT)
Using DDS to Secure the Industrial Internet of Things (IIoT)Using DDS to Secure the Industrial Internet of Things (IIoT)
Using DDS to Secure the Industrial Internet of Things (IIoT)Gerardo Pardo-Castellote
 
OMG Data-Distribution Service Security
OMG Data-Distribution Service SecurityOMG Data-Distribution Service Security
OMG Data-Distribution Service SecurityGerardo Pardo-Castellote
 
OMG DDS Security Standard
OMG DDS Security StandardOMG DDS Security Standard
OMG DDS Security StandardGerardo Pardo-Castellote
 
OMG DDS Security Submission Presentation (September 2013 - 6th Revised Submis...
OMG DDS Security Submission Presentation (September 2013 - 6th Revised Submis...OMG DDS Security Submission Presentation (September 2013 - 6th Revised Submis...
OMG DDS Security Submission Presentation (September 2013 - 6th Revised Submis...Gerardo Pardo-Castellote
 
OMG DDS Security. 4th Revised Submission
OMG DDS Security. 4th Revised SubmissionOMG DDS Security. 4th Revised Submission
OMG DDS Security. 4th Revised SubmissionGerardo Pardo-Castellote
 
DDS Secure Intro
DDS Secure IntroDDS Secure Intro
DDS Secure IntroJohn Breitenbach
 
The Future of Data Management - the Enterprise Data Hub
The Future of Data Management - the Enterprise Data HubThe Future of Data Management - the Enterprise Data Hub
The Future of Data Management - the Enterprise Data HubDataWorks Summit
 
Is Your Data Secure
Is Your Data SecureIs Your Data Secure
Is Your Data SecureReal-Time Innovations (RTI)
 

Recommended

Using DDS to Secure the Industrial Internet of Things (IIoT)
Using DDS to Secure the Industrial Internet of Things (IIoT)Using DDS to Secure the Industrial Internet of Things (IIoT)
Using DDS to Secure the Industrial Internet of Things (IIoT)Gerardo Pardo-Castellote
 
OMG Data-Distribution Service Security
OMG Data-Distribution Service SecurityOMG Data-Distribution Service Security
OMG Data-Distribution Service SecurityGerardo Pardo-Castellote
 
OMG DDS Security Standard
OMG DDS Security StandardOMG DDS Security Standard
OMG DDS Security StandardGerardo Pardo-Castellote
 
OMG DDS Security Submission Presentation (September 2013 - 6th Revised Submis...
OMG DDS Security Submission Presentation (September 2013 - 6th Revised Submis...OMG DDS Security Submission Presentation (September 2013 - 6th Revised Submis...
OMG DDS Security Submission Presentation (September 2013 - 6th Revised Submis...Gerardo Pardo-Castellote
 
OMG DDS Security. 4th Revised Submission
OMG DDS Security. 4th Revised SubmissionOMG DDS Security. 4th Revised Submission
OMG DDS Security. 4th Revised SubmissionGerardo Pardo-Castellote
 
DDS Secure Intro
DDS Secure IntroDDS Secure Intro
DDS Secure IntroJohn Breitenbach
 
The Future of Data Management - the Enterprise Data Hub
The Future of Data Management - the Enterprise Data HubThe Future of Data Management - the Enterprise Data Hub
The Future of Data Management - the Enterprise Data HubDataWorks Summit
 
Is Your Data Secure
Is Your Data SecureIs Your Data Secure
Is Your Data SecureReal-Time Innovations (RTI)
 
Implementing a Secure and Effective PKI on Windows Server 2012 R2
Implementing a Secure and Effective PKI on Windows Server 2012 R2Implementing a Secure and Effective PKI on Windows Server 2012 R2
Implementing a Secure and Effective PKI on Windows Server 2012 R2Frank Lesniak
 
festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Micro
festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Microfestival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Micro
festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Microfestival ICT 2016
 
Comprehensive Hadoop Security for the Enterprise | Part I | Compliance Ready ...
Comprehensive Hadoop Security for the Enterprise | Part I | Compliance Ready ...Comprehensive Hadoop Security for the Enterprise | Part I | Compliance Ready ...
Comprehensive Hadoop Security for the Enterprise | Part I | Compliance Ready ...Cloudera, Inc.
 
SSL/TLS for Mortals (Voxxed Days Luxembourg)
SSL/TLS for Mortals (Voxxed Days Luxembourg)SSL/TLS for Mortals (Voxxed Days Luxembourg)
SSL/TLS for Mortals (Voxxed Days Luxembourg)Maarten Mulders
 
Hadoop and Big Data Security
Hadoop and Big Data SecurityHadoop and Big Data Security
Hadoop and Big Data SecurityChicago Hadoop Users Group
 
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate ServicesInfrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate Serviceskieranjacobsen
 
SafeNet overview 2014
SafeNet overview 2014SafeNet overview 2014
SafeNet overview 2014Sectricity
 
Protect Your Sensitive Data with Gemalto Guidebook
Protect Your Sensitive Data with Gemalto Guidebook Protect Your Sensitive Data with Gemalto Guidebook
Protect Your Sensitive Data with Gemalto Guidebook Exclusive Networks ME
 
Secure channels main deck
Secure channels main deckSecure channels main deck
Secure channels main deckRichard Blech
 
DDoS Defense for the Hosting Provider - Protection for you and your customers
DDoS Defense for the Hosting Provider - Protection for you and your customersDDoS Defense for the Hosting Provider - Protection for you and your customers
DDoS Defense for the Hosting Provider - Protection for you and your customersStephanie Weagle
 
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolInfoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolJisc
 
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeScott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeDigiCert, Inc.
 
GTB Data Leakage Prevention Use Cases 2014
GTB Data Leakage Prevention Use Cases 2014GTB Data Leakage Prevention Use Cases 2014
GTB Data Leakage Prevention Use Cases 2014Ravindran Vasu
 
Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAM
Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAMCómo mejorar la seguridad de los servicios de DNS, DHCP e IPAM
Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAMMundo Contact
 
Infoblox Secure DNS Solution
Infoblox Secure DNS SolutionInfoblox Secure DNS Solution
Infoblox Secure DNS SolutionSrikrupa Srivatsan
 
White Paper: Protecting Your Cloud
White Paper: Protecting Your CloudWhite Paper: Protecting Your Cloud
White Paper: Protecting Your CloudthinkASG
 
Use GFA To Make Someone Fall In Love With You
Use GFA To Make Someone Fall In Love With YouUse GFA To Make Someone Fall In Love With You
Use GFA To Make Someone Fall In Love With YouCameronTait3
 
Honeypots for Cloud Providers - SDN World Congress
Honeypots for Cloud Providers - SDN World CongressHoneypots for Cloud Providers - SDN World Congress
Honeypots for Cloud Providers - SDN World CongressVallie Joseph
 
Gtb Dlp &amp; Irm Solution Product And Deployment Overview
Gtb Dlp &amp; Irm Solution Product And Deployment OverviewGtb Dlp &amp; Irm Solution Product And Deployment Overview
Gtb Dlp &amp; Irm Solution Product And Deployment Overviewgtbsalesindia
 
CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...
CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...
CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...NCCOMMS
 
DDS Security
DDS SecurityDDS Security
DDS SecurityReal-Time Innovations (RTI)
 
The Future of Hadoop Security - Hadoop Summit 2014
The Future of Hadoop Security - Hadoop Summit 2014The Future of Hadoop Security - Hadoop Summit 2014
The Future of Hadoop Security - Hadoop Summit 2014Cloudera, Inc.
 

More Related Content

What's hot

Implementing a Secure and Effective PKI on Windows Server 2012 R2
Implementing a Secure and Effective PKI on Windows Server 2012 R2Implementing a Secure and Effective PKI on Windows Server 2012 R2
Implementing a Secure and Effective PKI on Windows Server 2012 R2Frank Lesniak
 
festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Micro
festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Microfestival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Micro
festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Microfestival ICT 2016
 
Comprehensive Hadoop Security for the Enterprise | Part I | Compliance Ready ...
Comprehensive Hadoop Security for the Enterprise | Part I | Compliance Ready ...Comprehensive Hadoop Security for the Enterprise | Part I | Compliance Ready ...
Comprehensive Hadoop Security for the Enterprise | Part I | Compliance Ready ...Cloudera, Inc.
 
SSL/TLS for Mortals (Voxxed Days Luxembourg)
SSL/TLS for Mortals (Voxxed Days Luxembourg)SSL/TLS for Mortals (Voxxed Days Luxembourg)
SSL/TLS for Mortals (Voxxed Days Luxembourg)Maarten Mulders
 
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate ServicesInfrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate Serviceskieranjacobsen
 
SafeNet overview 2014
SafeNet overview 2014SafeNet overview 2014
SafeNet overview 2014Sectricity
 
Protect Your Sensitive Data with Gemalto Guidebook
Protect Your Sensitive Data with Gemalto Guidebook Protect Your Sensitive Data with Gemalto Guidebook
Protect Your Sensitive Data with Gemalto Guidebook Exclusive Networks ME
 
Secure channels main deck
Secure channels main deckSecure channels main deck
Secure channels main deckRichard Blech
 
DDoS Defense for the Hosting Provider - Protection for you and your customers
DDoS Defense for the Hosting Provider - Protection for you and your customersDDoS Defense for the Hosting Provider - Protection for you and your customers
DDoS Defense for the Hosting Provider - Protection for you and your customersStephanie Weagle
 
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolInfoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolJisc
 
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeScott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeDigiCert, Inc.
 
GTB Data Leakage Prevention Use Cases 2014
GTB Data Leakage Prevention Use Cases 2014GTB Data Leakage Prevention Use Cases 2014
GTB Data Leakage Prevention Use Cases 2014Ravindran Vasu
 
Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAM
Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAMCómo mejorar la seguridad de los servicios de DNS, DHCP e IPAM
Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAMMundo Contact
 
White Paper: Protecting Your Cloud
White Paper: Protecting Your CloudWhite Paper: Protecting Your Cloud
White Paper: Protecting Your CloudthinkASG
 
Use GFA To Make Someone Fall In Love With You
Use GFA To Make Someone Fall In Love With YouUse GFA To Make Someone Fall In Love With You
Use GFA To Make Someone Fall In Love With YouCameronTait3
 
Honeypots for Cloud Providers - SDN World Congress
Honeypots for Cloud Providers - SDN World CongressHoneypots for Cloud Providers - SDN World Congress
Honeypots for Cloud Providers - SDN World CongressVallie Joseph
 
Gtb Dlp &amp; Irm Solution Product And Deployment Overview
Gtb Dlp &amp; Irm Solution Product And Deployment OverviewGtb Dlp &amp; Irm Solution Product And Deployment Overview
Gtb Dlp &amp; Irm Solution Product And Deployment Overviewgtbsalesindia
 
CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...
CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...
CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...NCCOMMS
 

What's hot (20)

Implementing a Secure and Effective PKI on Windows Server 2012 R2
Implementing a Secure and Effective PKI on Windows Server 2012 R2Implementing a Secure and Effective PKI on Windows Server 2012 R2
Implementing a Secure and Effective PKI on Windows Server 2012 R2
 
festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Micro
festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Microfestival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Micro
festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Micro
 
Comprehensive Hadoop Security for the Enterprise | Part I | Compliance Ready ...
Comprehensive Hadoop Security for the Enterprise | Part I | Compliance Ready ...Comprehensive Hadoop Security for the Enterprise | Part I | Compliance Ready ...
Comprehensive Hadoop Security for the Enterprise | Part I | Compliance Ready ...
 
SSL/TLS for Mortals (Voxxed Days Luxembourg)
SSL/TLS for Mortals (Voxxed Days Luxembourg)SSL/TLS for Mortals (Voxxed Days Luxembourg)
SSL/TLS for Mortals (Voxxed Days Luxembourg)
 
Hadoop and Big Data Security
Hadoop and Big Data SecurityHadoop and Big Data Security
Hadoop and Big Data Security
 
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate ServicesInfrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
 
SafeNet overview 2014
SafeNet overview 2014SafeNet overview 2014
SafeNet overview 2014
 
Protect Your Sensitive Data with Gemalto Guidebook
Protect Your Sensitive Data with Gemalto Guidebook Protect Your Sensitive Data with Gemalto Guidebook
Protect Your Sensitive Data with Gemalto Guidebook
 
Secure channels main deck
Secure channels main deckSecure channels main deck
Secure channels main deck
 
DDoS Defense for the Hosting Provider - Protection for you and your customers
DDoS Defense for the Hosting Provider - Protection for you and your customersDDoS Defense for the Hosting Provider - Protection for you and your customers
DDoS Defense for the Hosting Provider - Protection for you and your customers
 
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolInfoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security tool
 
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeScott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
 
GTB Data Leakage Prevention Use Cases 2014
GTB Data Leakage Prevention Use Cases 2014GTB Data Leakage Prevention Use Cases 2014
GTB Data Leakage Prevention Use Cases 2014
 
Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAM
Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAMCómo mejorar la seguridad de los servicios de DNS, DHCP e IPAM
Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAM
 
Infoblox Secure DNS Solution
Infoblox Secure DNS SolutionInfoblox Secure DNS Solution
Infoblox Secure DNS Solution
 
White Paper: Protecting Your Cloud
White Paper: Protecting Your CloudWhite Paper: Protecting Your Cloud
White Paper: Protecting Your Cloud
 
Use GFA To Make Someone Fall In Love With You
Use GFA To Make Someone Fall In Love With YouUse GFA To Make Someone Fall In Love With You
Use GFA To Make Someone Fall In Love With You
 
Honeypots for Cloud Providers - SDN World Congress
Honeypots for Cloud Providers - SDN World CongressHoneypots for Cloud Providers - SDN World Congress
Honeypots for Cloud Providers - SDN World Congress
 
Gtb Dlp &amp; Irm Solution Product And Deployment Overview
Gtb Dlp &amp; Irm Solution Product And Deployment OverviewGtb Dlp &amp; Irm Solution Product And Deployment Overview
Gtb Dlp &amp; Irm Solution Product And Deployment Overview
 
CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...
CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...
CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...
 

Similar to DDS Security for the Industrial Internet - London Connext DDS Conference

The Future of Hadoop Security - Hadoop Summit 2014
The Future of Hadoop Security - Hadoop Summit 2014The Future of Hadoop Security - Hadoop Summit 2014
The Future of Hadoop Security - Hadoop Summit 2014Cloudera, Inc.
 
Four keys to securing distributed control systems and the industrial (IoT)
Four keys to securing distributed control systems and the industrial (IoT)Four keys to securing distributed control systems and the industrial (IoT)
Four keys to securing distributed control systems and the industrial (IoT)Real-Time Innovations (RTI)
 
DDS Security: A Security Model Suitable for Net-Centric for Pub-Sub and Data ...
DDS Security: A Security Model Suitable for Net-Centric for Pub-Sub and Data ...DDS Security: A Security Model Suitable for Net-Centric for Pub-Sub and Data ...
DDS Security: A Security Model Suitable for Net-Centric for Pub-Sub and Data ...Gerardo Pardo-Castellote
 
Comprehensive Security for the Enterprise III: Protecting Data at Rest and In...
Comprehensive Security for the Enterprise III: Protecting Data at Rest and In...Comprehensive Security for the Enterprise III: Protecting Data at Rest and In...
Comprehensive Security for the Enterprise III: Protecting Data at Rest and In...Cloudera, Inc.
 
Fighting cyber fraud with hadoop
Fighting cyber fraud with hadoopFighting cyber fraud with hadoop
Fighting cyber fraud with hadoopNiel Dunnage
 
Ledingkart Meetup #3: Security Basics for Developers
Ledingkart Meetup #3: Security Basics for DevelopersLedingkart Meetup #3: Security Basics for Developers
Ledingkart Meetup #3: Security Basics for DevelopersMukesh Singh
 
Secure Your Data with Fidelis Network® for DLP
Secure Your Data with Fidelis Network® for DLPSecure Your Data with Fidelis Network® for DLP
Secure Your Data with Fidelis Network® for DLPFidelis Cybersecurity
 
Intel boubker el mouttahid
Intel boubker el mouttahidIntel boubker el mouttahid
Intel boubker el mouttahidBigDataExpo
 
Advanced Privileged Identity Management: Moving Beyond the Gateway Approach t...
Advanced Privileged Identity Management: Moving Beyond the Gateway Approach t...Advanced Privileged Identity Management: Moving Beyond the Gateway Approach t...
Advanced Privileged Identity Management: Moving Beyond the Gateway Approach t...SSH Communications Security
 
Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...MongoDB
 
Is Your Hadoop Environment Secure?
Is Your Hadoop Environment Secure?Is Your Hadoop Environment Secure?
Is Your Hadoop Environment Secure?Datameer
 
The DDS Security Standard
The DDS Security StandardThe DDS Security Standard
The DDS Security StandardAngelo Corsaro
 
Cloudera GoDataFest Security and Governance
Cloudera GoDataFest Security and GovernanceCloudera GoDataFest Security and Governance
Cloudera GoDataFest Security and GovernanceGoDataDriven
 
Enterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-upEnterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-upDileep Kalidindi
 
Windows Azure Security & Compliance
Windows Azure Security & ComplianceWindows Azure Security & Compliance
Windows Azure Security & ComplianceNuno Godinho
 
How to write secure code
How to write secure codeHow to write secure code
How to write secure codeFlaskdata.io
 
SC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and IdentitySC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and IdentityFredBrandonAuthorMCP
 

Similar to DDS Security for the Industrial Internet - London Connext DDS Conference (20)

DDS Security
DDS SecurityDDS Security
DDS Security
 
The Future of Hadoop Security - Hadoop Summit 2014
The Future of Hadoop Security - Hadoop Summit 2014The Future of Hadoop Security - Hadoop Summit 2014
The Future of Hadoop Security - Hadoop Summit 2014
 
Four keys to securing distributed control systems and the industrial (IoT)
Four keys to securing distributed control systems and the industrial (IoT)Four keys to securing distributed control systems and the industrial (IoT)
Four keys to securing distributed control systems and the industrial (IoT)
 
DDS Security: A Security Model Suitable for Net-Centric for Pub-Sub and Data ...
DDS Security: A Security Model Suitable for Net-Centric for Pub-Sub and Data ...DDS Security: A Security Model Suitable for Net-Centric for Pub-Sub and Data ...
DDS Security: A Security Model Suitable for Net-Centric for Pub-Sub and Data ...
 
Comprehensive Security for the Enterprise III: Protecting Data at Rest and In...
Comprehensive Security for the Enterprise III: Protecting Data at Rest and In...Comprehensive Security for the Enterprise III: Protecting Data at Rest and In...
Comprehensive Security for the Enterprise III: Protecting Data at Rest and In...
 
Fighting cyber fraud with hadoop
Fighting cyber fraud with hadoopFighting cyber fraud with hadoop
Fighting cyber fraud with hadoop
 
Ledingkart Meetup #3: Security Basics for Developers
Ledingkart Meetup #3: Security Basics for DevelopersLedingkart Meetup #3: Security Basics for Developers
Ledingkart Meetup #3: Security Basics for Developers
 
Secure Your Data with Fidelis Network® for DLP
Secure Your Data with Fidelis Network® for DLPSecure Your Data with Fidelis Network® for DLP
Secure Your Data with Fidelis Network® for DLP
 
Intel boubker el mouttahid
Intel boubker el mouttahidIntel boubker el mouttahid
Intel boubker el mouttahid
 
1784 1788
1784 17881784 1788
1784 1788
 
1784 1788
1784 17881784 1788
1784 1788
 
Advanced Privileged Identity Management: Moving Beyond the Gateway Approach t...
Advanced Privileged Identity Management: Moving Beyond the Gateway Approach t...Advanced Privileged Identity Management: Moving Beyond the Gateway Approach t...
Advanced Privileged Identity Management: Moving Beyond the Gateway Approach t...
 
Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...
 
Is Your Hadoop Environment Secure?
Is Your Hadoop Environment Secure?Is Your Hadoop Environment Secure?
Is Your Hadoop Environment Secure?
 
The DDS Security Standard
The DDS Security StandardThe DDS Security Standard
The DDS Security Standard
 
Cloudera GoDataFest Security and Governance
Cloudera GoDataFest Security and GovernanceCloudera GoDataFest Security and Governance
Cloudera GoDataFest Security and Governance
 
Enterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-upEnterprise Cloud Security - Concepts Mash-up
Enterprise Cloud Security - Concepts Mash-up
 
Windows Azure Security & Compliance
Windows Azure Security & ComplianceWindows Azure Security & Compliance
Windows Azure Security & Compliance
 
How to write secure code
How to write secure codeHow to write secure code
How to write secure code
 
SC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and IdentitySC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and Identity
 

More from Gerardo Pardo-Castellote

DDS, the US Navy, and the Need for Distributed Software
DDS, the US Navy, and the Need for Distributed SoftwareDDS, the US Navy, and the Need for Distributed Software
DDS, the US Navy, and the Need for Distributed SoftwareGerardo Pardo-Castellote
 
Introduction to DDS: Context, Information Model, Security, and Applications.
Introduction to DDS: Context, Information Model, Security, and Applications.Introduction to DDS: Context, Information Model, Security, and Applications.
Introduction to DDS: Context, Information Model, Security, and Applications.Gerardo Pardo-Castellote
 
A Converged Approach to Standards for Industrial Automation
A Converged Approach to Standards for Industrial AutomationA Converged Approach to Standards for Industrial Automation
A Converged Approach to Standards for Industrial AutomationGerardo Pardo-Castellote
 
DDS-Security Interoperability Demo - March 2018
DDS-Security Interoperability Demo - March 2018DDS-Security Interoperability Demo - March 2018
DDS-Security Interoperability Demo - March 2018Gerardo Pardo-Castellote
 
Applying MBSE to the Industrial IoT: Using SysML with Connext DDS and Simulink
Applying MBSE to the Industrial IoT: Using SysML with Connext DDS and SimulinkApplying MBSE to the Industrial IoT: Using SysML with Connext DDS and Simulink
Applying MBSE to the Industrial IoT: Using SysML with Connext DDS and SimulinkGerardo Pardo-Castellote
 
Deep Dive into the OPC UA / DDS Gateway Specification
Deep Dive into the OPC UA / DDS Gateway SpecificationDeep Dive into the OPC UA / DDS Gateway Specification
Deep Dive into the OPC UA / DDS Gateway SpecificationGerardo Pardo-Castellote
 
DDS for eXtremely Resource Constrained Environments 1.0 Beta
DDS for eXtremely Resource Constrained Environments 1.0 BetaDDS for eXtremely Resource Constrained Environments 1.0 Beta
DDS for eXtremely Resource Constrained Environments 1.0 BetaGerardo Pardo-Castellote
 
DDS-Security Interoperability Demo - December 2017
DDS-Security Interoperability Demo - December 2017DDS-Security Interoperability Demo - December 2017
DDS-Security Interoperability Demo - December 2017Gerardo Pardo-Castellote
 
DDS-Security Interoperability Demo - September 2017
DDS-Security Interoperability Demo - September 2017DDS-Security Interoperability Demo - September 2017
DDS-Security Interoperability Demo - September 2017Gerardo Pardo-Castellote
 
Extensible Types for DDS (DDS-XTYPES) version 1.2
Extensible Types for DDS (DDS-XTYPES) version 1.2Extensible Types for DDS (DDS-XTYPES) version 1.2
Extensible Types for DDS (DDS-XTYPES) version 1.2Gerardo Pardo-Castellote
 
Interface Definition Language (IDL) version 4.2
Interface Definition Language (IDL) version 4.2 Interface Definition Language (IDL) version 4.2
Interface Definition Language (IDL) version 4.2 Gerardo Pardo-Castellote
 
DDS for eXtremely Resource Constrained Environments
DDS for eXtremely Resource Constrained EnvironmentsDDS for eXtremely Resource Constrained Environments
DDS for eXtremely Resource Constrained EnvironmentsGerardo Pardo-Castellote
 
DDS-XRCE - Revised Submission Presentation (September 2017)
DDS-XRCE - Revised Submission Presentation (September 2017)DDS-XRCE - Revised Submission Presentation (September 2017)
DDS-XRCE - Revised Submission Presentation (September 2017)Gerardo Pardo-Castellote
 
DDS-XRCE (Extremely Resource Constrained Environments)
DDS-XRCE (Extremely Resource Constrained Environments)DDS-XRCE (Extremely Resource Constrained Environments)
DDS-XRCE (Extremely Resource Constrained Environments)Gerardo Pardo-Castellote
 
DDS - The Proven Data Connectivity Standard for the Industrial IoT (IIoT)
DDS - The Proven Data Connectivity Standard for the Industrial IoT (IIoT)DDS - The Proven Data Connectivity Standard for the Industrial IoT (IIoT)
DDS - The Proven Data Connectivity Standard for the Industrial IoT (IIoT)Gerardo Pardo-Castellote
 

More from Gerardo Pardo-Castellote (20)

DDS, the US Navy, and the Need for Distributed Software
DDS, the US Navy, and the Need for Distributed SoftwareDDS, the US Navy, and the Need for Distributed Software
DDS, the US Navy, and the Need for Distributed Software
 
Introduction to DDS: Context, Information Model, Security, and Applications.
Introduction to DDS: Context, Information Model, Security, and Applications.Introduction to DDS: Context, Information Model, Security, and Applications.
Introduction to DDS: Context, Information Model, Security, and Applications.
 
DDS-TSN OMG Request for Proposals (RFP)
DDS-TSN OMG Request for Proposals (RFP)DDS-TSN OMG Request for Proposals (RFP)
DDS-TSN OMG Request for Proposals (RFP)
 
A Converged Approach to Standards for Industrial Automation
A Converged Approach to Standards for Industrial AutomationA Converged Approach to Standards for Industrial Automation
A Converged Approach to Standards for Industrial Automation
 
Overview of the DDS-XRCE specification
Overview of the DDS-XRCE specificationOverview of the DDS-XRCE specification
Overview of the DDS-XRCE specification
 
DDS-Security Interoperability Demo - March 2018
DDS-Security Interoperability Demo - March 2018DDS-Security Interoperability Demo - March 2018
DDS-Security Interoperability Demo - March 2018
 
Applying MBSE to the Industrial IoT: Using SysML with Connext DDS and Simulink
Applying MBSE to the Industrial IoT: Using SysML with Connext DDS and SimulinkApplying MBSE to the Industrial IoT: Using SysML with Connext DDS and Simulink
Applying MBSE to the Industrial IoT: Using SysML with Connext DDS and Simulink
 
Deep Dive into the OPC UA / DDS Gateway Specification
Deep Dive into the OPC UA / DDS Gateway SpecificationDeep Dive into the OPC UA / DDS Gateway Specification
Deep Dive into the OPC UA / DDS Gateway Specification
 
OPC UA/DDS Gateway version 1.0 Beta
OPC UA/DDS Gateway version 1.0 BetaOPC UA/DDS Gateway version 1.0 Beta
OPC UA/DDS Gateway version 1.0 Beta
 
DDS for eXtremely Resource Constrained Environments 1.0 Beta
DDS for eXtremely Resource Constrained Environments 1.0 BetaDDS for eXtremely Resource Constrained Environments 1.0 Beta
DDS for eXtremely Resource Constrained Environments 1.0 Beta
 
DDS-Security Interoperability Demo - December 2017
DDS-Security Interoperability Demo - December 2017DDS-Security Interoperability Demo - December 2017
DDS-Security Interoperability Demo - December 2017
 
DDS-Security Interoperability Demo - September 2017
DDS-Security Interoperability Demo - September 2017DDS-Security Interoperability Demo - September 2017
DDS-Security Interoperability Demo - September 2017
 
Extensible Types for DDS (DDS-XTYPES) version 1.2
Extensible Types for DDS (DDS-XTYPES) version 1.2Extensible Types for DDS (DDS-XTYPES) version 1.2
Extensible Types for DDS (DDS-XTYPES) version 1.2
 
DDS-Security version 1.1
DDS-Security version 1.1DDS-Security version 1.1
DDS-Security version 1.1
 
Interface Definition Language (IDL) version 4.2
Interface Definition Language (IDL) version 4.2 Interface Definition Language (IDL) version 4.2
Interface Definition Language (IDL) version 4.2
 
DDS Security Specification version 1.0
DDS Security Specification version 1.0DDS Security Specification version 1.0
DDS Security Specification version 1.0
 
DDS for eXtremely Resource Constrained Environments
DDS for eXtremely Resource Constrained EnvironmentsDDS for eXtremely Resource Constrained Environments
DDS for eXtremely Resource Constrained Environments
 
DDS-XRCE - Revised Submission Presentation (September 2017)
DDS-XRCE - Revised Submission Presentation (September 2017)DDS-XRCE - Revised Submission Presentation (September 2017)
DDS-XRCE - Revised Submission Presentation (September 2017)
 
DDS-XRCE (Extremely Resource Constrained Environments)
DDS-XRCE (Extremely Resource Constrained Environments)DDS-XRCE (Extremely Resource Constrained Environments)
DDS-XRCE (Extremely Resource Constrained Environments)
 
DDS - The Proven Data Connectivity Standard for the Industrial IoT (IIoT)
DDS - The Proven Data Connectivity Standard for the Industrial IoT (IIoT)DDS - The Proven Data Connectivity Standard for the Industrial IoT (IIoT)
DDS - The Proven Data Connectivity Standard for the Industrial IoT (IIoT)
 

Recently uploaded

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 

Recently uploaded (20)

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 

DDS Security for the Industrial Internet - London Connext DDS Conference

  • 1. DDS DDS Security Gerardo Pardo-Castellote, Ph.D. Chief Technology Officer, RTI October 2014
  • 2. © 2014 Real-Time Innovations, Inc.
  • 3. Data-Centric Qos-Aware Pub-Sub Model Virtual, decentralized global data space Persistence Service Recording Service © 2014 Real-Time Innovations, Inc. CRUD operations Source (Key) Speed Power Phase WPT1 37.4 122.0 -12.20 WPT2 10.7 74.0 -12.23 WPTN 50.2 150.07 -11.98
  • 4. Is there a Conflict? © 2014 Real-Time Innovations, Inc. • Security… – desires to restrict communication to only happen between authorized subjects – requires to confidentiality so that only communicating subjects see the information • PubSub/DDS – attempts to create a ‘global information space’ where anybody can access the information it needs – de-couples communications so publishers are unaware of subscribers and vice-versa 4
  • 5. No Conflict: Security in the Global Information Space The key is to use a net-centric security model • Publishers are decoupled from subscribers via the Global Information Space – This does not mean loss of access control to the information – It means that the Information Space must have an associated security model • DDS can use standard PKI and cryptographic techniques to enforce the security policies • The situation is analogous to access control policies in a file system © 2014 Real-Time Innovations, Inc.
  • 6. Security Terms: a Safe-Deposit Box • Authentication: The bank knows who you are; you must show ID. • Access Control: The bank only lets those on an access list into your box. • Confidentiality: You are alone in the room Nobody can see the contents of the box. • Integrity: The box is sealed. If anybody touches it you will know. • Non repudiation: You sign when you come in and out so you can’t claim that you weren’t there. • Availability: The bank is always open. © 2014 Real-Time Innovations, Inc.
  • 7. Threats 1. Unauthorized subscription 2. Unauthorized publication 3. Tampering and replay 4. Unauthorized access to data by infrastructure services Alice: Allowed to publish topic T Bob: Allowed to subscribe to topic T Eve: Non-authorized eavesdropper Trudy: Intruder Trent: Trusted infrastructure service Mallory: Malicious insider 10/27/2014 © 2012 Real-Time Innovations, Inc. - All rights reserved 7 © 2014 Real-Time Innovations, Inc.
  • 8. Data-centric/multicast Insider Threats • Two insider threats affecting (multicast) data-centric systems are of unique significance 1. Reader mis-behaves as unauthorized writer An application uses knowledge gained as authorized reader to spoof the system as a writer 2. Compromise of Infrastructure Service A service that is trusted to read and write data on behalf of others (e.g. a persistence service ) becomes compromised 10/27/2014 © 2012 Real-Time Innovations, Inc. - All rights reserved 8 © 2014 Real-Time Innovations, Inc.
  • 9. Session Sequence Number Attack © 2014 Real-Time Innovations, Inc. • Background: – Reliable protocols rely on a session_id and a sequence number to avoid duplicates and detect message loss – RTPS protocol can use GAP messages and HeartBeat messages to advance the session (DataWriter) sequence number • Vulnerability: – An attacker can spoof a packet with the session ID and Hearbeat/GAP causing the DataReader to advance the session sequence-numbers blocking future messages reception – Attacker only needs GUID of the DataWriter to attack, which can be obtained from snooping traffic. – Attack can be used to prevent the Authentication of legitimate Participants
  • 10. Squatting Attack on GUID © 2014 Real-Time Innovations, Inc. • Background: – DDS DomainParticipants are identified by unique GUID, Readers/Writers derive their GUID from it. – GUID used to uniquely identifies the RTPS sessions and the location of each participant • Vulnerability: – An attacker with legit Identity can authenticate using the GUID of another Participant – Attacker with be accepted with “cuckooed” GUID blocking legitimate Participant from using its GUID – Attacker only needs GUID of the Participant to attack, which can be obtained from snooping traffic.
  • 11. DDS Security covers 4 related concerns Security Model Security Plugin APIs & Behavior DDS & RTPS support © 2014 Real-Time Innovations, Inc. for Security Builtin Plugins
  • 12. Security Model Example: UNIX FileSystem (simplified) • Subjects: Users, specifically processes executing on behalf of a specific userid • Protected Objects: Files and Directories • Protected Operations on Objects: – Directory.list, Directory.createFile, Directory.createDir, Directory.removeFile, Directory.removeDir, Directory.renameFile – File.view, File.modify, File.execute © 2014 Real-Time Innovations, Inc. • Access Control Model: – A subject is given a userId and a set of groupId – Each object is assigned a OWNER and a GROUP – Each Object is given a combination of READ, WRITE, EXECUTE permissions for the assigned OWNER and GROUP – Each protected operation is mapped to a check, for example • File.view is allowed if and only if – File.owner == Subject.userId AND File.permissions(OWNER) includes READ – OR File.group IS-IN Subject.groupId[] AND File.permissions(GROUP) includes READ
  • 13. DDS Security Model © 2014 Real-Time Innovations, Inc. 10/27/2014 © 2012 Real-Time Innovations, Inc. - All rights reserved 13 Concept Unix Filesystem Security Model DDS Security Model Subject User Process executing for a user DomainParticipant Application joining a DDS domain Protected Objects Directories Files Domain (by domain_id) Topic (by Topic name) DataObjects (by Instance/Key) Protected Operations Directory.list, Directory.create (File, Dir) Directory.remove (File, Dir) Directory.rename (File, Dir) File.read, File.write, File.execute Domain.join Topic.create Topic.read (includes QoS) Topic.write (includes QoS) Data.createInstance Data.writeInstance Data.deleteInstance Access Control Policy Control Fixed in Kernel Configurable via Plugin Builtin Access Control Mode Per-File/Dir Read/Write/Execute permissions for OWNER, GROUP, USERS Per-DomainParticipant Permissions : What Domains and Topics it can JOIN/READ/WRITE
  • 14. Support for Security in DDS & RTPS • DDS Participants need to exchange security information – Certificates for Authentication & Permissions – Handshake messages for mutual authentication and shared-secret establishment – KeyTokens for key-exchange (Including Multicast Key Exchange) • Some reuse of existing DDS mechanisms – Builtin Participant data readers / writers – Discovery topic-types • Addition of secure discovery topics • Addition of a InterparticipantStatelessWriter/Reader • Encryption and signatures introduce new RTPS Submessage and Submessage elements – SecureSubMessage – SecuredData 10/27/2014 © 2012 Real-Time Innovations, Inc. - All rights reserved 14 © 2014 Real-Time Innovations, Inc.
  • 15. Pluggable Security Architecture certificates application component ? Data cache Transport (e.g. UDP) Crypto Module (e.g. TPM ) © 2014 Real-Time Innovations, Inc. App. AApppp.. Other DDS System Secure DDS middleware Authentication Plugin Access Control Plugin Cryptographic Plugin Secure Kernel Protocol Engine Kernel Policies DDS Entities ? Network Driver Network Encrypted Data Other DDS System Other DDS System Logging Plugin DataTagging Plugin MAC
  • 16. Platform Independent Interception Pts + SPIs © 2014 Real-Time Innovations, Inc. 10/27/2014 © 2012 Real-Time Innovations, Inc. - All rights reserved 16 Service Plugin Purpose Interactions Authentication Authenticate the principal that is joining a DDS Domain. Handshake and establish shared secret between participants The principal may be an application/process or the user associated with that application or process. Participants may messages to do mutual authentication and establish shared secret Access Control Decide whether a principal is allowed to perform a protected operation. Protected operations include joining a specific DDS domain, creating a Topic, reading a Topic, writing a Topic, etc. Cryptography Perform the encryption and decryption operations. Create & Exchange Keys. Compute digests, compute and verify Message Authentication Codes. Sign and verify signatures of messages. Invoked by DDS middleware to encrypt data compute and verify MAC, compute & verify Digital Signatures Logging Log all security relevant events Invoked by middleware to log Data Tagging Add a data tag for each data sample
  • 17. Builtin Plugins SPI Builtin Plungin Notes Authentication DDS:Auth:PKI-RSA/DSA-DH Uses PKI with a pre-configured shared Certificate Authority. DSA and Diffie-Hellman for authentication and key exchange Establishes shared secret AccessControl DDS:Access:PKI-Signed- XML-Permissions Governance Document and Permissions Document Each signed by shared Certificate Authority Cryptography DDS:Crypto:AES-CTR-HMAC- RSA/DSA-DH Protected key distribution AES128 and AES256 for encryption (in counter mode) SHA1 and SHA256 for digest HMAC-SHA1 and HMAC-256 for MAC DataTagging Discovered_EndpointTags Send Tags via Endpoint Discovery Logging DedicatedDDS_LogTopic © 2014 Real-Time Innovations, Inc.
  • 18. DDS Security Flow Authenticate DP? © 2014 Real-Time Innovations, Inc. Domain Participant Create Fails Authenticate Yes DP? No Ignore Remote DP Authenticate Remote DP? No Yes No Yes Access OK? Ignore remote endpoint Message security Endpoint Create Fails Yes Access OK? No Create Domain Participant Create Endpoints Discover remote DP Discover remote Endpoints Send/Receiv e data
  • 19. Cryptographic SPI at the wire-protocol level Message Transformation RTPS Header RTPS Header © 2014 Real-Time Innovations, Inc. RTPS SubMessage SerializedData RTPS SubMessage SerializedData RTPS SubMessage (*) RTPS SubMessage (*) RTPS SubMessage SecuredData SerializedData RTPS SubMessage (*) RTPS SubMessage SecuredData SerializedData Secure encoding Secure decoding
  • 20. Crypto-AES-CTR-HMAC-RSA/DSA-DH • Encryption uses AES in counter mode – Similar to SRTP, but enhanced to support multiple topics within a single RTPS message and infrastructure services like a relay or persistence • Use of counter mode turns the AES block cipher into a stream cipher – Each DDS sample is separately encrypted and can be decrypted without process the previous message • This is critical to support DDS QoS like history, content filters, best-efforts etc. • DSA and Diffie-Hellman used for mutual authentication and secure key exchange © 2014 Real-Time Innovations, Inc. MR# 6.5.3
  • 21. Builtin DDS:Auth:PKI-DSA-DH • Uses shared Certificate Authority (CA) – All Participants pre-configured with shared-CA • Performs mutual authentication between discovered participants using the Digital Signature Algorithm (DSA) • Establishes a shared secret using Diffie-Hellman. © 2014 Real-Time Innovations, Inc.
  • 22. Remote Participant Authentication Participants detect each other via discovery and exchange Identity and Permission Tokens (Hashes) © 2014 Real-Time Innovations, Inc.
  • 23. Remote Participant Authentication Each Participant calls validate_remote_identity(). Participant with highest GUID returns PENDING_HANDSHAKE_REQUEST, the other PENDING_HANDSHAKE_MESSAGE © 2014 Real-Time Innovations, Inc.
  • 24. Remote Participant Authentication Participant1 creates CHALLENGE1 = “CHALLENGE:<nonce> and sends message via ParticipantMessageWriter with messageToken1:= {CHALLENGE1, Identity1, Permissions1} © 2014 Real-Time Innovations, Inc.
  • 25. Remote Participant Authentication Participant2 validates Identity of Participant1 against CA Participant2 creates CHALLENGE2 := CHALLENGE:<nonce> Participant2 sends to Participant1 message with messageToken2:= { SIGN(HASH(CHALLENGE1#Identity1#Permissions1)), CHALLENGE2, Identity2, © 2014 Real-Time Permissions2} Innovations, Inc.
  • 26. Part1 validates Identity of Participant2 against CA Part1 verifies SIGN(CHALLENGE1) using Participant2’s PK Part1 computes a SharedSecret Part1 sends message with contents: messageToken3 := { ENCRYPT(SharedSecret), SIGN( HASH(CHALLENGE2 # Identity2 # Permissions2 # ENCRYPT(SharedSecret))) } Encrypt uses Part2’s PK. Remote Participant Authentication 10/27/2014 © 2012 Real-Time Innovations, Inc. - All rights reserved 26 © 2014 Real-Time Innovations, Inc.
  • 27. Remote Participant Authentication Part2 verifies SIGN( HASH(CHALLENGE2 #Identity2#Permissions2# ENCRYPT(SharedSecret))) 10/27/2014 © 2012 Real-Time Innovations, Inc. - All rights reserved 27 © 2014 Real-Time Innovations, Inc. using Part1’s PK Part2 decrypts ENCRYPT(SharedSecret) using its own PK We have Mutual Authentication and a SharedSecret
  • 28. Builtin DDS:AC:PKI SPI © 2014 Real-Time Innovations, Inc. • Configured with: – X.509 Certificate of shared Permissions CA – The Domain governance signed by the Permissions CA – The DomainParticipant permissions signed by the Permissions CA • The Domain governance configures – Which topics shall be secured and how – Whether discovery is secured and how • DomainParticipant permissions – Specifies what Domains Id can be joined by the DomainParticipant – Specified which Topics and be Read/Written by the DomainParticipant on each DomainId – Ties to the SubjectName matching the one on IdentityCertificate 10/27/2014 © 2012 Real-Time Innovations, Inc. - All rights reserved 28
  • 29. Example Domain Governance © 2014 Real-Time Innovations, Inc.
  • 30. Configuration possibilities • Are “legacy” or un-identified applications allowed in the Domain? Yes or No. – If yes an Unauthenticated applications will: • See the “unsecured” discovery Topics • Be allowed to read/write the “unsecured” Topics • Is a particular Topic discovered over protected discovery? – If so it can only be seen by “authenticated applications” • Is a access particular Topic protected? – If so only authenticated applications with the correct permissions © 2014 Real-Time Innovations, Inc. can read/write • Is data on a particular Topic protected? How? – If so data will be sent signed or encrypted+signed • Are all protocol messages signed? Encrypted? – If so only authenticated applications with right permissions will see anything
  • 31. Example Permissions © 2014 Real-Time Innovations, Inc.
  • 32. Secure discovery • Additional built-in endpoints: – DCPSPublicationsSecure – DCPSSubscriptionsSecure • Same discovery topic-data but encrypted & signed • Operation AccessControl::get_endpoint_security_attributes() controls which Topics use Secure Discovery 10/27/2014 © 2012 Real-Time Innovations, Inc. - All rights reserved 32 © 2014 Real-Time Innovations, Inc.
  • 33. Configuration Possibilities • Is the access to a particular Topic protected? – If so only authenticated applications with the correct permissions can read/write • Is data on a particular Topic protected? How? – If so data will be sent signed or encrypted+signed • Are all protocol messages signed? Encrypted? – If so only authenticated applications with right permissions will see anything © 2014 Real-Time Innovations, Inc.
  • 34. More Powerful Than Other Secure Middleware Technologies • Standard & Interoperable • Scalable: Supports multicast • Fine-grain: Control Topic-level aspect • Flexible: Build your own plugins • Generic: Works over any Transport • Transparent: No changes to Application Code! © 2014 Real-Time Innovations, Inc.
  • 35. DDS-Secure Standard Status • The specification was adopted in March 2014. – Considered “Beta” for 1 year – RTI chairing the Finalization Task Force • This specification provides a framework for securing DDS systems. The builtin plugins provide a “common” approach for applications without specialized requirements – It is expected that plugins will be developed to match more specialized deployments and integrate with existing infrastructure. 10/27/2014 © 2012 Real-Time Innovations, Inc. - All rights reserved 35 © 2014 Real-Time Innovations, Inc.
  • 36. Questions? © 2014 RTI © 2014 Real-Time Innovations, Inc.
  • 37. Find out more… www.rti.com community.rti.com demo.rti.com www.youtube.com/realtimeinnovations blogs.rti.com www.twitter.com/RealTimeInnov www.facebook.com/RTIsoftware www.slideshare.net/GerardoPardo www.slideshare.net/RealTimeInnovations © 2014 Real-Time Innovations, Inc. dds.omg.org www.omg.org © 2014 RTI