DDS Secure Intro
2. Agenda
• RTI Company Overview
• Security requirements of modern distributed systems
• Step-by-step guidance on implementing a secure
connectivity model
• Considerations when upgrading to Connext DDS Secure
• Leveraging RTI’s tool suite to develop and debug DDS Secure
applications
• Wrap Up
©2020 Real-Time Innovations, Inc.
3. Goals
• 3 main goals:
– Understand basic DDS Secure concepts
– Steps to move non-secure app to DDS Secure
– Learn how to use RTI tools w/ Secure
• Focus is on setting up as a CA & self-signing artifacts
• Leverage Shapes to demo the concepts & artifacts
• Wireshark to show crypto is working
• Instrument Secure
• Consider a Secure Architecture Review
4. RTI Overview
RTI is the largest IIoT connectivity software vendor
– Focus on autonomous systems
– 1600+ designs, many real-world programs across industries
– 600+ research programs
– Technology Readiness Level (TRL) 9
10. Data-Centric: Better for Integration
Data centricity reduces complexity and enables interoperation and integration
[Figure: two parallel transitions. Data at Rest: unstructured files become a database through data centricity. Data in Motion: connectivity software becomes a databus (DDS) through data centricity.]
11. Data-Centric Publish/Subscribe
[Figure: applications connected through the Connext Databus, exchanging the three topics below]
Track Topic: sensorId (id); location {x: float, y: float, z: float}; velocity {x: float, y: float, z: float}
Command Topic: deviceId (id); command (string)
Status Topic: deviceId (id); status (enum)
Filter expression shown in the figure: location.z < 5000
12. Threats
Actors:
Alice: Allowed to publish topic T
Bob: Allowed to subscribe to topic T
Eve: Non-authorized eavesdropper
Trudy: Intruder
Trent: Trusted infrastructure service
Mallory: Malicious insider
Threats:
1. Unauthorized subscription
2. Unauthorized publication
3. Tampering and replay
4. Unauthorized access to data by infrastructure services
[Figure: DDS Databus connecting Alice, Bob, Eve, Trudy, Trent and Mallory, with threats 1-4 marked next to the actors that pose them]
13. The network is the adversary
The adversary has the following capabilities:
– can obtain any message passing through the network
– is a legit user of the network and thus can initiate and participate
in a conversation with any other user
– can become the receiver of messages
– can send messages to anybody through impersonation
– any message sent will go through adversary
– any message received has gone through adversary
14. Defense in depth
1. System edge
2. Host
– Machine/OS/Applications/Files
3. Network transport
– Media access (layer 2)
– Network (layer 3)
– Session/Endpoint (layer 4/5)
4. Dataflow
– Control observations and modifications of data
– This is addressed by DDS Security
15. Brokered Security vs DDS Security
[Figure: left, a server-based system in which every App talks through a central Server or Broker; right, DDS Secure, in which the Apps exchange data directly, including over multicast]
16. RTI Connext DDS Secure
• Based on the OMG DDS Security Standard
• Built-in Plugins
– Little to no application development
• Run over any transport
– UDP, shared memory, TCP, …
• Completely decentralized
– High performance and scalability
– No single point of failure
• Connext Security Customization Package
[Figure: the Application sits on the RTI Core Library, whose security plugins are Authentication, Access Control, Cryptography, Data Tagging and Logging; underneath is any transport (e.g., UDP uni/multicast, shared memory, TCP, …)]
17. Security Designed for Real-Time Systems
• Configure the right level of security for each topic
– Unprotected for non-sensitive data
– Integrity Protection for data that must be trusted but not private
– Additional confidentiality for data that must be private
• Optimize tradeoffs between security, CPU overhead, throughput and latency
[Figure: Sensor, CBM, Analysis, Control and Operator participants exchanging the State, Statistics and SetPoint topics]
Data Topic Security model:
• State: Integrity
• Statistics: Unprotected
• SetPoint: Confidentiality + Integrity
18. Security Designed for Real-Time Systems
• Apply Principle of Least Privilege
– Authorize or deny access to trusted parties on a “need-to-know” basis
– Share symmetric keys accordingly
• Trust Participants via mutual authentication
– Trust is the foundation of access authorization
– Built-in authentication mechanisms are based on PKI
[Figure: the same Sensor, CBM, Analysis, Control and Operator participants and State, Statistics and SetPoint topics as on slide 17]
Data Topic Security model (r = read, w = write):
• Sensor: State(w)
• CBM: State(r); Statistics(w)
• Control: State(r), SetPoint(w)
• Operator: *(r), SetPoint(w)
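The slide-18 model written down as a DDS Security permissions document, as an added example that is not part of the deck and not one of RTI's product files: a small POSIX shell script that emits one <grant> per participant (Sensor, CBM, Control, Operator) with exactly the publish/subscribe rights listed above and <default>DENY</default> for everything else, which is what "need-to-know" means in this plugin. The subject names (CN=sensor,O=Example and so on), the domain id and the validity window are assumptions; the element names follow the OMG DDS Security permissions schema. The output still has to be S/MIME-signed by the Permissions CA before a participant will load it.

```shell
#!/bin/sh
# Added example (not RTI's code): emit a DDS Security permissions document
# for the slide-18 "need-to-know" model.  Subject names, the domain id and
# the validity window are assumptions; element names follow the OMG
# DDS Security permissions schema.  The result must still be S/MIME-signed
# by the Permissions CA before a participant will accept it.

DOMAIN=1                           # assumed domain id for the model
NOT_BEFORE=2020-01-01T00:00:00     # assumed validity window
NOT_AFTER=2030-01-01T00:00:00

# topic_list "A,B" -> <topics><topic>A</topic><topic>B</topic></topics>
topic_list() {
    printf '<topics><topic>%s</topic></topics>' \
        "$(printf '%s' "$1" | sed 's#,#</topic><topic>#g')"
}

# grant_xml NAME SUBJECT DOMAIN PUB_TOPICS SUB_TOPICS -> one <grant>.
# An empty PUB_TOPICS or SUB_TOPICS omits that section; the DENY default
# means the participant may only do what is explicitly listed.
# SUBJECT must match the subject of the participant's identity certificate
# (RFC 4514 form assumed here).
grant_xml() {
    printf '    <grant name="%s">\n' "$1"
    printf '      <subject_name>%s</subject_name>\n' "$2"
    printf '      <validity>\n        <not_before>%s</not_before>\n        <not_after>%s</not_after>\n      </validity>\n' \
        "$NOT_BEFORE" "$NOT_AFTER"
    printf '      <allow_rule>\n        <domains><id>%s</id></domains>\n' "$3"
    if [ -n "$4" ]; then printf '        <publish>%s</publish>\n' "$(topic_list "$4")"; fi
    if [ -n "$5" ]; then printf '        <subscribe>%s</subscribe>\n' "$(topic_list "$5")"; fi
    printf '      </allow_rule>\n      <default>DENY</default>\n    </grant>\n'
}

# write_permissions FILE -> the four slide-18 grants in one document; the
# access-control plugin applies the grant whose subject_name matches the
# identity certificate of the participant loading the file
write_permissions() {
    {
        printf '<?xml version="1.0" encoding="UTF-8"?>\n<dds>\n  <permissions>\n'
        grant_xml Sensor   "CN=sensor,O=Example"   "$DOMAIN" "State"      ""
        grant_xml CBM      "CN=cbm,O=Example"      "$DOMAIN" "Statistics" "State"
        grant_xml Control  "CN=control,O=Example"  "$DOMAIN" "SetPoint"   "State"
        grant_xml Operator "CN=operator,O=Example" "$DOMAIN" "SetPoint"   "*"
        printf '  </permissions>\n</dds>\n'
    } > "$1"
}

# usage: sh permissions.sh Permissions.xml
if [ $# -gt 0 ]; then write_permissions "$1"; fi
```

Keeping the grants in one file is handy for a test system; for deployment each participant only needs a signed copy containing its own grant, and the subject_name check is what stops a participant from borrowing a neighbour's rights.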
19. Builtin Security Plugins
Security Plugin | Plugin Description
Authentication | X.509 Public Key Infrastructure (PKI) with a pre-configured shared Certificate Authority (CA); RSA or (EC) Digital Signature Algorithm ((EC)DSA) with (EC) Diffie-Hellman for shared secret establishment
Access Control | Specified via permissions file signed by shared CA; control over ability to join systems, read or write data topics
Cryptography | Protected symmetric key distribution; AES-GCM-128 and AES-GCM-256 for authenticated encryption; GMAC variants for integrity protection only
Data Tagging | Tags specify security metadata, such as classification level; can be used to determine access privileges (via plugin)
Logging | Log security events to a file or distribute securely over Connext DDS
20. DDS Secure
[Figure: the Connext DDS Secure product stack]
– Connext DDS Core: DDS Pub/Sub, Messaging/RPC, DDS XTYPES, RTPS, Pluggable Transports, Security; APIs: C, C++, C#, Java, Ada
– Connext Tools: Code Generation, Admin, DDS Spy, Monitoring, Ping
– 3rd Party Tools: Excel, Wireshark
– Connext Services: Data Routing, Data Queuing, Web Integration, Recording & Replay, Database Integration, Persistence
– Platforms: Windows, Linux, Unix, macOS, RTOS
22. Latency and Throughput Benchmarks
• Platforms
– Intel i7 6-core CPU 3.33GHz
– Intel I350 Gigabit NIC
– 12 GB RAM
– CentOS Linux 7.1
– API: C++
• Cryptography
– OpenSSL 1.0.2o built-in algorithms
– GMAC-AES128 for MAC only (without encryption)
– AES-128-GCM for encrypt
• Network
– D-Link DXS-3350 SR Switch
– Dual 10-Gigabit stackable ports
– 4MB packet buffer size
– 10/100/1000 Base-T interfaces
23. Latency for 1024 Byte Samples
[Bar chart: Latency (μs), y-axis 0 to 80; x-axis labels as printed: No Security, HMACed RTPS, HMACed RTPS, Encrypt User Data, Encrypt Submessage]
24. Throughput for 1024 Byte Sample
[Bar chart: Throughput (Mbps), y-axis 0 to 1000; x-axis labels as printed: No Security, HMACed RTPS, HMACed RTPS, Encrypt User Data, Encrypt Submessage]
27. Configuring & Deploying DDS Security
[Figure, built up over slides 27-34: the artifacts one participant (P1) needs and which CA signs which]
– Identity CA Certificate: signs P1's Identity Certificate
– P1 Private Key: the key pair behind P1's Identity Certificate; stays on P1's host
– Permissions CA Certificate: signs the Governance File and P1's Permissions File
– QoS XML Config (added on slide 32): points the participant at all of the above; see slide 37
– Common to/installed on all participants (slide 34): the Identity CA Certificate, the Permissions CA Certificate and the Governance File; the Identity Certificate, Private Key and Permissions File are specific to each participant
37. Security Configuration
<qos_profile name="SecurityExample" base_name="BuiltinQosLib::Generic.Security">
  <participant_qos>
    <property>
      <value>
        <!-- Authentication plugin: the CA that issued this participant's identity, its certificate and its private key -->
        <element>
          <name>dds.sec.auth.identity_ca</name>
          <value>file:../../../dds_security/cert/cacertECdsa.pem</value>
        </element>
        <element>
          <name>dds.sec.auth.identity_certificate</name>
          <value>file:../../../dds_security/cert/peer1ECdsa.pem</value>
        </element>
        <element>
          <name>dds.sec.auth.private_key</name>
          <value>file:../../../dds_security/cert/peer1keyECdsa.pem</value>
        </element>
        <!-- Access control plugin: the CA that signed the governance and permissions documents, and the signed documents themselves -->
        <element>
          <name>dds.sec.access.permissions_ca</name>
          <value>file:../../../dds_security/cert/cacertECdsa.pem</value>
        </element>
        <element>
          <name>dds.sec.access.governance</name>
          <value>file:../../../dds_security/xml/signed/signed_Governance.p7s</value>
        </element>
        <element>
          <name>dds.sec.access.permissions</name>
          <value>file:../../../dds_security/xml/signed/signed_PermissionsA.p7s</value>
        </element>
      </value>
    </property>
  </participant_qos>
</qos_profile>
In this profile the same cacertECdsa.pem is used as Identity CA and as Permissions CA, i.e. the shared CA from slide 19.
38. Functional Requirements
• Algorithms
• Business Logic
• Data Content
• Events and Reports
• Explicit dependencies
Transition to DDS Secure changes none of these!
39. Non-Functional Requirements
• Scalability – Affected?
• Performance – Affected?
• Capacity – Affected?
• Availability – Not Affected
• Reliability – Not Affected
• Resiliency – Not Affected
• Maintainability – Affected?
• Serviceability – Affected?
• Usability – Not Affected
• Interoperability – Affected?
41. Steps to add DDS Secure to your system: Phase 1
1. Download & install
2. Setup to self-sign certificates
3. Generate some certs to use for testing w/ Shapes
4. Use Shapes to setup basic governance and permissions
files
5. Start w/ basic authentication (point to certs in QoS file)
6. Add read/write permissions
7. Add crypto last
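Phase 1 steps 2-4 carried out in working form, as an added example that is not one of RTI's scripts: a POSIX shell script that makes you a CA, issues a test identity certificate, S/MIME-signs a governance document with the CA (the .p7s files the slide-37 profile points at) and checks both signatures the way a participant would at load time. One CA plays both the Identity CA and the Permissions CA role, matching the deck's "shared CA"; the file names, subject names, validity periods and the minimal governance content are assumptions. It needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not RTI's scripts): set yourself up as a CA and self-sign
# the DDS Security artifacts, as Phase 1 steps 2-4 describe.  One CA serves
# as both Identity CA and Permissions CA (the deck's "shared CA").  File
# names, subject names and validity periods are assumptions.  Needs openssl.
set -e

# make_ca DIR NAME -> self-signed ECDSA (P-256) CA certificate and key.
# The CA key signs identities and documents; it is never deployed.
make_ca() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2_key.pem"
    openssl req -new -x509 -key "$1/$2_key.pem" -days 3650 \
        -subj "/O=ShapesDemo/CN=$2" -out "$1/$2_cert.pem"
}

# issue_identity DIR CA PEER -> identity certificate for one participant.
# Only the CSR goes to the CA; the participant keeps its private key.
issue_identity() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/$3_key.pem"
    openssl req -new -key "$1/$3_key.pem" -subj "/O=ShapesDemo/CN=$3" \
        -out "$1/$3.csr"
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2_cert.pem" \
        -CAkey "$1/$2_key.pem" -CAcreateserial -days 365 -out "$1/$3_cert.pem"
}

# sign_document DIR CA NAME.xml -> signed_NAME.p7s: an S/MIME signature over
# a governance or permissions XML that the access-control plugin checks
# against the Permissions CA certificate
sign_document() {
    openssl smime -sign -in "$1/$3" -text -out "$1/signed_${3%.xml}.p7s" \
        -signer "$1/$2_cert.pem" -inkey "$1/$2_key.pem"
}

# verify_document DIR CA FILE.p7s -> 0 only if the signature is intact and
# was made by the CA (what a participant checks when loading the file)
verify_document() {
    openssl smime -verify -in "$1/$3" -CAfile "$1/$2_cert.pem" -out /dev/null
}

# verify_identity DIR CA PEER -> 0 only if PEER's certificate chains to the CA
verify_identity() {
    openssl verify -CAfile "$1/$2_cert.pem" "$1/$3_cert.pem" >/dev/null
}

# demo -> prints a directory holding the CA, one identity (peer1) and a
# signed governance document; the governance content is a constructed
# minimal file (one domain, RTPS signed, payload encrypted)
demo() {
    dir=$(mktemp -d)
    make_ca "$dir" demoCA 2>/dev/null
    issue_identity "$dir" demoCA peer1 2>/dev/null
    cat > "$dir/Governance.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<dds>
  <domain_access_rules>
    <domain_rule>
      <domains><id>0</id></domains>
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <enable_join_access_control>true</enable_join_access_control>
      <discovery_protection_kind>NONE</discovery_protection_kind>
      <liveliness_protection_kind>NONE</liveliness_protection_kind>
      <rtps_protection_kind>SIGN</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>false</enable_discovery_protection>
          <enable_liveliness_protection>false</enable_liveliness_protection>
          <enable_read_access_control>true</enable_read_access_control>
          <enable_write_access_control>true</enable_write_access_control>
          <metadata_protection_kind>NONE</metadata_protection_kind>
          <data_protection_kind>ENCRYPT</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
EOF
    sign_document "$dir" demoCA Governance.xml
    verify_document "$dir" demoCA signed_Governance.p7s 2>/dev/null
    echo "$dir"
}
```

The same sign_document call produces the signed permissions file; the two verification functions are the checks worth keeping in a build pipeline, because an identity that does not chain to the Identity CA, or a governance file altered after signing, is exactly what the plugins reject at startup.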
42. Steps to add DDS Secure to your system: Phase 2
1. Modify your build system to link w/ Secure libraries
2. and/or modify your QoS files to load Secure libs & point to
certs, etc.
3. Start w/ basic authentication
4. Add read/write permissions
5. Add crypto last
6. Benchmark performance
44. Domains used in demo
Domain | Notes | Effect / how to demo
0 | No protections, allow unauthorized participants | Share data between all apps
1 | Add R access control to Squares; add W access control to Circle; add R/W access control on Triangle | Pub/sub all 3 topics, non-secure on the left, secure on the right; pub on top, sub on bottom. Have trireader try to publish triangles
2 | Don’t allow unauthenticated participants | Show no data flows between secure & non-secure Shapes
3 | RTPS data now signed | Wireshark
4 | Topic payload now encrypted | Wireshark
5 | Topic metadata now encrypted | Wireshark
6 | RTPS data now encrypted | Wireshark

Topic | Read access control | Write access control | Effect
Square | True | False | Only secure readers get data from secure writers (L to H, not H to L)
Circle | False | True | Readers only get data from secure writers (H to L, not L to H)
Triangle | True | True | Readers and writers must both be secure (L to L, H to H, no others)
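The seven demo domains as a single Governance document, as an added example that is neither the demo's own file nor RTI code: a POSIX shell script with one generator function per element kind, so that the per-topic protection choices of slide 17 (unprotected, integrity, confidentiality) and the per-domain steps of slide 44 are each a one-line change. The element names and the values NONE, SIGN and ENCRYPT come from the OMG DDS Security Governance schema; the mapping of each slide-44 step onto a setting (for example "RTPS data now signed" onto rtps_protection_kind SIGN, "Topic metadata now encrypted" onto metadata_protection_kind ENCRYPT) is this example's reading of the slide and is an assumption. Discovery and liveliness protection are left at NONE because the slides do not cover them.

```shell
#!/bin/sh
# Added example (not the demo's own file and not RTI code): generate the
# DDS Security Governance document behind the seven demo domains on slide 44.
# Element names and values follow the OMG DDS Security Governance schema;
# how each slide-44 step maps to a setting is this example's reading of the
# slide (an assumption), spelled out per domain in demo_domain.

# topic_rule EXPR READ_AC WRITE_AC META_KIND DATA_KIND -> one <topic_rule>
topic_rule() {
    cat <<EOF
        <topic_rule>
          <topic_expression>$1</topic_expression>
          <enable_discovery_protection>false</enable_discovery_protection>
          <enable_liveliness_protection>false</enable_liveliness_protection>
          <enable_read_access_control>$2</enable_read_access_control>
          <enable_write_access_control>$3</enable_write_access_control>
          <metadata_protection_kind>$4</metadata_protection_kind>
          <data_protection_kind>$5</data_protection_kind>
        </topic_rule>
EOF
}

# shapes_rules META_KIND DATA_KIND -> the slide-44 per-topic policy:
# Square read-controlled, Circle write-controlled, Triangle both
shapes_rules() {
    topic_rule Square   true  false "$1" "$2"
    topic_rule Circle   false true  "$1" "$2"
    topic_rule Triangle true  true  "$1" "$2"
}

# domain_rule ID ALLOW_UNAUTH JOIN_AC RTPS_KIND TOPIC_RULES -> one <domain_rule>
domain_rule() {
    cat <<EOF
    <domain_rule>
      <domains><id>$1</id></domains>
      <allow_unauthenticated_participants>$2</allow_unauthenticated_participants>
      <enable_join_access_control>$3</enable_join_access_control>
      <discovery_protection_kind>NONE</discovery_protection_kind>
      <liveliness_protection_kind>NONE</liveliness_protection_kind>
      <rtps_protection_kind>$4</rtps_protection_kind>
      <topic_access_rules>
$5
      </topic_access_rules>
    </domain_rule>
EOF
}

# demo_domain N -> the <domain_rule> for demo domain N (0..6); each step
# keeps the settings of the step before it, as the slide's "now" implies
demo_domain() {
    case $1 in
        0) domain_rule 0 true  false NONE    "$(topic_rule '*' false false NONE NONE)" ;;
        1) domain_rule 1 true  true  NONE    "$(shapes_rules NONE NONE)" ;;       # R/W access control
        2) domain_rule 2 false true  NONE    "$(shapes_rules NONE NONE)" ;;       # no unauthenticated
        3) domain_rule 3 false true  SIGN    "$(shapes_rules NONE NONE)" ;;       # RTPS signed (HMAC)
        4) domain_rule 4 false true  SIGN    "$(shapes_rules NONE ENCRYPT)" ;;    # payload encrypted
        5) domain_rule 5 false true  SIGN    "$(shapes_rules ENCRYPT ENCRYPT)" ;; # metadata encrypted too
        6) domain_rule 6 false true  ENCRYPT "$(shapes_rules ENCRYPT ENCRYPT)" ;; # whole RTPS message encrypted
        *) echo "unknown demo domain: $1" >&2; return 1 ;;
    esac
}

# write_governance FILE -> complete (unsigned) governance document
write_governance() {
    {
        printf '<?xml version="1.0" encoding="UTF-8"?>\n<dds>\n  <domain_access_rules>\n'
        for d in 0 1 2 3 4 5 6; do demo_domain "$d"; done
        printf '  </domain_access_rules>\n</dds>\n'
    } > "$1"
}

# usage: sh governance.sh Governance.xml   (then sign it with the Permissions CA)
if [ $# -gt 0 ]; then write_governance "$1"; fi
```

Domains 4 and 5 are the pair to compare in Wireshark: in 4 the payload is ciphertext but the submessage metadata (sequence numbers and the like) is still readable; in 5 metadata_protection_kind hides that as well, and 6 finally wraps the whole RTPS message.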
46. Domain 0 – No protections
Non-Secure App Secure App
47. Domain 1 – Write protections on Circles, Triangles
Non-Secure App Secure App
48. Domain 2 – Unauthenticated NOT allowed
Non-Secure App Secure App
49. Domain 3 – rtps_protection_kind = SIGN
HMAC added to message
No encryption
50. Domain 4 – Add encryption of topic data
Payload now encrypted
Metadata visible (i.e. sequence #)
51. Domain 5 – Encrypt topic metadata and payload
Payload encrypted
Metadata not visible
52. Domain 6 – rtps_protection_kind = ENCRYPT
Entire RTPS message encrypted
53. Free RTI Connext Evaluation
https://www.rti.com/free-trial
• Fully functional version of Connext DDS Professional
• With monitoring, debug and visualization tools
• Includes Shapes Demo
• Runs on Windows, Linux and MacOS
• Runs for 30 days
54. RTI’s Resources
• Community.rti.com
– Complete RTI product documentation
– Best Practices
– Forum
– Knowledge Base
– Getting Started Videos
– HOWTO’s
• DDS Secure Getting Started Guide
• DDS Secure User’s Guide
• Why You Should Use TPM with RTI Connext DDS Secure
• Using Connext DDS Secure 6.0 to Protect your Data
• OMG DDS Secure site: https://www.omg.org/spec/DDS-SECURITY/1.1/PDF
55. RTI Account Team – VA/WV/NC
Ken McInerney, Field Application Engineer
Phone: (410) 707-5889 | kenm@rti.com
How we help you:
• Support for Connext Product Evaluations / Proof of Concept Efforts
• Account Management – Licensing, Customer Service, Project Management
• Customer Success Meetings/Calls – Best Practices, Troubleshooting Guidance, Education on Tools and New Products, New Platform Builds and Feature Requests, Support Case Escalation
Lisa Ray, Connext Account Manager
Phone: (919) 949-6115 | lray@rti.com
John Breitenbach, FAE Manager
Phone: (919) 597-9386 | johnb@rti.com
56. Questions?
• IIC: www.iiconsortium.org
• DDS
– DDS portal: portals.omg.org/dds/
– RTI: www.rti.com
– Email: johnb@rti.com
– Examples, forum, papers:
community.rti.com