DDS Security Interoperability Demo
3/19/2018 Copyright © 2018 OMG. All rights reserved.
DDS Security Interoperability Demo
DDS™ – The Proven Data Connectivity Standard for IIoT™
dds/2018-03-01
Reston, March 2018
DDS Security Demo — Overview
12/06/17
• 5 Vendor Products:
  • CoreDX DDS from Twin Oaks Computing
  • Connext DDS from Real Time Innovations (RTI)
  • InterComm DDS from Kongsberg
  • Vortex Cafe DDS from ADLink
  • OpenDDS from Object Computing Inc (OCI)
• Using Shapes demo software:
  • Familiar from previous interoperability demos
• Demonstrating granular configurability of DDS Security protocols
  • Each Participant has its own permissions – what exactly it can publish/subscribe
  • Each Topic has its own configuration – encrypted, signed, clear, encrypted discovery
DDS Security Demo — Topics
Square Topic
- Secure Discovery
- Encrypted Data
- Authenticated Metadata
- Protected Access: Authenticated Participants must have permissions to publish and/or subscribe
Circle Topic
- Secure Discovery
- Authenticated Data
- Authenticated Metadata
- Protected Access: Participants must have permissions to publish and/or subscribe
Triangle Topic
- Open Discovery
- Open Data
- Open Access: Any participant may publish and/or subscribe
DDS Security Configuration
[Figure labels: Governance; Identity CA; Permissions CA; Permissions, Identity and Private Key (repeated four times)]
DDS Security Demo — Publishing
Permissions - ALLOW Write Square - DENY Write Circle
Permissions - ALLOW Write Circle - DENY Write Triangle
Permissions - ALLOW Write Triangle - DENY Write Square
Permissions - ALLOW Write Triangle - DENY Write Circle
DDS Security Demo — Subscribing
[Figure labels: Permissions (repeated four times)]
Demo
• The demo consists of the following scenarios:
  • Interoperability Without Security Enabled (SC#0)
  • Controlled Access to Domain (SC#1)
  • Enabling Open Access to Selected Topics (SC#2)
  • Data Integrity versus Encryption (SC#3)
  • Metadata protection (SC#4)
  • Secure Discovery (SC#5)
  • Topic Level Access Control (SC#6)
12/06/17 Copyright © 2017 OMG. All rights reserved.
SC#0: Interoperability Without Security
• Objective: DDS Security is an extension of DDS — still possible to run applications without any protection.
• Governance File: Specifies domain 0 as an “open domain”. Governance_SC0_SecurityDisabled.xml
• Permission Files: None are needed for this scenario. Permissions_JoinDomain_<VENDOR>.xml
• Applications: Regular and Secured and Shapes Demo

Publishing
• RTI SecureShapes: BLUE Square
• TwinOaks SecureShapes: GREEN Square
• Kongsberg SecureShapes: MAGENTA Square
• ADLink RegularShapes: RED Square
• OCI RegularShapes: ORANGE Square
[Figure labels: OFF (repeated five times)]

| Subscribing to “Square” | Expected Result |
|---|---|
| All (Secure) RTI, TwinOaks, Kongsberg | Receives All: Square: BLUE, GREEN, MAGENTA, RED, ORANGE |
| All (Not Secure) RTI, TwinOaks, Kongsberg | Receives All: Square: BLUE, GREEN, MAGENTA, RED, ORANGE |
SC#1: Controlled Access to Domain
• Objective: DDS Security can be used to protect access to a DDS Domain. Only applications that can authenticate and have the proper permissions can join the Domain.
• Governance File: Specifies domain 0 as a "protected domain." Governance_SC1_ProtectedDomain1.xml
• Permission Files: Each vendor has its own permissions file. Permissions_JoinDomain_<VENDOR>.xml.
• Applications: Regular and Secured and Shapes Demo

Publishing
• RTI: BLUE Square
• TwinOaks: GREEN Square
• Kongsberg: MAGENTA Square
• ADLink: RED Square
• OCI: ORANGE Square

| Subscribing to “Square” | Expected Result |
|---|---|
| All (Secure) RTI, TwinOaks, Kongsberg, ADLink | Receives only from Secure: Square: BLUE, GREEN, MAGENTA, RED |
| All (Not Secure) RTI, TwinOaks, Kongsberg, OCI, ADLink | Receives only from Non-Secure: Square: ORANGE |
SC#2: Open Access to Selected Topics
• Objective: Illustrates it is possible to allow access to certain Topics by unsecured applications (e.g., for legacy applications not running DDS Security).
• Governance File: Governance_SC2_ProtectedDomain2.xml
  • Allows unauthenticated participants to join domain 0
  • Square and Circle:
    • Protected for read/write access
    • Encrypt/sign metadata
    • Use secure discovery
  • Triangle
    • Unprotected for read/write access (open to all)
    • No encrypt/sign
    • Use regular (unsecured) discovery
• Permission Files: Each vendor has its own permissions file. Permissions_TopicLevel_<VENDOR>.xml.
• Applications: Regular and Secure and Shapes Demo

Publishing
• RTI (Write Perm: Squares): BLUE Square, BLUE Circle, BLUE Triangle
• TwinOaks (Write Perm: Circle): GREEN Square, GREEN Circle, GREEN Triangle
• Kongsberg (Write Perm: Square): MAGENTA Square, MAGENTA Circle, MAGENTA Triangle
• ADLink (Write Perm: Circle): RED Square, RED Circle, RED Triangle
• OCI: ORANGE Square, ORANGE Circle, ORANGE Triangle

| Subscribing “Square”, “Circle”, “Triangle” | Expected Result Receives: |
|---|---|
| RTI (Secure) Read Perm: Circle + Triangle | Square: none; Circle: GREEN, RED; Triangle: BLUE, GREEN, MAGENTA, RED, ORANGE |
| Twin Oaks (Secure) Read Perm: Square + Triangle | Square: BLUE, MAGENTA; Circle: none; Triangle: BLUE, GREEN, MAGENTA, RED, ORANGE |
| Kongsberg (Secure) Read Perm: Square + Circle | Square: BLUE, MAGENTA; Circle: GREEN, RED; Triangle: BLUE, GREEN, MAGENTA, RED, ORANGE |
| ADLink (Secure) Read Perm: Square + Circle | Square: BLUE, MAGENTA; Circle: GREEN, RED; Triangle: BLUE, GREEN, MAGENTA, RED, ORANGE |
| OCI (Not Secure) | Square: ORANGE; Circle: ORANGE; Triangle: BLUE, GREEN, MAGENTA, RED, ORANGE |
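
The SC#2 expected results follow from three inputs: which topics the governance file protects, which participants run DDS Security, and each participant's read/write permissions. The Python model below is an added example, not part of the original slides or any vendor's code; it models only the matching outcome the slide lists (it is not an implementation of DDS Security), and the names `PROTECTED`, `PARTICIPANTS`, `matches` and `received` are hypothetical.

```python
# Model of the SC#2 delivery outcome (added example, not DDS vendor code).
# Topic protection is taken from the SC#2 governance bullets on the slide.
PROTECTED = {"Square": True, "Circle": True, "Triangle": False}
TOPICS = list(PROTECTED)

# name: (colour, runs DDS Security?, write permissions, read permissions)
# OCI runs without DDS Security, so it has no permissions document at all.
PARTICIPANTS = {
    "RTI":       ("BLUE",    True,  {"Square"}, {"Circle", "Triangle"}),
    "TwinOaks":  ("GREEN",   True,  {"Circle"}, {"Square", "Triangle"}),
    "Kongsberg": ("MAGENTA", True,  {"Square"}, {"Square", "Circle"}),
    "ADLink":    ("RED",     True,  {"Circle"}, {"Square", "Circle"}),
    "OCI":       ("ORANGE",  False, set(),      set()),
}


def matches(writer, reader, topic):
    """True if samples from writer reach reader on topic under this model."""
    _, w_secure, w_perm, _ = PARTICIPANTS[writer]
    _, r_secure, _, r_perm = PARTICIPANTS[reader]
    if not PROTECTED[topic]:
        return True   # open topic: any participant may publish and/or subscribe
    if w_secure != r_secure:
        return False  # on a protected topic, secure and unsecured endpoints never pair
    if not w_secure:
        return True   # two unsecured endpoints still see each other
    # Both secure: writer needs write permission, reader needs read permission.
    return topic in w_perm and topic in r_perm


def received(reader):
    """Colours delivered to reader per topic; every participant publishes all three."""
    return {
        topic: [PARTICIPANTS[w][0] for w in PARTICIPANTS if matches(w, reader, topic)]
        for topic in TOPICS
    }


if __name__ == "__main__":
    for name in PARTICIPANTS:
        print(name, received(name))
```

The output reproduces the SC#2 expected-result rows, including the unsecured OCI participant seeing only its own ORANGE samples on the protected Square and Circle topics.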
SC#3: Data Integrity versus Encryption
• Objective: Illustrate different kinds of data protection.
  • Encrypted (EN+SG) — (Encrypt and Sign) protected
  • Signed data (SG) — vulnerable to snooping but not tampering
  • Open data (OD) — vulnerable to tampering
• Governance File: Specifies domain 0 as a "protected domain" Governance_SC3_ProtectedDomain3.xml
  • Squares shall be encrypted
  • Circles shall be signed
  • Triangles are unprotected
• Permission Files: Each vendor has its own permissions file. Permissions_JoinDomain_<VENDOR>.xml.
• Applications: Secured Shapes Demo + Wireshark

Publishing
• RTI: BLUE Square (EN + SG) ‘#’, BLUE Circle (SG) ‘$’, BLUE Triangle (OD) ‘%’
• TwinOaks: GREEN Square (EN + SG) ‘#’, GREEN Circle (SG) ‘$’, GREEN Triangle (OD) ‘%’
• Kongsberg: MAGENTA Square (EN + SG) ‘#’, MAGENTA Circle (SG) ‘$’, MAGENTA Triangle (OD) ‘%’
• ADLink: GREEN Square (EN + SG) ‘#’, GREEN Circle (SG) ‘$’, RED Triangle (OD) ‘%’
• OCI (not secure): ORANGE Triangle ‘%’
ShapeSizes: Square -> 35 ‘#’, Circle -> 36 ‘$’, Triangle -> 37 ‘%’

| Subscribing: Square + Circle + Triangle | Expected Result |
|---|---|
| All (Secure) RTI, TwinOaks, Kongsberg, ADLink | Square: BLUE, GREEN, MAGENTA, RED; Circle: BLUE, GREEN, MAGENTA, RED; Triangle: BLUE, GREEN, MAGENTA, RED, ORANGE |
| All (Not Secure) RTI, TwinOaks, Kongsberg, OCI, ADLink | Square: (blank); Circle: (blank); Triangle: BLUE, GREEN, MAGENTA, RED, ORANGE |
| Wireshark | Can see Triangle data in the clear; Can see Circle data, but it is signed (or OD from OCI); Cannot see Square data—it is encrypted |
SC#4: Metadata Protection
• Objective: Illustrate concept of protecting metadata.
  • Encrypted (EN+SG) — Encrypt and Signed metadata protected
  • Signed metadata (SG) — vulnerable to snooping but not tampering
  • Open metadata (OD) — vulnerable to tampering
• Governance File: Specifies domain 0 as a "protected domain" Governance_SC4_ProtectedDomain4.xml
  • Square metadata shall be encrypted
  • Circle metadata shall be signed
  • Triangle metadata is unprotected
  • Payload is left open for all topics for illustration
• Permission Files: Each vendor has its own permissions file. Permissions_JoinDomain_<VENDOR>.xml.

Publishing
• RTI: BLUE Square (EN + SG) ‘#’, BLUE Circle (SG) ‘$’, BLUE Triangle (OD) ‘%’
• TwinOaks: GREEN Square (EN + SG) ‘#’, GREEN Circle (SG) ‘$’, GREEN Triangle (OD) ‘%’
• Kongsberg: MAGENTA Square (EN + SG) ‘#’, MAGENTA Circle (SG) ‘$’, MAGENTA Triangle (OD) ‘%’
• ADLink: RED Square (EN + SG) ‘#’, RED Circle (SG) ‘$’, RED Triangle (OD) ‘%’
• OCI (not secure): ORANGE Triangle ‘%’
ShapeSizes: Square -> 35 ‘#’, Circle -> 36 ‘$’, Triangle -> 37 ‘%’

| Subscribing | Expected Result |
|---|---|
| All (Secure) RTI, TwinOaks, Kongsberg, ADLink | Square: BLUE, GREEN, MAGENTA, RED; Circle: BLUE, GREEN, MAGENTA, RED; Triangle: BLUE, GREEN, MAGENTA, RED, ORANGE |
| All (Not Secure) RTI, TwinOaks, Kongsberg, ADLink, OCI | Square: (blank); Circle: (blank); Triangle: BLUE, GREEN, MAGENTA, RED, ORANGE |
| Wireshark | Can see Triangle metadata & data; Can see Circle metadata, but it is signed; Cannot see Square metadata—it is encrypted; Also peek at Discovery – It is all clear |
SC#5: Secure Discovery
• Objective: Illustrates that discovery information can also be protected.
• Governance File: Specifies domain 0 as a "protected domain." Governance_SC5_ProtectedDomain5.xml
  • Topic Triangle data and metadata are neither encrypted nor signed — sent over regular discovery
  • Topic Circle data and metadata are signed, but not encrypted — sent over secure discovery
  • Topic Square data and metadata are encrypted and signed — sent over secure discovery
• Permission Files: Each vendor has its own permissions file. Permissions_JoinDomain_<VENDOR>.xml.
• Applications: Secure Shapes Demo

Publishing
• RTI: BLUE Square (EN + SG), BLUE Circle (SG), BLUE Triangle (OD)
• TwinOaks: GREEN Square (EN + SG), GREEN Circle (SG), GREEN Triangle (OD)
• Kongsberg: MAGENTA Square (EN + SG), MAGENTA Circle (SG), MAGENTA Triangle (OD)
• ADLink: RED Square (EN + SG), RED Circle (SG), RED Triangle (OD)
• OCI: ORANGE Triangle (OD)

| Subscribing: Square + Circle + Triangle | Expected Result |
|---|---|
| All (Secure) RTI, TwinOaks, Kongsberg | Square: BLUE, GREEN, MAGENTA, RED; Circle: BLUE, GREEN, MAGENTA, RED; Triangle: BLUE, GREEN, MAGENTA, RED, ORANGE |
| All (Not Secure) RTI, TwinOaks, Kongsberg, OCI, ADLink | Square: (blank); Circle: (blank); Triangle: BLUE, GREEN, MAGENTA, RED, ORANGE |
| Wireshark | Can see Triangle discovery in the clear; Cannot see Circle discovery; Cannot see Square discovery |
SC#6: Topic-Level Access Control
• Objective: Illustrates fine-grain access control at the Topic level.
• Governance File: Specifies domain 0 as a "protected domain." Indicates that Square
  • All topics are protected for read/write access.
  • All topics are sent over secure discovery
  • All topics encrypt and sign metadata
  • Governance_SC6_ProtectedDomain6.xml
• Permission Files: Each vendor has its own permissions file. Permissions_TopicLevel_<VENDOR>.xml.
• Applications: Secure Shapes Demo

Publishing
• RTI (Write Perm: Squares): BLUE Square, BLUE Circle, BLUE Triangle
• TwinOaks (Write Perm: Circle): GREEN Square, GREEN Circle, GREEN Triangle
• Kongsberg (Write Perm: Square): MAGENTA Square, MAGENTA Circle, MAGENTA Triangle
• ADLink (Write Perm: Circle): RED Square, RED Circle, RED Triangle
• OCI (Not Secure): ORANGE Triangle

| Subscribing | Expected Result |
|---|---|
| RTI; Read Perm: Circle + Triangle; Subscribes: Square, Circle, Triangle | Receives: Square: none; Circle: GREEN, RED; Triangle: none |
| Twin Oaks; Read Perm: Square + Triangle; Subscribes: Square, Circle, Triangle | Receives: Square: BLUE, MAGENTA; Circle: none; Triangle: none |
| Kongsberg; Read Perm: Square + Circle; Subscribes: Square, Circle, Triangle | Receives: Square: BLUE; Circle: GREEN, RED; Triangle: none |
| ADLink; Read Perm: Square + Circle; Subscribes: Square, Circle, Triangle | Receives: Square: BLUE, MAGENTA; Circle: GREEN, RED; Triangle: none |
| OCI (Not Secure) | Triangle: ORANGE |
More powerful than other secure middleware technologies
● Standard & Interoperable
● Scalable: Supports multicast
● Fine-grain: Control at the Topic-level
● Flexible: Build your own plugins
● Generic: Works over any Transport
● Transparent: No changes to Application Code!
Questions?