Connext DDS Secure

Secure Messaging for Intelligent Machines

Connext DDS Secure provides the world's first standards-compliant, off-the-shelf messaging platform that delivers the security, performance and safety required for deployment of the Industrial Internet of Things. It complies with the new Data Distribution Service (DDS) Security specification from the Object Management Group (OMG).

Features and Benefits:

  • Provides authentication, authorization, non-repudiation, confidentiality and integrity
  • Protects discovery information, metadata and data
  • Defends against unauthorized access, tampering and replay
  • Operates without centralized servers for high performance, scalability and availability
  • Runs over any transport including TCP, UDP, multicast and shared memory
  • Integrates with existing security infrastructures and hardware acceleration
  • Secures unmodified existing DDS applications

Securing critical infrastructure is essential for safety and economic reasons. And it must be pursued without sacrificing performance or reliability. The machines that make up medical, energy, manufacturing, transportation and defense systems must perform at the speed of the physical-world processes they manage. Even brief unplanned outages can be disastrous.

Connext DDS Secure introduces a robust set of security capabilities to the Connext DDS Professional package. These include authentication, encryption, access control and logging. Secure multicast support enables efficient and scalable distribution of data to many subscribers. Performance is also optimized by fine-grain control over the level of security applied to each data flow, such as whether encryption or just message authentication is required.

Standard Capabilities

Authentication
  • X.509 Public Key Infrastructure (PKI) with a pre-configured shared Certificate Authority (CA)
  • Digital Signature Algorithm (DSA) with Diffie-Hellman and RSA for authentication and key exchange
Access Control
  • Specifications via permissions file signed by shared CA
  • Control over ability to join DDS Domains and Partitions, read or write Topics
  • Control on individual objects and Quality of Service (QoS) via plugins
Cryptography
  • Protected key distribution
  • AES128 and AES256 for encryption
  • HMAC-SHA1 and HMAC-SHA256 for message authentication and integrity
Data Tagging
  • Used to specify security metadata, such as classification level
  • Sent during endpoint discovery
  • Can be used to determine access privileges (via plugin)
Logging
  • Log security events to a local file or distribute securely over Connext DDS

Customizable

An optional SDK allows implementation of custom security plugins. These can be used to integrate with existing authentication infrastructures, support additional encryption algorithms or leverage hardware acceleration. The Plugin SDK includes source code to the standard RTI plugins as an example.

Transport Flexibility

Security is implemented above the transport layer and does not require a secure transport protocol such as TLS/SSL or DTLS. Any Connext DDS transport can be used securely, including UDP, TCP and shared memory. Support for UDP multicast (both reliable and best effort) enables very efficient data distribution when there are many subscribers to the same data.

Security in the middleware layer
Security is implemented at the middleware layer, between the application and underlying transport protocol.

Optimized Performance

Only data that must be private has to incur the overhead of encryption and decryption. This is much more efficient than TLS and other transport-layer security approaches that encrypt all data. For example, it is not necessary to encrypt the observable data reported by a weather station used to forecast power demand; the data only has to be signed with a Message Authentication Code (MAC) to prevent malicious manipulation.
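The weather-station case above, sketched as an added example (not RTI code and not the DDS Security wire format): the reading travels in the clear with an HMAC-SHA256 tag, and the receiver rejects tampered or replayed messages. The key, message layout, station name and the sequence-number replay check are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import struct

KEY = b"constructed-demo-key"  # constructed sample key; real keys come from protected key distribution
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

def protect(key, seq, reading):
    """Sender: payload stays readable; a MAC over (sequence number + payload) is appended."""
    header = struct.pack(">Q", seq)  # hypothetical 8-byte sequence number
    payload = json.dumps(reading, sort_keys=True).encode()
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class Receiver:
    def __init__(self, key):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, message):
        """Return the reading, or raise ValueError on truncation, tampering or replay."""
        if len(message) < 8 + TAG_LEN:
            raise ValueError("truncated")
        header, payload, tag = message[:8], message[8:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise ValueError("bad MAC")
        (seq,) = struct.unpack(">Q", header)
        if seq <= self.last_seq:  # authentic but already seen
            raise ValueError("replay")
        self.last_seq = seq
        return json.loads(payload)

def demo():
    rx = Receiver(KEY)
    msg = protect(KEY, 1, {"station": "WX-7", "temp_c": 21.5})  # constructed reading
    results = [rx.accept(msg)["temp_c"]]
    tampered = msg.replace(b"21.5", b"41.5")  # on-path modification of the clear payload
    for bad in (tampered, msg):  # second item is a verbatim replay
        try:
            rx.accept(bad)
        except ValueError as exc:
            results.append(str(exc))
    return results

if __name__ == "__main__":
    print(demo())
```

The MAC is checked before the sequence number is read, so a forged message can never advance the replay window.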

Standards Compliance

Connext DDS Secure complies with the Data Distribution Service (DDS) Security specification from the Object Management Group (OMG). This provides interoperability with other compliant DDS implementations, as well as portability of custom plugins.

Evaluation Version

To request an evaluation version of Connext DDS Secure, please register for Connext DDS Professional. A sales representative will contact you.