Introducing a Free and Open Source Next-Generation Crypto Engine for DDS Security on Windows
Written by Reinier Torenbeek
June 23, 2021
RTI releases OpenSSL CNG Engine
RTI Connext® is considered by many to be the proven and preferred connectivity framework for securely distributing and managing real-time data in the world's most demanding systems. Beyond its data-centric model, a key advantage of Connext is that it is supported on many different operating systems, and on all of them it relies by default on OpenSSL's libcrypto for protecting sensitive information. So when system security is top of mind, Connext can open the door to important new capabilities for data protection.
Because RTI is committed to offering viable security solutions that cover the entire ecosystem, we recently took our focus on security a step further by developing and releasing an OpenSSL Engine for the Windows Cryptography API: Next Generation (CNG). We're now pleased to share that the RTI OpenSSL CNG Engine is here, with one overarching goal: to let OpenSSL-based applications use the Windows-native cryptographic providers and certificate stores rather than OpenSSL's own implementations and key files, giving a stronger security posture than standard OpenSSL mechanisms alone can offer. RTI customers will be pleased to hear that it is compatible with the latest release, Connext® DDS Professional 6.1.
To encourage its adoption by all Connext Secure® DDS users on Windows, as well as the larger OpenSSL community, RTI decided to publish this new release under the Apache License 2.0. This means that our new OpenSSL CNG Engine is a free and open source solution that you can download and try out separately today, independently of Connext.
Using EVP and STORE Engines as the Foundation for DDS Security
The diagram below visualizes the role of the OpenSSL engine in the Connext stack. It shows the engine components we’re talking about here in the yellow blocks: EVP and STORE.
The EVP engine substitutes Microsoft's "better cryptography" algorithm implementations, exposed through the Windows BCrypt API (bcrypt.dll, not to be confused with the bcrypt password hash), for OpenSSL's default code. These implementations have been FIPS validated and are distributed with the Windows operating system. The STORE engine plugs Windows certificate and key stores into OpenSSL's OSSL_STORE framework, so users can integrate natively with the Windows PKI instead of loading certificates and private keys from regular files. Together, these two engines let the Connext Secure DDS Security plugins run on Windows-native cryptography and key management, providing the following features for real-time dataflows:
- Authentication of every DomainParticipant in the DDS Domain, via PKI (X.509 certificates)
- Fine-grained access control of dataflows, enforcing the principle of least privilege
- Protection of the integrity and confidentiality of dataflows, as well as authentication of the data source
These mechanisms can be applied without changing or rebuilding any application code, provided the security plugins and the OpenSSL engines are configured to be loaded dynamically (for example through the OpenSSL configuration file). Statically linked configurations are possible as well, with minor code changes and a rebuild.
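To make the dynamic-loading path concrete, here is an OpenSSL configuration file that loads an engine at process start and makes it the default implementation for every algorithm it provides. This is an added example, not RTI's own configuration or code: the engine id `cng` and the DLL path are placeholders, and the values to use with the RTI engine are the ones its landing page documents. The section keys (`engine_id`, `dynamic_path`, `init`, `default_algorithms`) are the standard ones of OpenSSL's engine configuration module, so the file applies to any dynamically loadable engine.

```ini
# Added example, not RTI's own configuration.
# ASSUMPTIONS: the engine id "cng" and the DLL path are placeholders; replace
# them with the id and install path documented for the engine you use.

# The top-level (default) section must point libcrypto at the init section.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
# One entry per engine to load; the key is a local label, the value a section.
cng = cng_engine

[cng_engine]
# Id the engine registers under (placeholder).
engine_id = cng
# Shared library to load via OpenSSL's built-in "dynamic" engine.
# Forward slashes avoid the config parser's backslash escaping (placeholder path).
dynamic_path = C:/openssl-engines/cng_engine.dll
# Initialise the engine immediately after loading instead of on first use.
init = 1
# Register every algorithm the engine implements as the process-wide default,
# so EVP calls fall through to the engine instead of OpenSSL's own code.
default_algorithms = ALL
```

With `OPENSSL_CONF` pointing at this file, `openssl engine -t -c` lists the engine, whether it is available, and the algorithms it registered; if it is missing from that output, the usual causes are a wrong `dynamic_path` or a mismatch between `engine_id` and the id the library actually reports. Any application that links libcrypto and calls OpenSSL's default config loading picks up the same file, which is what allows the substitution without a rebuild.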
All cryptographic algorithms specified in the DDS-SECURITY™ built-in plugins specification are supported by the CNG engine. This means that CNG-based Windows nodes remain interoperable with nodes running on other platforms, as long as all of them are consistently configured to use DDS Security.
If you are interested in further details about using our new OpenSSL CNG Engine in your project, or learning about Connext Secure and DDS Security in general, the RTI Professional Services team is here to help.
But of course, you are also welcome to get your hands dirty right away. The CNG engine is one of our RTI Labs projects. You can find the landing page with all the instructions to get started here.
Happy Coding! We are looking forward to hearing feedback from you, which you can share with us at firstname.lastname@example.org.
About the author
Reinier Torenbeek is a long time DDS-enthusiast. He is a member of RTI's Professional Services team, specializing in DDS Security.