Netinfo Security ›› 2021, Vol. 21 ›› Issue (6): 19-25. doi: 10.3969/j.issn.1671-1122.2021.06.003

• Technical Research •

Design of DDS Secure Communication Middleware Based on Security Negotiation

SHEN Zhuowei1,2, GAO Peng1,2, XU Xinyu1,2

  1. School of Cyber Science and Engineering, Southeast University, Nanjing 211189, China
  2. Key Laboratory of Computer Network and Information Integration (Southeast University), Ministry of Education, Nanjing 211189, China
  • Received: 2021-02-25 Online: 2021-06-10 Published: 2021-07-01
  • Contact: SHEN Zhuowei E-mail: zwshen@seu.edu.cn
  • About the authors: SHEN Zhuowei (born 1974), male, from Jiangsu, associate professor, Ph.D.; main research interests: distributed systems and network security | GAO Peng (born 1986), male, from Gansu, master's student; main research interests: distributed systems and network security | XU Xinyu (born 1998), male, from Anhui, master's student; main research interests: distributed systems and network security
  • Funding:
    National Key Research and Development Program of China (2018YFB1800602)

Abstract:

In response to the security threats faced by distributed real-time applications based on the Data Distribution Service (DDS) in critical core domains, this paper proposes a PKI-based, plug-in DDS secure communication middleware scheme that supports identity authentication, access control, and data encryption and decryption. The scheme keeps its APIs consistent with the original DDS middleware while integrating the security negotiation process into the DDS discovery mechanism. Using a customized security QoS together with the standardized QoS negotiation mechanism, the security service level and encryption algorithm can be chosen and configured flexibly. Confidentiality and access control of data distribution are achieved by combining asymmetric encryption and symmetric encryption. Theoretical analysis and prototype system tests show that the proposed DDS secure communication middleware can address security threats such as unauthorized subscription, unauthorized publishing and insecure channel transmission in the process of data distribution, and that the delay is only slightly increased compared with the original DDS middleware. The scheme balances security and efficiency.

Key words: data distribution service, middleware, identity authentication, access control, data confidentiality
