Design of DDS Secure Communication Middleware Based on Security Negotiation

doi:10.3969/j.issn.1671-1122.2021.06.003

Abstract

Abstract:

In response to the security threats faced by distributed real-time applications based on DDS in critical areas, a PKI based DDS secure communication middleware scheme is proposed, which adopts plug-in design and supports the functions of identity authentication, access control and data encryption and decryption. The scheme not only keeps the APIs consistent with the original DDS middleware, but also integrates the security negotiation process with the discovery mechanism of DDS. By using the customized security QoS and standardized QoS negotiation mechanism, the security service level and encryption algorithm can be chosen and configured flexibly. The confidentiality of data distribution is achieved by combing asymmetric encryption and symmetric encryption. Theoretical analysis and prototype system test show that the proposed DDS middleware can solve the security threats such as unauthorized subscription, unauthorized publishing and insecure channel transmission in the process of data distribution, and the delay is only slightly increased compared with the original DDS middleware. This scheme gives consideration to both security and efficiency.

Key words: data distribution service, middleware, identity authentication, access control, data confidentiality

CLC Number:

TP309

SHEN Zhuowei, GAO Peng, XU Xinyu. Design of DDS Secure Communication Middleware Based on Security Negotiation[J]. Netinfo Security, 2021, 21(6): 19-25.

Figures/Tables 9

References 12

[1]	Object Management Group. Data Distribution Service(DDS) [EB/OL]. , 2021 -01-10.
[2]	REN Haoli. Data Distribution Service: Data Centric Publish/Subscribe Communication[M]. Beijing: Tsinghua University Press, 2014.
	任昊利. 数据分发服务:以数据为中心的发布/订阅式通信[M]. 北京: 清华大学出版社, 2014.
[3]	Object Management Group. Who’s Using DDS[EB/OL]. , 2021-01-10.
[4]	MICHAUD M J, DEAN T, LEBLANC S P. Attacking OMG Data Distribution Service(DDS) Based Real-time Mission Critical Distributed Systems[C]// IEEE. 13th International Conference on Malicious and Unwanted Software(MALWARE), October 22-24, 2018, Nantucket, MA, USA. New Jersey: IEEE, 2018: 68-77.
[5]	Object Management Group. DDS Security[EB/OL]. https://www.omg.org/spec/DDS-SECURITY/1.0, 2021 -01-12.
[6]	ZHEN Chao, DI Haitao, GUO Qiuli. Research on Identity Authentication Method for Data Distribution Service[J]. Electronic Technology, 2015,44(6):44-48.
	甄超, 邸海涛, 郭秋丽. 数据分发服务身份认证方法研究[J]. 电子技术, 2015,44(6):44-48.
[7]	LI Mingjuan, YE Hong, WANG Le, et al. Design of Authentication Protocol for High-security Data Distribution Service[J]. Aeronautical Computing Technique, 2015,45(1):103-107.
	李明娟, 叶宏, 王乐, 等. 面向高安全数据分发服务的身份认证协议设计[J]. 航空计算技术, 2015,45(1):103-107.
[8]	CHEN Kaifang, LI Huiyun, LIU Song, et al. Research on Information Security for Shipboard System Based on DDS[J]. Netinfo Security, 2016,16(3):47-52.
	陈开放, 李汇云, 刘松, 等. 基于DDS舰载通信系统的信息安全分析研究[J]. 信息网络安全, 2016,16(3):47-52.
[9]	ZHANG Qingliang, QIN Yuanqing. Research on Security Assessment Index and Its Application for Shipboard Network Based on DDS[J]. Netinfo Security, 2017,17(2):73-78.
	章清亮, 秦元庆. 基于DDS通信的舰载网络安全评估指标及应用研究[J]. 信息网络安全, 2017,17(2):73-78.
[10]	ZHEN Chao, DI Haitao, GUO Qiuli, et al. Research on Access Control Method of Data Distribution Service[J]. Information & Communications, 2019(5):96-98.
	甄超, 邸海涛, 郭秋丽, 等. 数据分发服务访问控制方法研究[J].信息通信, 2019(5):96-98.
[11]	Object Management Group. The Real-time Publish-subscribe Protocol DDS Interoperability Wire Protocol[EB/OL]. , 2021-01-14.
[12]	OH S, KIM J, FOX G. Real-time Performance Analysis for Publish/Subscribe Systems[J]. Future Generation Computer Systems, 2010,26(3):318-323. doi: 10.1016/j.future.2009.09.001 URL

QoS策略	字段	语义
Security_QoS	Security_level	参与者安全防护等级
	Crypto_kind	数据加解密算法标识
	Public_ parameters	加解密算法公开参数
	Session_key	发布密钥（自动生成的对称加密密钥）

方案	文献[5]方案	文献[6]方案	本文方案
协议轮数	3	4	2
签名次数	2	2	2
签名验证次数	2	2	2
非对称加密次数	1	0	1
对称加密次数	0	1	0

[1]	WANG Jian, ZHAO Manli, CHEN Zhihao, SHI Bo. An Authentication Scheme for Conditional Privacy Preserving Based on Pseudonym in Intelligent Transportation [J]. Netinfo Security, 2021, 21(4): 49-61.
[2]	LU Xiaofeng, FU Songbing. A Trusted Data Access Control Scheme Combining Attribute-based Encryption and Blockchain [J]. Netinfo Security, 2021, 21(3): 7-8.
[3]	WANG Jinmiao, XIE Yongheng, WANG Guowei, LI Yiting. A Method of Privacy Preserving and Access Control in Blockchain Based on Attribute-based Encryption [J]. Netinfo Security, 2020, 20(9): 47-51.
[4]	WU Yunkun, JIANG Bo, PAN Ruixuan, LIU Yuling. A SDN Access Control Mechanism Based on Zero Trust [J]. Netinfo Security, 2020, 20(8): 37-46.
[5]	DU Yifeng, GUO Yuanbo. A Dynamic Access Control Method for Fog Computing Based on Trust Value [J]. Netinfo Security, 2020, 20(4): 65-72.
[6]	LIU Xiaofen, CHEN Xiaofeng, LIAN Guiren, LIN Song. Authenticated Multiparty Quantum Secret Sharing Protocol with d-level Single Particle [J]. Netinfo Security, 2020, 20(3): 51-55.
[7]	LIU Peng, HE Qian, LIU Wangyang, CHENG Xu. CP-ABE Scheme Supporting Attribute Revocation and Outsourcing Decryption [J]. Netinfo Security, 2020, 20(3): 90-97.
[8]	YU Lu, LUO Senlin. A Method of Internal Intrusion Detection of Database in RBAC Mode [J]. Netinfo Security, 2020, 20(2): 83-90.
[9]	LIU Lijuan, LI Zhihui, ZHI Danli. A Multi-party Quantum Key Distribution Protocol with Quantum Identity Authentication [J]. Netinfo Security, 2020, 20(11): 59-66.
[10]	XU Shengwei, WANG Feijie. Attribute-based Encryption Scheme Traced Under Multi-authority [J]. Netinfo Security, 2020, 20(1): 33-39.
[11]	Jinmiao WANG, Guowei WANG, Mei WANG, Ruijin ZHU. Achieving Privacy Preserving and Flexible Access Control in Fog Computing [J]. Netinfo Security, 2019, 19(9): 41-45.
[12]	Juru HAN, Zhi YANG, Zhaoxuan JI, Cunqing MA. Design and Implementation of File Encryption System Based on Wechat Mini Program [J]. Netinfo Security, 2019, 19(9): 81-85.
[13]	Fuyou ZHANG, Qiongxiao WANG, Li SONG. Research on Unified Identity Authentication System Based on Biometrics [J]. Netinfo Security, 2019, 19(9): 86-90.
[14]	A-yong YE, Junlin JIN, Lingyu MENG, Ziwen ZHAO. Research on Access Control for Privacy Protection of Mobile Terminals [J]. Netinfo Security, 2019, 19(8): 51-60.
[15]	Zhongyuan QIN, Yin HAN, Qunfang ZHANG, Xuejin ZHU. An Improved Scheme of Multi-PKG Cloud Storage Access Control [J]. Netinfo Security, 2019, 19(6): 11-18.