DDS security

Cyclone DDS is compliant with the Object Management Group (OMG) DDS Security specification, which defines the Security Model and the Service Plugin Interface (SPI) architecture for compliant DDS implementations. The DDS implementation enforces the Security Model by invoking these SPIs.

[Figure: DDS security overview]

Cyclone DDS implements the DDS Security Model with the following three plugins:

  • Authentication service plugin

    Verifies the identity of the application and/or user that invokes operations on DDS. Includes facilities for mutual authentication between participants and for establishing a shared secret.

  • AccessControl service plugin

    Enforces policy decisions that determine what DDS-related operations an authenticated user is permitted to do. For example, which domains it can join, which topics it can publish or subscribe to, and so on.

  • Cryptographic service plugin

    Implements (or interfaces with libraries that implement) all cryptographic operations, including encryption, decryption, hashing, digital signatures, and the means to derive keys from a shared secret.

Cyclone DDS provides built-in implementations of these plugins. Authentication uses PKI with a pre-configured shared Certificate Authority: RSA is used for authentication and Diffie-Hellman for key exchange. The AccessControl service plugin uses a Permissions document that is signed by a shared Certificate Authority. Cryptography uses AES-GCM for encryption and AES-GMAC for message authentication.

Security plugins are dynamically loaded. The locations are defined in Cyclone DDS configuration or participant QoS settings:
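A configuration fragment that loads the three built-in plugins and supplies the credentials each one needs, given here as an added example rather than text from the Cyclone DDS documentation. The element, attribute and library names are assumptions to check against the configuration reference of the release in use (some releases name the outer element `DDSSecurity`), and every `/path/to/...` value is a placeholder.

```xml
<!-- Added example: all file paths are placeholders, not real locations. -->
<CycloneDDS>
  <Domain id="any">
    <Security>
      <!-- Authentication plugin: the participant's identity certificate and
           private key, plus the shared identity CA that peers are checked against. -->
      <Authentication>
        <Library path="dds_security_auth"
                 initFunction="init_authentication"
                 finalizeFunction="finalize_authentication"/>
        <IdentityCA>file:/path/to/identity_ca_cert.pem</IdentityCA>
        <IdentityCertificate>file:/path/to/participant_cert.pem</IdentityCertificate>
        <PrivateKey>file:/path/to/participant_key.pem</PrivateKey>
      </Authentication>

      <!-- AccessControl plugin: Governance and Permissions documents are
           signed files, verified against the permissions CA certificate. -->
      <AccessControl>
        <Library path="dds_security_ac"
                 initFunction="init_access_control"
                 finalizeFunction="finalize_access_control"/>
        <PermissionsCA>file:/path/to/permissions_ca_cert.pem</PermissionsCA>
        <Governance>file:/path/to/governance.p7s</Governance>
        <Permissions>file:/path/to/permissions.p7s</Permissions>
      </AccessControl>

      <!-- Cryptographic plugin: takes no credentials of its own; its keys
           are derived from the shared secret set up during authentication. -->
      <Cryptographic>
        <Library path="dds_security_crypto"
                 initFunction="init_crypto"
                 finalizeFunction="finalize_crypto"/>
      </Cryptographic>
    </Security>
  </Domain>
</CycloneDDS>
```

Keep the private key file readable only by the account that runs the participant, and distribute only the CA certificates, never the CA private keys, to the hosts that run participants.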

The security plugins can also be found in: