# DDS Security
HDDS implements the OMG DDS Security v1.1 specification for secure publish-subscribe communication.
## Security Features
| Feature | Description | Status |
|---|---|---|
| Authentication | X.509 PKI with challenge-response | ✅ |
| Access Control | XML-based permissions | ✅ |
| Encryption | AES-256-GCM | ✅ |
| Key Exchange | ECDH P-256 with HKDF | ✅ |
| Audit Logging | Hash-chained event log | ✅ |
## Architecture

```text
┌─────────────────────────────────────────────────────┐
│                   DDS Application                   │
├─────────────────────────────────────────────────────┤
│  ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│  │Authentication│ │Access Control│ │ Cryptographic│ │
│  │    Plugin    │ │    Plugin    │ │    Plugin    │ │
│  └──────────────┘ └──────────────┘ └──────────────┘ │
├─────────────────────────────────────────────────────┤
│                    RTPS Protocol                    │
├─────────────────────────────────────────────────────┤
│                 Transport (UDP/TCP)                 │
└─────────────────────────────────────────────────────┘
```
## Quick Start

### 1. Generate Certificates

```bash
# Generate CA certificate
openssl req -x509 -nodes -days 365 \
    -newkey rsa:2048 \
    -keyout ca_key.pem \
    -out ca_cert.pem \
    -subj "/CN=HDDS CA"

# Generate participant certificate
openssl req -nodes -newkey rsa:2048 \
    -keyout participant_key.pem \
    -out participant_csr.pem \
    -subj "/CN=Participant1"

openssl x509 -req -days 365 \
    -in participant_csr.pem \
    -CA ca_cert.pem \
    -CAkey ca_key.pem \
    -CAcreateserial \
    -out participant_cert.pem
```
### 2. Create Permissions File

```xml
<?xml version="1.0" encoding="UTF-8"?>
<permissions>
  <grant name="Participant1">
    <subject_name>CN=Participant1</subject_name>
    <validity>
      <not_before>2024-01-01T00:00:00</not_before>
      <not_after>2025-12-31T23:59:59</not_after>
    </validity>
    <allow_rule>
      <domains><id>0</id></domains>
      <publish>
        <topics><topic>*</topic></topics>
      </publish>
      <subscribe>
        <topics><topic>*</topic></topics>
      </subscribe>
    </allow_rule>
  </grant>
</permissions>
```
### 3. Configure HDDS

```rust
use hdds::prelude::*;
use hdds::security::SecurityConfig;

let security = SecurityConfig::builder()
    .identity_certificate("participant_cert.pem")
    .private_key("participant_key.pem")
    .ca_certificates("ca_cert.pem")
    .permissions_xml("permissions.xml")
    .enable_encryption(true)
    .build()?;

let participant = DomainParticipant::builder()
    .domain_id(0)
    .security(security)
    .build()?;
```
## Security Plugins

### Authentication Plugin

PKI-DH authentication using X.509 certificates:
- Certificate validation: Chain verification to CA
- Challenge-response: 4-step handshake protocol
- Algorithms: RSA-2048/4096, ECDSA P-256
### Access Control Plugin

Fine-grained permissions for participants and topics:
- Governance: Domain-wide security policies
- Permissions: Per-participant access rules
- Wildcards: Glob-style topic matching
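To make the evaluation of a permissions file concrete (the Quick Start document above and the plugin behaviour just listed), here is an added, self-contained Python illustration. It is not HDDS code and does not use the `hdds` crate: the XML is a constructed sample modelled on the Quick Start file with a second, expired grant added, and the evaluator only implements the pieces named here (subject match, validity window, domain id, glob-style topic matching under `allow_rule`, default deny). Deny rules, default rules, partitions and data tags from the full specification are assumed out of scope.

```python
"""Minimal evaluator for a DDS Security permissions document (illustration only)."""
from datetime import datetime
from fnmatch import fnmatchcase
import xml.etree.ElementTree as ET

# Constructed sample: the Quick Start grant with a narrower publish pattern,
# plus an expired grant that must contribute nothing.
PERMISSIONS_XML = """<permissions>
  <grant name="Participant1">
    <subject_name>CN=Participant1</subject_name>
    <validity>
      <not_before>2024-01-01T00:00:00</not_before>
      <not_after>2025-12-31T23:59:59</not_after>
    </validity>
    <allow_rule>
      <domains><id>0</id></domains>
      <publish><topics><topic>Sensor*</topic></topics></publish>
      <subscribe><topics><topic>*</topic></topics></subscribe>
    </allow_rule>
  </grant>
  <grant name="Expired">
    <subject_name>CN=Expired</subject_name>
    <validity>
      <not_before>2020-01-01T00:00:00</not_before>
      <not_after>2020-12-31T23:59:59</not_after>
    </validity>
    <allow_rule>
      <domains><id>0</id></domains>
      <publish><topics><topic>*</topic></topics></publish>
    </allow_rule>
  </grant>
</permissions>"""


def _topic_patterns(rule, action):
    """Topic patterns listed under <publish> or <subscribe> in one allow_rule."""
    return [t.text for t in rule.findall(f"{action}/topics/topic")]


def is_allowed(xml_text, subject, domain_id, action, topic, now):
    """Return True only if a grant for `subject` is inside its validity window,
    covers `domain_id`, and lists a pattern under `action` that matches `topic`.
    Anything not explicitly allowed is denied (default deny)."""
    root = ET.fromstring(xml_text)
    for grant in root.findall("grant"):
        if grant.findtext("subject_name") != subject:
            continue
        not_before = datetime.fromisoformat(grant.findtext("validity/not_before"))
        not_after = datetime.fromisoformat(grant.findtext("validity/not_after"))
        if not (not_before <= now <= not_after):
            continue  # expired or not-yet-valid grants are ignored entirely
        for rule in grant.findall("allow_rule"):
            domains = [int(d.text) for d in rule.findall("domains/id")]
            if domain_id not in domains:
                continue
            # Glob-style matching: '*' matches any run of characters, '?' one.
            if any(fnmatchcase(topic, pat) for pat in _topic_patterns(rule, action)):
                return True
    return False
```

The `now` argument is passed in rather than read from the clock so the validity check is testable and so a deployment can decide which time source it trusts; clock skew between participants is a common reason a grant that looks valid on one host is rejected on another.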
### Cryptographic Plugin

Data protection with authenticated encryption:
- Algorithm: AES-256-GCM
- Key exchange: ECDH with HKDF-SHA256
- Nonce: Unique 96-bit per message
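The key-exchange and nonce rows above describe two pieces that are easy to get subtly wrong: deriving session keys from a shared secret with HKDF-SHA256 (RFC 5869), and guaranteeing that no 96-bit GCM nonce repeats under one key. The following is an added Python illustration using only the standard library; it is not HDDS's implementation and the label string, the 4-byte salt / 8-byte counter nonce layout and the `transcript` binding are assumptions. The ECDH step itself is not shown; `shared_secret` below is a constructed byte string standing in for its output.

```python
"""HKDF-SHA256 (RFC 5869) and a non-repeating 96-bit nonce schedule for AES-GCM."""
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 output size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """PRK = HMAC-SHA256(salt, IKM); an empty salt means HashLen zero bytes."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """OKM = T(1) || T(2) || ..., with T(i) = HMAC-SHA256(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-SHA256 can produce at most 8160 bytes")
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        okm += t
        i += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def derive_session_material(shared_secret: bytes, transcript: bytes):
    """Turn an ECDH shared secret into a 256-bit AES key and a 4-byte nonce salt.
    `transcript` (a hash of the handshake messages) is used as the HKDF salt so
    the keys are bound to this particular handshake. Label is an assumption."""
    okm = hkdf(transcript, shared_secret, b"hdds-example/session-keys", HASH_LEN + 4)
    return okm[:HASH_LEN], okm[HASH_LEN:]


class NonceSequence:
    """96-bit GCM nonces laid out as 4-byte session salt || 8-byte big-endian counter.
    The counter is never allowed to wrap: a repeated nonce under the same key
    breaks GCM's confidentiality and authenticity guarantees, so rekey instead."""

    LIMIT = 2 ** 64

    def __init__(self, salt: bytes):
        if len(salt) != 4:
            raise ValueError("salt must be exactly 4 bytes")
        self.salt = salt
        self.counter = 0

    def remaining(self) -> int:
        return self.LIMIT - self.counter

    def next(self) -> bytes:
        if self.remaining() == 0:
            raise RuntimeError("nonce space exhausted; rekey before sending more")
        nonce = self.salt + self.counter.to_bytes(8, "big")
        self.counter += 1
        return nonce
```

Because the salt comes out of HKDF alongside the key, two sessions that somehow derive the same key would still only collide on nonces if they also derived the same salt, and each direction of a session should use its own key or its own salt so that sender and receiver counters cannot overlap.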
## Security Levels

### Level 1: Authentication Only

Verify participant identity without encryption:

```rust
let security = SecurityConfig::builder()
    .identity_certificate("cert.pem")
    .private_key("key.pem")
    .ca_certificates("ca.pem")
    .enable_encryption(false) // No encryption
    .build()?;
```
### Level 2: Full Encryption

Authenticate and encrypt all traffic:

```rust
let security = SecurityConfig::builder()
    .identity_certificate("cert.pem")
    .private_key("key.pem")
    .ca_certificates("ca.pem")
    .enable_encryption(true) // Full encryption
    .enable_audit_log(true)  // Audit trail
    .build()?;
```
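The audit trail enabled above is described in the feature table as a hash-chained event log. The following added Python example shows what that property buys and what it does not: each record's digest commits to the previous record, so edits, reordering and deletions inside the log break verification, while truncation of the tail does not. This is an illustration, not HDDS's log format; the record layout, the all-zero genesis anchor and the sample events are constructed.

```python
"""Hash-chained audit log: every record commits to the hash of the one before it."""
import hashlib
import json

GENESIS = "00" * 32  # hex "previous hash" of the first record (assumed anchor)


def _canonical(seq: int, event: dict) -> bytes:
    """Deterministic encoding so a verifier hashes exactly the bytes the writer hashed."""
    return json.dumps({"seq": seq, "event": event},
                      sort_keys=True, separators=(",", ":")).encode()


def _digest(prev_hex: str, seq: int, event: dict) -> str:
    return hashlib.sha256(bytes.fromhex(prev_hex) + _canonical(seq, event)).hexdigest()


def append(chain: list, event: dict) -> dict:
    """Append one event; the new record links to the hash of the record before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    record = {"seq": seq, "event": event, "prev": prev, "hash": _digest(prev, seq, event)}
    chain.append(record)
    return record


def verify(chain: list):
    """Walk the chain from the anchor. Returns (True, None) or (False, first bad index)."""
    expected_prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != expected_prev:
            return False, i  # gap, reordering or deletion before this record
        if _digest(rec["prev"], i, rec["event"]) != rec["hash"]:
            return False, i  # record contents changed after it was written
        expected_prev = rec["hash"]
    return True, None


def build_sample_log() -> list:
    """Constructed sample events in the spirit of the three security plugins."""
    chain = []
    append(chain, {"type": "auth_handshake", "peer": "CN=Participant1", "outcome": "ok"})
    append(chain, {"type": "access_check", "peer": "CN=Participant1",
                   "action": "publish", "topic": "Command", "outcome": "denied"})
    append(chain, {"type": "key_exchange", "peer": "CN=Participant1",
                   "suite": "AES-256-GCM"})
    return chain
```

Since removing the newest records leaves a chain that still verifies, a deployment should anchor the latest hash somewhere the log writer cannot silently rewrite (a remote collector, a periodic signed checkpoint); the chain then proves integrity up to that checkpoint.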
## Performance Impact
| Feature | Overhead |
|---|---|
| Authentication handshake | 10-50 ms per participant |
| Encryption (per message) | ~200 ns |
| Latency increase | ~80% |
| CPU usage | ~5% at 50K msg/s |
## Compliance
HDDS security implementation follows:
- OMG DDS Security v1.1 (formal/18-04-01)
- RFC 5280 - X.509 Certificate Profile
- RFC 5869 - HKDF Key Derivation
- NIST SP 800-38D - GCM Specification
- NIST FIPS 186-4 - ECDSA
## Next Steps
- Authentication - Certificate-based identity
- Access Control - Permission management
- Encryption - Data protection