Secure Your IIoT System with the Cryptography Library of YOUR Choice!


By now, you might have read about the OMG DDS Security Specification which enhances the existing DDS standard with a security architecture and model. Version 1.0 of that specification is about to be finalized by the OMG. This means that a data-centric security model will now be natively integrated into the DDS standard – the only open communications standard that was designed to deliver the flexibility, reliability and speed necessary to build complex real-time applications, including many types of Industrial IoT systems.

One of the striking features introduced in the DDS Security specification is the notion of a Service Plugin Interface (SPI) architecture. SPIs allow users to customize the behavior and technologies that the DDS implementation uses for Information Assurance, without changes to the application code.

This blog post briefly explains the SPI architecture and demonstrates an easy way to leverage the RTI Connext DDS Secure built-in security plugins to have them execute selected cryptographic actions with the cryptography library of your choice.

DDS Secure Service Plugin Interfaces (SPIs)

The DDS Security Specification does not introduce any changes in the way applications interact with the DDS infrastructure. Instead, it defines five different plugin components that are leveraged by the infrastructure when needed. Each of those components provides a certain aspect of the Information Assurance functionality and has a standardized interface, as defined by the DDS Security Specification. This is what the name Service Plugin Interfaces (SPIs) refers to. The plugin architecture is illustrated in the image below.

[Image: DDS Security plugin architecture]

As you can see, there are five SPIs that collectively provide Information Assurance to DDS systems. Their names and purposes are as follows:

| SPI Name | Purpose of its types and operations |
| --- | --- |
| Authentication | Support verification of the identity of DDS DomainParticipants, including facilities to perform mutual authentication and to establish shared secrets. |
| AccessControl | Make decisions on what protected DDS-related operations an authenticated DDS DomainParticipant is allowed to perform, including joining of a DDS Domain and creating Topics, DataReaders and DataWriters. |
| Cryptography | Support cryptographic operations, including encryption and decryption, hashing, digital signatures and message authentication codes. |
| Logging | Support logging of security-related events for a DDS DomainParticipant. |
| Data Tagging | Provide the ability to add a security label or tag to data, for application-specific purposes. |

The SPI architecture gives you a lot of freedom to customize the Information Assurance aspects of your secure DDS system. All aspects listed in the table above can be modified or re-implemented by using your own implementation of the SPIs. What you cannot change is when the DDS implementation invokes the methods of the SPIs: they get invoked when necessary. This is actually a good thing because it means that the middleware continues to behave as prescribed in the specification and you do not have to worry about breaking that.

In addition to the interfaces of the SPIs, the DDS Security specification also provides a functional description of the so-called builtin plugins, described in detail in Chapter 9 of that document. Their primary intention is to provide out-of-the-box interoperability between different implementations of DDS Security. With RTI Connext Secure DDS, the builtin plugins also happen to be an excellent starting point for customization.

Customizing the RTI Connext DDS Secure builtin plugins

The builtin security plugin binaries shipped with Connext DDS Secure can be used out-of-the-box to create your DDS system that includes Information Assurance. All you need to do is properly configure the PropertyQosPolicy of your DomainParticipant as explained in the specification to point to the desired security artifacts like access control and governance configuration files as well as identity certificates, among others.

For those who wish to modify the behavior of the plugins, a set of buildable source code files is provided as well. However, for many situations, the Connext DDS Secure plugins offer a much easier option. Enter the OpenSSL EVP API…

Swapping out cryptographic algorithm implementations

The builtin Connext DDS Secure plugins source code makes use of the OpenSSL cryptographic library — not for its SSL or TLS functionality, but for its set of cryptographic function implementations and a number of helper classes used with those. If you are familiar with OpenSSL programming, you will know that it is good practice to leverage the so-called EVP interface. (In case you are wondering about it, like I did: EVP stands for EnVeloPe.) The Connext DDS Secure plugins invoke a subset of its functions, namely those related to the items in the table below:

| Functionality | Algorithms specified for builtin DDS Security plugins |
| --- | --- |
| Symmetric encryption and decryption | AES in Galois Counter Mode (GCM) for 128-bit or 256-bit key sizes |
| Signing and verifying | RSA-PSS or ECDSA signature algorithms with SHA-256 as their hash function |
| Key exchange | Diffie-Hellman using modular arithmetic (DH) or elliptic curves (ECDH), with specified parameters |
| Message authentication codes | HMAC, with SHA-256 as its hash function, and GMAC |
| Secure hash functions | SHA-256 |
| Random number generation | Any cryptographically-strong random number generator |

The plugins shipped with the product use the OpenSSL implementations of these functions, as found in the standard OpenSSL EVP engine. However, they also support inserting your own engine. Your OpenSSL engine implementation could invoke other implementations of these cryptographic functions, for example leveraging the cryptographic library of your choice, maybe because you are required to use FIPS-compliant implementations. Some libraries already support an EVP engine, in which case you only have to configure the plugins. Otherwise, you will have to write a shim layer that invokes the right functions from your library.

Modifying the builtin plugins themselves

It might happen that the algorithms and mechanisms in the builtin plugins, outlined in the previous section, do not meet the needs of your project. In that case, you will have to resort to making modifications to the code of the actual plugins, the code that invokes the EVP functions. For example, you can make small modifications like selecting different algorithms than those defined by the specification, possibly using different key sizes or algorithm parameters. As another example, you can change from dynamic to static linking if you prefer.

It is possible to go beyond minor changes and, for example, introduce an entirely different identity authentication mechanism. Going down that path becomes complicated pretty quickly and we strongly recommend contacting us to discuss your needs and plans. We are looking forward to engaging with you!

5 of the best on-demand webinars to inspire your IIoT and system designs

The Top 5 Connext DDS + IIOT Webinars!

Ever feel like your work could use an infusion of inspiration, stat? We hear you.

Consistently keeping up with all of the latest best practices, updates to standards, and new trends can be hard, but we’ve got you covered! Grab your laptop and headphones, and spend some time on YOU. Click on the links below to view our Top 5 on-demand webinars from the first half of 2016.

  1. IoT Panel Webcast – Best Practices and Avoiding Pitfalls for IoT Development
    Originally presented on March 24, 2016
    Our panel of IoT experts discuss best practices and common pitfalls that can help keep your IoT rollout on-time and within budget.
  2. Data Distribution Service Security and the Industrial Internet of Things
    Originally presented on January 13, 2016
    The webinar includes discussions about the most recent work on the security specification for the DDS standard, its rationale, and architectural design.
  3. Cyber Security for the Connected Car
    Originally presented on May 18, 2016
    Learn how isolation techniques and security measures from the embedded industry can be leveraged to protect modern vehicles from unwanted code or malicious attack.
  4. Space Rovers and Surgical Robots
    Originally presented on May 5, 2016
    Learn why Robot Operating System (ROS) 2.0 and robotic systems like NASA’s and MIRO Lab’s chose to implement a data-centric architecture using Data Distribution Service (DDS), a communication protocol standard for real-time and embedded systems.
  5. Accelerate Distributed Systems Development using Connext Tools
    Originally presented on June 22, 2016
    Our tools expert covers how you can use the tools included in RTI Connext DDS Pro to accelerate your distributed systems development.

To view our full list of on-demand videos, head on over to the archives.

Databus vs. Database: The 6 Questions Every IIoT Developer Needs to Ask


The Industrial Internet of Things (IIoT) is full of confusing terms.  That’s unavoidable; despite its reuse of familiar concepts in computing and systems, the IIoT is a fundamental change in the way things work.  Fundamental changes require fundamentally new concepts.  One of the most important is the concept of a “databus”.

The soon-to-be-released IIC reference architecture version 2 contains a new pattern called the “layered databus” pattern.  I can’t say much more now about the IIC release, but going through the documentation process has been great for driving crisp definitions.

The databus definition is:

A databus is a data-centric information-sharing technology that implements a virtual, global data space.  Software applications read and update entries in a global data space. Updates are shared between applications via a publish-subscribe communications mechanism.

Key characteristics of a databus are:

  1. the participants/applications directly interface with the data,
  2. the infrastructure understands, and can therefore selectively filter the data, and
  3. the infrastructure imposes rules and guarantees of Quality of Service (QoS) parameters such as rate, reliability, and security of data flow.

Of course,  new concepts generate questions.  Some of the best questions came from an architect from a large database company.  We usually try to explain the databus concept from the perspective of a networking or software architect.  But, data science is perhaps a better approach.  Both databases and databuses are, after all, data science concepts.

Let’s look at the 6 most common questions.

Question 1: How is a databus different from a database (of any kind)?

Short answer: A database implements data-centric storage.  It saves old information that you can later search by relating properties of the stored data.  A databus implements data-centric interaction.  It manages future information by letting you filter by properties of the incoming data.

Long answer: Data centricity can be defined by these properties:

  • The interface is the data. There are no artificial wrappers or blockers to that interface like messages, or objects, or files, or access patterns.
  • The infrastructure understands that data. This enables filtering/searching, tools, & selectivity.  It decouples applications from the data and thereby removes much of the complexity from the applications.
  • The system manages the data and imposes rules on how applications exchange data. This provides a notion of “truth”.  It enables data lifetimes, data model matching, CRUD interfaces, etc.

A relational database is a data-centric storage technology. Before databases, storage systems were files with application-defined (ad hoc) structure.  A database is also a file, but it’s a very special file.  A database knows how to interpret the data and enforces access control.  A database thus defines “truth” for the system; data in the database can’t be corrupted or lost.

By enforcing simple rules that control the data model, databases ensure consistency.  By exposing the data to search and retrieval by all users, databases greatly ease system integration.  By allowing discovery of data and schema, databases also enable generic tools for monitoring, measuring, and mining information.

Like a database, data-centric middleware (a databus) understands the content of the transmitted data.  The databus also sends messages, but it sends very special messages.  It sends only messages specifically needed to maintain state.  Clear rules govern access to the data, how data in the system changes, and when participants get updates.  Importantly, only the infrastructure sends messages.  To the applications, the system looks like a controlled global data space.  Applications interact directly with data and data “Quality of Service” (QoS) properties like age and rate.  There is no application-level awareness or concept of “message”.  Programs using a databus read and write data, they do not send and receive messages.

Database vs Databus

A database replaces files with data-centric storage that finds the right old data through search. A databus replaces messages with data-centric connectivity that finds the right future data through filtering. Both technologies make system integration much easier, supporting much larger scale, better reliability, and application interoperability.

With knowledge of the structure and demands on data, the databus infrastructure can do things like filter information, selecting when or even if to do updates.  The infrastructure itself can control QoS like update rate, reliability, and guaranteed notification of peer liveliness.  The infrastructure can discover data flows and offer those to applications and generic tools alike.  This knowledge of data status, in a distributed system, is a crisp definition of “truth”.  As in databases, the infrastructure exposes the data, both structure and content, to other applications.  This accessible source of truth greatly eases system integration.  It also enables generic tools and services that monitor and view information flow, route messages, and manage caching.

Question 2: “Software applications read and update entries in a global data space. Updates are shared between applications via a publish-subscribe communications mechanism.”  Does that mean that this is a database that you interact with via a pub-sub interface?

Short answer: No, there is no database.  A database implies storage: the data physically resides somewhere.  A databus implements a purely virtual concept called a “global data space”.

Long answer: The databus data space defines how to interact with future information.  For instance, if “you” are an intersection controller, you can subscribe to updates of vehicles within 200m of your position.  Those updates will then be delivered to you, should a vehicle ever approach.  Delivery is guaranteed in many ways (start within .01 secs, updated 100x/sec, reliable, etc.).  Note that the data may never be stored at all.  (Although some QoS settings like reliability may require some local storage.)  You can think of a data space as a set of specially-controlled data objects that will be filled with information in the exact way you specify, although that information is not (in general) saved by the databus…it’s just delivered.

Question 3: “The participants/applications directly interface with the data.”  Could you elaborate on what that means?

With “message-centric” middleware, you write an application that sends data, wrapped in messages, to another application.  You may do that by having clients send data to servers, for instance.  Both ends need to know something about the other end, usually including things like the schema, but also likely assumed properties of the data like “it’s less than .01 seconds old”, or “it will come 100x/second”, or at least that there is another end alive, e.g. the server is running.  All these assumed properties are completely hidden in the application code, making reuse, system integration, and interoperability really hard.

With a databus, you don’t need to know anything about the source applications.  You make clear your data needs, and then the databus delivers it.  Thus, with a databus, each application interacts only with the data space.  As an application, you simply write to the data space or read from the data space with a CRUD interface.  Of course, you may require some QoS from that data space, e.g. you need your data updated 100x per second.  The data space itself (the databus) will guarantee you get that data (or flag an error).  You don’t need to know if there are only one or 27 redundant sources of that data, or if it comes over a network or shared memory, or if it’s a C program on Linux or a C# program on Windows.  All interactions are with your own view of the data space.  It also makes sense, for instance, to write data to a space with no recipients.  In this case, the databus may do absolutely nothing, or it may cache information for later delivery, depending on your QoS settings.

Note that both database and databus technologies replace the application-application interaction with application-data-application interaction.  This abstraction is absolutely critical.  It decouples applications and greatly eases scaling, interoperability, and system integration.  The difference is really one of old data stored in a (likely centralized) database, vs future data sent directly to the applications from a distributed data space.

Question 4: “The infrastructure understands, and can therefore selectively filter the data.” Isn’t that true of all pub-sub, where you can register for “events” of interest to you?

Most pub-sub is very primitive.  An application “registers interest”, and then everything is simply sent to that application.  So, for instance, an intersection collision detection algorithm could subscribe to “vehicle positions”.   The infrastructure then sends messages from any sensor capable of producing positions, with no knowledge of the data inside that message.  Even “content filtering” pub-sub offers only very simple specs and requires the system to pre-select what’s important for all.  There’s no real control of flow.

A databus is much more expressive.  That intersection could say “I am interested only in vehicle positions within 200m, moving at 10m/s towards me.  If a vehicle falls into my specs, I need to be updated 200 times a second.  You (the databus) need to guarantee me that all sensors feeding this algorithm promise to deliver data that fast…no slower or faster.  If a sensor updates 1000 times a second, then only send me every 5th update.  I also need to know that you actually are in touch with currently-live sensors (which I define as producing in the last 0.01secs) on all possible roadway approaches at all times.  Every sensor must be able to store 600 old samples (3 seconds worth), and update me with that old data if I need it.”   (These are a few of the 20+ QoS settings in the DDS standard.)

Note that a subscribing application in the primitive pub-sub case is very dependent on the actual properties of its producers.  It has to somehow trust that they are alive (!), that they have enough buffers to save the information it may need, that they won’t flood it with information nor provide it too slowly.  If there are 10,000 cars being sensed 1000x/sec, but only 3 within 200m, it will have to receive 10,000*1000 = 10 million samples every second just to find the 3*200 = 600 it needs to pay attention to.  It will have to ping every single sensor 100x/second just to ensure it is active.  If there are redundant sensors on different paths, it has to ping them all independently and somehow make sure all paths are covered.  If there are many applications, they all have to ping all the sensors independently.  It also has to know the schema of the producers, etc.

The application in the second case will, by contrast, receive exactly the 600 samples it cares about, comfortable in the knowledge that at least one sensor for each path is active.  The rate of flow is guaranteed.  Sufficient reliability is guaranteed.  The total dataflow is reduced by 99.994% (we only need 600 of the 10 million samples, and smart middleware does filtering at the source).  For completeness, note that the collision algorithm is completely independent of the sensors themselves.  It can be reused on any other intersection, and it will work with one sensor per path or 17.  If during runtime, the network gets too loaded to meet the data specs (or something fails), the application will be immediately notified.

Question 5: How does a databus differ from a CEP engine?

Short answer: a databus is a fundamentally distributed concept that selects and delivers data from local producers that match a simple specification.  A CEP engine is a centralized executable service that is capable of much more complex specifications, but must have all streams of data sent to one place.

Long answer: A Complex Event Processing (CEP) engine examines an incoming stream of data, looking for patterns you program it to identify.  When it finds one of those patterns, you can program it to take action. The patterns can be complex combinations of past and incoming future data.  However, it is a single service, running on a single CPU somewhere.  It transmits no information.

A databus also looks for patterns of data.  However, the specifications are simpler; it makes decisions about each data item as it’s produced.  The actions are also simpler; the only action it may take is to send that data to a requestor.  The power of a databus is that it is fundamentally distributed.  The looking happens locally on potentially hundreds, thousands, or even millions of nodes.  Thus, the databus is a very powerful way to select the right data from the right sources and send them to the right places.  A databus is sort of like a distributed set of CEP engines, one for every possible source of information, that are automatically programmed by the users of that information.  Of course, the databus has many other properties beyond pattern matching, such as schema mediation, redundancy management, transport support, an interoperable protocol, etc.

Question 6: What application drove the DDS standard and databuses?

The early applications were in intelligent robots, “information superiority”, and large coordinated systems like navy combat management.  These systems needed reliability even when components fail, data fast enough to control physical processes, and selective discovery and delivery to scale.  Data centricity really simplified application code and controlled interfaces, letting teams of programmers work on large software systems over time.  The DDS standard is an active, growing family of standards that was originally driven by both vendors and customers.  It has significant use across many verticals, including medical, transportation, smart cities, and energy.

If you’d like to learn about how intelligent software is sweeping the IIoT, be sure to download our whitepaper on the future of the automotive industry, “The Secret Sauce of Autonomous Cars”.