KR20190048537A - Platform and method for interworking between secured dds and non-secured dds - Google Patents

Abstract

The present invention relates to a platform for interlocking between a secured data distribution service (DDS) and a non-secured DDS, and a method thereof. According to the present invention, a DDS to which security is not applied, can access a DDS to which security is applied, without improving an entire DDS system to which security is not applied. The platform for interlocking between a secured DDS and a non-secured DDS, as a platform for interlocking between a non-DDS to which a security standard is not applied, and a secured DDS to which a security standard is applied, comprises: a DDS non-secured participant connected to a non-secured DDS side and including a DDS subscriber and a DDS issuer; and a DDS security agent connected to a secured DDS side and including a DDS subscriber and a DDS issuer. The DDS non-secured participant comprises a 1a function of subscribing to a specific topic issued by the DDS issuer of the non-secured DDS, and a 2a function of allowing the DDS non-secure participant to reissue the subscribed topic to the DDS security agent. The DDS security agent comprises: a 1b function of listing and storing a name of the topic subscribed from the DDS non-secured participant; a 2b function of subscribing to a topic having the name included in the list from the secured DDS; and a 3b function of reissuing and transferring the topic subscribed in the security DDS to the DDS non-secure participant.

Description

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a secure DDS and an unsecured DDS,

The present invention relates to an interworking platform and an interworking method between a non-secured DDS and a secured DDS for accessing a secured DDS without security.

Data Distribution Service (DDS) is a standard data-centric communication protocol that supports the service quality recommended by OMG (Object Management Group). DDS conveys information to the publish-subscribe communication model and has a structure suitable for one-to-many and many-to-many communications.

DDS initially did not include security-related information when it was standardized at OMG, and later announced DDS with security as a new security standard named DDS-Security.

The adoption of the DDS as a security standard for encrypting the RTPS protocol components makes it impossible for an intruder to know the contents of a RDSS packet even if a security threat such as an RTPS packet is stolen during DDS communication. However, in order to generate or receive and decrypt secure RTPS packets, it is necessary to acquire a product to which a DDS security standard is applied.

DDS is optimized for the ability to issue and subscribe to information as much as it focuses on real-time communication, but before the security standard was established, unauthorized participants could issue or subscribe to information. The security standard contains contents to improve these vulnerabilities. Therefore, old versions of DDS that do not apply the standard do not have access to the security DDS by default. Therefore, DDS without security applies DDS The contents of the packet of FIG.

DDS developed prior to the establishment of a standard for security of DDS or developed as a product that does not support the function of the security standard could not communicate basically with the secured DDS. To solve this problem, in order to change to a security-enabled DDS, the system should be improved so that all DDS participants in the DDS system use the new library. However, there are limitations in realizing that the number of DDS participants configured in the DDS system can not be increased or can not be improved.

Therefore, there is a need for a platform or method for interworking with DDS to which security is applied without improving overall DDS system without security.

SUMMARY OF THE INVENTION The present invention has been made to solve the above-mentioned problems, and it is an object of the present invention to provide a DDS system in which security is not applied, And to provide an interworking platform and interworking method between the DDS and the non-secure DDS.

According to an aspect of the present invention, there is provided a platform for interworking between a secure DDS and an insecure DDS according to the present invention is a platform for interworking between an insecure DDS to which a security standard is not applied and a secure DDS to which a security standard is applied, , A DDS non-security participant connected to a DDS subscriber and a DDS issuer; And a DDS security agent coupled to the secure DDS side, the DDS security agent including a DDS subscriber and a DDS issuer.

And, the DDS non-security participant is a 1a function that subscribes to a specific topic issued by the DDS issuer of the non-secure DDS; And a 2a function that reissues the topic subscribed to by the DDS non-security participant himself / herself to the DDS security representative.

And, the DDS security agent has a 1b function that lists and keeps the names of the topics subscribed from the DDS non-security participants; A second b function for subscribing to a topic having a name in the list in the secure DDS; And a third function to reissue the topic subscribed in the secure DDS and deliver it to the non-secure DDS participant.

The DDS non-security participant further includes a third function that re-issues the topic received from the DDS security agent through the third function to the non-secured DDS.

The second function and the third function may be a Real-Time Publish Subscribe (RTPS) unicast method using DTLS (Datagram Transport Layer Security).

According to the platform and the method for interworking between the secure DDS and the non-secure DDS according to the present invention, it is possible to link the secure DDS with the secured DDS system without the general modification of the non-secure DDS system, So that the efficiency of use of the existing DDS system can be increased.

1 illustrates an interoperable platform structure between a secure DDS and an insecure DDS according to the present invention;
2 is a block flow diagram of a method for interworking between a secure DDS and an insecure DDS according to the present invention.
3 is a diagram showing a process of issuing a topic to be subscribed in a secure DDS according to the present invention;
4 is a diagram showing a process of reissuing a subscription topic of a non-secured DDS participant according to the present invention.
5 illustrates a process in which a DDS security agent according to the present invention subscribes to a topic in a secure DDS;
6 is a diagram illustrating a process of reissuing a subscription topic of a DDS security agent according to the present invention.
7 is a diagram illustrating a process of reissuing a received topic of a non-secured DDS participant according to the present invention.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise. In this specification, the terms "comprises" or "having" and the like refer to the presence of stated features, integers, steps, operations, elements, components, or combinations thereof, But do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, or combinations thereof.

Also, in this specification, when an element is referred to as being " connected " or " connected " with another element, the element may be directly connected or directly connected to the other element, It should be understood that, unless an opposite description is present, it may be connected or connected via another element in the middle.

Also, in this specification, the terms first, second, etc. may be used to describe various components, but the components should not be limited by the terms. The terms are used only for the purpose of distinguishing one component from another.

Hereinafter, preferred embodiments, advantages and features of the present invention will be described in detail with reference to the accompanying drawings.

1 is a diagram illustrating an interworking platform structure between a secure DDS and an unsecured DDS according to the present invention.

Referring to FIG. 1, a platform for interworking between a secure DDS and an insecure DDS according to the present invention is for interworking between a non-secure DDS to which a security standard is not applied and a secure DDS to which a security standard is applied. And includes DDS non-security participants and DDS security representatives relaying interworking between secure DDS and non-secure DDS.

The Data Distribution Service (DDS) of the present invention is a data-oriented communication protocol standard established by OMG (Object Management Group). DDS transmits information to the publish-subscribe communication model and has a structure suitable for 1: many, many: many. Therefore, DDS does not use standard security protocols such as TLS and DTLS, which are suitable for one-to-one communication. Instead, DDS establishes a standard for applying security in the DDS system by keeping the data payload, heartbeat, ACK and NACK, sequence number, QoS, and issuer information of the RTPS protocol confidential .

The non-secure DDS of the present invention means a DDS platform to which the security standard is not applied, and which does not include security-related contents at the time of standardization in the OMG at the beginning.

The security DDS of the present invention refers to a DDS platform to which a security standard is applied, which is announced as a new security standard named DDS-Security after the non-security DDS. Security DDS adopts a method of encrypting the components of RTPS (Real-Time Publish Subscribe) protocol as a security standard. Even if a security threat such as an RTPS packet is stolen during DDS communication, an intruder can not know its contents .

The DDS non-security participant of the present invention is a participant for communicating with a participant of the security-applied DDS platform, which is connected to the non-security DDS side, has a DDS subscriber and a DDS issuer built therein, And serves as another participant who is different from the connected participant.

Specifically, the DDS non-security participant issues a list of topic names to subscribe to in the secure DDS to the DDS security representative. The DDS security agent is then configured to subscribe the subject requested by the DDS non-security participant to the domain of the secure DDS and reissue to the non-DDS participant within the interoperable domain.

DDS communication within an interworking domain is configured to apply Datagram Transport Layer Security (DTLS) to the transport layer User Datagram Protocol (UDP) to prevent security threats. Since the DDS communication in the interworking domain is limited to one-to-one communication, the security of DDS can be satisfied as DTLS.

DDS The non-security participant reissues the topic of the secure DDS obtained from the interworking domain to the non-security DDS, and the non-security DDS subscribes to the non-security DDS and the secure DDS.

Meanwhile, such DDS non-security participants may be created in non-secure DDS, or may be implemented in proprietary devices that are distinguished from devices with non-secure DDS.

The DDS security agent of the present invention is a participant for communicating with the DDS non-security participant, which is connected to the secure DDS side and has a DDS subscriber and a DDS issuer built therein, and is distinguished from the participants connected to the secure DDS As well as other participants.

Specifically, the DDS security agent selects a topic to be issued to the insecure DDS among the topics issued within the domain of the secure DDS. Thereafter, a new DDS domain named interworking domain is created, and the DDS non-insecure participant and the DDS security surrogate are respectively added as participants of the interworking domain.

That is, the platform of the present invention newly creates an interworking domain consisting of a DDS non-security participant and a DDS security agent, and relaying between the secure DDS and the non-secure DDS is performed through the interworking domain, .

At this time, the security QoS (Quality of Service) of the DDS security agent is not applied in the interworking domain. In addition, it is configured to set the RTPS communication to unicast by designating the IP address of the other party without using the discovery function of the DDS. Therefore, data is transmitted only to the IP address of the designated receiver side. Herein, the 'other party' to which the IP address is designated means the data receiver side, and thus may be a DDS non-security participant or a DDS security agent.

On the other hand, such a DDS security agent may be created in a secure DDS or may be implemented in a proprietary device which is distinguished from the device in which the secure DDS is mounted.

Hereinafter, a method for interworking between a secure DDS and an insecure DDS will be described in detail.

FIG. 2 is a block flow diagram of a method for interworking between a secure DDS and an insecure DDS according to the present invention.

Referring to FIG. 2, a method of interworking between a secure DDS and an insecure DDS according to the present invention includes: issuing a topic (S10) of a topic to be subscribed in a secure DDS; A topic subscription step (S20) of the DDS non-security participant; A subscription topic reissue step (S30) of the DDS non-security participant; List the topics of the DDS security surrogate and subscribe to topics in the secure DDS (S40); Reissue and subscribe to the subscription topic of the DDS security agent (S50); And a receiving topic reissue step (S60) of the DDS non-security participant.

The steps 'S30' and 'S50' are performed using a Real-Time Publish Subscribe (RTPS) unicast method using Datagram Transport Layer Security (DTLS).

The DTLS is applied to a UDP (User Datagram Protocol) of a transport layer.

The RTPS unicast method is characterized in that RTPS communication is set to unicast by designating an IP address on the receiver side.

(1) Step S10

Step S10 of the present invention is a step of issuing a topic to be subscribed in the secure DDS so that the DDS participant of the non-secure DDS requests a specific topic of the secure DDS.

3 is a diagram illustrating a process of issuing a topic to be subscribed to in the secure DDS according to the present invention. Referring to FIG. 3, a DDS issuer of a non-secure DDS publishes a sample in a secure DDS with a name of a topic to be subscribed to a topic present for data request.

3 illustrates a process of adding a topic name to be subscribed in a security-applied DDS. The DDS issuer of the non-secure DDS puts "TopicA" (ie, the name of the topic to be subscribed) in the topic "SDDS_Topic_Req" Samples were issued.

(2) Steps S20 and S30

Step S20 of the present invention is a step in which the DDS non-security participant subscribes to a specific topic issued by the DDS issuer of the non-secured DDS, and step S30 of the present invention is a step of reissuing the topic subscribed to by the DDS non-security participant himself / herself to the DDS security delegate.

4 is a diagram illustrating a process of reissuing a subscription topic of a DDS non-security participant of the present invention. Referring to FIG. 4, a DDS subscriber of a DDS non-security participant receives a sample by subscribing to a specific topic issued by a DDS issuer of a non-secure DDS, and then re-issues the sample of the subscription to the DDS security delegate. In the process of step S30, the RDSS unicast DDS to which the DTLS is applied is configured between the DDS non-security participant and the DDS security delegate.

In the example of FIG. 3, the DDS issuer of the non-secured DDS participant subscribes to the topic to be subscribed in the secure DDS, that is, the topic "SDDS_Topic_Req", and reissues it to the DDS security representative.

(3) Step S40

The step S40 of the present invention is a step in which the DDS security agent catalogs the names of the topics subscribed from the DDS non-security participant in step S30, and the DDS security agent subscribes the topics with the names in the list in the secure DDS .

FIG. 5 illustrates a process of subscribing to a topic in the secure DDS of the present invention, wherein the DDS security agent subscribes to the "TopicA" topic requested by the participant of the non-secured DDS.

Referring to FIG. 5, the DDS issuer of the secure DDS issues a response sample of the " Topic A " topic in response to a topic of the participant of the DDS (i.e., a topic having the topic name " TopicA "). The DDS security agent then completes step S40 by subscribing to the response sample of the topic "TopicA" issued in this manner.

(4) Step S50

The step S50 of the present invention is a step in which the DDS security agent reissues the topic subscribed in the secure DDS (i.e., step S40) and delivers it to the DDS non-security participant.

FIG. 6 is a diagram illustrating a process of reissuing a subscription topic of a DDS security agent of the present invention, in which a DDS security agent issues a topic subscribed in a security-applied DDS and delivers the topic to a DDS non-security participant. In the process of step S50, the DDS security agent and the DDS non-security participant are configured with RTPS unicast DDS to which DTLS is applied.

(5) Step S60

Step S60 of the present invention is a step of reissuing the topic received from the DDS security agent in step S50 to the non-secured DDS by the DDS non-security participant.

According to a preferred embodiment, step S60 may be configured to add a regex to the topic delivered from the DDS security agent and reissue to the non-secure DDS. In this case, the regulatory word may consist of letters, numbers or symbols indicating that the topic is a topic taken from a secure DDS to which the security standard has been applied.

FIG. 7 is a diagram illustrating a process of reissuing a topic received from a DDS security agent by a DDS non-security participant, according to an embodiment of the present invention.

In step S60, the DDS issuer of the DDS non-security participant may be configured to specify that the topic is taken from the secured DDS by attaching a prefix stipulated in the name of the topic, but this is not essential. Unsecured DDS DDS subscribers subscribe to this topic to ensure that non-secured DDS completes the link to access secured DDS.

While the preferred embodiments of the present invention have been described and illustrated above using specific terms, such terms are used only for the purpose of clarifying the invention, and it is to be understood that the embodiment It will be obvious that various changes and modifications can be made without departing from the spirit and scope of the invention. Such modified embodiments should not be understood individually from the spirit and scope of the present invention, but should be regarded as being within the scope of the claims of the present invention.

Claims (10)

As a platform for interworking between non-secure DDS without security standard and secure DDS with security standard,
A DDS non-security participant connected to the non-secure DDS side and comprising a DDS subscriber and a DDS issuer; And a DDS security agent coupled to the secure DDS side, the DDS security agent including a DDS subscriber and a DDS issuer,
The DDS non-security participant,
A < RTI ID = 0.0 > 1a < / RTI > function for subscribing to a specific topic issued by a DDS issuer of the non-secure DDS; And a 2a function for reissuing a topic subscribed to by the DDS non-security participant himself / herself to the DDS security agent,
The DDS security agent,
A first function for listing and storing names of topics subscribed from the DDS non-secured participants; A second function for subscribing a topic with a name in the list in the secure DDS; And a third function for reissuing a topic subscribed to by the secure DDS and delivering it to the non-secured DDS participant,
The DDS non-security participant,
And a third function to re-issue the topic received from the DDS security agent to the non-secured DDS via the third function,
Wherein the second function and the third function are implemented by a Real-Time Publish Subscribe (RTPS) unicast method using Datagram Transport Layer Security (DTLS).
The method according to claim 1,
Wherein the DTLS is applied to a UDP (User Datagram Protocol) of a transport layer.
The method according to claim 1,
Wherein the RTPS unicast method sets an RTPS communication to unicast by designating an IP address of the receiver side, and a platform for interworking between the secure DDS and the non-secure DDS.
The method according to claim 1,
The < RTI ID =
Adding a reword to the topic received from the DDS security agent, reissuing it to the non-secured DDS,
Wherein said regulatory word is a letter, number or symbol indicating that the topic is a topic taken from a secure DDS to which the security standard is applied.
A DDS non-security participant connected to a non-secure DDS side that does not have a security standard applied and that includes a DDS subscriber and a DDS issuer; And a secure DDS linked to a secure DDS side to which a security standard is applied, using a DDS security delegate including a DDS subscriber and a DDS issuer,
Inserting a specific topic issued by a DDS issuer of the non-secured DDS into the non-secured DDS;
B) the DDS unsecure participant reissues the subscribed topic to the DDS security representative;
C) listing the names of the topics subscribed to by the DDS security agent from the DDS non-security participant and storing the names;
D) the DDS security agent subscribes to a topic with a name in the list in the secure DDS;
Reissuing a topic subscribed to by the DDS security agent in the secure DDS and delivering it to the non-secured DDS participant; And
Inserting the DDS security agent into the non-secured DDS; and f) reissuing the DDS non-secured participant to the non-secured DDS,
Wherein the step b and the step e are performed by a Real-Time Publish Subscribe (RTPS) unicast method using Datagram Transport Layer Security (DTLS).
6. The method of claim 5,
Wherein the DTLS is applied to a UDP (User Datagram Protocol) of a transport layer.
6. The method of claim 5,
Wherein the RTPS unicast method sets an RTPS communication to unicast by specifying an IP address of a receiver side.
6. The method of claim 5,
In the step between the step d and the step e,
Further comprising the step of creating a new DDS domain (hereinafter 'interworking domain') to add the DDS non-secured participant and the DDS security agent as participants, respectively.
9. The method of claim 8,
Wherein the secure QoS (Quality of Service) of the DDS security agent is not applied in the interworking domain.
6. The method of claim 5,
The step (f)
Inserting a reword into a topic received from the DDS security agent, and re-issuing the unregulated DDS to the non-secured DDS,
Wherein said regulatory word is a letter, number or symbol indicating that the topic is a topic taken from a secure DDS to which the security standard is applied.

Images