WO2021103431A1 - Method for realizing dds domain participant security authentication - Google Patents


Info

Publication number: WO2021103431A1
Authority: WO (WIPO, PCT)
Prior art keywords: dds, node, domain, authentication, file
Application number: PCT/CN2020/089928
Other languages: French (fr), Chinese (zh)
Inventors: 王啸, 彭海维, 尹剑峰, 翟海涛, 李晨浩
Original assignee: 南京莱斯电子设备有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/045 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption

Definitions

  • The invention belongs to the field of distributed communication technology, and in particular relates to a method for realizing DDS domain participant security authentication.
  • The Data Distribution Service (DDS) is a distributed real-time communication middleware standard formulated by the Object Management Group.
  • The publish-subscribe model it supports gives applications flexible decoupling, and its rich set of QoS (Quality of Service) policies lets DDS meet the functional and performance requirements of Internet of Things systems well.
  • DDS has been widely used in many industrial IoT fields, including energy, medical and robotics.
  • The DDS specification includes domain participants, publishers, subscribers, data types, data writers, data readers, topics, built-in topics and QoS.
  • DDS sits above the operating system and below the user application, which lets it hide the details of the underlying system and bus heterogeneity and present a unified API for application data, as shown in Figure 1.
  • DDS discovers domain participants through multicast (multicast runs over UDP).
  • X.509-based authentication generally requires TCP and point-to-point communication; a new link would have to be established to carry the authentication messages, and the existing DDS automatic discovery mechanism has no way to implement this directly, nor to achieve interoperability between different vendors.
  • The technical problem to be solved by the present invention is to provide, in view of the deficiencies of the prior art, a method for realizing DDS (Data Distribution Service) domain participant security authentication, comprising the following steps:
  • Step 1: All powered-on DDS nodes automatically read the current system configuration and, according to the configuration items, automatically request the certificate file microservice to synchronize the current latest certificate file to the specified directory of the current DDS node;
  • Step 2: The DDS node newly joining the domain determines from its own system configuration whether domain participant security authentication is required. If it is, the node selects the current encryption file, encrypts the authentication data with the selected file and then executes step 3; if not, it goes directly to step 4;
  • Step 3: The newly joining DDS node fills bits 0-31 of the UserDataQosPolicy (user data entity policy) parameter of the DomainParticipantQoS (domain participant quality of service) defined in the DDS protocol specification with the name of the selected encryption certificate, fills bits 32-36 with the length of the encrypted data, and places the encrypted data from position 37 onwards;
  • Step 4: The newly joining DDS node sends an SPDP message;
  • Step 5: A DDS node that has already joined the domain receives the SPDP message of the newly joining node and determines from its own system configuration whether domain participant security authentication is required. If it is, it parses the UserDataQosPolicy parameter of DomainParticipantQoS, uses bits 0-31 to obtain the corresponding local decryption file, uses the encrypted-data length in bits 32-36 to extract the data from position 37 onwards, decrypts it and then executes step 6; if not, it adds the newly joining DDS node directly to the local domain participant list on receiving its SPDP message, sends a confirmation message to that node and then executes step 7;
  • Step 6: The legality of the data decrypted in step 5 is confirmed. If it is legal and valid, authentication passes, the newly joining DDS node is added to the local domain participant list and a confirmation message is sent to it; otherwise authentication fails and the SPDP message is simply ignored;
  • Step 7: The domain participant authentication process ends and the node continues to monitor DDS messages.
  • In step 1, the system configuration includes the following configuration items:
  • DDS_ENDPOINT_AUTH_SWITCH: true means this node performs encryption and decryption; false means it does not;
  • DDS_CERTIFICATE_PATH: path of this node's encryption and decryption certificates;
  • DDS_CERTIFICATE_SERVER_ADD: IP address and port of the certificate service center;
  • DDS_CERTIFICATE_SERVER_USER: user name and password for the certificate service center.
  • In step 1, the specified directory is taken from the configuration item DDS_CERTIFICATE_PATH.
  • In step 1, if the request to the certificate file microservice to synchronize the current latest certificate file to the node's specified directory fails, the latest certificate file is copied directly to that directory.
  • In step 2, if the configuration item DDS_ENDPOINT_AUTH_SWITCH in the current node's system configuration is true, domain participant security authentication is judged to be required: the node selects the current encryption file, encrypts the authentication data with it and then executes step 3; otherwise authentication is judged not to be required and the node proceeds directly to step 4.
  • In step 3, the parameters of DomainParticipantQoS mainly comprise UserDataQosPolicy (user entity data policy) and EntityFactoryQosPolicy (entity factory policy).
  • In step 5, if the configuration item DDS_ENDPOINT_AUTH_SWITCH in the current system configuration is true, domain participant security authentication is judged to be required; otherwise it is judged not to be required.
  • Figure 1 is a diagram of the DDS architecture.
  • Figure 2 is a diagram of the naming specification of encryption and decryption certificates.
  • Figure 3 is a schematic diagram of the overall message of the domain participants.
  • Figure 4 is a flowchart of a newly joined domain participant.
  • Figure 5 is a schematic diagram of authentication data rules.
  • Figure 6 is a diagram of the composition of the domain participant authentication message.
  • Figure 7 is a flowchart of authentication for newly joined domain participants.
  • The RTPS protocol (Real-Time Publish-Subscribe Wire Protocol) specifies two ways of sending SPDP messages, multicast and unicast; in practical application scenarios most SPDP messages are sent by multicast.
  • This mechanism realizes the automatic discovery of DDS: each node can join or leave the domain automatically, without any configuration or human intervention.
  • The default multicast IP is 239.255.0.1 and the port is PB + DG * domainId, where PB is 7400, DG is 250 and domainId is the domain ID value.
  • In the certificate file name, positions 0-1 distinguish whether the current certificate is an encryption or a decryption certificate; positions 2-4 identify the product type; positions 5-9 are reserved; positions 10-26 hold the time the file was generated (year, month, day, hour, minute, second, millisecond); positions 27-29 are reserved; and positions 30-31 are random digits. See Figure 2 for details.
  • The first 2 bytes identify the current certificate type.
  • The encryption methods currently used are mainly symmetric and asymmetric encryption.
  • For symmetric encryption the encryption and decryption files have the same name; for asymmetric encryption they are distinguished as public and private keys. See Table 2 for details.
  • The symmetric encryption algorithm of the present invention adopts MD5 and the asymmetric encryption algorithm adopts RSA; however, the present invention does not limit itself to specific encryption algorithms and is unaware of which specific algorithm is used.
  • The present invention proposes maintaining a certificate file microservice that stores the current encryption and decryption files of the whole company, organized by product category; externally it offers an SFTP (Secure File Transfer Protocol) interface, and a different user name is provided for each product.
  • An authentication file component is designed and implemented and deployed on every DDS node; each DDS node is configured with the IP, port number, SFTP user name and password of the authentication file microservice. See Table 1 for the specific parameters.
  • After a DDS node is powered on, it synchronizes the latest encryption and decryption certificate file information from the authentication file microservice at regular intervals (currently every 2 hours); it also supports copying the corresponding encryption and decryption certificate files directly to the local directory.
  • Through the authentication file microservice, the management of encryption and decryption certificates is unified and standardized, and the difficulty and cost of maintaining them are reduced.
  • A leaked secret key file only needs to be deleted in the authentication file microservice; each DDS node will then delete the leaked file automatically at its next synchronization.
  • The present invention also considers countermeasures for this case and proposes an authentication data rule: even if the secret key is leaked, a party that does not know the data authentication rule still cannot pass security authentication and cannot join the current DDS domain.
  • The implementation of the present invention's method for realizing DDS domain participant security authentication, described with reference to Figure 3, mainly includes the following steps:
  • Step 1: All powered-on DDS nodes automatically read the current system configuration (see Table 1). According to the configuration items they automatically request the certificate file microservice to synchronize the current latest certificate file to the node's specified directory; the directory is given by the DDS_CERTIFICATE_PATH configuration item in Table 1.
  • Step 2: The DDS node newly joining the domain judges from its own system configuration whether domain participant security authentication is required. If so, it selects the current encryption file according to the corresponding algorithm (the present invention does not prescribe the algorithm for selecting the encryption file; at present random selection is used, and the selection algorithm can be chosen to suit the business scenario) and encrypts the authentication data with the selected file. The application itself does not need to be aware of the current encryption file, encryption method or similar details.
  • Step 3: The newly joining DDS node fills bits 0-31 of the UserDataQosPolicy parameter of DomainParticipantQoS with the name of the selected encryption certificate and bits 32-36 with the length of the encrypted data, places the encrypted data from position 37 onwards, and then sends the SPDP message.
  • The parameter information of DomainParticipantQoS is as follows:
  • Step 4: A DDS node that has already joined the domain receives the SPDP message of the newly joining node and determines from its own system configuration whether domain participant security authentication is required. If it is, it parses the UserDataQosPolicy parameter of DomainParticipantQoS, uses bits 0-31 to obtain the corresponding local decryption file, uses the encrypted-data length in bits 32-36 to extract the data from position 37 onwards, and decrypts it.
  • Step 5: The legality of the decrypted data is confirmed. If it is legal and valid, authentication passes, the newly joining DDS node is added to the local domain participant list and a confirmation message is sent to it; if authentication fails, the message is ignored and the process goes to step 7.
  • Step 6: If the DDS node that has already joined the domain does not need to perform domain participant security authentication, it adds the newly joining DDS node directly to the local domain participant list on receiving its SPDP message and sends a confirmation message to that node.
  • Step 7: The domain participant authentication process ends and the node continues to monitor DDS messages.
  • The present invention makes full use of the UserDataQosPolicy parameter of the DDS (Data Distribution Service) DomainParticipantQoS and designs a universal domain participant security authentication that is compatible with different DDS products.
  • A data authentication rule is proposed which guarantees the validity and reliability of the security authentication to the greatest extent possible even when the secret key is leaked.
  • Step 1: All powered-on DDS nodes automatically read the current system configuration (see Table 1). According to the configuration items they automatically request the certificate file microservice to synchronize the current latest certificate file to the node's specified directory; the directory is given by the DDS_CERTIFICATE_PATH configuration item in Table 1.
  • Step 2: If synchronization of the latest certificate file in step 1 fails, the latest certificate file can be copied directly to the specified directory of the current DDS node.
  • Step 3: A new DDS node trying to join the current domain reads the configuration item DDS_ENDPOINT_AUTH_SWITCH. If it is true, proceed to the next step; otherwise proceed to step 7.
  • Step 4: Randomly take an encryption file from the directory configured by DDS_CERTIFICATE_PATH. (The present invention does not prescribe the algorithm for selecting encryption files; the selection algorithm can be chosen to suit the business scenario.)
  • Step 5: Encrypt the authentication data with the selected encryption file.
  • This example uses a simple encryption rule; the specific rule is shown in Figure 5.
  • Bytes 0-13 hold the current system time, accurate to the second;
  • bytes 14-15 hold the current domain ID;
  • bytes 16-31 hold the IP address this node uses for DDS communication (IPv6 compatible);
  • bytes 32-35 hold the SPDP message type (multicast/unicast);
  • bytes 36-41 hold the MAC address corresponding to the node's DDS communication IP address;
  • bytes 42-44 hold the current product type;
  • bytes 45-47 hold the checksum.
  • The specific encryption rule can be negotiated according to the requirements of each product. The 48 bytes of data are encrypted with the encryption file selected in step 4.
  • Step 6: Write the data into the UserDataQosPolicy parameter.
  • Bytes 0-31 of the UserDataQosPolicy parameter hold the name of this node's encryption file, obtained in step 4; bytes 32-35 hold the length of the encrypted data from step 5; the encrypted data from step 5 is placed from byte 36 onwards (including byte 36). See Figure 6 for details.
  • Step 7: Send the SPDP message.
  • Step 8: A participant that has already joined the domain receives the SPDP message sent by the joining participant.
  • The main process is shown in Figure 7.
  • Step 9: The already-joined domain participant node reads the configuration item that says whether the current system performs domain participant authentication: DDS_ENDPOINT_AUTH_SWITCH.
  • Step 10: If the configuration item read in step 9 is true, execute the next step; otherwise execute step 15.
  • Step 11: Parse the UserDataQosPolicy parameter of DomainParticipantQoS in the received SPDP message to obtain the encryption certificate name, the encrypted data length and the encrypted authentication data.
  • Step 12: Using the encryption certificate name parsed in step 11, obtain the corresponding decryption file locally and decrypt the encrypted authentication data.
  • Step 13: Judge whether the data decrypted in step 12 conforms to the authentication data rule of Figure 5; if so, execute the next step, otherwise execute step 17.
  • Step 14: Check the legality and validity of the decrypted authentication data: whether the IP address and MAC address match and are correct, whether the time information is valid, whether the product types are consistent, whether the checksum is correct, and so on. If the authentication data is legal and valid, go to the next step; otherwise go to step 17.
  • Step 15: Add the newly joined domain participant to the local domain participant list.
  • Step 16: Send a confirmation message to the newly joined domain participant.
  • Step 17: The domain participant authentication process ends and the node continues to monitor DDS messages.
  • The present invention provides a method for realizing the security authentication of DDS domain participants.
  • The above are only preferred embodiments of the present invention. It should be pointed out that those of ordinary skill in the art can make several improvements and modifications without departing from the principle of the present invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention. All components not made explicit in this embodiment can be implemented with existing technology.
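As an added example (not code from the patent or its assignee), the following Python walks through the authentication message of the embodiment above: the joining node lays out the 48-byte authentication data of Figure 5 (steps 5 and 6), frames it into the UserDataQosPolicy value of Figure 6 (certificate name in bytes 0-31, length in 32-35, data from byte 36, following the embodiment rather than the 32-36/37 positions in the claims), and the receiving node parses it and runs the step 11-14 checks. Everything the page does not fix is an assumption of this example and marked so in the code: IPv4 carried IPv4-mapped in bytes 16-31, the MCST/UCST tag for bytes 32-35, CRC-32 truncated to 24 bits as the checksum, the 30-second freshness window, the EN/DE certificate-kind prefix and the constructed certificate name, IP and MAC values. Encrypting the record with the selected certificate file is left out because the page fixes no cipher.

```python
# Added example (not the patent's code): the authentication message of the embodiment, from
# the joining node's 48-byte record (Figure 5) via the UserDataQosPolicy framing (Figure 6)
# to the receiver's checks (Steps 11-14). Encodings marked "assumed" are choices made here.
import ipaddress
import zlib
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y%m%d%H%M%S"        # bytes 0-13: 14 ASCII digits, to the second
RECORD_LEN = 48                  # Figure 5 covers exactly 48 bytes
NAME_LEN = 32                    # Figure 2: certificate names are 32 characters
SPDP_KINDS = (b"MCST", b"UCST")  # bytes 32-35: multicast/unicast tag (assumed)

def parse_cert_name(name: str) -> dict:
    """Split a Figure 2 certificate name: 0-1 kind, 2-4 product, 10-26 time, 30-31 random."""
    if len(name) != NAME_LEN or not name.isascii() or not name[10:27].isdigit():
        raise ValueError("certificate name must be 32 ASCII chars with a numeric time field")
    return {"kind": name[0:2], "product": name[2:5], "generated": name[10:27], "random": name[30:32]}

def _to_ipv6(ip: str) -> ipaddress.IPv6Address:
    addr = ipaddress.ip_address(ip)  # bytes 16-31 hold 16 bytes; IPv4 goes IPv4-mapped (assumed)
    return addr if addr.version == 6 else ipaddress.IPv6Address(f"::ffff:{addr}")

def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))

def checksum24(data: bytes) -> bytes:
    """Bytes 45-47. The page does not fix the algorithm; CRC-32 cut to 24 bits is assumed."""
    return (zlib.crc32(data) & 0xFFFFFF).to_bytes(3, "big")

def build_auth_record(now, domain_id, ip, spdp_kind, mac, product) -> bytes:
    """Joining node: lay out the 48-byte authentication data of Figure 5."""
    if spdp_kind not in SPDP_KINDS or len(product) != 3 or len(_mac_bytes(mac)) != 6:
        raise ValueError("bad SPDP kind, product type or MAC address")
    body = (now.strftime(TIME_FMT).encode("ascii")   # 0-13  system time
            + domain_id.to_bytes(2, "big")           # 14-15 domain ID
            + _to_ipv6(ip).packed                    # 16-31 node IP address
            + spdp_kind                              # 32-35 SPDP message kind
            + _mac_bytes(mac)                        # 36-41 MAC of that IP
            + product.encode("ascii"))               # 42-44 product type
    return body + checksum24(body)                   # 45-47 checksum

def parse_auth_record(rec: bytes) -> dict:
    """Step 13: anything that does not fit the rule is rejected before the checks run."""
    if len(rec) != RECORD_LEN:
        raise ValueError(f"record is {len(rec)} bytes, the rule needs {RECORD_LEN}")
    when = datetime.strptime(rec[0:14].decode("ascii"), TIME_FMT).replace(tzinfo=timezone.utc)
    return {"time": when, "domain_id": int.from_bytes(rec[14:16], "big"),
            "ip": ipaddress.IPv6Address(rec[16:32]), "spdp": rec[32:36],
            "mac": rec[36:42].hex(":"), "product": rec[42:45].decode("ascii"),
            "checksum_ok": rec[45:48] == checksum24(rec[:45])}

def validate_auth_record(rec, *, now, domain_id, ip, mac, product, cert_name=None,
                         max_skew=timedelta(seconds=30)) -> list:
    """Step 14 on the receiving node; every failed check is reported, not just the first."""
    try:
        f = parse_auth_record(rec)
    except ValueError as exc:
        return [f"does not match the authentication data rule: {exc}"]
    problems = []
    if not f["checksum_ok"]:
        problems.append("checksum mismatch")
    if abs(f["time"] - now) > max_skew:              # stale/replayed record window (assumed)
        problems.append("timestamp outside accepted window")
    if f["domain_id"] != domain_id:
        problems.append("domain ID mismatch")
    if f["ip"] != _to_ipv6(ip) or f["mac"] != _mac_bytes(mac).hex(":"):
        problems.append("IP/MAC do not match the sender")
    if f["product"] != product or (cert_name and parse_cert_name(cert_name)["product"] != product):
        problems.append("product type mismatch")
    return problems

def frame_user_data(cert_name: str, encrypted: bytes) -> bytes:
    """Figure 6: bytes 0-31 certificate name, 32-35 length, 36 onwards the encrypted data."""
    name = cert_name.encode("ascii")
    if len(name) != NAME_LEN:
        raise ValueError("certificate name must be 32 bytes")
    return name + len(encrypted).to_bytes(4, "big") + encrypted

def unframe_user_data(blob: bytes) -> tuple:
    """Step 11: the declared length must agree with what was actually received."""
    if len(blob) < NAME_LEN + 4 or len(blob) - 36 != int.from_bytes(blob[32:36], "big"):
        raise ValueError("UserDataQosPolicy value is truncated or its length field is wrong")
    return blob[:32].decode("ascii"), blob[36:]

def demo(clock_offset_seconds=5, tamper_domain=False) -> list:
    """Round trip on constructed values; an empty list means the join was authenticated.
    The page encrypts the record with the chosen certificate file but fixes no cipher,
    so here the record bytes travel unchanged."""
    sent_at = datetime(2020, 5, 13, 8, 30, 0, tzinfo=timezone.utc)
    cert = "EN" + "ABC" + "00000" + "20200513083000000" + "000" + "17"   # constructed name
    record = build_auth_record(sent_at, 7, "192.0.2.10", b"MCST", "02:00:5e:00:00:01", "ABC")
    if tamper_domain:   # altered in flight: domain ID changed, checksum left untouched
        record = record[:14] + (3).to_bytes(2, "big") + record[16:]
    name, payload = unframe_user_data(frame_user_data(cert, record))
    return validate_auth_record(payload, now=sent_at + timedelta(seconds=clock_offset_seconds),
                                domain_id=7, ip="192.0.2.10", mac="02:00:5e:00:00:01",
                                product="ABC", cert_name=name)
```

Two design points are worth noting on the receiving side. The length field in bytes 32-35 is compared with the size actually received before the payload is touched, so a UserDataQosPolicy value that claims more data than it carries is rejected at step 11 rather than read past its end; and validate_auth_record returns every failed check instead of stopping at the first, which gives a node rejecting a join something useful to log (for instance, a correct checksum together with a stale timestamp points at a replayed record rather than a corrupted one).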

Abstract

The present invention provides a method for realizing DDS domain participant security authentication. It comprises: designing an authentication file component that is deployed on each DDS node, and configuring on each DDS node the IP, port number, SFTP user name and password of an authentication file microservice; after a DDS node is powered on, synchronizing the latest encryption and decryption certificate file information from the authentication file microservice at regular intervals, while also supporting copying the corresponding encryption and decryption certificate file directly to the local node. By means of the authentication file microservice, the management of encryption and decryption certificates is unified and standardized, and the difficulty and cost of maintaining them are reduced. A leaked secret key file only needs to be deleted in the authentication file microservice, and each DDS node may then delete the leaked file automatically during synchronization. For the case of secret key leakage, the present invention provides an authentication data rule: even if a secret key is leaked, security authentication cannot be passed, and joining the current DDS domain is not allowed, unless the data authentication rule is also known.

Description

A Method for Realizing DDS Domain Participant Security Authentication

Technical field
The invention belongs to the field of distributed communication technology, and in particular relates to a method for realizing DDS domain participant security authentication.
Background art
With the development of informatization, ever-changing masses of data must be handled, and real-time, efficient, high-speed data interaction is of vital importance. It is therefore urgent to establish information transmission middleware with strong real-time behaviour, high reliability and good security that improves system interconnection, meets the various information exchange and sharing needs within a system, and solves the data sharing and integration problems between application programs.
The Data Distribution Service (DDS) is a distributed real-time communication middleware standard formulated by the Object Management Group. The publish-subscribe model it supports gives applications flexible decoupling, and its rich set of QoS (Quality of Service) policies lets DDS meet the functional and performance requirements of Internet of Things systems well. At present DDS is widely used in many industrial IoT fields, including energy, medical and robotics.
The DDS specification includes domain participants, publishers, subscribers, data types, data writers, data readers, topics, built-in topics and QoS. In a concrete product implementation, DDS sits above the operating system and below the user application, which lets it hide the details of the underlying system and bus heterogeneity and present a unified API for application data, as shown in Figure 1.
As DDS is used more and more, especially across all kinds of wireless smart devices, making full use of its ability to join a domain automatically also brings a security problem: how to confirm that a node joining the current domain is legitimate has become a problem that must be solved. One current proposal is that the domain participants joined by every node all authenticate through a third-party authentication service center; this approach has a fatal flaw, the risk of a single point of failure, and it violates the dynamic philosophy of DDS. Another proposal adopts X.509-based and similar authentication methods in which domain participants authenticate their communication by negotiating dynamic secret keys. In actual business scenarios, however, DDS discovers domain participants by multicast (which runs over UDP), whereas X.509-based authentication generally requires TCP and point-to-point communication: a new link would have to be established to carry the authentication messages, the existing DDS automatic discovery mechanism has no way to implement this directly, and there is no way to achieve interoperability between different vendors. Given this situation, a new method is urgently needed that is simple and that, under the existing DDS standard protocol, lets the DDS products of different manufacturers perform domain participant security authentication with each other.
Summary of the invention
Purpose of the invention: the technical problem to be solved by the present invention is to provide, in view of the deficiencies of the prior art, a method for realizing DDS (Data Distribution Service) domain participant security authentication, comprising the following steps:
Step 1. All powered-on DDS nodes automatically read the current system configuration and, according to the configuration items, automatically request the certificate file microservice to synchronize the current latest certificate file to the specified directory of the current DDS node;
Step 2. The DDS node newly joining the domain determines from its own system configuration whether domain participant security authentication is required. If it is, the node selects the current encryption file, encrypts the authentication data with the selected file and then executes step 3; if not, it goes directly to step 4;
Step 3. The newly joining DDS node fills bits 0-31 of the UserDataQosPolicy (user data entity policy) parameter of the DomainParticipantQoS (domain participant quality of service) defined in the DDS protocol specification with the name of the selected encryption certificate, fills bits 32-36 with the length of the encrypted data, and places the encrypted data from position 37 onwards;
Step 4. The newly joining DDS node sends an SPDP message;
Step 5. A DDS node that has already joined the domain receives the SPDP message of the newly joining node and determines from its own system configuration whether domain participant security authentication is required. If it is, it parses the UserDataQosPolicy parameter of DomainParticipantQoS, uses bits 0-31 to obtain the corresponding local decryption file, uses the encrypted-data length in bits 32-36 to extract the data from position 37 onwards, decrypts it and then executes step 6; if not, it adds the newly joining DDS node directly to the local domain participant list on receiving its SPDP message, sends a confirmation message to that node and then executes step 7;
Step 6. The legality of the data decrypted in step 5 is confirmed. If it is legal and valid, authentication passes, the newly joining DDS node is added to the local domain participant list and a confirmation message is sent to it; otherwise authentication fails and the SPDP message is simply ignored;
Step 7. The domain participant authentication process ends and the node continues to monitor DDS messages.
In step 1, the system configuration includes the following configuration items:
DDS_ENDPOINT_AUTH_SWITCH: true means this node performs encryption and decryption; false means it does not;
DDS_CERTIFICATE_PATH: path of this node's encryption and decryption certificates;
DDS_CERTIFICATE_SERVER_ADD: IP address and port of the certificate service center;
DDS_CERTIFICATE_SERVER_USER: user name and password for the certificate service center.
In step 1, the specified directory is taken from the configuration item DDS_CERTIFICATE_PATH.
In step 1, if the request to the certificate file microservice to synchronize the current latest certificate file to the specified directory of the current DDS node fails, the latest certificate file is copied directly to that directory.
In step 2, if the configuration item DDS_ENDPOINT_AUTH_SWITCH in the current node's system configuration is true, domain participant security authentication is judged to be required: the node selects the current encryption file, encrypts the authentication data with it and then executes step 3; otherwise authentication is judged not to be required and the node proceeds directly to step 4.
In step 3, the parameters of DomainParticipantQoS mainly comprise UserDataQosPolicy (user entity data policy) and EntityFactoryQosPolicy (entity factory policy):
[Figure PCTCN2020089928-appb-000001: DomainParticipantQoS parameter listing; image not reproduced in the text]
In step 5, if the configuration item DDS_ENDPOINT_AUTH_SWITCH in the current system configuration is true, domain participant security authentication is deemed required; otherwise it is deemed not required.
The present invention has the following beneficial effects:
(1) Domain participant security authentication can be achieved between different DDS products.
(2) Both symmetric and asymmetric encryption and decryption are supported.
(3) Dual authentication, combining encryption of the authentication data with an authentication data rule, improves the reliability of authentication.
(4) An authentication file microservice provides unified management of all encryption and decryption certificates, reducing the difficulty and cost of maintaining them.
(5) Domain participant discovery with security authentication is supported for both SPDP multicast and SPDP unicast.
Description of the drawings
The present invention is described in further detail below with reference to the drawings and specific embodiments; the above and/or other advantages of the invention will become clearer.
Figure 1 is a diagram of the DDS architecture.
Figure 2 shows the naming specification for encryption and decryption certificates.
Figure 3 is a schematic diagram of the overall domain participant message flow.
Figure 4 is a flowchart for a newly joining domain participant.
Figure 5 is a schematic diagram of the authentication data rule.
Figure 6 shows the composition of the domain participant authentication message.
Figure 7 is a flowchart of the authentication of a newly joining domain participant.
Detailed description
Discovery between DDS participants is performed with the Simple Participant Discovery Protocol (SPDP). The RTPS protocol (Real-time Publish-Subscribe Wire Protocol) specifies two ways of sending SPDP messages: multicast and unicast. In practice most deployments send SPDP messages by multicast, which gives DDS automatic discovery: each node can join or leave a domain automatically without any configuration or human intervention. The default multicast IP is 239.255.0.1 and the port is PB+DG*domainId (PB is 7400, DG is 250, and domainId is the domain ID). In some business scenarios, however, domain participant discovery must be done by unicast, that is, static discovery.
The DDS standard requires every DDS node joining the current domain to actively send a domain participant message, and every domain participant carries the DomainParticipantQoS quality-of-service setting. The standard specifies that this QoS contains UserDataQosPolicy (user data policy) and EntityFactoryQosPolicy (entity factory policy), so the DomainParticipantQoS of every DDS product should contain these two parameters; individual DDS products may add their own parameters on top of them. To remain compatible with the different existing DDS products, the present invention does not add a new QoS parameter but directly reuses the existing UserDataQosPolicy parameter of DomainParticipantQoS.
To implement the invention, two system settings are added in this solution: one indicating whether domain participant security authentication (that is, encryption and decryption) is currently required, and one giving the path where the current DDS node stores its encryption and decryption certificates. In total the invention has four configuration items; see Table 1 for details. The invention also defines naming rules for encryption and decryption certificates. A certificate name is 32 bytes long: positions 0-1 distinguish whether the certificate is for encryption or decryption; positions 2-4 identify the product type; positions 5-9 are reserved; positions 10-26 hold the file generation time (year, month, day, hour, minute, second, millisecond); positions 27-29 are reserved; positions 30-31 are a random number; see Figure 2. The first 2 bytes identify the certificate type. The encryption methods currently used are mainly symmetric and asymmetric encryption; for symmetric encryption the encryption and decryption file names are the same, while asymmetric encryption and decryption are distinguished by public and private key; see Table 2. At present the symmetric encryption algorithm of the invention is MD5 and the asymmetric encryption algorithm is RSA; however, the invention neither restricts nor is aware of the specific encryption algorithm.
Table 1
Configuration item | Example | Description
DDS_ENDPOINT_AUTH_SWITCH | true/false | Whether this node needs encryption and decryption
DDS_CERTIFICATE_PATH | /dds/certificate/ | Path to this node's encryption and decryption certificates
DDS_CERTIFICATE_SERVER_ADD | 192.168.1.1:22 | IP address and port of the certificate service center
DDS_CERTIFICATE_SERVER_USER | dds_radar:dds | User name and password for the certificate service center
Table 2
Certificate type field value | Description
00 | Symmetric encryption
01 | Asymmetric encryption (public key)
10 | Asymmetric encryption (private key)
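As an added illustration (not code from the patent), the following Python parses a certificate file name laid out as in Figure 2 and Table 2 and resolves the matching decryption file that a receiving node looks up in step 12 of the embodiment below. It assumes ASCII fields, a yyyyMMddHHmmssSSS generation time, that the two halves of an asymmetric pair differ only in their type prefix, and adds a check that the certificate's product type matches the receiver's own product.

```python
"""Added example, not code from the patent: parse the 32-byte certificate file
name of Figure 2 / Table 2 and resolve the decryption file a receiving node
looks up in step 12.  Assumptions: fields are ASCII, the 17-character time is
yyyyMMddHHmmssSSS, and an asymmetric key pair shares every field except the
type prefix ("01" public key, "10" private key)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable

CERT_TYPES = {"00": "symmetric", "01": "public", "10": "private"}  # Table 2
PAIR = {"01": "10", "10": "01"}   # the other half of an asymmetric pair


@dataclass(frozen=True)
class CertName:
    cert_type: str       # positions 0-1, see Table 2
    product: str         # positions 2-4
    generated: datetime  # positions 10-26, millisecond resolution
    nonce: str           # positions 30-31, random number
    raw: str


def parse_cert_name(name: str) -> CertName:
    """Split a certificate file name into its Figure 2 fields, rejecting
    names of the wrong length, unknown type, or malformed timestamp."""
    if len(name) != 32 or not name.isascii():
        raise ValueError("certificate name must be 32 ASCII bytes")
    cert_type = name[0:2]
    if cert_type not in CERT_TYPES:
        raise ValueError("unknown certificate type %r" % cert_type)
    t = name[10:27]
    if not t.isdigit():
        raise ValueError("generation time is not numeric")
    generated = datetime(int(t[0:4]), int(t[4:6]), int(t[6:8]), int(t[8:10]),
                         int(t[10:12]), int(t[12:14]), int(t[14:17]) * 1000)
    return CertName(cert_type, name[2:5], generated, name[30:32], name)


def decryption_file_for(enc_name: str) -> str:
    """Name of the file that decrypts data encrypted with enc_name: the same
    file for symmetric keys, the other half of the pair for asymmetric keys."""
    parsed = parse_cert_name(enc_name)
    if parsed.cert_type == "00":
        return enc_name
    return PAIR[parsed.cert_type] + enc_name[2:]


def find_decryption_file(enc_name: str, local_files: Iterable[str],
                         product: str) -> str:
    """Step 12 lookup on the receiving node: the decryption file must exist
    locally (synchronized from the authentication file microservice) and
    belong to the receiver's own product type (added check); otherwise the
    SPDP message cannot be authenticated."""
    parsed = parse_cert_name(enc_name)
    if parsed.product != product:
        raise LookupError("certificate is for product %r" % parsed.product)
    wanted = decryption_file_for(enc_name)
    if wanted not in set(local_files):
        raise LookupError("no local decryption file %r" % wanted)
    return wanted
```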
In addition, to better maintain and update the encryption and decryption files, the invention proposes maintaining an authentication file microservice that stores all of the company's current encryption and decryption files, organised by product category. It exposes an SFTP (Secret File Transfer Protocol, secure file transfer protocol) interface and provides a different user name for each product. The invention also designs and implements an authentication file component that is deployed on every DDS node; each node is configured with the IP address, port, SFTP user name and password of the authentication file microservice (see Table 1 for the parameters). After a DDS node powers on, it periodically (currently every 2 hours) synchronizes the latest encryption and decryption certificate files from the authentication file microservice; copying the certificate files to the node directly is also supported. The authentication file microservice standardizes certificate management and reduces the difficulty and cost of maintaining encryption and decryption certificates: a leaked key file only needs to be deleted from the microservice, and each DDS node removes it automatically at its next synchronization.
In addition, for the case of key leakage, the invention provides a countermeasure in the form of an authentication data rule: even if a key is leaked, a party that does not know the data authentication rule still cannot pass security authentication and cannot join the current DDS domain.
The method of the present invention for realizing security authentication of DDS domain participants, with reference to Figure 3, mainly comprises the following steps:
Step 1: every powered-on DDS node automatically reads the current system configuration (see Table 1). Based on the configuration items, it automatically requests the certificate file microservice to synchronize the latest certificate files into the node's specified directory, given by the DDS_CERTIFICATE_PATH configuration item in Table 1.
Step 2: a DDS node newly joining the domain determines from its system configuration whether domain participant security authentication is required. If so, it selects the current encryption file according to the corresponding algorithm (the invention does not prescribe the selection algorithm; random selection is used at present, and the algorithm can be chosen according to the needs of the business scenario) and encrypts the authentication data with the selected encryption file. The application itself need not be aware of the current encryption file, the encryption method, or similar details.
Step 3: the newly joining DDS node writes the name of the selected encryption certificate into positions 0-31 of the UserDataQosPolicy parameter of DomainParticipantQoS, the encrypted data length into positions 32-36, and the encrypted data from position 37 onward, and then sends the SPDP message. The DomainParticipantQoS parameters are as follows:
[Figure PCTCN2020089928-appb-000002: DomainParticipantQoS parameter listing; image not reproduced in the text]
Step 4: a DDS node already in the domain receives the SPDP message of the newly joining node and determines from its current system configuration whether domain participant security authentication is required. If so, it parses the UserDataQosPolicy parameter of DomainParticipantQoS, uses positions 0-31 to find the corresponding local decryption file, reads the encrypted data length from positions 32-36 to extract the data from position 37 onward, and decrypts it.
Step 5: the decrypted data is checked for legality. If it is legal and valid, authentication passes: the newly joining DDS node is added to the local domain participant list and a confirmation message is sent to it. If authentication fails, the message is simply ignored; proceed to step 7.
Step 6: if the DDS node already in the domain does not require domain participant security authentication, on receiving the SPDP message of the newly joining node it adds that node directly to the local domain participant list and sends it a confirmation message.
Step 7: the domain participant authentication process ends, and the node continues to listen for DDS messages.
Embodiment
In view of the various shortcomings of existing security authentication schemes for DDS domain participants, the present invention makes full use of the UserDataQosPolicy parameter of DDS (Data Distribution Service) DomainParticipantQoS to design a general domain participant security authentication method compatible with different DDS products. It also proposes a data authentication rule that preserves the validity and reliability of security authentication as far as possible even when a key has leaked.
Step 1: every powered-on DDS node automatically reads the current system configuration (see Table 1). Based on the configuration items, it automatically requests the certificate file microservice to synchronize the latest certificate files into the node's specified directory, given by the DDS_CERTIFICATE_PATH configuration item in Table 1.
Step 2: if synchronizing the latest certificate files fails in step 1, the latest certificate files can be copied directly into the specified directory of the current DDS node.
Step 3: as shown in Figure 4, a new DDS node attempting to join the current domain reads the configuration item DDS_ENDPOINT_AUTH_SWITCH. If it is true, proceed to the next step; otherwise go to step 7.
Step 4: pick one encryption file at random from the directory configured by DDS_CERTIFICATE_PATH. (The invention does not prescribe the selection algorithm; it can be chosen according to the needs of the business scenario.)
Step 5: encrypt the authentication data with the selected encryption file. This embodiment uses a simple rule for the authentication data, shown in Figure 5, with a total of 48 bytes: bytes 0-13 hold the current system time, accurate to the second; bytes 14-15 hold the current domain ID; bytes 16-31 hold the IP address this node uses for DDS communication (IPv6 compatible); bytes 32-35 hold the port number from which the SPDP (multicast/unicast) message is sent; bytes 36-41 hold the MAC address corresponding to that IP address; bytes 42-44 hold the current product type; bytes 45-47 hold a checksum. The specific rule can be agreed according to each product's requirements. These 48 bytes are encrypted with the encryption file from step 4.
Step 6: write the data into the UserDataQosPolicy parameter: bytes 0-31 hold this node's encryption file name, that is, the information obtained in step 4; bytes 32-35 hold the length of the data encrypted in step 5; the encrypted data from step 5 follows from byte 36 (inclusive) onward. See Figure 6.
Step 7: send the SPDP message.
Step 8: a participant already in the domain receives the SPDP message sent by the newly joining participant. The main flow is shown in Figure 7.
Step 9: the participant node already in the domain reads the configuration item that determines whether domain participant authentication is performed: DDS_ENDPOINT_AUTH_SWITCH.
Step 10: if the configuration item read in step 9 is true, proceed to the next step; otherwise go to step 15.
Step 11: parse the UserDataQosPolicy parameter of DomainParticipantQoS in the received SPDP message, extracting the encryption certificate name, the encrypted data length and the encrypted authentication data.
Step 12: using the encryption certificate name parsed in step 11, obtain the corresponding decryption file locally and decrypt the encrypted authentication data.
Step 13: determine whether the data decrypted in step 12 conforms to the authentication data rule of Figure 5. If so, proceed to the next step; otherwise go to step 17.
Step 14: check the legality and validity of the decrypted authentication data: for example, whether the IP address and MAC address match and are correct, whether the time information is valid, whether the product type is consistent, whether the checksum is correct, and so on. If the authentication data is legal and valid, proceed to the next step; otherwise go to step 17.
Step 15: add the newly joining domain participant to the local domain participant list.
Step 16: send a confirmation message to the newly joining domain participant.
Step 17: the domain participant authentication process ends, and the node continues to listen for DDS messages.
The present invention provides a method for realizing security authentication of DDS domain participants. There are many specific ways to implement this technical solution; the above is only a preferred embodiment. It should be noted that a person of ordinary skill in the art can make a number of improvements and refinements without departing from the principle of the invention, and these should also be regarded as within the scope of protection of the invention. Components not made explicit in this embodiment can be implemented with existing technology.
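The following Python is an added example, not code from the patent, that works through the Figure 5 authentication record and the Figure 6 UserDataQosPolicy layout as used in steps 5, 6 and 11-14 of the embodiment above (and steps 3-5 of the method description): it builds the 48-byte record, packs and parses the policy bytes, and runs the receiver's legality checks. Field offsets come from the page; the per-field encodings, the checksum, the freshness window and the receiver's IP-to-MAC table are assumptions, and the cipher is left out because the page does not fix one.

```python
"""Added example, not code from the patent: build, pack, parse and check the
48-byte authentication record of Figure 5 and the UserDataQosPolicy layout of
Figure 6 (embodiment steps 5, 6, 11, 13, 14).  Offsets follow the page; the
per-field encodings (ASCII yyyyMMddHHmmss time, big-endian integers, IPv4 as
an IPv4-mapped IPv6 address, byte-sum checksum), the freshness window and the
receiver's IP-to-MAC table are assumptions; the cipher is the deployment's."""
import calendar
import ipaddress
import struct
import time
from typing import Dict, Optional, Tuple

RECORD_LEN = 48            # Figure 5: bytes 0-47
CERT_NAME_LEN = 32         # Figure 6: bytes 0-31 carry the certificate name
DATA_OFFSET = 36           # Figure 6: length at 32-35, ciphertext from 36
TIME_FMT = "%Y%m%d%H%M%S"  # 14 ASCII digits, accurate to the second


def checksum24(body: bytes) -> bytes:
    """Assumed checksum for bytes 45-47: byte sum modulo 2**24, big-endian."""
    return (sum(body) & 0xFFFFFF).to_bytes(3, "big")


def build_auth_record(domain_id: int, ip: str, port: int, mac: str,
                      product_type: str, now: Optional[float] = None) -> bytes:
    """Step 5: the 48-byte plaintext the joining node encrypts."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:                  # carry IPv4 as IPv4-mapped IPv6
        addr = ipaddress.IPv6Address("::ffff:" + ip)
    ts = time.strftime(TIME_FMT, time.gmtime(now)).encode("ascii")   # 0-13
    body = (ts
            + struct.pack(">H", domain_id)                             # 14-15
            + addr.packed                                              # 16-31
            + struct.pack(">I", port)                                  # 32-35
            + bytes.fromhex(mac.replace(":", "").replace("-", ""))     # 36-41
            + product_type.encode("ascii")[:3].ljust(3, b"\x00"))      # 42-44
    return body + checksum24(body)                                     # 45-47


def pack_user_data(cert_name: str, ciphertext: bytes) -> bytes:
    """Step 6: certificate name, ciphertext length, then the ciphertext."""
    name = cert_name.encode("ascii")
    if len(name) != CERT_NAME_LEN:
        raise ValueError("certificate name must be exactly 32 bytes")
    return name + struct.pack(">I", len(ciphertext)) + ciphertext


def parse_user_data(user_data: bytes) -> Tuple[str, bytes]:
    """Step 11 on the receiving node; rejects truncated or padded payloads
    instead of trusting the declared length blindly."""
    if len(user_data) < DATA_OFFSET:
        raise ValueError("UserDataQosPolicy shorter than its header")
    cert_name = user_data[:CERT_NAME_LEN].decode("ascii")
    (length,) = struct.unpack(">I", user_data[32:36])
    ciphertext = user_data[DATA_OFFSET:]
    if len(ciphertext) != length:
        raise ValueError("declared length %d, actual %d" % (length, len(ciphertext)))
    return cert_name, ciphertext


def validate_auth_record(record: bytes, expected_domain: int,
                         expected_product: str, known_macs: Dict[str, str],
                         now: Optional[float] = None,
                         max_skew_s: int = 60) -> Tuple[bool, str]:
    """Steps 13-14: structural check against the Figure 5 rule, then the
    legality checks the page lists (checksum, time validity, domain, IP/MAC
    match, product type).  known_macs is the receiver's own IP->MAC view."""
    if len(record) != RECORD_LEN:
        return False, "record length"
    if record[45:48] != checksum24(record[:45]):
        return False, "checksum"
    try:
        ts = calendar.timegm(time.strptime(record[0:14].decode("ascii"), TIME_FMT))
    except (UnicodeDecodeError, ValueError):
        return False, "timestamp format"
    ref = time.time() if now is None else now
    if abs(ref - ts) > max_skew_s:         # replayed or badly skewed record
        return False, "timestamp stale"
    (domain_id,) = struct.unpack(">H", record[14:16])
    if domain_id != expected_domain:
        return False, "domain id"
    addr = ipaddress.IPv6Address(record[16:32])
    ip = str(addr.ipv4_mapped or addr)
    if known_macs.get(ip) != record[36:42].hex(":"):
        return False, "ip/mac mismatch"
    if record[42:45].rstrip(b"\x00") != expected_product.encode("ascii"):
        return False, "product type"
    return True, "ok"
```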

Claims (7)

  1. A method for realizing security authentication of DDS domain participants, characterized in that it comprises the following steps:
    Step 1: every powered-on DDS node automatically reads the current system configuration and, based on the configuration items, automatically requests the certificate file microservice to synchronize the latest certificate files into the specified directory of the current DDS node;
    Step 2: a DDS node newly joining the domain determines from its system configuration whether domain participant security authentication is required; if so, it selects the current encryption file, encrypts the authentication data with it, and then performs step 3; if not, it proceeds directly to step 4;
    Step 3: the newly joining DDS node writes the name of the selected encryption certificate into positions 0-31 of the UserDataQosPolicy (user data policy) parameter of the DomainParticipantQoS (domain participant quality of service) defined in the DDS protocol specification, the encrypted data length into positions 32-36, and the encrypted data from position 37 onward;
    Step 4: the newly joining DDS node sends an SPDP message;
    Step 5: a DDS node already in the domain receives the SPDP message of the newly joining DDS node and determines from its current system configuration whether domain participant security authentication is required; if so, it parses the UserDataQosPolicy parameter of DomainParticipantQoS, uses positions 0-31 of the UserDataQosPolicy parameter to obtain the corresponding local decryption file, reads the encrypted data length from positions 32-36 to extract the data from position 37 onward, decrypts it, and then performs step 6; if not, on receiving the SPDP message of the newly joining DDS node it adds that node directly to the local domain participant list, sends it a confirmation message, and then performs step 7;
    Step 6: the data decrypted in step 5 is checked for legality; if it is legal and valid, authentication passes, the newly joining DDS node is added to the local domain participant list and a confirmation message is sent to it; otherwise authentication fails and the SPDP message is simply ignored;
    Step 7: the domain participant authentication process ends, and the node continues to listen for DDS messages.
  2. The method according to claim 1, characterized in that in step 1 the system configuration includes the following configuration items:
    DDS_ENDPOINT_AUTH_SWITCH: true means this node requires encryption and decryption; false means it does not;
    DDS_CERTIFICATE_PATH: path to this node's encryption and decryption certificates;
    DDS_CERTIFICATE_SERVER_ADD: IP address and port of the certificate service center;
    DDS_CERTIFICATE_SERVER_USER: user name and password for the certificate service center.
  3. The method according to claim 2, characterized in that in step 1 the specified directory is taken from the configuration item DDS_CERTIFICATE_PATH.
  4. The method according to claim 3, characterized in that in step 1, if the request to the certificate file microservice to synchronize the latest certificate files into the specified directory of the current DDS node fails, the latest certificate files are copied directly into that directory.
  5. The method according to claim 4, characterized in that in step 2, if the configuration item DDS_ENDPOINT_AUTH_SWITCH in the current node's system configuration is true, domain participant security authentication is deemed required: the current encryption file is selected, the authentication data is encrypted with it, and step 3 is performed; otherwise domain participant security authentication is deemed not required and step 4 is performed directly.
  6. The method according to claim 5, characterized in that in step 3 the parameters of DomainParticipantQoS include the UserDataQosPolicy user data policy and the EntityFactoryQosPolicy entity factory policy.
  7. The method according to claim 6, characterized in that in step 5, if the configuration item DDS_ENDPOINT_AUTH_SWITCH in the current system configuration is true, domain participant security authentication is deemed required; otherwise it is deemed not required.
PCT/CN2020/089928 2019-11-26 2020-05-13 Method for realizing dds domain participant security authentication WO2021103431A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201911173549.XA CN111031012B (en) 2019-11-26 2019-11-26 Method for realizing security authentication of DDS domain participant
CN201911173549.X 2019-11-26

Publications (1)

Publication Number Publication Date
WO2021103431A1 true WO2021103431A1 (en) 2021-06-03

Family

ID=70202280

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/089928 WO2021103431A1 (en) 2019-11-26 2020-05-13 Method for realizing dds domain participant security authentication

Country Status (2)

Country Link
CN (1) CN111031012B (en)
WO (1) WO2021103431A1 (en)

Also Published As

Publication number Publication date
CN111031012B (en) 2021-04-27
CN111031012A (en) 2020-04-17

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20892976

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20892976

Country of ref document: EP

Kind code of ref document: A1

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 22/05/2023)