WO2021103431A1 - Method for realizing DDS domain participant security authentication - Google Patents
Method for realizing DDS domain participant security authentication
- Publication number: WO2021103431A1
- Application number: PCT/CN2020/089928
- Authority: WO (WIPO, PCT)
- Prior art keywords: DDS, node, domain, authentication, file
Classifications
- H04L 63/08 (H: Electricity > H04: Electric communication technique > H04L: Transmission of digital information, e.g. telegraphic communication > H04L 63/00: Network architectures or network communication protocols for network security): for authentication of entities
- H04L 63/045 (H04L 63/00 > H04L 63/04: for providing a confidential data exchange among entities communicating through data packet networks > H04L 63/0428: wherein the data content is protected, e.g. by encrypting or encapsulating the payload): wherein the sending and receiving network entities apply hybrid encryption, i.e. a combination of symmetric and asymmetric encryption
Definitions
- The invention belongs to the field of distributed communication technology and in particular relates to a method for realizing DDS domain participant security authentication.
- DDS (Data Distribution Service) is a distributed real-time communication middleware standard defined by the Object Management Group (OMG).
- The publish-subscribe model it supports gives applications flexible decoupling, and its rich set of QoS (Quality of Service) policies lets DDS meet the functional and performance requirements of Internet of Things systems.
- DDS is widely used across industrial IoT fields, including energy, medical and robotics.
- The DDS specification defines domain participants, publishers, subscribers, data types, data writers, data readers, topics, built-in topics and QoS.
- DDS sits above the operating system and below the user application; it hides the details of the underlying system and bus heterogeneity and offers a unified API for application data, as shown in Figure 1.
- DDS discovers domain participants by multicast (UDP at the transport layer).
- The prior-art X.509 certificate-based authentication method generally requires TCP and point-to-point communication, so a separate link has to be established just to carry the authentication messages, whereas DDS already relies on an automatic multicast discovery mechanism.
- Such a method therefore cannot be applied directly to DDS discovery, and it provides no interoperability between products of different vendors.
- The technical problem solved by the invention is to provide, in view of the deficiencies of the prior art, a method for realizing DDS (Data Distribution Service) domain participant security authentication comprising the following steps:
- Step 1: Every powered-on DDS node automatically reads the current system configuration and, according to the configuration items, requests the certificate file microservice to synchronize the latest certificate files into the node's specified directory.
- Step 2: A DDS node newly joining the domain decides from its system configuration whether domain participant security authentication is required. If so, it selects the current encryption file, encrypts the authentication data with it and proceeds to Step 3; if not, it proceeds directly to Step 4.
- Step 3: The joining node writes the name of the selected encryption certificate into positions 0-31 of the UserDataQosPolicy (user data policy) parameter of DomainParticipantQoS (domain participant quality of service) as defined in the DDS specification, the encrypted data length into positions 32-36, and the encrypted data from position 37 onward. (The claims say "bits" but mean byte positions counted from 0; the detailed embodiment below uses bytes 0-31 for the name, 32-35 for the length and 36 onward for the ciphertext. An implementation must fix one layout for all nodes in a domain, since Step 5 parses by offset.)
- Step 4: The joining node sends an SPDP message.
- Step 5: A node already in the domain receives the joining node's SPDP message and decides from its own configuration whether authentication is required. If so, it parses the UserDataQosPolicy content of DomainParticipantQoS, uses positions 0-31 to locate the corresponding local decryption file, uses the length in positions 32-36 to extract the encrypted data from position 37 onward, decrypts it and proceeds to Step 6. If not, it adds the joining node to its local domain participant list, sends it a confirmation message and proceeds to Step 7.
- Step 6: The receiving node checks the legality of the data decrypted in Step 5. If it is legal and valid, authentication passes: the joining node is added to the local domain participant list and sent a confirmation message. Otherwise authentication fails and the SPDP message is ignored.
- Step 7: The domain participant authentication procedure ends and the node continues to listen for DDS messages.
- In Step 1 the system configuration includes the following items:
- DDS_ENDPOINT_AUTH_SWITCH: true means this node must encrypt and decrypt (that is, take part in authentication); false means it need not. Because each node evaluates the switch independently (Step 5), a receiver with the switch set to false admits every joining node without any check, so the switch must be true on every node of a protected domain.
- DDS_CERTIFICATE_PATH: path of this node's encryption and decryption certificates.
- DDS_CERTIFICATE_SERVER_ADD: IP address and port of the certificate service center.
- DDS_CERTIFICATE_SERVER_USER: user name and password for the certificate service center.
- In Step 1 the specified directory is taken from the configuration item DDS_CERTIFICATE_PATH.
- In Step 1, if synchronizing the latest certificate files from the certificate file microservice into the node's specified directory fails, the latest files may instead be copied directly into that directory.
- In Step 2, if DDS_ENDPOINT_AUTH_SWITCH is true in the node's configuration, domain participant security authentication is required: the node selects the current encryption file, encrypts the authentication data with it and proceeds to Step 3; otherwise authentication is not required and it proceeds directly to Step 4.
- The parameters of DomainParticipantQoS mainly comprise UserDataQosPolicy (user data policy) and EntityFactoryQosPolicy (entity factory policy).
- In Step 5, if DDS_ENDPOINT_AUTH_SWITCH is true in the current configuration, domain participant security authentication is required; otherwise it is not.
- Figure 1 is a diagram of the DDS architecture.
- Figure 2 is a diagram of the naming specification of encryption and decryption certificates.
- Figure 3 is a schematic diagram of the overall message of the domain participants.
- Figure 4 is a flowchart of a newly joined domain participant.
- Figure 5 is a schematic diagram of authentication data rules.
- Figure 6 is a diagram of the composition of the domain participant authentication message.
- Figure 7 is a flowchart of authentication for newly joined domain participants.
- The RTPS protocol (Real-time Publish-Subscribe Wire Protocol) provides two ways to send SPDP messages, multicast and unicast; in practice most SPDP messages are sent by multicast.
- This is what makes DDS discovery automatic: each node can join or leave a domain without any configuration or human intervention.
- The default multicast address is 239.255.0.1, and the port is PB + DG * domainId, where PB = 7400, DG = 250 and domainId is the domain ID (so domain 0 uses port 7400, domain 1 uses 7650, and so on).
- Certificate file names follow the naming specification of Figure 2 (character positions counted from 0, 32 characters in total): characters 0-1 distinguish whether the file encrypts or decrypts (the certificate type); characters 2-4 identify the product type; characters 5-9 are reserved; characters 10-26 hold the file generation time (year, month, day, hour, minute, second, millisecond); characters 27-29 are reserved; characters 30-31 are random digits.
- The first two characters thus identify the certificate type (see Table 2).
- The encryption methods in use are symmetric and asymmetric encryption.
- For symmetric encryption the encryption file and the decryption file have the same name; for asymmetric encryption the public-key and private-key files are distinguished by the type field (see Table 2).
- The embodiment states that its symmetric algorithm is MD5 and its asymmetric algorithm is RSA, while not limiting the invention to particular algorithms, which the method does not need to know about. Note that MD5 is a one-way hash function, not a cipher: it cannot produce data that the receiver decrypts in Step 5, so an implementation needs a real symmetric cipher (for example AES) wherever the text says MD5.
- The invention proposes maintaining a certificate file microservice that stores the company's current encryption and decryption files, organized by product category, and exposes them through an SFTP (SSH File Transfer Protocol) interface with a separate user name per product.
- A certificate file component is deployed on every DDS node; each node is configured with the IP address, port, SFTP user name and password of the certificate file microservice (see Table 1 for the parameters).
- After power-on, a DDS node synchronizes the latest encryption and decryption certificate files from the microservice at regular intervals (currently every 2 hours); copying the files to the node directly is also supported.
- The microservice unifies and standardizes the management of the encryption and decryption certificates and lowers their maintenance difficulty and cost.
- A leaked key file only needs to be deleted from the microservice; each DDS node removes it automatically at its next synchronization. (Because synchronization is periodic, a deleted key stays usable against a given node until that node's next sync, which can be up to the full 2-hour interval.)
- The invention also defines an authentication data rule as a countermeasure: even if a key is leaked, a party that does not know the data rule still cannot pass security authentication and cannot join the DDS domain.
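As an added worked example (not from the patent or its assignee) of the Figure 2 naming specification and the Table 2 type field, the following Python parses a 32-character certificate file name, picks an encryption-capable file the way Step 4 does, and resolves the decryption counterpart a receiving node needs in Step 12; removing a file from the local set models the revocation-by-deletion described above. The product code `RDR`, the assumption that the product and reserved fields are free text while time and random fields are digits, and the sample file names are constructed for the example.

```python
"""Added example (not from the patent): Figure 2 certificate file names and Table 2 types."""
import random
import re
from datetime import datetime

# Table 2: the first two characters of the file name give the certificate type.
CERT_TYPES = {"00": "symmetric", "01": "asymmetric-public", "10": "asymmetric-private"}

# Figure 2 layout, character positions counted from 0 (32 characters in total):
#   0-1 type | 2-4 product type | 5-9 reserved | 10-26 generation time YYYYMMDDHHMMSSmmm
#   | 27-29 reserved | 30-31 random digits
# Assumption: product type and reserved fields are free text; time and random are digits.
_NAME_RE = re.compile(r"^(00|01|10)(.{3})(.{5})(\d{17})(.{3})(\d{2})$")


def parse_cert_name(name):
    """Split a certificate file name into its Figure 2 fields; ValueError if malformed."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a Figure 2 certificate file name: {name!r}")
    cert_type, product, _, stamp, _, rnd = m.groups()
    return {
        "type": CERT_TYPES[cert_type],
        "product": product,
        "generated": datetime.strptime(stamp, "%Y%m%d%H%M%S%f"),  # %f takes the 3 ms digits
        "random": rnd,
    }


def encryption_candidates(names, product):
    """Files a joining node may encrypt with (Step 4): symmetric keys and public keys
    of its own product type. Private keys only decrypt. Non-conforming names are skipped."""
    out = []
    for n in names:
        try:
            info = parse_cert_name(n)
        except ValueError:
            continue  # stray files in DDS_CERTIFICATE_PATH are ignored
        if info["product"] == product and info["type"] != "asymmetric-private":
            out.append(n)
    return out


def pick_encryption_file(names, product, rng=random):
    """Random selection, as the embodiment does; swap `rng` for a deterministic policy."""
    cands = encryption_candidates(names, product)
    if not cands:
        raise LookupError(f"no usable encryption file for product {product!r}")
    return rng.choice(cands)


def decryption_counterpart(name):
    """Receiver side (Step 12): the local file that undoes encryption with `name`.
    Symmetric files decrypt themselves; a public-key file maps to the private-key
    file with the same body (only the Table 2 type field differs)."""
    cert_type = parse_cert_name(name)["type"]
    if cert_type == "symmetric":
        return name
    if cert_type == "asymmetric-public":
        return "10" + name[2:]
    raise ValueError("a private-key file is not a valid encryption file in this scheme")


def can_decrypt(name, local_names):
    """Revocation by deletion: once the microservice drops a leaked file and the node
    re-syncs, the counterpart is absent and the SPDP message must be ignored."""
    return decryption_counterpart(name) in set(local_names)
```

The name-to-counterpart mapping is the only link between a sender's key and a receiver's key, so the receiver must treat a name that fails `parse_cert_name` or has no local counterpart as an authentication failure rather than falling back to a default key.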
- With reference to Figure 3, the method for realizing DDS domain participant security authentication comprises the following steps:
- Step 1: Every powered-on DDS node reads its system configuration (Table 1) and, according to the configuration items, requests the certificate file microservice to synchronize the latest certificate files into the directory given by the DDS_CERTIFICATE_PATH item of Table 1.
- Step 2: A node newly joining the domain decides from its configuration whether domain participant security authentication is required. If so, it selects the current encryption file by some selection algorithm (the invention does not fix one; the present embodiment selects at random, and the algorithm can be chosen per business scenario) and encrypts the authentication data with it. The application itself need not know which file or encryption method is in use.
- Step 3: The joining node writes the selected encryption certificate's name into positions 0-31 of the UserDataQosPolicy parameter of DomainParticipantQoS, the encrypted data length into positions 32-36 and the encrypted data from position 37 onward, then sends the SPDP message.
- The DomainParticipantQoS parameters concerned are UserDataQosPolicy and EntityFactoryQosPolicy.
- Step 4: A node already in the domain receives the SPDP message and decides from its configuration whether authentication is required. If so, it parses the UserDataQosPolicy content of DomainParticipantQoS, locates the local decryption file named in positions 0-31, extracts the encrypted data from position 37 onward using the length in positions 32-36, and decrypts it.
- Step 5: It checks the legality of the decrypted data. If legal and valid, authentication passes, the joining node is added to the local domain participant list and a confirmation message is sent to it; if authentication fails, the message is ignored and the procedure goes to Step 7.
- Step 6: If the receiving node does not require domain participant security authentication, it adds the joining node to its local domain participant list directly on receipt of the SPDP message and sends it a confirmation message.
- Step 7: The domain participant authentication procedure ends and the node continues to listen for DDS messages.
- The invention uses the UserDataQosPolicy parameter of the DDS (Data Distribution Service) DomainParticipantQoS to carry the authentication data, giving a generic domain participant authentication scheme that is compatible across different DDS products, since that parameter is part of the standard discovery data.
- It also proposes an authentication data rule intended to preserve the validity and reliability of the security authentication as far as possible should a key be leaked.
- Step 1: Every powered-on DDS node reads its system configuration (Table 1) and, according to the configuration items, requests the certificate file microservice to synchronize the latest certificate files into the directory given by the DDS_CERTIFICATE_PATH item of Table 1.
- Step 2: If the synchronization in Step 1 fails, the latest certificate files can be copied directly into that directory.
- Step 3: A new DDS node trying to join the domain reads the configuration item DDS_ENDPOINT_AUTH_SWITCH. If it is true, continue with the next step; otherwise go to Step 7.
- Step 4: Fetch an encryption file at random from the directory configured by DDS_CERTIFICATE_PATH. (The invention does not fix the selection algorithm; it can be chosen per business scenario.)
- Step 5: Encrypt the authentication data with the selected file. This example uses a simple rule for the authentication data, shown in Figure 5 (byte positions counted from 0, 48 bytes in total):
- bytes 0-13: current system time, to the second;
- bytes 14-15: current domain ID;
- bytes 16-31: IP address used by this node for DDS communication (16 bytes, IPv6-compatible);
- bytes 32-35: SPDP message mode (multicast or unicast);
- bytes 36-41: MAC address belonging to that IP address;
- bytes 42-44: current product type;
- bytes 45-47: checksum.
- The exact rule can be negotiated per product. The 48 bytes are then encrypted with the file chosen in Step 4.
- Step 6: Write the result into the UserDataQosPolicy parameter: bytes 0-31 hold the name of this node's encryption file (from Step 4); bytes 32-35 hold the length of the encrypted data from Step 5; the encrypted data itself starts at byte 36 (inclusive). See Figure 6.
- Step 7: Send the SPDP message.
- Step 8: A participant already in the domain receives the SPDP message from the joining participant. The main procedure is shown in Figure 7.
- Step 9: The joined node reads the configuration item that decides whether it performs domain participant authentication: DDS_ENDPOINT_AUTH_SWITCH.
- Step 10: If the item read in Step 9 is true, continue with the next step; otherwise go to Step 15.
- Step 11: Parse the UserDataQosPolicy parameter of DomainParticipantQoS in the received SPDP message into the encryption certificate name, the encrypted data length and the encrypted authentication data.
- Step 12: Using the certificate name from Step 11, fetch the corresponding decryption file locally and decrypt the authentication data.
- Step 13: Check whether the decrypted data conforms to the authentication data rule of Figure 5; if so, continue with the next step, otherwise go to Step 17.
- Step 14: Check the legality and validity of the decrypted authentication data: whether the IP and MAC addresses match each other and the sender, whether the time is valid, whether the product type is consistent, whether the checksum is correct, and so on. If the data is legal and valid, continue with the next step, otherwise go to Step 17.
- Step 15: Add the newly joined domain participant to the local domain participant list.
- Step 16: Send a confirmation message to the newly joined domain participant.
- Step 17: The domain participant authentication procedure ends and the node continues to listen for DDS messages.
- The invention thus provides a method for realizing the security authentication of DDS domain participants.
- The above is only a preferred embodiment of the invention. Those of ordinary skill in the art may make several improvements and modifications without departing from its principle, and these are also within its scope of protection. Components not detailed in this embodiment can be implemented with existing technology.
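The following Python is an added worked example, not the patent's or the assignee's code, of the exchange described in Steps 3 to 17: the joining node builds the 48-byte authentication record of Figure 5, encrypts it and frames it into UserDataQosPolicy as in Figure 6 (32-byte file name, 4-byte length, ciphertext from byte 36), and the joined node runs the checks of Steps 11 to 14. Assumptions not in the patent: the cipher is a stand-in keystream (HMAC-SHA256 in counter mode over the key-file bytes, 16-byte nonce prepended) standing where the text says MD5/RSA, and only the symmetric path is exercised; the 4-byte SPDP mode field carries `MCST` or `UCST`; the checksum is the low 24 bits of CRC-32 over bytes 0-44; the time field is UTC; the 60-second acceptance window, key bytes, addresses and product code are constructed.

```python
"""Added example (not from the patent): Figure 5 authentication record, Figure 6
UserDataQosPolicy framing and the receiver checks of Steps 11-14, symmetric path only."""
import calendar, hashlib, hmac, ipaddress, os, struct, time, zlib

MCST, UCST = b"MCST", b"UCST"  # assumed encoding of the 4-byte SPDP mode field (bytes 32-35)


# --- stand-in cipher: HMAC-SHA256 keystream in counter mode, 16-byte nonce prepended.
#     An assumption standing in for the unspecified cipher; MD5 as written cannot decrypt.
def _keystream(key, nonce, n):
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def encrypt(key, plaintext, nonce=None):
    nonce = os.urandom(16) if nonce is None else nonce
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key, blob):
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# --- Figure 5: 48-byte authentication record -----------------------------------------
def _ip16(ip):
    """16-byte IP field; an IPv4 address is carried as an IPv4-mapped IPv6 address."""
    a = ipaddress.ip_address(ip)
    return (a if a.version == 6 else ipaddress.IPv6Address("::ffff:" + ip)).packed

def _checksum(body):
    return (zlib.crc32(body) & 0xFFFFFF).to_bytes(3, "big")  # assumed: low 24 bits of CRC-32

def build_auth_record(ts, domain_id, ip, mode, mac, product):
    """0-13 UTC time to the second | 14-15 domain | 16-31 IP | 32-35 SPDP mode
    | 36-41 MAC | 42-44 product type | 45-47 checksum over bytes 0-44."""
    if len(mode) != 4 or len(product) != 3:
        raise ValueError("mode must be 4 bytes and product type 3 bytes")
    body = (time.strftime("%Y%m%d%H%M%S", time.gmtime(ts)).encode("ascii")
            + struct.pack(">H", domain_id) + _ip16(ip) + mode
            + bytes.fromhex(mac.replace(":", "")) + product)
    return body + _checksum(body)

def parse_auth_record(rec):
    """Step 13: reject anything that does not follow the Figure 5 rule."""
    if len(rec) != 48:
        raise ValueError("record is not 48 bytes")
    if rec[45:] != _checksum(rec[:45]):
        raise ValueError("checksum mismatch")
    ip = ipaddress.IPv6Address(rec[16:32])
    return {
        "ts": calendar.timegm(time.strptime(rec[:14].decode("ascii"), "%Y%m%d%H%M%S")),
        "domain": struct.unpack(">H", rec[14:16])[0],
        "ip": str(ip.ipv4_mapped or ip),
        "mode": rec[32:36],
        "mac": ":".join(f"{b:02x}" for b in rec[36:42]),
        "product": rec[42:45],
    }


# --- Figure 6: UserDataQosPolicy value -----------------------------------------------
def pack_user_data(cert_name, ciphertext):
    """Bytes 0-31 file name, 32-35 big-endian ciphertext length, 36.. ciphertext."""
    name = cert_name.encode("ascii")
    if len(name) != 32:
        raise ValueError("certificate file name must be exactly 32 characters")
    return name + struct.pack(">I", len(ciphertext)) + ciphertext

def unpack_user_data(blob):
    if len(blob) < 36:
        raise ValueError("UserDataQosPolicy value shorter than its header")
    n = struct.unpack(">I", blob[32:36])[0]
    if len(blob) != 36 + n:
        raise ValueError("length field does not match the payload")
    return blob[:32].decode("ascii"), blob[36:]


# --- Steps 11-14 on the already-joined node ------------------------------------------
def authenticate(blob, local_files, expected, now, window_s=60):
    """`local_files`: certificate file name -> key bytes synced from the microservice.
    `expected`: ip, mac, domain and product of the sender as observed by the receiver.
    Returns (accepted, reason); a False result means the SPDP message is ignored."""
    try:
        name, ct = unpack_user_data(blob)
    except (ValueError, UnicodeDecodeError) as e:
        return False, f"malformed UserData: {e}"
    # Table 2: a symmetric file decrypts itself; a public-key file (01) needs the private one (10).
    counterpart = name if name[:2] == "00" else "10" + name[2:]
    key = local_files.get(counterpart)
    if key is None:
        return False, "no local decryption file (never provisioned, or deleted after a leak)"
    try:
        rec = parse_auth_record(decrypt(key, ct))
    except (ValueError, UnicodeDecodeError) as e:
        return False, f"authentication data rule violated: {e}"
    if abs(rec["ts"] - now) > window_s:
        return False, "time field outside the acceptance window"
    if (rec["ip"], rec["mac"]) != (expected["ip"], expected["mac"]):
        return False, "IP/MAC do not match the sender"
    if rec["domain"] != expected["domain"] or rec["product"] != expected["product"]:
        return False, "domain ID or product type mismatch"
    return True, "authenticated"
```

The receiver compares the IP and MAC inside the record with what it observed on the wire, so the example expects the caller to pass those observations in `expected` rather than trusting the record alone. The checksum only detects corruption, and freshness comes solely from the time field, so the acceptance window should be kept as tight as clock skew between nodes allows.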
Description

Table 1. Node configuration items

Configuration item | Example | Description
---|---|---
DDS_ENDPOINT_AUTH_SWITCH | true/false | Whether this node must encrypt and decrypt
DDS_CERTIFICATE_PATH | /dds/certificate/ | Path of this node's encryption/decryption certificates
DDS_CERTIFICATE_SERVER_ADD | 192.168.1.1:22 | IP address and port of the certificate service center
DDS_CERTIFICATE_SERVER_USER | dds_radar:dds | Certificate service center user name and password

Table 2. Certificate type field values

Certificate type field value | Description
---|---
00 | Symmetric encryption
01 | Asymmetric encryption (public key)
10 | Asymmetric encryption (private key)
Claims (7)
- 1. A method for realizing security authentication of DDS domain participants, characterized in that it comprises the following steps:
Step 1: all powered-on DDS nodes automatically read the current system configuration and, according to the configuration items, automatically request the certificate file microservice to synchronize the current latest certificate files into the specified directory of the current DDS node;
Step 2: a DDS node newly joining the domain determines, according to its system configuration, whether domain participant security authentication is required; if so, it selects the current encryption file, encrypts the authentication data with the selected encryption file and then performs Step 3; if not, it performs Step 4 directly;
Step 3: the DDS node newly joining the domain writes the name of the selected encryption certificate into positions 0-31 of the UserDataQosPolicy (user data policy) parameter of DomainParticipantQoS (domain participant quality of service) as defined in the DDS protocol specification, writes the encrypted data length into positions 32-36 and writes the encrypted data from position 37 onward;
Step 4: the DDS node newly joining the domain sends an SPDP message;
Step 5: a DDS node already in the domain receives the SPDP message of the newly joining DDS node and determines, according to the current system configuration, whether domain participant security authentication is required; if so, it parses the UserDataQosPolicy parameter content of DomainParticipantQoS, obtains the corresponding local decryption file from positions 0-31 of the UserDataQosPolicy parameter, obtains the data from position 37 onward using the encrypted data length in positions 32-36, decrypts it and then performs Step 6; if not, on receipt of the SPDP message it adds the newly joining DDS node directly to the local domain participant list, sends it a confirmation message and then performs Step 7;
Step 6: the legality of the data decrypted in Step 5 is confirmed; if it is legal and valid, authentication passes, the newly joining DDS node is added to the local domain participant list and a confirmation message is sent to it; otherwise authentication fails and the SPDP message is ignored;
Step 7: the domain participant authentication procedure ends and the node continues to listen for DDS messages.
- 2. The method according to claim 1, characterized in that in Step 1 the system configuration includes the following configuration items: DDS_ENDPOINT_AUTH_SWITCH: true means this node needs to encrypt and decrypt, false means it does not; DDS_CERTIFICATE_PATH: path of this node's encryption/decryption certificates; DDS_CERTIFICATE_SERVER_ADD: IP address and port of the certificate service center; DDS_CERTIFICATE_SERVER_USER: user name and password of the certificate service center.
- 3. The method according to claim 2, characterized in that in Step 1 the specified directory is obtained from the configuration item DDS_CERTIFICATE_PATH.
- 4. The method according to claim 3, characterized in that in Step 1, if synchronization of the current latest certificate files from the certificate file microservice into the specified directory of the current DDS node fails, the latest certificate files are copied directly into that directory.
- 5. The method according to claim 4, characterized in that in Step 2, if the configuration item DDS_ENDPOINT_AUTH_SWITCH in the current node's system configuration is true, domain participant security authentication is determined to be required, the current encryption file is selected, the authentication data is encrypted with it and Step 3 is performed; otherwise domain participant security authentication is determined not to be required and Step 4 is performed directly.
- 6. The method according to claim 5, characterized in that in Step 3 the parameter information of DomainParticipantQos includes UserDataQosPolicy (user data policy) and EntityFactoryQosPolicy (entity factory policy).
- 7. The method according to claim 6, characterized in that in Step 5, if the configuration item DDS_ENDPOINT_AUTH_SWITCH in the current system configuration is true, domain participant security authentication is determined to be required; otherwise it is determined not to be required.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201911173549.XA (CN111031012B) (en) | 2019-11-26 | 2019-11-26 | Method for realizing security authentication of DDS domain participant
CN201911173549.X | 2019-11-26 | |
Publications (1)
Publication Number | Publication Date
---|---
WO2021103431A1 (en) | 2021-06-03
Family
ID=70202280
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2020/089928 WO2021103431A1 (en) | 2019-11-26 | 2020-05-13 | Method for realizing dds domain participant security authentication |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN111031012B (en) |
WO (1) | WO2021103431A1 (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111031012B (en) * | 2019-11-26 | 2021-04-27 | 南京莱斯电子设备有限公司 | Method for realizing security authentication of DDS domain participant |
CN114448979B (en) * | 2021-12-29 | 2024-01-19 | 中国航空工业集团公司西安航空计算技术研究所 | DDS-based dynamic binding communication system for publishing and subscribing |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120266209A1 (en) * | 2012-06-11 | 2012-10-18 | David Jeffrey Gooding | Method of Secure Electric Power Grid Operations Using Common Cyber Security Services |
US8671135B1 (en) * | 2006-04-24 | 2014-03-11 | Real-Time Innovations, Inc. | Flexible mechanism for implementing the middleware of a data distribution system over multiple transport networks |
CN107637038A (en) * | 2015-06-09 | 2018-01-26 | 英特尔公司 | For the systems, devices and methods for the life cycle for managing safe distribution subscription system |
CN111031012A (en) * | 2019-11-26 | 2020-04-17 | 南京莱斯电子设备有限公司 | Method for realizing security authentication of DDS domain participant |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6070245A (en) * | 1997-11-25 | 2000-05-30 | International Business Machines Corporation | Application interface method and system for encryption control |
CN102404347A (en) * | 2011-12-28 | 2012-04-04 | 南京邮电大学 | Mobile internet access authentication method based on public key infrastructure |
US11010348B2 (en) * | 2013-03-15 | 2021-05-18 | Dataguise, Inc. | Method and system for managing and securing subsets of data in a large distributed data store |
EP3017582B1 (en) * | 2013-07-01 | 2020-11-04 | InterDigital CE Patent Holdings | Method to enroll a certificate to a device using scep and respective management application |
CN108614238A (en) * | 2018-05-03 | 2018-10-02 | 中国科学院电子学研究所 | Sonic location system, sonic location system and localization method for intelligent terminal |
CN110427039A (en) * | 2019-08-29 | 2019-11-08 | 山东大学 | A kind of distributed cloud navigation system and air navigation aid based on ROS2 |
- 2019
  - 2019-11-26 CN CN201911173549.XA patent/CN111031012B/en active Active
- 2020
  - 2020-05-13 WO PCT/CN2020/089928 patent/WO2021103431A1/en active Application Filing
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8671135B1 (en) * | 2006-04-24 | 2014-03-11 | Real-Time Innovations, Inc. | Flexible mechanism for implementing the middleware of a data distribution system over multiple transport networks |
US20120266209A1 (en) * | 2012-06-11 | 2012-10-18 | David Jeffrey Gooding | Method of Secure Electric Power Grid Operations Using Common Cyber Security Services |
CN107637038A (en) * | 2015-06-09 | 2018-01-26 | 英特尔公司 | For the systems, devices and methods for the life cycle for managing safe distribution subscription system |
CN111031012A (en) * | 2019-11-26 | 2020-04-17 | 南京莱斯电子设备有限公司 | Method for realizing security authentication of DDS domain participant |
Non-Patent Citations (2)
Title |
---|
LI, MING-JUAN ET AL.: "Design of Authentication Protocol for High-security Data Distribution Service", AERONAUTICAL COMPUTING TECHNIQUE, vol. 45, no. 1, 31 January 2015 (2015-01-31), pages 103 - 107, XP055815897 * |
OBJECT MANAGEMENT GROUP: "DDS Security Version 1.1", OBJECT MANAGEMENT GROUP, FORMAL/2018-04-01, 30 June 2018 (2018-06-30), pages 1 - 285, XP009528499 * |
Also Published As
Publication number | Publication date |
---|---|
CN111031012B (en) | 2021-04-27 |
CN111031012A (en) | 2020-04-17 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111771390B (en) | | Self-organizing network |
EP1226680B1 (en) | | Secured ad hoc network and method for providing the same |
US6912657B2 (en) | | Method and arrangement in a communication network |
EP3742696A1 (en) | | Identity management method, equipment, communication network, and storage medium |
US7234058B1 (en) | | Method and apparatus for generating pairwise cryptographic transforms based on group keys |
US7089211B1 (en) | | Directory enabled secure multicast group communications |
CN107659406B (en) | | Resource operation method and device |
CN107769914B (en) | | Method and network device for protecting data transmission security |
US20080307110A1 (en) | | Conditional BGP advertising for dynamic group VPN (DGVPN) clients |
WO2015157720A2 (en) | | Methods and apparatus for implementing a communications system secured using one-time pads |
Tiloca et al. | | Axiom: DTLS-based secure IoT group communication |
JP2006165984A (en) | | Authentication method of ad hoc network, and its radio communications terminal |
US20180262352A1 (en) | | Secure Authentication of Remote Equipment |
EP3813298A1 (en) | | Method and apparatus for establishing trusted channel between user and trusted computing cluster |
US8958435B2 (en) | | Information management method and information processing device |
CN102970135B (en) | | Method and apparatus for finding a shared secret without leaking non-shared secrets |
WO2021103431A1 (en) | | Method for realizing dds domain participant security authentication |
US20080065778A1 (en) | | Method of managing information and information processing apparatus |
US20060005010A1 (en) | | Identification and authentication system and method for a secure data exchange |
CN111797378A (en) | | Multiple identity management authentication platform for social security information |
CN109995723B (en) | | Method, device and system for DNS information interaction of domain name resolution system |
US20070055870A1 (en) | | Process for secure communication over a wireless network, related network and computer program product |
JPH06318939A (en) | | Cipher communication system |
JP2008097264A (en) | | Authentication system for authenticating wireless lan terminal, authentication method, authentication server, wireless lan terminal, and program |
US7596223B1 (en) | | User control of a secure wireless computer network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20892976; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 20892976; Country of ref document: EP; Kind code of ref document: A1 |
| 32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 22/05/2023) |