Authors: 沈卓炜 (SHEN Zhuowei); 高鹏 (GAO Peng) [1,2]; 许心宇 (XU Xinyu)
Affiliations: [1] School of Cyber Science and Engineering, Southeast University, Nanjing 211189, China; [2] Key Laboratory of Computer Network and Information Integration (Southeast University), Ministry of Education, Nanjing 211189, China
Source: 《信息网络安全》 (Netinfo Security), 2021, No. 6, pp. 19-25 (7 pages)
Funding: National Key R&D Program of China [2018YFB1800602].
Abstract: In response to the security threats faced by distributed real-time applications based on the Data Distribution Service (DDS) in critical core areas, this paper proposes a PKI-based DDS secure communication middleware scheme that adopts a plug-in design and supports identity authentication, access control, and data encryption and decryption. The scheme keeps its APIs consistent with the original DDS middleware and integrates the security negotiation process with the DDS discovery mechanism. Using a customized security QoS and the standardized QoS negotiation mechanism, the security service level and the encryption algorithm can be configured flexibly. Confidentiality and access control of data distribution are achieved by combining asymmetric and symmetric encryption. Theoretical analysis and prototype system tests show that the proposed DDS secure communication middleware scheme addresses security threats such as unauthorized subscription, unauthorized publishing, and insecure channel transmission in the data distribution process, and that latency increases only slightly compared with the original DDS middleware, balancing security and efficiency.
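Keywords: data distribution service; middleware; identity authentication; access control; data confidentiality
Classification: TP309 [Automation and Computer Technology: Computer System Architecture]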