Toward a Safe and Secure Medical Internet of Things
2.3 Data Distribution Service Security
The OMG DDS Security Specification adds support for authentication, authorization, access
control, confidentiality, integrity and non-repudiation for the data sent over DDS. Moreover, it
provides a security auditing capability to evaluate the overall communication state. Due to the
data-centric design of DDS, DDS Security can provide fine-grained access control over the
messages and sub-messages that include both data and meta-data. This allows DDS to control
and enforce which applications have authorization to publish and subscribe to the numerous data
types on the network.
DDS Security is designed to handle scalable deployment scenarios, specifically the one-to-many
(multicast) distribution of encrypted information while maintaining real-time quality-of-service.
It also provides an extensible plugin-based architecture, as well as a set of built-in plugins for out-of-the-box interoperability. This architecture allows application developers to integrate with pre-existing identity management mechanisms, authorization policy repositories or cryptographic
libraries, which might be program-specific.
Figure 2 shows the pluggable architecture of DDS Security. The authentication plugin supports
identity verification, mutual authentication and shared secret establishment. The access control
plugin enforces granular security policies. The cryptographic operations, such as encryption,
decryption, hashing, digital signatures and key derivation, are implemented in the cryptographic
plugin. Finally, logging and data tagging plugins are used for auditing security-relevant events and
annotating data with a security label, respectively.
Figure 2: Architectural View of DDS Security
IIC Journal of Innovation