- Key: DDSSEC13-92
- Status: open
- Source: Real-Time Innovations (Dr. Gerardo Pardo-Castellote, Ph.D.)
- Summary:
The security spec does not explicitly mention that the secure volatile channel must use encryption.
This probably belongs to chapter 10, as the impacted configuration is the PluginEndpointSecurityAttributes.
The specification should state that, for the BuiltinParticipantVolatileMessageSecureWriter & BuiltinParticipantVolatileMessageSecureReader, the attribute is_submessage_encrypted in the PluginEndpointSecurityAttributes (see 10.4.2.5) shall be set to TRUE.
The same applies to the endpoints used by the TypeLookupService.
Additionally, we should discuss whether the TypeLookupService needs to be configurable to use origin authentication or whether this potential weakness is reasonable given the use to propagate type objects whose hashes are known.
Additional Background
The DDS Security 1.2 Specification already includes the PID_AVAILABLE_BUILTIN_ENDPOINTS_EXT Parameter ID, which advertises the availability of the Secure TypeLookup Built-In Endpoints.
PID_PARTICIPANT_SECURITY_PROTECTION_INFO is about propagating the protection kind. It has a standard part (participant_security_attributes) and a vendor-specific part (plugin_participant_security_attributes).
Proposed approach:
Add a new boolean member to ParticipantSecurityConfig in section 9.4.2.4
Add a new bit to the ParticipantSecurityAttributesMask mask in table 34:

| Field in ParticipantSecurityConfig | Corresponding bit in the ParticipantSecurityAttributesMask |
|---|---|
| is_type_lookup_protected | 0x00000001 << 5 |

Add two additional bits in the plugin_participant_security_attributes mask (table 67):

| Field in ParticipantSecurityConfig | Corresponding bit in the PluginParticipantSecurityAttributesMask |
|---|---|
| is_type_lookup_encrypted | 0x00000001 << 7 |
| is_type_lookup_origin_authenticated | 0x00000001 << 8 |
The presence of these flags will depend on the protection kind that the user configures for the type lookup endpoints. This configuration will be done in the Governance Document.
Add a new optional xml element, child of the domain_rule (similar to the existing monitoring_logging_protection_kind elements for configuring the monitoring endpoints). The name for the new element will be <type_lookup_protection_kind>. The possible values will be: NONE, SIGN, ENCRYPT, ENCRYPT_WITH_ORIGIN_AUTHENTICATION, SIGN_WITH_ORIGIN_AUTHENTICATION.
If the Governance Document doesn’t include the <type_lookup_protection_kind> tag but the user configures the type lookup service, then the default value of ENCRYPT will be used.
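As an added illustration (not text from the issue or the specification), the sketch below resolves the proposed <type_lookup_protection_kind> element of one domain_rule into the proposed mask bits. The bit positions, element name, allowed values and ENCRYPT default come from the proposal above; the mapping from protection kind to flags, the function name and the sample XML are assumptions, and the type lookup service is assumed to be enabled.

```python
import xml.etree.ElementTree as ET

# Bit positions as proposed in the issue text.
IS_TYPE_LOOKUP_PROTECTED = 0x00000001 << 5             # ParticipantSecurityAttributesMask
IS_TYPE_LOOKUP_ENCRYPTED = 0x00000001 << 7             # PluginParticipantSecurityAttributesMask
IS_TYPE_LOOKUP_ORIGIN_AUTHENTICATED = 0x00000001 << 8  # PluginParticipantSecurityAttributesMask

DEFAULT_KIND = "ENCRYPT"  # proposed default when the element is absent

# ASSUMED mapping: kind -> (protected, encrypted, origin_authenticated).
# The issue only says the flags "depend on the protection kind".
KIND_FLAGS = {
    "NONE": (False, False, False),
    "SIGN": (True, False, False),
    "ENCRYPT": (True, True, False),
    "SIGN_WITH_ORIGIN_AUTHENTICATION": (True, False, True),
    "ENCRYPT_WITH_ORIGIN_AUTHENTICATION": (True, True, True),
}


def type_lookup_masks(domain_rule_xml):
    """Return (kind, participant_mask_bits, plugin_mask_bits) for one domain_rule.

    Hypothetical helper; expects governance XML whose signature was already verified.
    """
    rule = ET.fromstring(domain_rule_xml)
    elem = rule.find("type_lookup_protection_kind")
    kind = DEFAULT_KIND if elem is None else (elem.text or "").strip()
    if kind not in KIND_FLAGS:
        # Fail closed: an unknown value must not silently downgrade to NONE.
        raise ValueError(f"invalid type_lookup_protection_kind: {kind!r}")
    protected, encrypted, origin_auth = KIND_FLAGS[kind]
    participant_bits = IS_TYPE_LOOKUP_PROTECTED if protected else 0
    plugin_bits = (IS_TYPE_LOOKUP_ENCRYPTED if encrypted else 0) | (
        IS_TYPE_LOOKUP_ORIGIN_AUTHENTICATED if origin_auth else 0)
    return kind, participant_bits, plugin_bits


# Constructed sample fragments, not taken from the specification.
SAMPLE_RULES = [
    "<domain_rule></domain_rule>",  # element absent, default applies
    "<domain_rule><type_lookup_protection_kind>NONE"
    "</type_lookup_protection_kind></domain_rule>",
    "<domain_rule><type_lookup_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION"
    "</type_lookup_protection_kind></domain_rule>",
]

if __name__ == "__main__":
    for xml_text in SAMPLE_RULES:
        kind, participant_bits, plugin_bits = type_lookup_masks(xml_text)
        print(f"{kind}: participant=0x{participant_bits:08x} plugin=0x{plugin_bits:08x}")
```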
- Reported: DDS-SECURITY 1.2 — Mon, 9 Jun 2025 22:53 GMT
- Updated: Wed, 10 Dec 2025 15:53 GMT
DDSSEC13 — Specify use of encryption by BuiltinParticipantVolatileMessageSecure and TypeLookupService Writer/Reader
- OMG Task Force: DDS Security 1.3 RTF