RTI Connext DDS Secure – Secure Messaging for Intelligent Machines

Secure Messaging for Intelligent Machines

Connext DDS Secure provides a standards-compliant, off-the-shelf messaging platform that delivers the security, performance, and safety required for deployment of the Industrial Internet of Things. It complies with the new Data Distribution Service (DDS) Security specification from the Object Management Group (OMG).

Features and Benefits:

  • Provides authentication, authorisation, non-repudiation, confidentiality, and integrity
  • Protects discovery information, metadata, and data
  • Defends against unauthorised access, tampering, and replay
  • Operates without centralised servers for high performance, scalability, and availability
  • Runs over any transport including TCP, UDP, multicast, and shared memory
  • Integrates with existing security infrastructures and hardware acceleration
  • Secures unmodified existing DDS applications

Securing critical infrastructure is essential for safety and economic reasons and it must be pursued without sacrificing performance or reliability. The machines that make up medical, energy, manufacturing, transportation, and defence systems must perform at the speed of the physical-world processes they manage. Even brief unplanned outages can be disastrous.

Connext DDS Secure introduces a robust set of security capabilities to the Connext DDS Professional package. These include authentication, encryption, access control and logging. Secure multicast support enables efficient and scalable distribution of data to many subscribers. Performance is also optimised by fine-grain control over the level of security applied to each data flow, such as whether encryption or just message authentication is required.

Standard Capabilities

Authentication
  • X.509 Public Key Infrastructure (PKI) with a pre-configured shared Certificate Authority (CA)
  • Digital Signature Algorithm (DSA) with Diffie-Hellman and RSA for authentication and key exchange
Access Control
  • Specifications via permissions file signed by shared CA
  • Control over ability to join DDS Domains and Partitions, read or write Topics
  • Control on individual objects and Quality of Service (QoS) via plugins
Cryptography
  • Protected key distribution
  • AES128 and AES256 for encryption
  • HMAC-SHA1 and HMAC-SHA256 for message authentication and integrity
Data Tagging
  • Used to specify security metadata, such as classification level
  • Sent during endpoint discovery
  • Can be used to determine access privileges (via plugin)
Logging
  • Log security events to a local file or distribute securely over Connext DDS


An optional SDK allows implementation of custom security plugins. These can be used to integrate with existing authentication infrastructures, support additional encryption algorithms or leverage hardware acceleration. The Plugin SDK includes the source code of the standard RTI plugins as an example.

Transport Flexibility

Security is implemented above the transport layer and does not require a secure transport protocol such as TLS/SSL or DTLS. Any Connext DDS transport can be used securely, including UDP, TCP and shared memory. Support for UDP multicast (both reliable and best effort) enables very efficient data distribution when there are many subscribers to the same data.

Security is implemented at the middleware layer, between the application and underlying transport protocol.

Optimised Performance

Only data that must be private has to incur the overhead of encryption and decryption. This is much more efficient than TLS and other transport-layer security approaches that encrypt all data. For example, it is not necessary to encrypt the observable data reported by a weather station used to forecast power demand; the data only has to be signed with a Message Authentication Code (MAC) to prevent malicious manipulation.
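The sign-only weather-station flow described above, as an added example; it is not RTI code and does not use the DDS Security wire format. The message layout (16-byte writer id, 64-bit sequence number, payload, HMAC-SHA256 tag), the names `sign_sample` and `SignOnlyReader`, and the constant key are assumptions made for the illustration. The payload stays readable on the wire, while tampered and replayed samples are rejected.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct(">16sQ")   # assumed layout: writer id (NUL-padded), sequence number
TAG_LEN = hashlib.sha256().digest_size

# Constructed demo key. A real deployment would obtain per-flow keys from the
# middleware's protected key distribution, never from a constant in source.
DEMO_KEY = bytes(range(32))


def sign_sample(key: bytes, writer_id: bytes, seq: int, payload: bytes) -> bytes:
    """Return header + plaintext payload + MAC; nothing is encrypted."""
    header = HEADER.pack(writer_id, seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class SignOnlyReader:
    """Accepts a sample only if its MAC verifies and its sequence number is new."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}  # writer id -> highest sequence number accepted

    def accept(self, message: bytes):
        if len(message) < HEADER.size + TAG_LEN:
            return None                               # too short to be valid
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):    # constant-time comparison
            return None                               # tampered or wrong key
        writer_id, seq = HEADER.unpack(body[:HEADER.size])
        # Simplification: strictly increasing counter. A best-effort flow that
        # tolerates reordering would use a sliding window instead.
        if seq <= self.last_seq.get(writer_id, 0):
            return None                               # replayed or stale sample
        self.last_seq[writer_id] = seq
        return body[HEADER.size:]


if __name__ == "__main__":
    reader = SignOnlyReader(DEMO_KEY)
    msg = sign_sample(DEMO_KEY, b"weather-01", 1, b'{"temp_c": 21.5}')
    print("first delivery:", reader.accept(msg))
    print("replayed copy: ", reader.accept(msg))
    print("tampered copy: ", SignOnlyReader(DEMO_KEY).accept(msg.replace(b"21.5", b"99.9")))
```

The sequence number is covered by the MAC, so an attacker cannot renumber a captured sample to get it past the replay check.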

Standards Compliance

Connext DDS Secure complies with the Data Distribution Service (DDS) Security specification from the Object Management Group (OMG). This provides interoperability with other compliant DDS implementations, as well as portability of custom plugins.