Closed hokeun closed 1 year ago
During a discussion, @soyerefsane suggested having TLS as an option as well. So we will try to get to that as well.
This is worked on https://github.com/lf-lang/lingua-franca/tree/auth. I linked a branch on this issue.
My branch currently uses
target C { auth: true }
option to include OpenSSL libraries, and use HMAC authentications between the RTI and the federate. It randomly creates nonce and creates a HMAC tag, and they process a 3 step handshake starting from the RTI.
For test, First build the RTI.
// org.lflang\src\lib\c\reactor-c\core\federated\RTI\
mkdir build && cd build
cmake -DAUTH=ON ../
make
sudo make install
Next, I made a simple test .lf file for test.
./gradlew runlfc --args test/C/src/federated/SimpleFederatedAuth.lf
./test/C/bin/SimpleFederatedAuth
RTI does not include OpenSSL libraries when -DAUTH=ON is not commanded. It is set OFF on default.
runlfc
command also does not include OpenSSL libraries if target C { auth: true }
is not coded.
Relevant branches that are currently being worked on to add HMAC-based simple authentication of federates:
Lingua-Franca: https://github.com/lf-lang/lingua-franca/tree/auth Reactor-c: https://github.com/lf-lang/reactor-c/tree/security
Motivation
The current implementation of federated execution lacks authentication and encryption mechanisms to prevent adversarial federates from joining the federation or sending malicious messages (e.g., bad tags or bad sensor readings) to RTI or other federates.
Goals
Approach
Target property for configuring authentication
To begin with, we can have following target property options:
In the future, we will be able to use full-fledged authentication, for example, using different keys for each federate or using public-key cryptography for authentication.
Target property for configuring communication security for network messages
Here are target property options to begin with
Once the SST's C API is ready in the future, we will be able to leverage that in LF federated execution for key distribution.
As future work, we can try to apply different encryption and message authentication algorithms for each federate in the same federation, to support a federation with federates running on heterogeneous platforms where some of platforms have limited resources or capabilities.
RTI Command-line Arguments
Because RTI is compiled separately, RTI should be able to support authentication & security by default.
#ifdef
to make the security optional. However, I think it should be rasonable to include OpenSSL in RTI by default.)Because RTI includes the authentication & security support by default, we will need additional command-line arguments for configuring authentication & security. Here are some examples where each option takes a string configuration (for example, --auth Hmac):
Future Work
How can we handle a scenario where some federates join without a security mechanism while other federates have to use secure authentication? For example, some bare-iron federates like sensor nodes for which we can filter the bogus sensor nodes even if they join a federation without secure authentication, and other federates like controllers which require secure authentication in the same federation.