Proceedings Paper

Protecting publish/subscribe interactions via TLS and a system-wide certificate validation engine
Author(s): Tony Pierce; Andrew Alten; Michael R. Clark
Paper Abstract

Multiple defense-relevant open architecture standards include the publish/subscribe messaging paradigm, which allows for dynamic network topology and scalability. Using the Transport Layer Security (TLS) protocol to secure such messaging is common; however, certificate validation must still be performed. Typically, certificate validation is left to the application to configure, but history has shown that application developers often get certificate validation wrong. In this paper, we explore the overhead costs of different security implementations under varying network conditions within a pub/sub system. Furthermore, we study how TrustBase strengthens and simplifies certificate validation within a pub/sub architecture. TrustBase allows a system administrator or integrator to specify a single certificate validation policy for all applications in the system. This ensures that the policy is followed even if application developers have misconfigured certificate validation, which we believe could make system accreditation easier. Our study is conducted on a notional system with an Apache ActiveMQ messaging server. Handshake timing data are collected from several publishers and subscribers to understand the overhead resulting from using TLS with and without the TrustBase kernel module active on the system. Our experiments run with different certificate validation strategies, including prepositioned public keys and certificate chaining with a trusted root certificate authority. To our knowledge, we are the first to study TrustBase in an environment that emulates realistic network conditions and a messaging paradigm beyond the traditional client/server model. Our results confirm those of the original TrustBase work: TrustBase adds negligible overhead and is easily configurable as a universal certificate validation authority.

Paper Details

Date Published: 23 April 2020
PDF: 7 pages
Proc. SPIE 11425, Unmanned Systems Technology XXII, 114250G (23 April 2020); doi: 10.1117/12.2555930
Author Affiliations
Tony Pierce, Riverside Research (United States)
Andrew Alten, Riverside Research (United States)
Michael R. Clark, Riverside Research (United States)

Published in SPIE Proceedings Vol. 11425:
Unmanned Systems Technology XXII
Hoa G. Nguyen; Paul L. Muench; Charles M. Shoemaker, Editor(s)

© SPIE.