Abstract

Multiple defense-relevant open architecture standards include the publish/subscribe messaging paradigm, which allows for dynamic network topology and scalability. Using the Transport Layer Security (TLS) protocol to secure such messaging is common; however, certificate validation must be performed. Typically, certificate validation is left to the application to configure, but history has shown that application developers often get certificate validation wrong. In this paper, we explore the overhead costs of different security implementations under varying network conditions within a pub/sub system. Furthermore, we study how TrustBase strengthens and simplifies certificate validation within a pub/sub architecture. TrustBase allows a system administrator or integrator to specify a single certificate validation policy for all applications in the system. This ensures that even if application developers have misconfigured certificate validation, the policy is followed, which we believe could make system accreditation easier. Our study is conducted on a notional system with an Apache ActiveMQ messaging server. Handshake timing data are collected from several publishers and subscribers to understand the overhead resulting from using TLS with and without the TrustBase kernel module active on the system. Our experiments run with different certificate validation strategies, including prepositioned public keys and certificate chaining with a trusted root certificate authority. To our knowledge, we are the first to study TrustBase in an environment that emulates realistic network conditions and a messaging paradigm beyond the traditional client/server model. Our results confirm those of the original TrustBase work: TrustBase adds negligible overhead and is easily configurable as a universal certificate validation authority.
