Security question

[jasperdevries-tnl]

Hi,

I'm looking in the specification for RSMP core 3.2 and I have a question about section "4.3.2 security".
It states that if security is used (assuming it will be), "certificates should be used to verify the identities of the equipment". I read this as "the supervisor (our application) should ensure it is talking to an authenticated site".
In the meantime, the site is connecting to us, so in terms of opening a TCP socket, the server should provide a certificate too. Would it be better to state that if encryption is used on the supervisor, mutual SSL must be used? That would make things clear for both supervisor and site implementations.
Having your equipment connecting to an untrusted "supervisor" should be euqally harmful as the actual supervisor accepting connections from untrusted equipment.

And second: if the supervisor supports encryption, does that mean all sites connecting to this supervisor must use encryption? Or should the supervisor also allow for non-encrypted connections?

I've found some older issues regarding security, but those are already closed:

• Site id spoofing? #11
• Rework encryption #42

[otterdahl]

Thank you for the feedback.
This is a good point. We should consider changing this.

Regarding your second point.

Personally I believe that the supervisor needs to support both encrypted and non-encrypted connections since not all controllers supports encryption. But in general it depends of the requirements of the supervision system which may be different for each road authority.

Since encryption in RSMP is an optional requirement, it means that the road authority needs to specifically require it. Not all controllers supports encryption in RSMP so it really depends what types of controllers the road authority have installed.

[jasperdevries-tnl]

Hi David,

Can this be clarified in the next RSMP core version? I can imagine it is harder to change this in an already released version.
I agree that a supervisor must support both encrypted an non-encrypted connections. Can this also be documented more specific?

I would suggest that a supervisor may listen on two ports to differentiate between encrypted and non-encrypted connections. My experience so far is that the port number being used is an informal agreement between supervisor and site. I think it would be better to have documented port numbers for RSMP communication (both encrypted and non-encrypted)

[emiltin]

RSMP 4 will probably be based on MQTT, which can run over QUIC (rather thanTCP). QUIC is encrypted by default and exchanges TLS certificates as part of the QUIC connection handshake. See rsmp-nordic/rsmp_core_v4#2

[otterdahl]

I've opened a PR: #201. Please review it to ensure I've understood it correctly.