Design and Implementation of a Distributed Interactive Simulation Security Architecture

Pierre Bieber, Pierre Siron
ONERA-CERT
Pierre.Bieber@cert.fr, Pierre.Siron@cert.fr

Abstract

The paper describes the design and implementation of a security architecture for an HLA/RTI prototype developed at ONERA/CERT. The major security objective is to protect the intellectual property of firms participating in a distributed interactive simulation. We describe the techniques used to implement the security services: controlled subscription lists and secure associations. We report the impact of these new services on the real-time behavior of our distributed interactive simulation environment.

1 Introduction

It is a usual practice for a firm to build a simulation of some piece of equipment that it intends to manufacture. By using the simulation, a firm can gain knowledge of how the equipment will behave, which helps the firm make design decisions. When several firms participate in the cooperative design of a system made of several pieces of equipment, it is also important to know how these pieces of equipment will interact with each other. One promising solution is offered by distributed interactive simulation environments (such as those conforming to the HLA standard [1]) that let a group of simulations interoperate.

Firms generally include in their simulations attributes that they regard as very sensitive. In order to protect their "intellectual property", firms do not want to reveal the values of these simulation attributes. If firms have to connect their simulation to a distributed simulation, they might fear that the secret attributes become known to other firms participating in the simulation. So, some firms might be reluctant to join a federation of simulations. To overcome this problem, we propose to develop a security-aware distributed interactive simulation environment that can be trusted to distribute the values of sensitive attributes properly.
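The objective stated above, a trusted RTI that delivers a sensitive attribute only to the federates its owner has cleared, can be sketched as a controlled subscription list enforced inside the global RTI process. The following is an added illustration, not CERTI code: it assumes a controlled subscription list is a per-attribute allow-list of federate names against which the RTIG refuses subscriptions and filters update reflections; the federate, class and attribute names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlledAttribute:
    """One attribute of an object class and the federates allowed to subscribe to it.
    Assumed model: an empty allow-list means the attribute is public."""
    name: str
    owner: str                       # federate that publishes the attribute
    allowed: frozenset = frozenset()


class SecureRTIG:
    """Global RTI process enforcing controlled subscription lists (assumed model)."""

    def __init__(self):
        self._attrs = {}   # (object class, attribute) -> ControlledAttribute
        self._subs = {}    # (object class, attribute) -> set of subscribed federates

    def publish(self, federate, obj_class, attr, allowed=()):
        self._attrs[(obj_class, attr)] = ControlledAttribute(attr, federate, frozenset(allowed))

    def subscribe(self, federate, obj_class, attrs):
        """Return the attributes actually granted; refused ones are dropped, not reported."""
        granted = []
        for a in attrs:
            ca = self._attrs.get((obj_class, a))
            if ca is None:
                continue
            if ca.allowed and federate != ca.owner and federate not in ca.allowed:
                continue                       # not on the controlled subscription list
            self._subs.setdefault((obj_class, a), set()).add(federate)
            granted.append(a)
        return granted

    def update(self, federate, obj_class, values):
        """Route an attribute update; returns {receiving federate: {attribute: value}}."""
        reflections = {}
        for a, v in values.items():
            ca = self._attrs.get((obj_class, a))
            if ca is None or ca.owner != federate:
                continue                       # only the publishing federate may update it
            for sub in self._subs.get((obj_class, a), ()):
                if sub == federate:
                    continue
                if ca.allowed and sub not in ca.allowed:
                    continue                   # re-checked at delivery time, not only at subscribe
                reflections.setdefault(sub, {})[a] = v
        return reflections


def demo():
    # Constructed federation: FirmA publishes a public and a sensitive attribute.
    rti = SecureRTIG()
    rti.publish("FirmA", "Engine", "thrust")
    rti.publish("FirmA", "Engine", "fuel_law", allowed={"Integrator"})
    rti.subscribe("FirmC", "Engine", ["thrust", "fuel_law"])
    rti.subscribe("Integrator", "Engine", ["thrust", "fuel_law"])
    return rti.update("FirmA", "Engine", {"thrust": 1.0, "fuel_law": "proprietary"})


if __name__ == "__main__":
    print(demo())
```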
ONERA/CERT has developed a prototype of HLA/RTI (see [2]) that has been extended with security services (see [3]). In this paper, we describe the techniques used to implement these security services. Several security architectures can be designed for distributed simulations (see [4]) that address various security requirements. But when designing such an architecture, one should also keep in mind that companies have other requirements, such as good real-time performance. One of our goals was to limit the overhead caused by the security controls. For that reason we have focused on an architecture that deals with security within the HLA/RTI implementation. This solution seems more efficient with respect to performance than building a new layer devoted to security on top of the simulation services. Furthermore, this approach leads to an architecture with a limited number of trusted software components. This last point is a good feature with respect to security.

In the first section, we briefly describe the architecture of CERTI, the HLA/RTI prototype we have developed. We also summarize the various security threats that should be addressed. Then, in the following sections, we review the three major security services that we have added to secure CERTI. For each of these security services we detail the threat it counters and how it is implemented, and we report the impact of these new services on the real-time behavior of CERTI.

In the remainder of the paper we assume that the reader is familiar with the HLA/RTI standard (see [5] for an introduction). For instance, we will use federate to denote an individual simulation and federation to denote a group of federates.

2 Development of CERTI

2.1 A prototype architecture

A small team at ONERA/CERT produced an RTI prototype implementing a significant subset of the HLA services.
As in the Familiarization version of the RTI [6], we implemented object-management and time-management services, but we did not implement data distribution management or ownership management. Our prototype is made of several communicating processes: a local one (RTIA) and a global one (RTIG), and a library