Sei sulla pagina 1di 54

UnidirectionalSecureInformationTransferviaRabbitMQ

M.W.H.Maatkamp

AminorthesissubmittedinpartfulfilmentofthedegreeofM.Sc.in
ForensicComputingandCyberCrimeInvestigationwiththesupervision
ofDr.MartinvanDeldenandDr.
NhienAnLeKhac
.

SchoolofComputerScienceandInformatics
UniversityCollegeDublin
16December2015

Abstract
Protecting computersystemshandling possiblesensitiveinformationisoftheutmostimportance.
Those systems are typically airgapped with data diodes to assure that no information can
physically flow back. Traditional computer protocols like HTTP or SOAP which are normally
used to transport information between computers are typical bidirectional communication
protocolsandarethusunsuitabletobeusedoveradatadiode.
Currently the only commercially available protocols over a data diode sold by vendors are
filebased protocols. Other protocols can be custom made but are expensive and proprietary.
There are currently no open source solutions tostreamdata inageneric wayovera datadiode
otherthanthosefilebasedsolutions.
Purpose of the dissertation is to research if open source technology can be used to mirror the
contents of a messagebus over a data diode to get a cost effective securityproof and almost
maintenancefree solution. and to further researchifthistechnologycan be used to transfer not
only plain text databut alsodata sensitiveby naturebyusing endtoendencryptionsothatthis
informationcouldevenbeadmittedasevidence.
Methodused tovalidate the researchisapracticalcasestudythatshowshow asensorstreamcan
send unencrypted and encrypted events over a data diode of arbitrary size via a message bus
which are transparently and securely transferred and reemitted internally without any kind of
configurationmanagement.
Results showthatitisindeedpossibleto successfullymirrordatafromaMessageBusoveradata
diodeanditisthusworthwhiletofurtherinvestinthistechnology.

TableofContents

1. Introduction

2. LiteratureSurvey

3. ProblemStatement

4. AdoptedApproach

5. Descriptionofresults

6. EvaluationandDiscussionofresults

7. Listofreferences

8. Appendices

1.

Introduction

The Dutch National Police collects information from all kinds ofsources, frompublic (online)
sources,commercial, othergovernmentdepartments inoroutsidetheNetherlandsandevenfrom
within the police force itself. The collected information flows from lower into higherzones of
trust. The informationitselfcan be classified asopen datasuch aspubliclyaccessible news and
weatherreportsorevenhighlysensitiveinformationsuchasevidence.
Protecting those computer systems handling sensitive information is of the utmost importance.
Those systems are typically airgapped with data diodes to assure that no information can
physically flow back since these diodes have their hardware modified in such way that
information can physicallyflowonlyfrom thelower sideof thenetwork intothehigherside.[1]
These networks are commonly called black for the outside components and red for their
internalpart.

Currently the only protocols over a data diode sold by vendors are filebased protocols like
(S)FTP,Mail andandSamba[2][3][4][5].Whileotherprotocols canbecustommadebyvendors
but are (very) expensive, proprietary and the intellectual property rights of those custom made
software could even stay at the vendor oftheapplication. Somevendors evensupportoneway
TCPconnectionsovera datadiode.TCPprotocolslikeHTTPorSOAPwhicharenormallyused
to transport informationbetween computersarebidirectional protocolswhichmakesthis solution
unsuitabletodirectlyinterfacesuchprotocols.
A
literaturestudyhowevershowedthattherearecurrentlynoopensourcesolutionsavailableto
streamdatacomingfromamessagebusoveradatadiode.Evenongithub,theplacewhereopen
sourceprojectsarehostednoprojectscouldbefoundwhichprovidethisfunctionality.

RabbitMQisanopenOpensourceandcommerciallysupportedmessagingbrokerandanduses
AdvancedMessageQueuingProtocol(AMQP)asaprotocolwhichmakesitinterchangeablewith
otherMessageBusplatformslikeActiveMQ.

ThispaperistheevaluationofRabbitMQasamessagebustobeusedtransparentlyoveradata
diodetogetacosteffectiveandalmostmaintenancefreesolutionandtofurtherresearchifthis
technologycanbeusedtotransfernotonlyplaintextdatabutalsodatasensitiveinnatureby
usingendtoendencryptionsothatthisinformationcouldevenbeadmittedasevidence.
During thisresearch wefoundandimplemented such asolutiononhowtotransportmessagesin
a transparent way overdata diodeevenwhen encryption isusedmakingthediode functionality
literallytransparent.
Results showthatit isindeedpossible to mirrordata over adatadiodeintoasecondarymessage
busanditisthusworthwhiletofurtherinvestinthistechnology.

2.

LiteratureSurvey

The reason for startingthis researchisthatthere wereno other protocol solutions beingoffered
bycommercialvendors ofdatadiodesotherthanSAMBA,FTP,FTP/S,SMTP(Email),TCPand
UDP.Whiletheseprotocols are normally sufficientforfiletransfernoneoftheoptionsprovide a
streamingsolutionsotherthanTCP.
Thesecond place tolookforthepossibleexistenceofresearchfor suchaprotocolis googlewith
thefocuson searchingfor thetermsdatadiodetogetherwiththeterms esb,messagebusor
RabbitMQwhichalsoyieldednopracticalsolutions.
Google Scholar however turned up a document called Demonstration of a Cross Security
Domain Service Management Capability for Federated Missions [7] which talks about using
ESBs ina closedmilitary environment butdoesnotdisclosecode ortheexact detailshowtheir
custom solution works but ends with this interestingconclusion:
A keylesson learnt fromthis
experimentation process is that the service bus messaging pattern is a critical enabler in
implementing a distributed event and configuration management system. It can provide
persistence,throttlingandcachingandacommoninternalinterfacetothecrossdomaingateway.
This way multiple different ELMs can connect to the IOSS while the crossdomain solution
remains transparentandpossiblyinterchangeableorupgradeableinthefuture.
whichisexactly
whythisresearchwasstartedinthefirstplace.

While trying to find open source alternatives github.com was also queried but the query"data
diode"returnsonlyoneresultwhichisaprojecthowtoturntwoCiscoswitchesintoadatadiode.

3.

ProblemStatement

Normally whentwonetworksare beingconnected afirewall


isput between them.
Afirewallisanetworksecuritysystem,
either hardware or softwarebased, that controls incoming
and outgoing network trafficbased onasetofrules.Because
these rules can be added, changed or deleted by an
administrator (or bya hacker ormaliciouspieceofsoftware)
firewalls couldpossiblycontainerrorsintheirconfiguration
andthusneedtobeconstantlymonitored.
A data diode on the other hand is a device where data can
physically flow fromoneside totheotherbecause hardware
modifications have been made to make it physically
impossible for data to flow back [1]. These hardware
modificationscanbedone onmany types ofmedia like RS232 andevenopticalfiberwherethe
ideaisthatthehighersidecanonlylistenandthelowersidecanonlysendinformation.
In the case of anopticalfibersolution,thereisno fibreoptic linkbetweenthetransmitportofthe
transceiver onthereceiving sideof thedata diodeandthereceivingportofthetransceiveronthe
transmittingside ofthedatadiode. Visual inspectionofthetransceiversshouldeasilyshowthat
theyhavenotbeentamperedorreplacedwithacomponentthatcanbothtransmitandreceive.

Aprotocol like
TransmissionControlProtocol(
TCP)isunsuitable tobeusedbecauseTCPisa
bidirectional connectionoriented protocol.Aprotocolmoresuitabletobeusedovera datadiode
is
User Datagram Protocol (
UDP) because UDP is specifically designed as a unidirectional
communication protocol.. Because UDP has notion of state it provides no mechanism to
guarantee that packets arrive in the same order as they were being sent but also provide no
guaranteethatpacketsarriveatall.Theonlyway forthereceivingsidetoknowthatinformation
is missing is to include a sequence number in thepayload which isalsoneededfor datatobe
admittedasevidence.[7]
RabbitMQisanopenOpensourceandcommerciallysupportedmessagingbrokerandanduses
AdvancedMessageQueuingProtocol(AMQP)asanOpenStandardforMessagingMiddleware
whichmakesitinterchangeablewithotherMessageBusplatformslikeActiveMQ.Itsupports
clusteringandisthusfaulttolerantandusesflexiblerouting.RabbitMQisofficiallysupportedon
anumberofoperatingsystemsandseverallanguageswiththemostprominentbeingjavawhich
hasexcellentsupportbythewayofSpringBoot/SpringAMQPwhichwewilluseinthis
dissertation.

RabbitMQactslikeamailboxwheremessagescanbedeliveredtomultiplerecipientsbasedon
headersprovidedwiththemessage.Aproducerisaprocesswhichsendsmessagesanda
consumerisaprocesswhichwaitsformessages.Anexchangewaitsformessagesandsendsthem

tooneormorequeuesandqueuesarethebufferswhichstoresmessageswhicharenotyet
consumed.Inanidealsetupallthequeuesareconsumedbyconsumersandarethusempty.

WithinRabbitMQ:

thecoreisapublish/subscribemechanism
Foracreatingprocesswhenamessageispublisheditisbeingdeliveredasfastas
possibletothereceivingprocesseswithoutanylag,whichwouldbeintroducedby
polling.Forthereceivingsideitmeansthatanindividualreceivingprocesscansubscribe
itselfoneventsandthemessagebushandlesthepublishingofnewlycreatedmessagesto
allreceivingprocessesbycopyinganddeliveringthemessagesinparallel.

supportsextraheaderinformation
Justlikeemailextrainformationcanbeaddedtoamessagelikeroutingkeysorheaders
containingmimetypes.Receivingprocessescanfilteronthoseoruseittoaddextra
metainformationwiththecontentsofthemessagewhenaddedinadatabasefor
example.

supportmessagefiltering
receivingprocessescansubscribeitselftogetallmessagesbutthereisalsotheoptionto
getasubsetofmessages.Thesearefilteredonroutingkeysorspecificheaders.

supportloggingandmonitoring
Sincethecoreofamessagebusaremessages,thesebussesalsoexposeinformationlike
messageratesandqueuesizes(anincrementingqueuesizeindicatingafaultyreceiving
process)canall

supportusersandgroups
Areceivingprocessgetsonlythedatafromexchangesaprocesshasbeinggivenrightsto
bythemanagerofthemessagebusandthusitcannotdoadirectoryscanlikeina
filebasedsolutionitwouldbepossibleforareceivingprocess.

supporttransactions
sincethecoreofamessagebusaremessages,thesemessagesarekeptinmemoryuntil
themessagebusgetsanacknowledgmentthatthemessageisbeingsuccessfully
transferredtothereceivingprocessafterwhichthecopyisdeleted.Couldamessagenot
beingdeliveredbecauseofanerror,themessageisretransmittedtoanotherprocessoris
beingputbackinthequeue.

supportqueueing
couldamessagenotbeingdeliveredbecauseofatimeoutorerrorbecausethereceiving
processisnolongerthereforexample,messagesarebeingheldinaqueueforaslongas
amessageTimeToLive(TTL)signalsithasnotexpiredand
thereisenoughmemoryinthemessagebushostitself

Whenthereceivingprocessreattachesitselftothebus,allqueuedmessagesarebeing
deliveredtotheprocess.Thesendingprocesscouldinthisscenariodeliveritsmessages
evenwhenthereceivingprocesswasnolongerthereandthereceivingprocessstillgets
allthemessagesevenwhentheprocesswasmomentarilyinaccessibleduetoanerroror
anupgradeofthereceivingprocessitself.

MessagesthemselfcanbebiggerthanUDPallowsandhavetobesplitintosmallersegments.

Messagesplitter

MessageswhicharetransferredoverRabbitMQcanbebiggerthanthestandardUDPpacketsize
of1500bytes.Therehastobeasysteminplacewhichsplitsthemessagesupintosmaller
segmentstoanadjustablesizeandaddsaheaderwithallthebookkeepinginformationlike
originalmessagesizeandpreferablyachecksumtovalidatethattheoriginalmessageis
transferredcorrectly.Onthereceivingsidethemessageshouldbereconstructedandvalidatedby
itschecksum.

Redundancy

SincepacketdeliveryinUDPisnotguaranteed,datashouldbesentredundantlytocopewithlost
packets.Theredundancyfactorshouldbeadjustableandahighernumbermeansmoredatais
sendredundantlywhichmakesthesystemmorefaulttolerantbutatthecostoftransferspeed.

Cleanup

Whenpacketsarrivesomegetlost.Thesystemhastodobookkeepingtoreconstructthe
messagesbutwhentoomanypacketsaremissingitcannotreconstructtheoriginalmessageand
wouldwaitindefinitelyforthosepacketstoarrive.Periodicallyitshouldbecheckedwhethera
messagegetsnewpacketsbutthemessageshouldbediscardedwheneveracertainamountof
timehaspassedandnonewdataisbeingaddedtothemessage.Itshouldcleanupandprintaline
inthelogfilethatamessagewasdiscarded.Shouldthishappen,thethrottlecouldbesethigher
anddatacanbesendevenmoreredundantly.

Encryption
Connections toa messagebus can be forcedto useSSLanduserpermissionslikereadandwrite
permissionscan be set on individualexchangesforspecific users butallmessagesareuptillthis
pointstillreadablebyanybodywithadministratorprivileges.
For informationtobeadmittedas evidence authenticity andintegrityareneeded[8][9].Wewant
toverifythatencryptionofindividualmessagescanalsousedinthisenvironment andshould this
research be successful the encryption itself will most likely be replaced by an infrastructure
already present, but for now the encryption we are going to use will be a small encryption

framework which proves thepoint of encryption,integrity andauthenticity but is notindustrial


hardenedagainstanypossibleattack
Regular symmetric key encryption with a sharedkeylikeAESdoesnot provetheintegrity nor
authenticity of the message because nothing prevents an attacker from generating a random
message which the receiver will then decrypt and accept.[12] And when a symmetric key is
compromised all previousmessages becomealso readable.Therefora public/privatekeypairfor
theserverandforthesensor haveto be generated and used toencrypt anew symmetric key for
eachmessagetoprovide:

Integrity A hashing algorithm is used to calculate a hash of the message and when
received a difference between a calculated hash and the hashof the messageindicates
whetheramessagehasbeenmodified.

Authentication
To prove that the communication does indeed originate from an
identified party (senderauthenticity)thesendingpartysignsthehash
withtheprivatekey
so that the receiving party can validate with the public key (preferably being given
outofbandthatthemessageindeeddidcomefromthesender.

Nonrepudiation
Nonrepudiation means that after a message is signed and sent one
cannotdenyhavingsignedtheoriginalmessagebecausethemessagewassignedwiththe
privatekeyofthesenderwhichhopefullynobodyelseknows.

The sending process should encrypt the data with a new symmetric key for each message,
calculates a hash over the encrypted contents and signs the hash with the private key of the
sensor. The symmetric key is then encrypted with the public key oftheinsideprocess andthe
messageis transferredoverthedatadiode.This schemeiscalledEncryptthenMACand means
that ciphertext is generated by encrypting the plaintext and then appending a MAC of the
encryptedplaintextwhichisprovablysecure[12].
In this research we wantto prove that asmartdevice(a device which isecapableof doingtheir
own encryption) can encrypt its contents and add enough header information for the receiving
process to determine ifthemessage is tobe decrypted and canvalidate ifthesensor did indeed
send its information by checking the signed hash of the message. The device shouldtherefore
contain not only its public/private keypair but also the public key of the inside process. The
receiving process on the inside validates the message and when valid decrypts and send the
information theexchange where it originally came fromon the outsideorgiveanerrormessage
whenvalidationdidnotsucceed.
We also want to prove that a nonsmart device (which is a device which does not have the
computingpower todo encryptiononits own)cansendtoitsinformationtotheamessagebusto
theencryptexchange whereit getsencrypted andsendoveradata diodebyaseparateprocess.
Incoming messages are being encrypted, signed andsendovera datadiode wherea decrypting

process decrypts the messages and will validate and send them to the exchange where they
originallycamefrom.
Jumboframes
Jumbo frames can be enabled to send bigger packets over the data diode.Normally anetwork
woulddeclarethemaximum sizeof an UDP packettobe1500 bytes,but some drivershavethe
option toenablejumboframeswhichcanbe9k,16koreven64kbutthosearecalledsuperjumbo
framesandareveryrare.
Throttling
We wantto becapableofthrottlingthe speedat which UDPmessagesarebeingsentovera data
diodesincepacketsget missingbecause thereceivingside cannotkeepupwithpacketsarrivingat
a certain speed..Thesoftware should contain apropertywhich indicatesthe timetowait before
sending another packet as not to overflow the receiving buffer which would then drop the
packets.

4.

AdoptedApproach

Fig1:schematicoverview

Above is the schematic overview oftheinfrastructurewhat we wantto implement.Wewantto


researchifRabbitMQmessagescanbesendoveradiodeanddothatwithafictitioustemperature
sensor which sendsperiodicallya temperature sensorevent over totheredside.Thesensorcan
send its data in plain textmessages toan exchangewhich are mirroredoverthedatadiodeand

10

also by sending its data to the encryptedexchange where the data is encryptedbefore itsend
overtotheredside.
Theidea isthatthis isa realworld exampleofasensorwhichwecanusetodevelopandtestthe
serialisationandencryptionanddecryptionofsuchmessages.
This dissertation describes what has been developed to get RabbitMQ messages transparently
overadatadiode:
Application

Description

AutomaticQueue
creation&Listeners

Ontheredsiderunsanapplicationwhichchecksperiodicallyifnew
exchangesarecreatedandattachesalistenertoaqueueboundtothe
exchangetogetthemessages

Encryption

Allmessagesroutedtotheexchangeencryptarebeingencrypted
withthekeyofthereceivingsideandsignedwiththekeyofthesender

Cutapplication

Thecuttersplitsthosemessagesintosmallermessagesandappendsthe
exchangeandtypeofexchangethemessagecamefromandaddsa
headertoitcontainingtheUUIDandindexandcalculatesachecksum

UDPSenderwith
RateLimiter

TheUDPSendertransfersmessagesoverUDP.Whenthesendersends
UDPpacketstoofastoverthenetwork,packetsgetlost.Aratelimiter
limitshowmanypacketspersecondsarebeingtransferred.

UDPReceiver

AdedicatedcprogramhasbeendevelopedtotransferUDPmessages
intoRabbitMQ.Atthemeasuredspeedsofover12.000messages/sec
thegarbagecollectionofaninterpretedlanguagelikeJavaandNodeJS
cannotkeepup,buttheCimplementationprovedtobestable.

Mergeapplication

Reconstructsthemessageandcalculatesthechecksum.Ifthe
checksummatchesthechecksuminthemessage,theexchangeis
createdandthemessageisdeliveredtotheexchange.

Decryption

Whenmessagesarereconstructedandputintheexchangeencrypted
thosemessagesaredecryptedwiththeprivatekeyofthereceiverand
validatedwiththepublickeyofthesenderandifthevalidation
succeedsthemessageisdecryptedmessageisbeingtransferredtothe
originalexchange.

11

WORKFLOW
Thisistheflowofasensorwhichsendsitsdataoverinplantext.

Fig2:Sendingamessage

Whena sensorisdelivering amessage totheblack sideitsendsits messagestotheexchange.A


Message Listener isautomaticallyattachedtothis stream andwrapsthemessageinanExchange
Message adding extra metainformation of the exchange so that the receiving side has enough
information to reconstruct the exchange should it notexists and sendsthemessagetotheUDP
Sender. This takes the message, serialised it into a byte stream and sends the stream over the
diode.

12

Thisisthereceivingsideofasensoreventinplaintext.

Fig3:receivingsensormessage

Onthereceiving sidetheUDP Receiver reconstructstheexchange messagefromthebytestream


and hands it over totheRabbitMQ Service. This servicereconstructs the exchangeshoulditnot
exist and sends the message to the exchange. In the case of a sensor event a listener picksup
thosemessagesandprintsthecontentsofasensormessageintheconsole.
Messages
The core of AMQP is
org.springframework.amqp.core.Message which contains a field body
withthecontentand afield
org.springframework.amqp.core.
MessageProperties containingfields
usedfordeliveringamessagesuchasaroutingkeyandothermessagepropertieslikemimetype.

13

Fig4:MessageandMessageProperties.java

Amessage islikeanemailmessage:itcontainsabody,whereit shouldbesendto(inthiscasean


Exchange, which is something like a mailbox but is of a certaintype)andsomethingwhichis
called a routing key which is an arbitrary field on which a receiving process can make the
decisionthatthemessagemightbeofinterest.

The idea is to mirror thisexactmessageon the inside RabbitMQ. The problem isthatMessage
containsafieldreceivedExchangewhichcontainsonlythenameoftheexchangewhereitcame
from, butdoesnotcontainthe actual typeofanexchange.Whilethisis enoughinformationwhen
the exchange is already created (which is the typical usecase because an exchange has to be
created beforea Message canbesend toit)itisnotenoughtoreconstructanexchangeonthered
side.
Since
org.springframework.amqp.core.Exchange does not inherit from Serializable.java, is is
impossoble to send it without modification over to the red side Another classisneeded which
contains a copy of the contents of a instantiated amqp.Exchange.java. This is
org.datadiode.model.message.
ExchangeMessage where the contents of amqp.Exchange.java is
serialized with
XStream into a field exchangeData of type String which contains in
JSONformatallthe contentsofallthefieldsofanamqp.Exchange.Withthisinformationthered
sideis nowcapableofreconstructingtheExchangewithallofitspropertiesandsendthecontents
oftheMessagetothenewlycreatedExchangeoverontheredside.

14

FileX:EchangeMessage.java

The contents of exchangeData looks like the following figure where type=FanoutExchange,
name=sensor, durable=true and autoDelete=false are all parameters necessary when
creatinganExchange:

Fig5:exchangeData.json

The application looks up if an exchange with that name exists, if notcreatesoneandsends the
messagetothenewlycreatedExchange.

15

Fig6:messagesmirroredoveradatadiode
The application at startup periodically creates new queues with the same nameas any (newly)
created exchange but it an extra .dd appended to hint that these queues are being used for
sendingdataoverthediode. It attaches listeners toall these queuesand whena messagefroma
queue is received the listener adds enough information necessary for reconstruction of the
exchangeandmessageontheredsideandsendsthisasaUDPpacketoveradiode.
Also on the receiving side there is a receiving process which takes the information fromUDP,
transformstheinformationintoaMessage,recreatestheExchangeifitisnotthereyetandsends
themessagetotheExchangethuseffectivelymirroringtheRabbitMQoveradiode.

16

Messagesplitter

Fig7:Messageissplitinheaderandsegments
Messages can get bigger than the standard UDP message size of 1500 bytes or 8K if jumbo
frames are enabled. To transfer those messages they are split up into smaller chunks of a
predefined length before they are transferred over UDP. This is done in theCutterapplication
whichsplitsmessagesintoaspecifiedamountofbytes,addsaheader andindexandaddsthedata
redundantlyand shufflestheredundantdatatomitigatepacketloss.Thelengthofanindividual is
determinedbythefollowingproperty:

Thereceiversidethenremoves duplicatesandreconstructsthepacketsbyorderingthesegments
onthereceived index andchecksthechecksumof thereconstructedmessagewiththechecksum
intheheader.Ifthosematch themessageisthenresendintotheredsidetothespecifiedexchange
withtheoriginalmessagesize.

17

Segment

fig8:Segment.java

Asegment canbeidentifiedbythefirstbyteandcontainsanUUIDwhichistheuniqueidentifier
foreachtransmittedmessage.Thebackendaddseach segmenttothelistofothersegmentsfor the
same UUID and when the count of those received segments equals the number of the count
variable in the message the message can be reconstructed. Because packets can arrive
outoforderanindexinthesegmentdeterminesthepacketorder.Thebackendthenreordersall
thesegments on thevalueoftheindex andthe message istenreconstructedandvalidatedbythe
checksum. The segmentlength is used todetermine theactualsizeofthedata inthepacket.So
eachpacketcontainsanextra29bytesheaderinformation.

18

INDEX

NAME

TYPE

BYTES

0 type

BYTE

1 UUID

LONG*2

16

17 count

INT

21 index

INT

25 segment.length

INT

TOTAL

29

Redundancy
Should packets disappear due to a network error the data can still be reconstructed because
packets can be added multipletimes. This is donewiththeredundancyfactor whichis2 in this
examplewhereeverypacketisinsertedtwiceinthestream.Thepropertytoadjustthisvalueis

Shuffling
Whenthere ispacket loss packetsdisappear.To minimisetheimpact ofpacketlossredundantly
insertedsegmentsareshuffledrandomlytominimisetheimpactofpacketloss:

19

UDPSender
While testing the application it showed that the java implementation could not keep of with
message rates above 12.000 messages/sec of 8K each and caused packet loss. Another
implementationin NodeJShad thesame problemwhichalso caused packet loss atthereceiving
side. AdedicatedCprogram was developedwhichpublishesUDPmessagestoRabbitMQwhich
solvedtheproblemandprovedtobestableatover17.500messages/secwithnopacketloss.
Reconstruction
In the codethededuplication andreorderingis doneautomaticallybyinsertingthe messagesina
Treeset:

Treeset has2uniquefeatures: it contains only unique itemsandthoseitemsareordered whichis


exactly whatwewant: we wantdeduplicationandreordering.
Byinsertingduplicateitems inthe
TreeSetthoseduplicateitemsareautomaticallyremovedandthesetiskeptinorder.
Whenever there is packet loss this is mitigatedbecausepacketsareinsertedmultipletimesinthe
stream so that the original message can still be reconstructed even when some segments are
missing:

Fig9:Packetreorderandpacketloss

20

With allthesemeasuresinplacethisiseffectively whatwenow havecreated: atwoRabbitMQ


instances where the contents on theoutside RabbitMQisperfectlymirroredona RabbitMQon
theinside:

Fig10:RabbitMQmirrored

DMZ
Now that thissetupworks,amoretypicalscenariowouldbeamirrorthedatafirstinaDMZand
let somebody from the OPS department decide if the data stream should be mirrored into the
insideof anetworkbyusingsocalled
shovels
whichbydefinitionofRabbitMQ isapluginand
itsfunctionis
t
o reliablyandcontinuallytake messagesfrom aqueue(asource)in onebroker
andpublishthemtoexchangesinanotherbroker(adestination)
.

Fig11:RabbitMQinaDMZ

Theidea behindthis rationale ofa DMZisthatallnotallmessagesaretobetransportedintothe


insideOnly messagescomingfrom knownexchangescanbebroughttotheinsidebut
onlywhen
somebody inpersonaddsashovel fromtheoutsideto the insideinthemanagementinterfaceon
the black side on the inside mirror. Should messages being added byanunknown party, those
messageswillthusstayattheredRabbitMQoftheoutsidemirrorforfurtherinspection

21

Performanceproperty
The problem with UDP is that it does not guarantee delivery ofpackets. Normally packets are
dropped when the receiving side is not capable of keeping up with the arrival speed and the
sending process needs some way to throttle the message rate. A rate limiter has been
implemented and the rate canbeadjustedwiththe following property tomake it fasteror more
reliable:

ROUTING
Allheaders froma message arebeingtransferredintotheinside.Thismeansthattheroutingkey
is also being transferred into the inside. A routing key can contain everything but contains an
identifierwhere,attheinside,amessagecanberoutedonwithout decryptingthemessagecontent
itself.

Fig12:routingkeys

22

ENCRYPTION

Fig13:sendingencryptedmessage

HereanunencryptedsensorsendsitsdatatotheRabbitMQontheblacksidetothe
sensorexchange.Ashovelshovelsthemessageoverthethetheencryptexchangewherea
listenerEncryptMessageListenergetsthemessageandencryptsandsignsthemessageand
sendstheresultingmessagebacktotheRabbitMQtotheencryptedexchange.Thereageneric
MessageListenerpicksupthemessageandencapsulatedthemessagewithaexchangemessage
containingtheoriginalexchangeandsendstheresultoverUDPviatheUDPSenderoverthedata
diodetotheredside.

Fig14:receivingencryptedmessage

23

ThereaUDPReceiverreceivesthemessageandreconstructswherethemessagecamefrom:the
encryptedexchange.Itsendstheencryptedmessagetothisexchangewherethe
EncryptedMessageListenerlistensfornewmessagesandgetsthetheencryptedmessagewhichis
validatedanddecryptedandisthensendtotheoriginalsensorexchange

Whichencryptionmethodisusedandthekeysizesarespecifiedinapplication.properties.

black

src/main/resources/application.properties

red

src/main/resources/application.properties

Thefirstpropertyistheprovider,inthiscaseBouncyCastlewhichisanalternativetothestandard
cryptographiclibrarycalledJavaJavaCryptographicExtension(JCE)whichcontainsmanymore
ciphersuitesandalgorithms.

Thesecondpropertyisthewaymessagesaresigned.UsedhereisSHA256WithRSAwhich
meansthatamessageishashedwithSHA256andsignedwithaRSAprivatekey.

ThemessageitselfisencryptedwithAES256andusestheAES/EAX/PKCS7Paddingwhere
EAXisa
modeofoperationforcryptographicblockciphers.ItisanAuthenticatedEncryption
withAssociatedData(AEAD)algorithmdesignedtosimultaneouslyprovidebothauthentication
andprivacyofthemessage(authenticatedencryption)
[13]andusespaddingforthelastblock.

ThekeyusedtoencryptthemessageisthenencryptedwiththepublickeyoftheserverwithRSA
using2048bitsandusespaddingforthelastblock.Shouldtheseparametersbenotsufficientjust
modifyapplication.propertiesandstarttheapplicationagain.

Whentheapplicationstartsitwillstarta
org.datadiode.black.
listener
.EncryptMessageListener
whichislisteningformessagesbeingsendtotheexchangeencrypt.Itwillencryptthese
messageswiththepublickeyoftheredside,signsthehashwiththeprivatekeyoftheblackside
andemitstheencryptedmessagetoanexchangeencrypted.Theexchangeencryptis
specificallynotmirroredbuttheexchangebuttheexchangeencryptedis.

24

On the receiving side a listener will decrypt the contents of the messages coming from the
mirrored exchange encrypted with the private key from the red side and validates that the
messagereallycamefrom theblacksidewiththedecryptionof thehashwiththepublickeyfrom
theblacksideandifvalidsendsthemessagetotheexchangeitcamefromontheblackside.

Fig16:SecureMessage.java

This solution has been made so generic that it can be used to encrypt any stream of data by
shovelingdatafromanyqueueintotheencryptexchange.

Fig17:UnencryptedandEncryptedstreamarebothmirrored

25

Messages from outside can be send to an exchange at the black side. The creation of new
exchanges is being picked up a new instance on each of GenericMessageListener is attached
which starts to broadcasting messages over the data diode. On the receiving side the UDP
receiver transformsanUDPmessageback totheoriginalmessageandisbeingtransmittedtothe
exchange it originally came from. It also watches an index in the message to detect missing
packetsbycomparingtheindexwithacountercontainingthenumberfromthepreviousmessage.
Should the value of indexnotbe the the same asthe previousindexplusone,awarningisbeing
displayedinthelogoftheapplication.
When encryption is used a message is thus first encryptedintoanEncryptedMessage whichin
turnis added into aExchangeMessagesothatitcanberouted andthatexchangemessageissplit
into smaller chunks (a header and some segments) which are theunits beingtransferredovera
diodeviaUDP.
The receiving side then reconstructs the ExchangeMessage and validates the checksum after
which it sends the EncryptedMessage to the EncryptExchange.This isbeing picked up bythe
listener,decryptedandvalidatedandresendtotheoriginalexchange.

Fig18:EncryptedMessageinExchangeMessage

26

5.

Descriptionofresults

Withtheapplicationitisnowpossibletosendmessagesofarbitrarysizeoveradiodewhere
exchangesareautomaticallymirroredandcompressionisusedtomaximisethedatainamessage.
Belowfollowsamoredetailedexplanationoftheresults.

Testsetup

Fig19:testsetup

Thenetworkisagigabitnetworkconnectingaworkstationrunningtheblackandredprocesses
andaserverrunningbothRabbitMQsandNodeREDandavirtualdatadiodewithsocat:

$socatUDP4RECVFROM:4321,forkUDP4SENDTO:<<IP_OF_WORKSTATION>>:4321

27

Semiproductionsetup

Fig20:Semiproductionsetup

28

Productionsetup

Fig21:Productionsetup

Automaticcreationofexchanges
The following are screenshots that show the application where a fictitious sensor which is
declared in the class
TemperatureSensor
sends periodically
TemperatureSensorEvent events
over to the red side. Without any management exchanges andqueues are created automatically
andthedatalandsoveradatadiodeintothetrustedzone:

29

Blackexchanges

Redexchanges

Message rate hasbeen measuredofover14.500messages/seconalaptoprunningbothblackand


red applications and and gigabit ethernet between the laptop and a Intel NUC running both
RabbitMQsandtheNodeREDapplications.

30

Performance

Fig22:graphicalthroughputofUDPreceiver

IntheabovefiguretheactualthroughputoverUDPcanbeobserved.
Ontheblackside ascriptgradlerunClientisstartedwhichsendspacketswithrandomcontents
over UDP to the red side. In each packet the first 4 bytes contain an index number and each
packet increments the index.Onthe receivingsidea dedicated Cprogram(udp) takesaUDP
message and puts into theexchange UDP. Then asecondprocess (gradle runServer)receives
themessageandtheindexiscomparedtotheprevious receivedindex.Iftheindexdoesnotequal
theprevious index+ 1 the server outputs an errormessage.Therateatwhichnopacketsarelost
can thus be determined. The highest message ratewhereno packets are lost is arateof14.500
packets/sec with packet size of 8K whichis (14.500*8192)/1024/1024= 113MB/secwhichis
89%ofthetheoreticallimitofofGigabitethernetat128M/sec.
Now the practical test: the script
datadiode/contrib/nodejs/sendMessages.js generates 1MB
messages intheexchangenodejsExchangewhicharethenautomaticallytransferred tothe red
side. Becausethosemessages are exactly1MBinsizethemessageratereflectsthethroughputin
MB/sec.

31

Fig23:Measuredthroughputof1MBmessages
Thebest performance was found with 8K jumboframesenabledcurrentlygivingathroughputof
around25MB/secwithnopacketloss. Because packets aresenttwice (redundancyfactoris2in
this example) the actual throughput is around 50MB/sec which is far below the 128MB/sec
maximum ofa gigabitnetwork. The reasonitdoesnot perform asfastastheprevioustestisthe
cut and merge function both sides have to do which cannot put packets faster than 700
packets/sec and message digest calculations both sides have to do. This can be solved by
performancetuning boththe cutand mergeapplicationsandto putthoseapplicationsondifferent
computer(s) connected to both RabbitMQs instead of running all these processes on a single
computationalinstanceasisdoneinthisexample.

32

MQTT
These screenshots show the NodeRED applications where MQTT messages are successfully
beingtransferredoverthedatadiode.

Fig24:ExampleofMQTToverthedatadiodeviaNodeRED

OtherthatdeclaringabindingfortheroutingkeybecauseMQTTsendsto theTopicexchange,no
further modifications had to made to support MQTT. More screenshots can be found in the
appendixonhowtostarttheapplicationstoreproducetheresults.

33

Compression
WiresharkanalysisshowedthattheserializedTemperatureSensorEvents,usedtomimicareallife
sensor,are2378bytes:

Visual inspection of the data showed that there is quite some text and compression and
decompression in the form of
Inflater and
Deflater couldbeused toreducethepacketsize. An
fieldinapplication.propertiescalled

canswitchofforoncompressionandshowedthefollowingresult:

bodyin
bytes

Message
inbytes

Exchange
Message

compressed
inbytes

reduction

temperatuur
sensor

810

2041

2378

1247

52%

MQTT
message

13

1297

1636

927

56%

Withcompression,messagesshowa50%reduction.

34

Encryption
Afterthatweapply encryption tothe sensorstream.Aswecan seepacketsarriveataround750
messages/sec at the black side which are then encrypted and sent over the data diode. This
happens at a rate of 100 messages/sec. On the red side those messages are validated and
decryptedandarrive atthespeedof around100messages/secin the sensorexchangeonthe red
side.

Blackexchanges

Redexchanges

35

Blackqueues

Redqueues

The encryption process cannot keep up because messages arrive at a faster rate than the
encryption process can encrypt them. Normally messages wouldbelostwhena process cannot
keepupbutmessagesarenow storedinthe encryptqueueuntiltheycanbeprocessed.Asolution
would be tostart more encryptionprocessesand becauseasshowncompressionhappensat100
messages/sec and messages arrive at around750messages/sec we wouldprobablyneed7more
encryptionprocesses.
Missingmessages
On the red side missing messages are detected at the SensorListener. The TemperatureSensor
sendsperiodicallyTemperatureSensorEvent tothered side.Since it inherits from
Event ishas a
field index which is an incrementing counter. At the red side it is now trivial to measure
missingpackets:ifthelastindexvalueisnotcurrentindexcountervalueaddedbyone,awarning
isbeingdisplayedinthelogfile.

36

Discussionofresults

Thedevelopedapplication for this dissertationprovides aworkingreferenceimplementationofa


mirrored RabbitMQ over a data diode and includes all the scripts used to measure the
performance. The results of this application show that it possible to transfer data of arbitrary
messagelength over adata diodeandfurthershows that encryption can successfully beusedfor
messages containing sensitive information. Exchangesareautomatically createdandunencrypted
and encrypted messages can successfully be mirrored and decrypted over a data diode.
Everythingismaintenancefree,except forkeymanagement ifencryptionisused.Thetransferred
messages canbe ofarbitrary sizebecause biggermessages aresplitintosmallersegmentsbefore
theyaretransferredoverthediodeandeachtransferredmessageisvalidatedbyachecksum.
Evaluation oftheresultsthusshowthatitisdefinitelyworthtodofurtherresearchtoincreasethe
throughput even further than the currently measured 25MB/sec but in its current form the
applicationissuccessfullydeployedintoproduction.
Followon work in this area isto performance tunethe cut andmerge applicationsand touse a
database asa backendforthereconstructionofmessages.Thecurrentsetupismoreofaproofof
concept: it works but does all the reconstruction in memory. This has the disadvantage that a
restart of theapplicationmeans lossof dataandalso meansthatthesizeofmessages cannot be
bigger thantheamount offree memoryand willenablethepossibilityofreconstructingmessages
inparallelandevenimplementpriorityqueues.

Alsothecurrentimplementationsendspacketsdatatwiceoverthediode tominimisetheimpact
ofpacketloss.Thiscould alsobeaccomplishedbyputtingForwardErrorCorrectionblocksinthe
stream,where theresultofXORingblockscanbeusedtoreconstructamissingblockbuthasthe
advantage that the redundancy factor can be minimised by sending 4 blocksdata and 1block
FECinsteadofsendingeachblocktwice.
Followon work alsoincludesthe useof multiple decryptionkeysfora single messagewiththe
helpofgnupgsothatasinglemessagecouldbedecryptedbymultiplerecipients.

37

6.

Listofreferences

[1]Stevens,MalcolmW.,andM.Pope.AnImplementationofanOpticalDataDiode.
Citeseer,1999.Print.

[2]FoxIT,Products&service,datadiode,protocols,accessed26september2015,

https://www.foxit.com/en/products/datadiode/protocols/

[3]Secunet:SinaOneWayGateway2,accessed29september2015,
http://www.secunet.com/fileadmin/sina_downloads/Produktinfo_englisch/sn_SINA_OWG2_FS_E.pdf

[4]OwlComputingTechnologies:DualDiodeApplications&SoftwareConnectors,
accessed29september2015,

http://www.owlcti.com/products/products_services.html

[5]Advenica:SecuriCDSDataDiodesforNetworkConfidentiality,
accessed29september2015,
https://advenica.com/en/system/files/page/16478v1.0ProductSheet_Data_Diodes_for_Network_Confidentia
lity%281%29.pdf

[6]Seclab:DenelisDataDiode,accessed29sept2015,

http://www.seclabsolutions.com/products/denelisdatadiode

[7]
Dimou,I.,etal."DemonstrationofaCrossSecurityDomainServiceManagement
CapabilityforFederatedMissions."
MilitaryCommunicationsConference(MILCOM),
2014IEEE
.IEEE,2014.

[8]
Wetenregelgeving,Besluittechnischehulpmiddelenstrafvordering,
Artikel10.Datumentijdregistratie,26october2015

[9]Wetenregelgeving,Besluittechnischehulpmiddelenstrafvordering,

Artikel12.Beveiligingtechnischhulpmiddel,26october2015

[10]Wetenregelgeving,Besluittechnischehulpmiddelenstrafvordering,

Artikel14.Opslagsignalen,
26october2015

[11]Bellare,Mihir,andChanathipNamprempre."Authenticatedencryption:Relationsamongnotions
andanalysisofthegenericcompositionparadigm."
AdvancesinCryptologyASIACRYPT2000

(2000):page531545.

[12]Menezes,AlfredJ,PaulCVanOorschot,andScottAVanstone.
Handbookofapplied
cryptography
.CRCpress,1996.

[13]Bellare,Mihir,PhillipRogaway,andDavidWagner."TheEAXmodeofoperation."
FastSoftware
Encryption
1Jan.2004:389407.

[14]Pitt,Esmond.
FundamentalnetworkinginJava
.SpringerScience&BusinessMedia,2005
page258

38

7.

Appendices

Allofthesourcecodeforthereferenceapplicationcanbefoundongithub:

RabbitMQApplications
:DataDiode

Checkthecodeoutwithgitonbothnodesandstarttheinfrastructurewithdockercompose:

39

Tunethenetworkparametersforhighperformancethroughput
#!/bin/bash
ifconfigp1p1192.168.1.1mtu9710txqueuelen1000up
arps192.168.1.2<<INTERFACEMACADDRESSRED>>
iprouteadddefaultvia192.168.1.1
sysctlw\
net.core.wmem_max=26214400\
net.core.wmem_default=8388608\
fs.filemax=100000\
vm.swappiness=10\
net.core.optmem_max=40960\
net.core.netdev_max_backlog=50000\
net.ipv4.udp_mem='838860883886088388608'\
net.ipv4.udp_wmem_min=8388608\
net.ipv4.conf.all.send_redirects=0\
net.ipv4.conf.all.accept_redirects=0\
net.ipv4.conf.all.accept_source_route=0\
net.ipv4.conf.all.log_martians=1\
net.netfilter.nf_conntrack_max=262144\
net.nf_conntrack_max=262144

network_tune.sh:tuneblackside(sender)

#!/bin/bash
ifconfigp1p1192.168.1.2mtu9710
arps192.168.1.1<<INTERFACEMACADDRESSBLACK>>
sudosysctlw\
net.core.rmem_max=86214400\
net.core.rmem_default=46214400\
fs.filemax=2097152\
vm.swappiness=10\
net.core.optmem_max=80960\
net.core.netdev_max_backlog=70000\
net.ipv4.udp_mem='262144002621440026214400'\
net.ipv4.udp_rmem_min=26214400\
net.ipv4.conf.all.send_redirects=0\
net.ipv4.conf.all.accept_redirects=0\
net.ipv4.conf.all.accept_source_route=0\
net.ipv4.conf.all.log_martians=1\
net.netfilter.nf_conntrack_max=262144\
net.nf_conntrack_max=262144

network_tune.sh:tuneredside(receiver)

40

http://rabbitblack/#/exchanges

http://rabbitred/#/exchanges

41

STARTBLACK

STARTRED

42

Verify that asensor sendsitsmessagesperiodicallyto the blackside,whicharemirroredoverto


theredside.

http://rabbitblack/#/exchanges

http://rabbitred/#/exchanges

Go to the NodeRED instance and add aInject inputnodeandcallittimestamp whichwill


send a timestamp everytimethebutton is pushedandaddit to aMQTToutputnode where the
brokeristheblacksideRabbitMQ.

43

http://nodered/#

Test the setup by pushing a few times on the button in NodeRED and see that messages are
indeedbeingsendfromtheblacksideovertotheredside.

44

http://rabbitblack/#/exchanges/%2F/amq.topic

http://rabbitred/#/exchanges/%2F/amq.topic

45

http://rabbitblack/#/exchanges/%2F/amq.topic

http://rabbitred/#/exchanges/%2F/amq.topic

The MQTT events will be send to the topicexchange butwillnot landinthequeueonthe red
side because the messages contain arouting key.To get the MQTTmessagesfrom NodeRED,
webindthetopicexchangewiththeroutingkeytimestamp.

46

http://rabbitred/#/queues/

47

Now that the queue timestamp is bound to the exchange amqp.topicwiththerightrouting


keymessagesarebeingcollectatthequeueontheinside.

http://rabbitred/#/queues/%2F/timestamp

48

ThisisthecontentsoneoneofthoseMQTTmessages.

49

DOCKERCOMPOSE.YML
volumes:
image:
tianon/true

volumes:

"./volumes/nodered/:/root/.nodered/"

"./volumes/rabbitmq/lib:/var/lib/rabbitmq/"

"./volumes/ldap/:/var/lib/ldap"

"./volumes/slap/:/etc/ldap/slapd.d"

proxy:
image:
jwilder/nginxproxy

ports:

"80:80"
volumes:

"/var/run/docker.sock:/tmp/docker.sock:ro"

restart:
always

log_driver:
"jsonfile"

log_opt:
maxsize:
"100k"

maxfile:
"20"
rabbitblack:
build:
rabbitmq/

restart:
always

environment:
RABBITMQ_NODENAME:
rabbitblack

VIRTUAL_HOST:
rabbitblack

VIRTUAL_PORT:
15672

hostname:
rabbitblack

volumes_from:

"volumes"

ports:

"1884:1883"

"5673:5672"

"25673:25672"

"1234:1234/udp"

expose:

"15672"

links:

proxy

50

rabbitred:
build:
rabbitmq/

restart:
always

environment:
RABBITMQ_NODENAME:
rabbitred

VIRTUAL_HOST:
rabbitred

VIRTUAL_PORT:
15672

hostname:
rabbitred

volumes_from:

"volumes"

ports:

"1885:1883"

"5674:5672"

"25674:25672"

"1235:1234/udp"

expose:

"15672"

links:

proxy

nodered:
image:
beevelop/nodered

environment:
VIRTUAL_HOST:
nodered

VIRTUAL_PORT:
1880

expose:

"1880"

volumes_from:

"volumes"

restart:
always

links:

rabbitblack
pro
xy

51

CONTENTSOFENCRYPTEDANDDECRYPTEDCLASSESINJSON
SecureMessage.java:
{
"secureMessage":{
"index":1,
"signature":
"EQE6lLamLrnf5QEaivpaW6XFUrZYQbLpuN0WI10qLQSX2MwLkMni9Iv4Kn
oF/z9OIMPonk1EWNtn\nyza7JD+sPc1nyOd4frRs+NqWQqmJ7xGnFcnxAGv
FjbVUg50kpCs2xu9f8F1GMLOhLHih3wKkiX5T\nfQTh/YgTjOQt/aeVTbd7
W6JM479cB6D+9OQrhTQa/Yz+ut+0+ppBublX9drSizpoasnsWXWJbqLn\nC
AG/xWow7co/zYcg9FznaOJXWaX/trDaKfL1WGmHIEXBNWHzlko8925uw3zL
YGujmR5TlxHMidrz\n78l/AlasX3ur8yDizVRmuham1Tlj0PlXLclOHg==",
"encryptedKey":
"T6rqFFtYNxZ4C2GQFG7UGyzNH0tpvVNKlSB5jZZh5ATCF5H3NrHCNEsBU5
LGlkomk0AsmSRH5JwQ\nFQQCSiEJa32OEroGFnqqKyK3csBkcchlPWsYwp6
Z7dPmphMKK4gVzm5XGlGZ9La2m3JOqjLMQkAd\nxCXgxBGdhD9jyGl1XwGh
mmsNlI1aOGB62F4lCz69IOqPjkKkRO6L6RakFZvdCId8glDoMxc3V/xu\nr
Q090VfasifihKfaIwos4b/jaqEM+AJzYzaFKUX3turQ/JSatlt7TLTtJQKR
xllbCpJOJkSHagxH\n99evUwDai5cBvjkZmVj+xea/mI9zaxKUTrmiVw==",
"encryptedData":
"MFKbRKjxCbcXAe+BdNt0nfsfhz0ARaJsnYzFCCoZWz4L/+/hdnuIakQCx0
m4SBZRWE19xm1TaAsV\nh1qBz4WVXbayVP/OIhAqlscNtbceuESjmkHRqW8
Bj334YsxPoT1nNy++A0MVmn7KpVFIhhvzdwB7\nqMJ9uJI9aMUwzj9RaizU
GOmiMMuZfKo999+q36tNaVbhv4za7mk0LlgARRasXm0owSSvPnYLxIHw\n3
ozh7q5bKHbBq4oENkfPcoOdqUHX4l+k3+tZxnD9Fk0ndRZTkCi4nGywfelM
U4GM4wHewdeZlpiF\nRzA5VRXB3tSRIEc2whbiFECeB8+oLXI+JYCpE0Cln
m2ITag1iOaA20XRDORAQhYHFPFaP/DlbzR7\nmP9hCUp4Yh9efg/PoM99Z0
QhV/o7vmUscuzx7SABR/fnntvy/CFnfTWpNzS7TLyPxrbKaZ3IQbb\n6Vgv
l2BUNf6Q/crgVtVslMfIjYNhHiAVUjtJmSjodXTtv2brW1KcIGAlbYBUxk9
3P+w70wFwF8Hb\ndQ==",
"iv":"ggAWY9MQYfcYs9PpZ6/kMg=="
}
}
ExchangeMessage.java:
{
"org.datadiode.model.message.ExchangeMessage":{
"message":{
"messageProperties":{
"headers":[
""

52

],
"contentType":"application/xjavaserializedobject",
"contentLength":0,
"contentLengthSet":false,
"deliveryMode":"PERSISTENT",
"priority":0,
"redelivered":false,
"receivedExchange":"sensor",
"receivedRoutingKey":"bWFyY2Vs",
"deliveryTag":1,
"deliveryTagSet":true,
"messageCount":0,
"consumerTag":"amq.ctagpwWjY2tzUjdS01cdVEnQQw",
"consumerQueue":"encrypt"
},
"body":[

"rO0ABXNyAENvcmcuZGF0YWRpb2RlLm1vZGVsLmV2ZW50LnNlbnNvci50ZW1wZXJhdHVyZS5UZW1w\nZXJhdHVy
ZVNlbnNvckV2ZW50vqbEUzgjq5cCAAFEAAt0ZW1wZXJhdHVyZXhyACxvcmcuZGF0YWRp\nb2RlLm1vZGVsLmV2Z
W50LnNlbnNvci5TZW5zb3JFdmVudAmQNj9AL5ShAgABTAAGc2Vuc29ydAAp\nTG9yZy9kYXRhZGlvZGUvbW9kZW
wvZXZlbnQvc2Vuc29yL1NlbnNvcjt4cgAfb3JnLmRhdGFkaW9k\nZS5tb2RlbC5ldmVudC5FdmVudNLl636osM1
5AgADSQAFaW5kZXhMAARkYXRldAAQTGphdmEvdXRp\nbC9EYXRlO0wABHV1aWR0ABBMamF2YS91dGlsL1VVSUQ7
eHAAAAABc3IADmphdmEudXRpbC5EYXRl\naGqBAUtZdBkDAAB4cHcIAAABUMijD9J4c3IADmphdmEudXRpbC5VV
UlEvJkD95hthS8CAAJKAAxs\nZWFzdFNpZ0JpdHNKAAttb3N0U2lnQml0c3hwpkAZpTilJvLObegL2JVCfnNyAD
5vcmcuZGF0YWRp\nb2RlLm1vZGVsLmV2ZW50LnNlbnNvci50ZW1wZXJhdHVyZS5UZW1wZXJhdHVyZVNlbnNvcnj
ZPEmG\nuRW0AgAAeHIAJ29yZy5kYXRhZGlvZGUubW9kZWwuZXZlbnQuc2Vuc29yLlNlbnNvcjHcbb41TAJ6\nAg
AESQACaWRMAAtnZW9Mb2NhdGlvbnQAJ0xvcmcvZGF0YWRpb2RlL21vZGVsL2V2ZW50L0dlb0xv\nY2F0aW9uO0w
ACHRhcmdldGlkdAASTGphdmEvbGFuZy9TdHJpbmc7TAAEdHlwZXEAfgAOeHAAAAAB\nc3IAJW9yZy5kYXRhZGlv
ZGUubW9kZWwuZXZlbnQuR2VvTG9jYXRpb26jX4d5RdqQaAIAAkQACGxh\ndGl0dWRlRAAJbG9uZ2l0dWRleHBAS
jCJQ+EAYEATmQRwqAjIdAAIYldGeVkyVnN0AAt0ZW1wZXJh\ndHVyZUA1dmRNFdwU"
]
},

"exchangeData":"{\"org.springframework.amqp.core.FanoutExchange\":{\"shouldDeclare\":tr
ue,\"declaringAdmins\":[{\"@class\":\"list\"}],\"name\":\"sensor\",\"durable\":true,\"a
utoDelete\":false,\"arguments\":[{\"@class\":\"linkedhashmap\"}]}}"
}
}

53

TemperatureSensorEvent.java
{
"org.datadiode.model.event.sensor.temperature.TemperatureSensorEvent":{
"index":1,
"date":"2015110214:39:01.74UTC",
"uuid":"ce6de80bd895427ea64019a538a526f2",
"sensor":{
"@class":"
org.datadiode.model.event.sensor.temperature.TemperatureSensor",
"type":"temperature",
"id":1,
"geoLocation":{
"longitude":4.899431,
"latitude":52.379189
},
"targetid":"bWFyY2Vs"
},
"temperature":21.4624679735535
}
}

54