1
00:00:00,780 --> 00:00:05,850
In the local networking lecture in this section, we saw how easy it is to communicate over the local

2
00:00:05,850 --> 00:00:09,210
network to retrieve data from other raw systems.

3
00:00:09,570 --> 00:00:14,970
There may be times where you want to secure that data from prying eyes, in which case you can secure

4
00:00:14,970 --> 00:00:18,900
your Ross message streams using Ross two Security features.

5
00:00:20,290 --> 00:00:23,990
These security configurations are part of the Se ROS package.

6
00:00:24,010 --> 00:00:29,050
You can check out the ROS index page for more information about ROS, but in my opinion, one of the

7
00:00:29,050 --> 00:00:36,070
best resources to learn is ROS is the introduction to ROS two security tutorial page on the ROS docks.

8
00:00:36,070 --> 00:00:41,200
So in this lecture we're going to follow this tutorial together to create a keystore, generate keys

9
00:00:41,200 --> 00:00:47,260
and certificates and then use them to encrypt our ROS message streams by passing it in as arguments

10
00:00:47,260 --> 00:00:49,060
when we launch our notes.

11
00:00:49,900 --> 00:00:55,090
Keep in mind that these keys and certificates we generate should never be stored with your code base,

12
00:00:55,090 --> 00:01:01,330
such as part of a GitHub repo for your package, but instead generated and copied on an as needed basis

13
00:01:01,330 --> 00:01:03,580
on the computers you are using them on.

14
00:01:03,940 --> 00:01:09,130
That is because you do not want others to be able to access these keys and certificates to decode your

15
00:01:09,130 --> 00:01:14,590
message streams should your code be compromised or accessed by an unauthorized individual.

16
00:01:15,040 --> 00:01:20,650
Examples of this in real life is Uber's 2016 data breach in which they stored private keys on a GitHub

17
00:01:20,650 --> 00:01:26,290
repo which became compromised, leading to 57 million customers data being leaked.

18
00:01:26,710 --> 00:01:32,230
Keep in mind that the most realistic ROS applications will generally only be related to specific message

19
00:01:32,230 --> 00:01:38,290
streams, such as image feeds, which may showcase a trade secret process at a manufacturing facility,

20
00:01:38,440 --> 00:01:42,430
or sending any personal info over ROS for a robot to process.

21
00:01:42,820 --> 00:01:44,320
But with that, let's jump in.

22
00:01:45,160 --> 00:01:49,600
So at the beginning of this tutorial it goes over some background as well as some arguments which you

23
00:01:49,600 --> 00:01:53,350
need to pass in if you're building ROS two from source.

24
00:01:53,350 --> 00:01:58,360
So if you want to use these features utilizing what we did in the last lecture, make sure to include

25
00:01:58,360 --> 00:02:00,610
these C make arguments D security on.

26
00:02:00,610 --> 00:02:05,260
But if you're going to be utilizing your binary installation, that's fine.

27
00:02:05,260 --> 00:02:07,120
We can just go ahead and move on.

28
00:02:07,120 --> 00:02:12,760
Then it talks about using alternative middleware, such as using alternative communication architectures.

29
00:02:12,760 --> 00:02:18,970
This is a more advanced topic and would generally only be pursued if you had incredibly strict or specific

30
00:02:18,970 --> 00:02:20,440
security implementation options.

31
00:02:20,440 --> 00:02:22,690
So for now, we are not going to worry about this.

32
00:02:22,690 --> 00:02:28,090
So finally getting started, we will be creating a directory to store our keys and certificates.

33
00:02:28,090 --> 00:02:33,850
So in this tutorial they just create a directory in the user's home directory called SW Ros to demo,

34
00:02:33,850 --> 00:02:36,520
which I'll just go ahead and follow along with for simplicity.

35
00:02:36,520 --> 00:02:42,850
So I'll just go ahead and drag this browser tab to the side and open up a terminal on the other side.

36
00:02:44,790 --> 00:02:47,010
Then we can run the command to make the directory.

37
00:02:50,770 --> 00:02:51,160
All right.

38
00:02:51,160 --> 00:02:55,360
So that's gone ahead and created our Rasta demo directory.

39
00:02:56,980 --> 00:02:59,660
Then step two has us create a keystore.

40
00:02:59,680 --> 00:03:05,860
So we'll go over to our terminal and change it to our directory and run this ROS to security terminal

41
00:03:05,860 --> 00:03:09,580
command to configure a keystore which we are calling demo Keystore.

42
00:03:10,840 --> 00:03:15,010
Now, normally you would name this according to the project you are working on to better describe what

43
00:03:15,010 --> 00:03:16,690
the keys are trying to secure.

44
00:03:16,690 --> 00:03:19,450
But again, I'll just keep it as is for simplicity.

45
00:03:19,450 --> 00:03:25,150
So now I can open up my file explorer window, go into my two demo folder, and here we have our demo

46
00:03:25,150 --> 00:03:25,930
Keystore.

47
00:03:25,930 --> 00:03:30,670
And here we see that that command has generated some folders, which includes information about our

48
00:03:30,670 --> 00:03:36,190
keystore and is going to be storing our keys and certificates that we're going to be generating in step

49
00:03:36,190 --> 00:03:36,700
three.

50
00:03:37,030 --> 00:03:42,040
So the way we go about doing this is using the ROS to security's create Enclave command.

51
00:03:42,040 --> 00:03:46,420
Essentially we just pass it in the name of the Keystone, which in this case ours is demo underscore

52
00:03:46,450 --> 00:03:51,850
keystore, which we just created, followed by the name of these keys and certificates.

53
00:03:51,850 --> 00:03:57,790
This name is usually organized as a type of project description, followed by a forward slash, and

54
00:03:57,790 --> 00:04:00,310
then the node names you plan to use it on.

55
00:04:00,310 --> 00:04:04,890
You need to make sure to run this create enclave command for each node you plan to secure.

56
00:04:04,900 --> 00:04:10,750
So for this tutorial, we're going to be launching the demo talker and listener nodes that we've been

57
00:04:10,750 --> 00:04:12,310
launching in previous lectures.

58
00:04:12,310 --> 00:04:16,300
So the naming is relatively arbitrary, but it's a good rule of thumb to help keep your enclaves organized

59
00:04:16,300 --> 00:04:17,410
and understandable.

60
00:04:17,410 --> 00:04:19,330
So let's go ahead and run these commands.

61
00:04:22,900 --> 00:04:25,400
And with that, we've created our enclave.

62
00:04:25,420 --> 00:04:30,370
So if I go into the Enclaves folder, we now have the Talker listener hierarchy, and if we go into

63
00:04:30,370 --> 00:04:34,870
that, we see the entries created for the Talker node and the entries created for the listener node.

64
00:04:34,870 --> 00:04:41,200
And this contains various keys and certificates which will be utilizing to secure our message streams.

65
00:04:43,010 --> 00:04:47,930
Now that we've generated our keys and certificates, we need to define some environment variables so

66
00:04:47,930 --> 00:04:50,300
Ross knows where to look for our key stores.

67
00:04:50,300 --> 00:04:52,850
You'll need to do this for each terminal environment.

68
00:04:52,850 --> 00:04:58,460
So in production you can include these environment variables in a launch file or bash C file, but for

69
00:04:58,460 --> 00:05:02,000
now we will just run the commands manually for each new terminal.

70
00:05:02,000 --> 00:05:05,630
So just go ahead and copy this, which basically points to our keystore directory.

71
00:05:05,630 --> 00:05:11,540
Enable security and the type of strategy which we just claim as in force.

72
00:05:12,950 --> 00:05:18,590
Then I can scroll down and we can see we can run my talker node by calling Ros to run and configuring

73
00:05:18,590 --> 00:05:25,370
the Ross arguments to utilize the Enclave Talker listener slash talker for the Talker node.

74
00:05:25,370 --> 00:05:27,260
So I'll go ahead and copy this.

75
00:05:31,780 --> 00:05:35,160
And here we see our Hello World messages publishing to the screen.

76
00:05:35,220 --> 00:05:40,150
So now if I open up a new terminal and let's see if we can access the chatter topic that is publishing

77
00:05:40,150 --> 00:05:41,080
these messages.

78
00:05:43,750 --> 00:05:46,510
And we only see the parameter events and Ros alt topics.

79
00:05:46,510 --> 00:05:48,460
No indication of the chatter topic at all.

80
00:05:48,460 --> 00:05:50,200
So let's, let's try checking for the note.

81
00:05:52,860 --> 00:05:53,520
Still nothing.

82
00:05:53,520 --> 00:05:56,640
So for safekeeping, let's try run our listener node like normal.

83
00:06:06,400 --> 00:06:08,380
And we see no messages are being received.

84
00:06:08,380 --> 00:06:10,120
So I'll just go ahead and stop this.

85
00:06:10,120 --> 00:06:14,530
And now let's try and set our environment variables for our keystore.

86
00:06:19,260 --> 00:06:25,770
And now relaunch the node using the ROS arguments with our Enclave Talker listener, listener, keys

87
00:06:25,770 --> 00:06:26,550
and certificates.

88
00:06:26,600 --> 00:06:27,810
I'll go ahead and copy that.

89
00:06:31,080 --> 00:06:37,620
And now we're actually able to receive our Hello World messages being published from our Talker note.

90
00:06:37,800 --> 00:06:42,840
So compared to having everything open as we did before, we have secured our communication streams from

91
00:06:42,840 --> 00:06:43,850
prying eyes.

92
00:06:43,860 --> 00:06:48,420
You can implement this feature across devices as well as using what we learned from the local networking

93
00:06:48,420 --> 00:06:49,050
lecture.

94
00:06:49,050 --> 00:06:54,720
You'll just need to make sure you copy your keystore to any additional devices and use them accordingly.

95
00:06:54,750 --> 00:06:59,100
Now, by all means, this is a pretty sufficient introduction to Ross security, but there are so much

96
00:06:59,100 --> 00:07:04,140
more fine tuned control which you can implement if you and your organization desires, such as setting

97
00:07:04,140 --> 00:07:07,470
up access control by generating policies and creating permissions.

98
00:07:07,470 --> 00:07:11,550
So if that interests you, feel free to check out the following tutorial, which you can find on the

99
00:07:11,550 --> 00:07:14,250
left side of the page in the security section.

100
00:07:15,840 --> 00:07:21,000
So this goes into actually setting up permissions documents for finer tuned control of your security.

101
00:07:21,000 --> 00:07:24,380
But again, this is more advanced than most users will have to get into.

102
00:07:24,390 --> 00:07:26,790
So we're not going to worry about that for right now.

103
00:07:28,540 --> 00:07:34,750
But with that you are able to secure your Ross message streams by creating a keystore generating enclaves

104
00:07:34,750 --> 00:07:40,930
for each node, then configuring our environment variables to use the enclave and implemented them at

105
00:07:40,930 --> 00:07:42,040
Node runtime.

106
00:07:42,550 --> 00:07:48,460
As always, a constant reminder to never store these key stores within your code base as it can compromise

107
00:07:48,460 --> 00:07:49,780
your production systems.

108
00:07:49,780 --> 00:07:54,640
If someone gains access to your code, such as through an online GitHub repository.