CCSDS Security WG meeting October 2008, hosted by DLR at DIN premises (Berlin)

Data Link Security BOF
An ESA contribution on Lessons Learned and Issues/Questions for the WG Charter
I. Aguilar / D. Fischer



Some lessons learned (1)

• Padding or no padding?
  – Consider the impact of data padding:
    • A pseudo protocol is required to handle padding generation at the source and processing/removal at the sink.
    • Need to identify and define the length and position of the padding data.
    • Impacts throughput.
    • Feasibility for very high data rates?
  – A solution:
    • Choose cryptographic algorithms that eliminate the need for padding.

• Key synchronization
  – Critical operational concern: how to make sure that both ends of the secured communication session achieve and maintain cryptographic key synchronization in all conditions.
  – A solution:
    • Use data-driven synchronization;
    • The transmitted message contains a pointer to the key to be used;
    • Telemeter the on-board set pointer;
    • Mirror the on-board and on-ground key memories.
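The padding "pseudo protocol" of the first bullet, written out as an added example (not code from the ESA presentation): the source pads each frame to a block boundary and records the padding length in the last octet, the sink validates and strips it, and the throughput cost for a given frame length is computed. The block size, the trailing position of the padding and the length encoding are assumptions made here.

```python
# Added example: block-aligned padding at the source, validation and removal at the sink.
# Assumed: 16-octet block size, padding placed at the end of the frame, filler octets are
# zero and the final octet holds the padding length (always 1..BLOCK, so the sink can
# locate it without any out-of-band information).

BLOCK = 16  # assumed cipher block size in octets


def pad_at_source(frame: bytes, block: int = BLOCK) -> bytes:
    """Append 1..block octets so the frame length becomes a multiple of the block size."""
    n = block - (len(frame) % block)
    return frame + bytes(n - 1) + bytes([n])


def unpad_at_sink(padded: bytes, block: int = BLOCK) -> bytes:
    """Strip the padding, rejecting any frame whose padding is not internally consistent."""
    if not padded or len(padded) % block:
        raise ValueError("frame not block aligned")
    n = padded[-1]
    if not 1 <= n <= block or any(padded[-n:-1]):
        raise ValueError("inconsistent padding")
    return padded[:-n]


def padding_overhead(frame_len: int, block: int = BLOCK) -> float:
    """Fraction of link capacity spent on padding for frames of the given length."""
    if frame_len <= 0:
        raise ValueError("frame length must be positive")
    return (len(pad_at_source(bytes(frame_len), block)) - frame_len) / frame_len
```

For short telecommand frames the overhead is large (a 20-octet frame is padded to 32 octets, 60% overhead), which is the throughput concern the slide raises.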


Some lessons learned (2)

• Secure and clear modes management: accommodation and impacts
  – Presence or absence of the security protocol may imply presence or absence of certain data structures.
  – Throughput needs to be adapted according to mode.
  – Change data rate:
    • An obvious solution with significant implications on implementations, e.g., more complexity.
  – A preferred solution:
    • Use data structures whose data length can be modulated (short for secure mode, long for clear mode).

• Exceptions
  – Critical operational concerns: COP-1 not always present. Telemetry not always present.
  – Still, Telecommand security has to work.
    • Problem with anti-replay management and blind commanding.
  – A solution:
    • Relax the anti-replay management condition: rather than anti-replay parameter equality, accept a window of parameter values.
    • Caveat: security is degraded.


Some lessons learned (3)

• Logical and physical placement interaction
  – The same protocol design can have different throughput impacts according to the physical implementation.
  – Position before the on-board segment processor:
    • Timing and flow control between control and data frames managed with guard times.
    • Strong throughput impact: up to 50% reduction.
  – Choice driven by industrial planning considerations.
  – Throughput penalty acceptable for that application (GSO telecom satellite).
  – Solution would not be acceptable for other applications (e.g., short contact times).


Some lessons learned (4)

• Command authentication/decryption are Vital functions as defined by ESA.
  – A function that is essential to mission success and that can cause permanent mission degradation if not executed when it should be, or wrongly executed, or executed in the wrong context.

• Need to have ALWAYS an indication of the TC authentication/decryption protocol status, regardless of the spacecraft telemetry process.
  – Similar to the CLCW with RF flags and COP-1.
  – Two free bits in the CLCW (4 indications?).


Some questions for the WG Charter (1)

• What does a Security Association comprise in our context?
  – Cryptographic algorithm and configuration.
  – Configuration implies mode of operation, IV, cryptographic key length.
  – Freshness parameter.

• Entities on the ground and entities on the spacecraft: typically 2 on each side. Implication:
  – At least 4 security associations.

• Protocol data structures shall support the identification of the ongoing security association between ground and spacecraft.
  – Ability for the ground to address a primary or secondary on-board security function.
  – Ability for the spacecraft to identify and manage all the security associations.


Some questions for the WG Charter (2)

Data Link Security protocol

• What does it mean to protect the data link? Which are the data structures within the data link format that would be protected/affected?
  – Input for the WG Charter: options need to be identified and studied.
  – Preliminary work already reported in the Green Book.
  – One proposal provided by NASA for this meeting.
  – Others were reported in various papers at the ESA TT&C 2007 Workshop and in ESA studies.


Some questions for the WG Charter (3)

Payload Data Encryption

• Very High Speed Downlink requires a multi-carrier signal ergo multiple parallel data streams.

• Multiple instances of encryption or a single instance before de-multiplexing?

• Where is the Data link de-multiplexed? Virtual Channel?


Some questions for the WG Charter (4)

Anti-replay management

• Freshness required on Authenticated Data.

• Freshness field shall be used not only for MAC generation but it shall also be transmitted.

• COP-1 assumptions?

• Freshness field length and key management: independent?
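The data-driven key synchronization of lessons learned (1), the relaxed anti-replay window and its caveat of lessons learned (2), and the transmitted freshness field above, worked through as an added example that is not ESA's or CCSDS's code: a sink-side check of an authenticated telecommand frame whose security header carries a key pointer into a mirrored key memory and a freshness counter, with a status that is always available for telemetering. The header layout (one-octet key pointer, 32-bit counter), the truncated HMAC-SHA256 tag, the key table contents and the window size are all assumptions made for this example.

```python
import hashlib
import hmac
import struct

# Mirrored key memory, identical on board and on ground (constructed keys, not real ones).
KEY_MEMORY = {0: b"\x11" * 16, 1: b"\x22" * 16, 2: b"\x33" * 16}
HDR = struct.Struct(">BI")      # assumed security header: key pointer, 32-bit freshness counter
MAC_LEN = 16                    # assumed: HMAC-SHA256 tag truncated to 128 bits

def build_frame(payload: bytes, key_idx: int, counter: int) -> bytes:
    """Source side: header + payload + MAC computed over header and payload."""
    header = HDR.pack(key_idx, counter)
    tag = hmac.new(KEY_MEMORY[key_idx], header + payload, hashlib.sha256).digest()[:MAC_LEN]
    return header + payload + tag

class TcReceiver:
    """Sink side. window=1 is strict counter equality; a larger window tolerates frames lost
    during blind commanding at the cost of weaker replay protection (the slide's caveat)."""
    def __init__(self, window: int = 1):
        self.window = window
        self.expected = 0           # next freshness value expected from the ground
        self.key_idx = None         # key pointer of the last accepted frame
        self.status = "IDLE"        # to be reported with every status report, CLCW-style
    def report(self):
        """Status, key pointer and counter that should always be telemetered."""
        return (self.status, self.key_idx, self.expected)
    def process(self, frame: bytes):
        if len(frame) < HDR.size + MAC_LEN:
            self.status = "REJECT_LENGTH"
            return None
        key_idx, counter = HDR.unpack(frame[:HDR.size])
        body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
        key = KEY_MEMORY.get(key_idx)
        if key is None:
            self.status = "REJECT_KEY"
            return None
        # Verify the MAC before the counter so unauthenticated frames never move anti-replay state.
        want = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(tag, want):
            self.status = "REJECT_MAC"
            return None
        if not self.expected <= counter < self.expected + self.window:
            self.status = "REJECT_REPLAY"
            return None
        self.expected = counter + 1  # the window only ever moves forward
        self.key_idx = key_idx
        self.status = "ACCEPT"
        return body[HDR.size:]
```

With window=1 a single lost frame blocks all later commands until the ground resynchronizes; with a larger window the lost frame is tolerated, but any counter value inside the window that has not yet been consumed remains acceptable, which is exactly the degradation the slide notes.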


Some questions for the WG Charter (5)

Channel error propagation: relationship with security

• Security shall not multiply transmission channel errors.

• Does security protocol design need to consider a minimum channel error performance?

Authentication

• Protects against intentional manipulation of data.

• Protection against random data manipulation (e.g., transmission channel errors) is the responsibility of other protocols: CRC and coding provide detection and sometimes correction of channel errors.


Some questions for the WG Charter (6)

Interoperability/integration with COP-1

• What are the COP-1 assumptions for the definition and operation of a Data Link Security protocol?

• AD mode? BD mode? BC mode?

• Should the data link security protocol be concerned with COP-1 control frames?


Some questions for the WG Charter (7)

How to accommodate both secure and clear modes without much impact on the other protocol layers?

• Consider secured and clear modes management.


Some questions for the WG Charter (8)

Which implementation assumptions, if any, need to be considered?

• Experience has shown (see previous slides on lessons learned) that implementation constraints can drive protocol design.

• A protocol designed in full isolation from implementation realities is likely to fail to be adopted.

• Some implementation realities and constraints are Agency dependent.

• Is there a chance to find some common ground for the benefit of all Agencies?