Security WG: Report of the Spring 2006 Meeting Rome, Italy June 16, 2006 Howard Weiss NASA/JPL/SPARTA

Planned Meeting Agenda  12 June 2006  : CCSDS Opening Plenary  : Systems Engineering Area (SEA) Plenary  : Lunch  : Welcome, opening remarks, logistics, agenda bashing,  : Review results of Fall 2005 SecWG meeting in AtlantaAtlanta  : Security Architecture Document Discussions (Kenny)  : Coffee break  : Encryption Algorithm Document (Weiss)  : Authentication/Integrity Algorithm Document (Weiss)  13 June 2006  : Joint meeting with Navigation, Asynchronous Messaging Service (AMS), and Spacecraft Monitoring & Control WGs, SANA  : Lunch  : Charter and Workplan revision (forward directions, new work items, etc) (All)  : Secure Interconnection Guide (Weiss)  : Coffee break  : Key management discussion (Kenny)  : Any other business (SCID resolution?, others?)

Attendance NameOrganization Address Howard Weiss Martin Stephane Ignacio Stefano Daniel Peter Jean Pierre Gavin Kenny Marc Wallace Bob Kelvin Lorenzo

Executive Summary  Attendees from CNES, BNSC, ESA/ESOC, ESA/ESTEC, ESA/ESRIN, DLR, NASA/MSFC, ASI, CSA (Viagenie) and NASA/JPL.  Major participation by ESA! Majority of attendees from multiple establishments.  Discussed and revised the SecWG Security Architecture documents and decided that it should not be Blue but rather (probably) Magenta. Fold key management into architecture document.  Discussions regarding whether this architecture should be informational or proscriptive  Final thoughts that it should be informational  Discussed the encryption and authentication draft documents.  Some controversy on this – ESA did not see the need for standardizing on algorithms They didn’t need it for interoperability They want more than just algorithms  Agreement to add more “meat” to the drafts to further explain the need and desirability to have such recommendations.  Revised the charter and workplan. Working group to think more about the workplan and provide comments to finalize the revision.  Discussed the draft of the secure interconnection guide. Major concern was that it was too generic whereas the original NIST was too US Govt centric. Agreed to make the document more space-centric.  Discussed and agreed to a resolution of the public exposure of SCIDs.  Held a successful joint meeting with SM&C, Navigation, AMS, and SANA  Agreed to develop a strawman security architecture/design in response to SM&C requirements.

Summary of Goals and Deliverables 1. Security Green Book revision is complete rev 2 has been posted to the CCSDS web site. 2. Threat Document – a few more CESG comments from the 2 nd round of polling need to be folded in and then it should be competed. 3. Security Architecture document will be revised and restructured based on meeting discussions. Threat/architectural response restructuring. 4. Encryption and Authentication Algorithm documents will be revised with more rationale and explanation of need for adoption by CCSDS. 5. Secure Interconnection Guideline will be revised. 6. Development of security design/architecture for SM&C. 7. Continue to work with other Areas and their WGs with respect to security.

Progress Achieved  Agreed that the Security Architecture should not be proscriptive but rather informational. Key management will be folded into the architecture rather than be stand-alone. Still some issues to be resolved regarding “universal” use of public key mechanisms vs. “traditional” symmetric systems. ESA perceives public key as much too complicated. ESA also perceives a need for non-proscriptive architecture, although AMS and SM&C tended to want security handed to them so that they could just use it.  Reviewed the encryption and authentication algorithm documents.  ESA/ESTEC did not see a need for such algorithms for interoperability. They do not plan any interoperability.  They did not want a proscriptive standard forcing them to use a specific algorithm.  Agreed that a CCSDS recommendation would not force any Agency into algorithm usage even though all agreed that AES was a “no-brainer.”  Joint meeting with SM&C, Navigation, AMS, and SANA. SecWG, SANA, AMS, and SM&C presented overviews of their respective working groups. All the other WGs were unanimous in looking for proscriptive, off-the-shelf security solutions that they could pick up and use for their work areas!  SecWG agreed to provide a security architecture/design to meet SM&C needs.  Agreed to enhance the draft secure interconnection guide to make it more space-centric  Current draft is perceived to be too generic after removal of US Government-centricities.

SEA Area MID-TERM REPORT SUMMARY TECHNICAL STATUS 1.Security WG Goal: Working Status: Active __X_ Idle ____ Summary progress: Three documents actively being produced (Security Architecture, Threat, Encryption, Authentication, Secure Interconnection). All docs green except for security architecture. Progress since last meeting: Completed Green Book, completed Threat, draft Encryption and Authentication Algorithm documents, draft secure interconnection doc. Problems and Issues: Security Architecture. Resources – need to ensure continued participation from all member agencies status:OKCAUTIONPROBLEM Comment: Working Group is advancing and producing good products. Docs OK. New work OK. Security Architecture Doc.– but things are looking much better.

Near-Term Schedule DeliverableMilestoneDate Green Book revisions Completed – rev2 posted to CCSDS web site Done Threat Document Final CESG comments to be integrated & resent to CESG (Weiss) 07/06 CCSDS Security Architecture Revise & update per comments Restructure into threat/response (Kenny, Weiss, Fischer) 07/06 10/06 Encryption Algorithm Comments & additions per meeting (Aguilar) 09/06

Schedule (cont) Authentication /Integrity Review existing document for additions a la encryption document (All) 09/06 Encryption and Authentication Trade Studies Provide trade studies performed last year to secretariat to be published as magenta or green books (Weiss) 07/06 Charter Revisions Update workplans (All)08/06

Schedule (cont) Key Management document Revise and integrate into Security Architecture 10/06 Secure Interconnection Guide  Develop a rough draft Security Policy Guide based on NIST  Send out to WG (again) for comments and revise to make more space-centric 04/06 12/06 Mission Planners Security Guide Not being worked yet. Look at the tailoring of the CCToolbox to develop mission protection profiles 04/07

Open Issues  Security Architecture  Magenta rather than Blue book  Public key vs. symmetric cipher systems  Fold key management into architecture One size does not fit all?  Encryption and Authentication Algorithms  ESA – Conflicting points of view Do we need it for interoperability? Do we need it at all? We need something specific standardized.

Action Items Item NumberAction Item:Assigned to:Date Due: SecWG0606:1Rewrite Security Architecture and edit into mission classes with threat and mechanisms to mitigate threats. Gavin Kenny with help from Daniel Fischer and Howie Weiss 07/06 (rewrite for existing comments) 12/06 (restructured) SecWG0606:2Generate a architecture/design response to SM&C security requirements. Ensure that stacking of security in AMS and SM&C is analyzed. Howe Weiss coordinate with Mario Merri (ESA) 08/06 SecWG0606:3Update encryption algorithm document per meeting discussions Ignacio Aguilar09/06 SecWG0606:4Provide encryption and authentication trade study documents to secretariat to be published as magenta or green books (strictly background information) Howie Weiss07/06

Action Items (2) SecWG0606:5Review the Authentication Algorithm document per the meeting discussions Working Group09/06 SecWG0606:6Review the charter and workplan for any changes Working Group08/06 SecWG0606:6Resend the Secure Interconnection Guide to working group for comments Howie Weiss06/06 SecWG0606:8Comments on Secure Interconnection Guide from working group Working Group09/06 SecWG0606:9Develop a CCSDS key management trade study analysis for space environments Daniel Fischer09/06

Action Items (3) SecWG0606:10Set up telecons to occur every other month Howie Weiss and/or Gavin Kenny 07/06 for 1 st telecon SecWG0606:11Send SCID resolution to AD, CESG, CMC Howie Weiss06/06

Resource Problems  Resources are adequate to perform the current tasks, however limited resources to work on the security architecture (only NASA and BNSC).  Resources are increasing:  ESA has provided additional resources although at very low LOE.

Risk Management Update  Must ensure that the current trend of additional resources remains and that resources don’t shrink.

Cross Area WG / BOF Issues  Security is a cross-cutting discipline that needs to be included in many other Areas and WGs. In the plenary, we asked that the CESG be alerted that other Areas and WG should request support from the Security WG (in addition to the SecWG being proactive). We believe that the mandatory security section in documents will encourage the other Areas and WG to seek out help!  Joint meeting held with Navigation, AMS, SM&C, and SANA. Both SM&C and AMS were interested in SecWG providing them with “out-of-the-box” solutions they could employ.  Suggestion from last time: Maybe provide a SecWG overview briefing at the Fall meeting opening plenary to cover everyone at one time?  Security 101 and SecWG initiatives within CCSDS?

Resolutions to be Sent to CESG and Then to CMC  The CCSDS Security Working Group has studied the issue of allowing public access to Spacecraft Identification (SCID) and has found that the public disclosure of such information was not a security problem.  Rationale: The SCID is only a maximum of 12 bits and a determined attacker would not have much trouble generating all combinations of the SCID in an attempt to disrupt a spacecraft especially given speeds of current (and future) generation computers. ‘  If a mission depended on SCID confidentiality for security, the mission security is severely compromised.  The CCSDS Security Working Group has studied the issue of allowing public access of the locations of ground sites and has found that because they are typically easy to find because they are hard to hide that public disclosure is not a security problem.  Rationale: There is nothing inherently wrong with reviewing such information from a threat perspective and keeping some of this information on access controlled web sites.  Rationale: Other security mechanisms should be used to provide ground site and mission protection.

New Working Items, New BOFs, etc.  Encryption algorithm blue book.  Authentication algorithm blue book.  Security Architecture restructured and folded in key management resulting in magenta book.  Key Management trade analysis for space.  Secure Interconnection Guide based on NIST magenta book revised to be more space-centric.  Mission Planning Guide.