Application Layer Security Mike Pajevski (NASA/JPL) April 2009
Agenda What is Application Layer Security Review Berlin discussions Benefits of Application Layer Security Drawbacks of Application Layer Security Objectives for Application Layer Security Useful approaches Priorities 4/22/2009
What is Application Layer Security? Space extensions to FTP SCPS-FP FTP Features FTP Other Apps Application Layer Security operates here Space extensions to the Socket Interface SCPS-TP “TCP Tranquility” options TCP Options TCP UDP Space-optimized IPSec variant SCPS-SP IPSec Common Network- Layer Interface Space-optimized IP variant SCPS-NP IP Space Link Subnet: CCSDS Data Link
Berlin Discussions Concern raised about APIs – given that the most popular application layer security service is SSL/TLS which only supports TCP (and soon UDP), what would we support in CCSDS given the wide variety of transport layer protocols we have (e.g., AOS, TM, TC, TCP/IP). Can we specify application layer security, in-general, for the wide variety of protocols that space missions use now and the even greater number they might use in the future? Another question is where (or how) might S/MIME fit into this? Could we base application layer security on the S/MIME model where it is assumed that the receiver has no prior knowledge of the sender (e.g., no credentials) and therefore all the information needed by the receiver has to be sent along with the secured data? Even more, what are the kinds of applications being used for space missions? Do they live on top of operating systems (e.g., Flight Linux, VXWorks, Green Hills) or do they run directly on the hardware? Do they operate on top of Frameworks or Messaging Services (e.g., AMS) which might provide or expose lower layer security services? Action: Mike Pajevski should investigate the development of use cases for application layer security. He should further define and categorize the problems, identify interoperability issues, investigate the potential use of messaging systems/frameworks (such as AMS) as security ‘shims’ much in the same manner as done by SM&C by building their Message Abstraction Layer (MAL) on top of AMS. Action: Howie Weiss will set up a meeting with the CFDP folks to look at how they plan to address security at their next revision of the CFDP specifications. He will also investigate what missions are using CFDP and those that are planning to use it.
Benefits of Application Layer Security Application layer security offers fine-grained access control Useful when different sources of commands or file service requests have differing rights Application layer security supports widest range of interaction patterns Application layer security can provide (additional) confidentiality protection i.e., over-and-above lower layer controls, or without lower layer confidentiality (depending on needs) Useful for highly sensitive data (e.g., keys) 4/22/2009
Drawbacks of Application Layer Security Needs to be incorporated into each application More complexity More to manage (credentials, roles, permissions) More overhead Most likely layered over lower layer security
Objectives for Application Layer Security Provide fine-grained access control Authentication of entity requesting access Could be a user, service, proxy Authorization Relies on policies and (optionally) groups/roles Common (& Federated?) authentication credentials For multiple applications Confidentiality? Should this be handled only at lower layer? Credential, Policy, & Key Management Creation, Update, Deletion, Distribution, Synchronization of data used by app layer security 4/22/2009
What approaches are useful? Integrate security into each application protocol? e.g., add authentication data fields (& encryption?) into CFDP protocol (and/or other?) Benefit: Details needed for access control are contained within the protocol Drawback: Details are specific to each application Use a common shim like TLS Benefits: Defined standard; Can be used under any application Drawbacks: The filename/action or subsystem information about the exchange is not part of this protocol – thus cross-protocol interaction is needed to provide access control AND TLS requires handshaking to establish session keys Authentication credentials can be preplaced, but session keys are negotiated when sessions start Would a session key management protocol be useful? Note that TLS sessions can be “resumed” Message-based security e.g., Cryptographic Message Syntax (CMS), S/MIME, WS-Security Benefits: Defined standards Drawbacks: The filename/action or subsystem information about the exchange is not (usually) part of these protocols – thus cross-protocol interaction is needed 4/22/2009
Priorities? What is most important? e.g., incorporating security into CFDP and/or other application layer protocols What objectives are most important? e.g., access control, confidentiality, federation, evolve-ability, flexibility, extensibility? When might this capability be needed? e.g., CxP Lunar Sortie or Surface Missions? What other missions might involve partnerships? 4/22/2009
Next Steps? Should the Security WG take this on as a new program of work? How should we approach this? Study? Just adopt CMS? Write a new protocol? Go home and call it a day?