CCSDS Security Working Group - Fall 2007 Meeting Research Activities on Encryption and Authentication for Space Applications by the Telecommunications.

Presentation transcript:

CCSDS Security Working Group - Fall 2007 Meeting Research Activities on Encryption and Authentication for Space Applications by the Telecommunications Group of the Università Politecnica delle Marche Ancona, ITALY Susanna Spinsante – 3-5 October 2007 ESA/ESOC, Darmstadt Germany (Hotel am Bruchsee, Heppenheim)

2 2003/2004: Analysis of the ESA Telecommand Authentication Procedure (ESA PSS ):
Numerical analysis
- performance and security evaluation by means of suitable tests for authentication systems (NIST test suite, technical literature)
- detected flaws: weaknesses in hard knapsack and LFSR-based hashing
- suggested modifications in accordance with a conservative approach: improved hashing and selection of the hard knapsack factors

3 Suggested modifications:
- performance and security evaluation of the proposed modified TC Authentication scheme: by means of simple modifications, the randomness and security levels of the overall system have been increased, thus obtaining better performance also when processing short TCs
- the suggested new scheme showed a processing time reduction and a possible optimization on a 32-bit data bus
Theoretical analysis
- cryptanalysis of the ESA authentication system: choice of the LFSR coefficients, attacks based on internal and external collisions, reconstruction of the erased bits of the key
- the percentage of cases in which cryptanalysis permits the total break of the system is significant

4 Our analysis showed that:
- The secrecy of the HK factors (2880 bits) is questionable when the opponent can apply a chosen text attack
- The Erasing Block (EB), which deletes the 8 least significant bits of the Knapsack output, makes it more complex for an opponent to invert the transformation S = f(m), but an attack has been conceived for discovering the last part of the key
- The weakest part of the system is the Hard Knapsack
- The Hash Function (linear) is rather simple to violate
- Difficulties for an opponent are due to the Erasing Block
- The very long length of the secret key does not provide any specific protection
- Most of the key can be discovered fast, while the disclosure of (most of) the remaining part is possible by ad hoc software
- The probability of success for a total break attack is high
- The results of our study strengthened the idea of conceiving a new and more robust authentication solution

5 Related Bibliography:
- F. Chiaraluce, G. Finaurini, E. Gambi, S. Spinsante, “Analysis and Improvement of the ESA Telecommand Authentication Procedure”, in Proc. TTC 2004 Workshop on Tracking, Telemetry and Command Systems for Space Applications, September 2004, ESA/ESOC, Darmstadt (Germany), pp
- F. Chiaraluce, E. Gambi, S. Spinsante, “Efficiency Test Results and New Perspectives for Secure Telecommand Authentication in Space Missions: Case-study of the European Space Agency”, in ETRI Journal, Vol. 27, Number 4, August 2005, ISSN , pp
- F. Chiaraluce, E. Gambi, S. Spinsante, “Numerical verification of the historicity of the ESA telecommand authentication approach”, in Proc. of “SpaceOps 2006: Earth, Moon, Mars and Beyond” Conference, June 2006, Rome (Italy)
- S. Spinsante, F. Chiaraluce, E. Gambi, “Telecommand Authentication in Space Missions: Cryptanalysis of the ESA Approach and Evaluation of Alternative AES-Based Schemes”, submitted to IEEE Trans. on Aerospace & Electronic Systems

6 2005/2006: Evaluation of AES-based authentication and encryption for space applications
Following the results provided by the analysis of the old ESA authentication scheme, and confirmed by preliminary proposals expressed within the CCSDS Security WG, a research activity on the adoption of the Advanced Encryption Standard (AES) for TC authentication and TM encryption has been developed
Telemetry Encryption
- comparison among several AES operational modes
- error propagation over AWGN and burst channels
- data cancellations effects and recovery
- computational requirements: evaluation and comparison
Telecommand Authentication
- AES-based Message Authentication Code generation schemes for TC Authentication
- CBC and CFB MAC generation
- Telecommand authentication and Forward Error Control coding (Correct Authentication Rate)

7 Contribution of the study
Numerical results on:
- AES based authentication schemes applied to TC data
- AES based encryption schemes applied to TM data
Evaluation of the interactions between encryption/authentication services and FEC services:
- TC authentication and BCH FEC coding
- TM encryption and RS FEC coding in the case of sparse errors and burst errors
Definition of a CAR (Correct Authentication Rate) figure to evaluate error propagation effects
No substantial differences between AES-based CFB and CBC MAC authentication of TC data, w.r.t. transmission errors: further constraints should be taken into account for selection
AES OFB mode should be chosen for TM encryption, from the error propagation point of view, even if weaker than CFB mode against message stream modification attacks

8 AES based encryption schemes applied to TM data
Example: different behaviors of the operational modes w.r.t. errors – no FEC
- TM encryption required in high security missions for satellite telemetry (navigation and communication)
- Huge amount of TM data: symmetric stream ciphers needed
- AES CFB mode: self synchronising stream cipher mode, error propagation
- AES OFB mode: not synchronised stream cipher mode, no error propagation

9 AES OFB gives a lower error probability after decryption than AES CFB, for the same error probability along the channel (AWGN) – no FEC
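
The CFB/OFB behaviour described on slides 8 and 9, as an added example that is not part of the original slides: it measures bit errors per 128-bit block after a single channel bit error and after the loss of one ciphertext block. It assumes a keyed PRF (HMAC-SHA-256 truncated to 128 bits) as a stand-in for the AES forward function, and the key, IV and payload are constructed values.

```python
import hashlib
import hmac

BLOCK = 16  # bytes, the AES block size

def block_encrypt(key, block):
    # Assumption: keyed PRF standing in for the AES forward function (not AES).
    # CFB and OFB only call the cipher in the encrypt direction, so the
    # propagation pattern below is a property of the mode, not of the cipher.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def cfb_encrypt(key, iv, pt):
    out, feedback = [], iv
    for p in blocks(pt):
        feedback = xor(p, block_encrypt(key, feedback))  # ciphertext is fed back
        out.append(feedback)
    return b"".join(out)

def cfb_decrypt(key, iv, ct):
    out, feedback = [], iv
    for c in blocks(ct):
        out.append(xor(c, block_encrypt(key, feedback)))
        feedback = c  # receiver re-seeds from the received ciphertext
    return b"".join(out)

def ofb_crypt(key, iv, data):
    # Encryption and decryption are the same operation in OFB.
    out, state = [], iv
    for d in blocks(data):
        state = block_encrypt(key, state)  # keystream never depends on the data
        out.append(xor(d, state))
    return b"".join(out)

def bit_errors_per_block(expected, got):
    return [sum(bin(x ^ y).count("1") for x, y in zip(e, g))
            for e, g in zip(blocks(expected), blocks(got))]

def flip_bit(ct):  # one channel bit error in ciphertext block 1
    return ct[:BLOCK] + bytes([ct[BLOCK] ^ 0x01]) + ct[BLOCK + 1:]

def drop_block(data):  # loss of the whole of block 1
    return data[:BLOCK] + data[2 * BLOCK:]

def run_experiment():
    key, iv = b"constructed-key!", bytes(BLOCK)  # constructed values
    frame = bytes(range(64))                     # constructed 4-block TM payload
    cfb_ct, ofb_ct = cfb_encrypt(key, iv, frame), ofb_crypt(key, iv, frame)
    kept = drop_block(frame)  # plaintext the receiver should still recover
    return {
        "cfb_flip": bit_errors_per_block(frame, cfb_decrypt(key, iv, flip_bit(cfb_ct))),
        "ofb_flip": bit_errors_per_block(frame, ofb_crypt(key, iv, flip_bit(ofb_ct))),
        "cfb_drop": bit_errors_per_block(kept, cfb_decrypt(key, iv, drop_block(cfb_ct))),
        "ofb_drop": bit_errors_per_block(kept, ofb_crypt(key, iv, drop_block(ofb_ct))),
    }
```

In the results, OFB turns one channel bit error into exactly one plaintext bit error, while CFB also garbles the following block; after a lost block, CFB recovers one block later and OFB stays out of step for the rest of the payload.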

10 CFB and OFB TM Encryption
[Figure panels: RS FEC – frame correction rate – BURST channel; RS FEC – byte correction rate – BURST channel]

11 AES based authentication schemes applied to TC data: CBC MAC generation
[Figure panels: No FEC; BCH FEC]

12 CFB MAC generation
[Figure panels: No FEC; BCH FEC]

13 Related Bibliography:
- S. Spinsante, M. Baldi, F. Chiaraluce, E. Gambi, G. Righi, “Evaluation of Authentication and Encryption Algorithms for Telecommand and Telemetry in Space Missions”, in Proc. 23rd AIAA International Communications Satellite Systems Conference (ICSSC 2005), Joint Conference 2005, September 2005, Aurelia Convention Centre, Rome (Italy)
- S. Spinsante, F. Chiaraluce, E. Gambi, “Evaluation of AES-based authentication and encryption schemes for Telecommand and Telemetry in satellite Applications”, in Proc. of “SpaceOps 2006: Earth, Moon, Mars and Beyond” Conference, June 2006, Rome (Italy)
- S. Spinsante, F. Chiaraluce, E. Gambi, “Evaluation of AES-based authentication and encryption schemes for Telecommand and Telemetry in satellite applications”, in “Space Operations: Mission Management, Technologies, and Current Applications”, Chapter 22, Loredana Bruca, J. Paul Douglas, Trevor Sorensen, Editors, Progress in Astronautics and Aeronautics Series, AIAA Publication Books, to be published September 2007

14 2006/2007: Further insights into AES-based MAC generation, and Authenticated Encryption with Associated Data (AEAD) modes
Besides classical operational modes usually adopted for MAC generation purposes, new and more recent solutions have been evaluated and are currently under consideration, given the peculiarities of the space context, w.r.t. more “traditional” contexts, like IP networks
The main target of such analysis is to define functional figures suited for a “fair” comparison among the available schemes
MAC generation
- MAC generation by classical techniques: CBC MAC and its variants, CFB MAC
- MAC generation by alternative solutions (EAX)
- Definition of functional figures for comparison
EAX processing

15 MAC generation by classical techniques: definition of functional figures

16 Efficiency comparison: number of calls to the underlying block cipher
[Figure: CFB MAC generation; legend: CFB 8; CFB 64; CFB 128, OMAC; EAX]

17 Authentication overhead comparison
- Number of block cipher calls
- Data expansion
EAX and CBC processing comparison

18 Together with the analysis of innovative AEAD schemes, other solutions proposed by CCSDS SEC WG during its last meetings are under evaluation. More specifically, during the Winter 2006 meeting, the WG confirmed the choice of DSA with SHA-1 for TC Authentication
Standard techniques applied to TC authentication
- Sample hardware platform selected as a benchmark (COTS: Microchip dsPIC microcontroller based on Harvard architecture)
- Evaluation of complexity and computational requirements
- Implementation of alternative schemes (HMAC) on the same hardware platform and their thorough comparison

19 Example: SHA-1 computational requirements
Two TC structures tested:
- CCSDS Recommendation for Space Data System Standards, "TC Space Data Link Protocol," CCSDS – B – 1, Blue Book, September 2003
- ESA PSS

20 Errors in AWGN channel
Effects of residual errors, due to the communication channel, on the correct verification of the TC segments at the receiver
For each simulated communication session:
- number of TCs corrupted in Data field only
- number of TCs corrupted in Signature field only
- number of TCs corrupted in both fields
Last case: verify if the corrupted Signature corresponds to the DSA/SHA-1 Signature computed over the corrupted Data. This potentially dangerous condition never occurs
Robustness of the authentication scheme confirmed also in presence of residual errors on the channel
Preliminary performance evaluations of the DSA with SHA-1 applied to the authentication of TC. Proposed implementation on a commercial dsPIC
Further developments: implementation of alternative schemes (HMAC) on the same hardware platform and their thorough comparison

21 Related Bibliography:
- S. Spinsante, F. Chiaraluce, E. Gambi, “New perspectives in Telecommand security: the application of EAX to TC segments”, in Proc. Data Systems In Aerospace DASIA 2007, 29th May – 1st June, Naples, ITALY
- S. Spinsante, E. Gambi, F. Chiaraluce, “Operational Modes Comparison of the Advanced Encryption Standard for Space Data Security Applications”, in Proc. TTC 2007 Workshop on Tracking, Telemetry and Command Systems for Space Applications, September 2007, ESA/ESOC, Darmstadt (Germany)
- S. Spinsante, E. Gambi, M. Leggieri, “DSA with SHA-1 for Space Telecommands Authentication”, in Proc. 15th International Conference on Software Telecommunications & Computer Networks, September , Split - Dubrovnik, Croatia
- L. Zhang, S. Spinsante, “Application and Performance Analysis of Various AEAD Techniques for Space Telecommand Authentication”, accepted for presentation at IEEE 29th International Aerospace Conference, Big Sky (MT, USA), March 2008

22 Open Issues
- Does this research approach meet CCSDS SEC WG needs?
- Should we focus on the examination of encryption solutions, authentication solutions, or both? Are there some “priority” items?
- In regard to the impact of errors on authentication/encryption performance, the suitability of this analysis depends on the reference model adopted, and on the collocation of the security layer
- AEAD modes represent a promising approach: does CCSDS SEC WG share this point of view? Should we focus on this topic, by extending the range of solutions under examination?
- In order to provide more realistic results about security algorithms, “real” data should be available as a test bed. Is this approach feasible? Should we limit our analyses to a parametric approach?
- Does CCSDS SEC WG have different priorities or expectations about the research activities to be carried on?