11 Authentication Algorithm Trade Study CCSDS Security WG Fall 2005 Atlanta, GA USA Howard Weiss NASA/JPL/SPARTA September 2005

22 Agenda 14 September 2005 – : Welcome, opening remarks, logistics, agenda bashing, : Review results of Spring 2005 SecWG meeting in Athens Mtg Notes Mtg Notes – : RASDS Review wrt Security Architecture (Kenny) – : coffee break – : Security Architecture Document Discussions (Kenny) – : Lunch – :Review CNES Mission Security Req Development using EDIOS (Pechmalbec/Belbus) – : Encryption Algorithm Trade Study (Weiss) – : coffee break – : Authentication/Integrity Algorithm Trade Study (Weiss) 15 September 2005 – : Key management discussion (Kenny) – : Coffee break – : Identity Management, Spacecraft IDs (Weiss) – : CNES Interconnection Rules (Pechmalbec/Belbus) – : Lunch – : CNES Security Development Process (Pechmalbec/Belbus) – : Security Policy Document/Common Criteria (Weiss)

33 Discussion Topics Standard Authentication/Integrity Algorithm adoption by CCSDS – Previous proposal submitted (Montreal, Toulouse, Athens) to adopt Digital Signature Standard (FIPS PUB 186-2). – Athens resulted in creating an action item to perform an authentication algorithm trade study.

44 Background Discussions As previously discussed, CCSDS does not have standards for: – Encryption – Authentication – Integrity – (or much of anything security-wise) Previous discussions in the (old) P1A (link layer) panel to create such “link-layer” standards (Spring 2002 mtg in Darmstadt) – Good discussion which didn’t lead to anything (P1A Security Briefing)P1A Security Briefing Created a “draft” P1A Security White Book to address some “strawman” proposals

55 Previous Encryption Algorithm Proposal: Propose FIPS PUB – Digital Signature Standard (DSS) algorithm standard. Consensus??? Agreement??? NO AGREEMENT – perform Trade Study

66 Trade Study Background Proposal in Montreal was pre-mature – Digital signature is one way to provide authentication » But NOT the only way – Two other kinds of Message Authentication Codes (MAC) in use: » Hash-based MACs » Encryption-based MACs

77 Digital Signature Background Digital Signature – Based on public/private key (asymmetric) cryptography – Hash/CRC performed over data, check-word encrypted using sender’s private key – Receiver re-calculates check-word, verifies transmitted check-word by decrypting with sender’s public key. – Requires generation of public/private key pairs – Requires “Certificate Authority” signing of generated public keys to guarantee their authenticity – Requires a means to distribute/populate public keys for every sender at every receiver. » Public Key Infrastructure (PKI) » Pre-loaded public keys or public key certificates requiring a potentially large on-board cache

88 Hash-based Message Authentication Code Background Based on the concept of a keyed hash – Shared secret key Hash calculated over data and the shared secret key to create a check-word, for example: – H { Mary had a little lamb} » where “ ” is the shared secret Keyed hash is authenticated by the receiver (who possesses the shared secret) by re-calculating the check-word and comparing it with the one transmitted with the data.

99 Encryption Based Message Authentication Code Background A hash is calculated over the raw data to create a check-word. The check-word is encrypted using a symmetric algorithm using a shared secret key. The encrypted check-word is authenticated by the receiver by recalculating the check-word, then decrypting the transmitted check-word using the symmetric algorithm and the shared secret key, and then comparing the two check-words.

10 Candidate Algorithms Digital Signature candidates: – Digital Signature Algorithm (DSA) – RSA – Elliptic Curve Digital Signature (ECDSA) Hash-based MAC – HMAC-SHA1-96 – HMAC-MD5-96 » Hashing algorithms SHA (1,256,384,512) MD5 UMAC RIPEMD-160 TIGER Encryption-based MAC – DES-CBC-MAC – CMAC – CCM

11 Digital Signature Algorithms NameTypeCharacteristicsMin. Key Size Digital Signature Standard (DSS) FIPS digital signature Digital signature based on SHA1 hash, un-encumbered (no patents, no licenses) 1024 bits RSA Digital Signature RSA digital signature (FIPS approved) Previously patented digital signature (expired 2000) 1024 bits Elliptic Curve Digital Signature (ECDSA) Elliptic curve digital signature Digital signature based on elliptic curve key technology which uses smaller keys than other public key technologies but may be encumbered by various Cirticom intellectual property, licenses, and patents. Apparently, ECDSA is not covered by any Certicom patents and there are open source ECC libraries, but Certicom does have over 300 patents on various aspects of ECC including “efficient implementations of ECC in hardware and software,” key agreements, etc. 160 bits

12 Hash Based MACs NameTypeCharacteristicsOutput Hash Size Secure Hash Algorithm 1 (SHA1) Hash algorithmFIPS approved – other versions (SHA256, SHA384, SHA512) provide longer outputs 160 bits Message Digest 5 (MD5)Hash algorithmPotential weaknesses – can be used as a keyed hash 128 bits Universal Message Authentication Code (UMAC) Hash AlgorithmDesigned to be the fastest hash algorithm ever 32, 64, or 96 bits (64 bits recommended) RACE Integrity Primitives Evaluation Message Digest 160 (RIPEMD-160) Hash AlgorithmDeveloped as part of the EC’s Research and Development in Advanced Communications Technologies in Europe (RACE) 160 bits TIGERHash AlgorithmDesigned for efficient operation on 64-bit platforms 192 bits HMAC-SHA1-96Hash-based MAC Uses SHA-1 for hash96 bits – truncates SHA1 160 bit output HMAC-MD5-96Hash-based MAC Uses MD5 for hash96 bits – truncates MD5 128 bit output

13 Encryption Based MACs NameTypeCharacteristicsKey Size DES-CBC- MAC Cryptographic MAC DES-based (FIPS PUB 113 dated 30 May bits CMACCryptographic MAC Encrypted-based MAC using any symmetric key block cipher algorithm 64, 128, 192, 256 (depending on block cipher algorithm used) CCMCryptographic MAC Uses cipher-block-chaining (CBC) with counter mode encryption to provide both authentication and confidentiality using a block cipher algorithm with 128- bit key or greater) 128, 192, 256

14 Conclusions and Recommendations Digital signature authentication might not be the universal, fit-all-missions solution – PKI and/or distribution, public/private key generation, key size, CPU intensive Shared secret key technology might be more suitable – Small(er) key size, less CPU intensive, shared secret used many times requiring less caching and less lookups Adopt dual standards: – DSA (FIPS PUB 186) – HMAC w/SHA1 (FIPS PUB 198)

15 Discussion Is digital signature the only right answer? Should there be multiple “right answers” because of mission constraints? – For example, shared symmetric keys will be smaller, and may be easier to deal with than public keys. Should CCSDS adopt both a digital signature AND a symmetric technology authentication algorithm?