Security Association / Security Context Bruno Saba DCT/TV/IN 03/05/2010.

Presentation transcript:


Space Data Link Secure Protocol Simulator CNES DCT/TV/IN B. Saba 14/04/

Security Association
■ Defines cryptographic communication parameters to be used by both the sending and receiving ends of a Secure Channel
■ Secure Channel =
  - One or more Global Virtual Channels (TM and AOS)
  - One or more Global VC/MAP (TC)
■ SA uniquely identified by the Security Parameter Index (SPI) over a defined physical channel. The SPI is transmitted in each frame
■ Up to 254 simultaneous SA per physical channel
■ Each SA defines a cryptographic service:
  - Authentication Only (AO)
  - Encryption Only (EO)
  - Authenticated Encryption (AE)
■ At least one cryptographic key associated to each SA
■ SA can be pre-loaded prior to launch, or dynamically created (mission dependent)

Security Context
■ Defines cryptographic communication parameters to be used by both the sending and receiving ends of a Secure Channel
■ Secure Channel =
  - One or more Global Virtual Channels (TM and AOS)
  - One or more Global VC/MAP (TC)
■ SC uniquely identified by the Security Context Index (SCI) over a defined master channel. The SCI is transmitted in each frame
■ Up to 255 simultaneous SC per master channel
■ Each SC defines a cryptographic service:
  - Clear Mode
  - Authentication Only (AO)
  - Encryption Only (EO)
  - Authenticated Encryption (AE)
■ No cryptographic key associated to the SC
■ Key index transmitted in plaintext in the Security Header
■ SC are pre-loaded prior to launch, NOT dynamically created

Main Differences between SA / SC
■ Security Associations can be dynamically created; Security Contexts are only pre-loaded before flight and cannot be changed in flight
  - For SA, this is a mission dependent feature
  -> If SA are pre-loaded before launch and not modified in flight, then there is no difference between SA and SC on this point
■ Key management
  - Key directly associated with each Security Association
  - Key index transmitted in clear with the Security Context concept
  - Max 254 pre-loaded keys with the Security Association concept
  - Much more (key index length dependent) when using the Security Context concept
  -> If 254 pre-loaded keys is an acceptable limit, then there is no difference between SA and SC on this point
  - In each case, key management is to be defined (key revocation, key uploading, key activation, etc.)

Conclusion
■ The main difference is in the key management
  - Key index transmitted in the Security Header when using the Security Context concept
  - No key index transmitted when using the Security Association concept
  - Fewer pre-loaded keys with the Security Association concept
  - Max 254 pre-loaded keys when using SA
  - More key changes during the satellite lifetime
  - Need to maintain a key change log file for deciphering old raw TM data, as the same SPI will be reused with different keys during the satellite lifetime

Proposition
■ Amend the proposed SDLS protocol standard
  - Add an additional attribute to the SA: whether the key index is transmitted in-line or not. In the in-line case, the key index is no longer an SA attribute
  - If the key index is transmitted in-line, add an additional field in the Security Header (16-bit)
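As an added example (not code from the CNES simulator or the SDLS draft), the following Python models the receiving end under the proposition above: an SA attribute decides whether the key index is an SA property or is read from a 16-bit in-line header field, and the key change log from the conclusion resolves which key index was active for a given frame count when an SPI is reused. The header layout (SPI as the first byte, key index directly after it) and indexing the log by frame count are assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed model of the receiving end, not the CNES simulator's code. Assumed:
# the SPI is the first byte of the Security Header and the proposed in-line key
# index is a 16-bit big-endian field placed directly after it.

@dataclass
class SecurityAssociation:
    spi: int
    service: str                     # "AO", "EO" or "AE"
    key_index_inline: bool           # the proposed new SA attribute
    key_index: Optional[int] = None  # fixed key index, used only when not in-line

def parse_security_header(frame: bytes, sa_table: dict):
    """Resolve the SA and key index for a received frame.
    Returns (sa, key_index, offset of the first byte after the parsed fields)."""
    spi = frame[0]
    sa = sa_table.get(spi)
    if sa is None:
        raise ValueError(f"no Security Association for SPI {spi}")
    if sa.key_index_inline:
        # Security Context style: the key index travels in clear in the header
        (key_index,) = struct.unpack_from(">H", frame, 1)
        return sa, key_index, 3
    # Security Association style: the key is an attribute of the SA itself
    return sa, sa.key_index, 1

def key_index_at(change_log, spi: int, frame_count: int) -> int:
    """Key change log the conclusion calls for: the same SPI is reused with new
    keys, so change_log holds (spi, first_frame_count, key_index) records."""
    active = None
    for log_spi, start, key_index in sorted(change_log, key=lambda r: r[1]):
        if log_spi == spi and start <= frame_count:
            active = key_index
    if active is None:
        raise LookupError(f"no key logged for SPI {spi} at frame {frame_count}")
    return active

# Constructed sample data: two SAs, one carrying its key index in-line.
SA_TABLE = {
    1: SecurityAssociation(1, "AE", key_index_inline=False, key_index=7),
    2: SecurityAssociation(2, "AO", key_index_inline=True),
}
KEY_CHANGE_LOG = [(1, 0, 7), (1, 5000, 8)]  # SPI 1 rekeyed at frame count 5000

if __name__ == "__main__":
    print(parse_security_header(bytes([2, 0x01, 0x2C]) + b"tm", SA_TABLE)[1:])  # (300, 3)
    print(key_index_at(KEY_CHANGE_LOG, 1, 4999), key_index_at(KEY_CHANGE_LOG, 1, 5000))
```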