CCSDS Security Working Group - Fall 2007 Meeting


1 Susanna Spinsante – s.spinsante@univpm.it
CCSDS Security Working Group - Fall 2007 Meeting Research Activities on Encryption and Authentication for Space Applications by the Telecommunications Group of the Università Politecnica delle Marche Ancona, ITALY Susanna Spinsante – 3-5 October 2007 ESA/ESOC, Darmstadt Germany (Hotel am Bruchsee, Heppenheim)

2 2003/2004: Analysis of the ESA Telecommand Authentication Procedure (ESA PSS-04-151):
Numerical analysis
- performance and security evaluation by means of suitable tests for authentication systems (NIST test suite, technical literature)
- detected flaws: weaknesses in hard knapsack and LFSR-based hashing
- suggested modifications according to a conservative approach: improved hashing and selection of the hard knapsack factors

3 Suggested modifications:
Performance and security evaluation of the modified TC Authentication scheme proposed:
- by means of simple modifications, the randomness and security levels of the overall system have been increased, so obtaining better performance also in the case of short TCs processing
- the suggested new scheme showed a processing time reduction and a possible optimization on 32 bit data bus
Theoretical analysis
- cryptanalysis of the ESA authentication system: choice of the LFSR coefficients, attacks based on internal and external collisions, reconstruction of the erased bits of the key
- the percentage of cases in which cryptanalysis permits the total break of the system is significant

4 Our analysis showed that:
- The secrecy of the HK factors (2880 bits) is questionable when the opponent can apply a chosen text attack
- The Erasing Block (EB), which deletes the 8 least significant bits of the Knapsack output, makes it more complex for an opponent to invert the transformation S = f(m), but an attack has been conceived for discovering the last part of the key
- The weakest part of the system is the Hard Knapsack
- The Hash Function (linear) is rather simple to violate
- Difficulties for an opponent are due to the Erasing Block
- The very long length of the secret key does not provide any specific protection
- Most of the key can be discovered fast, while the disclosure of (most of) the remaining part is possible by ad hoc software
- The probability of success for a total break attack is high
- The results of our study strengthened the idea of conceiving a new and more robust authentication solution

5 Related Bibliography:
- F. Chiaraluce, G. Finaurini, E. Gambi, S. Spinsante “Analysis and Improvement of the ESA Telecommand Authentication Procedure”, in Proc. TTC 2004 Workshop on Tracking, Telemetry and Command Systems for Space Applications, September 2004, ESA/ESOC, Darmstadt (Germany), pp
- F. Chiaraluce, E. Gambi, S. Spinsante “Efficiency Test Results and New Perspectives for Secure Telecommand Authentication in Space Missions: Case-study of the European Space Agency”, in ETRI Journal, Vol. 27, Number 4, August 2005, ISSN , pp
- F. Chiaraluce, E. Gambi, S. Spinsante “Numerical verification of the historicity of the ESA telecommand authentication approach”, in Proc. of “SpaceOps 2006: Earth, Moon, Mars and Beyond” Conference, June 2006, Rome (Italy)
- S. Spinsante, F. Chiaraluce, E. Gambi “Telecommand Authentication in Space Missions: Cryptanalysis of the ESA Approach and Evaluation of Alternative AES-Based Schemes”, submitted to IEEE Trans. On Aerospace & Electronic Systems

6 2005/2006: Evaluation of AES-based authentication and encryption for space applications
Following the results provided by the analysis of the old ESA authentication scheme, and confirmed by preliminary proposals expressed within the CCSDS Security WG, a research activity on the adoption of the Advanced Encryption Standard (AES) for TC authentication and TM encryption has been developed
Telemetry Encryption
- comparison among several AES operational modes
- error propagation over AWGN and burst channels
- data cancellations effects and recovery
- computational requirements: evaluation and comparison
Telecommand Authentication
- AES-based Message Authentication Code generation schemes for TC Authentication
- CBC and CFB MAC generation
- Telecommand authentication and Forward Error Control coding (Correct Authentication Rate)

7 Contribution of the study
Numerical results on:
- AES based authentication schemes applied to TC data
- AES based encryption schemes applied to TM data
Evaluation of the interactions between encryption/authentication services and FEC services:
- TC authentication and BCH FEC coding
- TM encryption and RS FEC coding in the case of sparse errors and burst errors
Definition of a CAR (Correct Authentication Rate) figure to evaluate error propagation effects
No substantial differences between AES-based CFB and CBC MAC authentication of TC data, w.r.t. transmission errors: further constraints should be taken into account for selection
AES OFB mode should be chosen for TM encryption, from the error propagation point of view, even if weaker than CFB mode against message stream modification attacks

8 AES based encryption schemes applied to TM data
- TM encryption required in high security missions for satellite telemetry (navigation and communication)
- Huge amount of TM data: symmetric stream ciphers needed
- AES CFB mode: self synchronising stream cipher mode, error propagation
- AES OFB mode: not synchronised stream cipher mode, no error propagation
- Example: different behaviors of the operational modes w.r.t. errors – no FEC

9 AES OFB gives an error probability after decryption lower than AES CFB, for the same error probability along the channel (AWGN) – no FEC
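
The error behaviour of the two modes on slides 8 and 9, as an added example that is not part of the original presentation: CFB-128 and OFB are run over a constructed four-block frame with one bit flipped in the ciphertext. The block function E is a keyed SHA-256 stand-in assumed here in place of AES, and the key, IV and frame are constructed.

```python
import hashlib

BLOCK = 16  # bytes; same block size as AES

def E(key, block):
    # Stand-in for one AES block encryption (assumption, not AES): keyed
    # SHA-256 truncated to 16 bytes. CFB and OFB call the cipher only in the
    # forward direction, so this is enough to show how each mode spreads errors.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ofb(key, iv, data):
    # OFB keystream depends only on key and IV; same routine both directions.
    out, state = b"", iv
    for chunk in blocks(data):
        state = E(key, state)
        out += xor(chunk, state)
    return out

def cfb(key, iv, data, decrypt=False):
    # CFB-128: the previous ciphertext block is fed back into the cipher.
    out, prev = b"", iv
    for chunk in blocks(data):
        res = xor(chunk, E(key, prev))
        out += res
        prev = chunk if decrypt else res
    return out

def flip_bit(data, bit):
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)

def bit_errors(sent, received):
    # Bit errors per 16-byte block between sent and recovered plaintext.
    return [sum(bin(x ^ y).count("1") for x, y in zip(s, r))
            for s, r in zip(blocks(sent), blocks(received))]

def propagation(bit=130):
    # Constructed 4-block telemetry frame; one channel bit error in block 1.
    key, iv, tm = b"constructed-key!", bytes(BLOCK), bytes(range(64))
    ofb_rx = ofb(key, iv, flip_bit(ofb(key, iv, tm), bit))
    cfb_rx = cfb(key, iv, flip_bit(cfb(key, iv, tm), bit), decrypt=True)
    return bit_errors(tm, ofb_rx), bit_errors(tm, cfb_rx)

if __name__ == "__main__":
    print(propagation())
```

OFB returns the frame with only the flipped bit in error; CFB shows that bit plus a garbled following block, after which it resynchronises.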

10 CFB and OFB TM Encryption
[Figure panels: RS FEC – frame correction rate – BURST channel; RS FEC – byte correction rate – BURST channel]

11 AES based authentication schemes applied to TC data
CBC MAC generation
[Figure panels: No FEC; BCH FEC]

12 CFB MAC generation
[Figure panels: No FEC; BCH FEC]

13 Related Bibliography:
- S. Spinsante, M. Baldi, F. Chiaraluce, E. Gambi, G. Righi “Evaluation of Authentication and Encryption Algorithms for Telecommand and Telemetry in Space Missions”, in Proc. 23rd AIAA International Communications Satellite Systems Conference (ICSSC 2005), Joint Conference 2005, September 2005, Aurelia Convention Centre, Rome (Italy)
- S. Spinsante, F. Chiaraluce, E. Gambi “Evaluation of AES-based authentication and encryption schemes for Telecommand and Telemetry in satellite Applications”, in Proc. of “SpaceOps 2006: Earth, Moon, Mars and Beyond” Conference, June 2006, Rome (Italy)
- “Evaluation of AES-based authentication and encryption schemes for Telecommand and Telemetry in satellite applications”, in “Space Operations: Mission Management, Technologies, and Current Applications”, Chapter 22, Loredana Bruca, J. Paul Douglas, Trevor Sorensen, Editors, Progress in Astronautics and Aeronautics Series, AIAA Publication Books, to be published September 2007

14 2006/2007: Further insights into AES-based MAC generation, and Authenticated Encryption with Associated Data (AEAD) modes
Besides classical operational modes usually adopted for MAC generation purposes, new and more recent solutions have been evaluated and are currently under consideration, given the peculiarities of the space context, w.r.t. more “traditional” contexts, like IP networks
The main target of such analysis is to define functional figures suited for a “fair” comparison among the available schemes
MAC generation
- MAC generation by classical techniques
  - CBC MAC and its variants
  - CFB MAC
- MAC generation by alternative solutions (EAX)
- Definition of functional figures for comparison
EAX processing

15 MAC generation by classical techniques: definition of functional figures

16 Efficiency comparison: number of calls to the underlying block cipher
[Figure labels: CFB MAC generation; CFB8; CFB64; CFB128, OMAC; EAX]

17 Authentication overhead comparison
EAX and CBC processing comparison
- Number of block cipher calls
- Data expansion

18 Together with the analysis of innovative AEAD schemes, other solutions proposed by CCSDS SEC WG during its last meetings are under evaluation. More specifically, during the Winter 2006 meeting, the WG confirmed the choice of DSA
DSA with SHA-1 for TC Authentication
- Standard techniques applied to TC authentication
- Sample hardware platform selected as a benchmark (COTS: Microchip dsPIC microcontroller based on Harvard architecture)
- Evaluation of complexity and computational requirements
- Implementation of alternative schemes (HMAC) on the same hardware platform and their thorough comparison

19 Two TC structures tested:
- ESA PSS
- CCSDS Recommendation for Space Data System Standards, "TC Space Data Link Protocol," CCSDS – B – 1, Blue Book, September 2003
Example: SHA-1 computational requirements

20 Errors in AWGN channel
Effects of residual errors, due to the communication channel, on the correct verification of the TC segments at the receiver
For each simulated communication session:
- number of TCs corrupted in Data field only
- number of TCs corrupted in Signature field only
- number of TCs corrupted in both fields
Last case: verify if the corrupted Signature corresponds to the DSA/SHA-1 Signature computed over the corrupted Data. This potentially dangerous condition never occurs
Preliminary performance evaluations of the DSA with SHA-1 applied to the authentication of TC. Proposed implementation on a commercial dsPIC
Robustness of the authentication scheme confirmed also in presence of residual errors on the channel
Further developments: implementation of alternative schemes (HMAC) on the same hardware platform and their thorough comparison
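
The counting experiment on this slide, as an added example that is not the authors' dsPIC implementation: TCs are sent over a simulated channel with independent bit errors and sorted into the three corruption cases, checking that no corrupted TC verifies. HMAC-SHA1 stands in for the DSA/SHA-1 signature as an assumption, and the key, TC length, error rate and seed are constructed.

```python
import hashlib
import hmac
import random

KEY = b"constructed-demo-key"   # constructed key for the simulation
TAG_LEN = 20                    # HMAC-SHA1 tag length in bytes

def sign(data):
    return hmac.new(KEY, data, hashlib.sha1).digest()

def verify(frame):
    data, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    return hmac.compare_digest(tag, sign(data))

def channel(frame, ber, rng):
    # Residual channel errors: each bit flips independently with probability ber.
    buf = bytearray(frame)
    for i in range(len(buf) * 8):
        if rng.random() < ber:
            buf[i // 8] ^= 1 << (i % 8)
    return bytes(buf)

def session(n_tc=2000, data_len=32, ber=1e-3, seed=2007):
    rng = random.Random(seed)   # seeded so the run is repeatable
    stats = dict(clean=0, sig_only=0, data_only=0, both=0,
                 accepted=0, false_accept=0)
    for _ in range(n_tc):
        data = bytes(rng.getrandbits(8) for _ in range(data_len))
        tx = data + sign(data)
        rx = channel(tx, ber, rng)
        data_bad = rx[:-TAG_LEN] != tx[:-TAG_LEN]
        sig_bad = rx[-TAG_LEN:] != tx[-TAG_LEN:]
        kind = ("clean", "sig_only", "data_only", "both")[2 * data_bad + sig_bad]
        stats[kind] += 1
        ok = verify(rx)
        stats["accepted"] += ok
        # The dangerous case: a corrupted TC that still verifies.
        stats["false_accept"] += ok and kind != "clean"
    return stats

if __name__ == "__main__":
    print(session())
```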

21 Related Bibliography:
- S. Spinsante, F. Chiaraluce, E. Gambi “New perspectives in Telecommand security: the application of EAX to TC segments”, in Proc. Data Systems In Aerospace DASIA 2007, 29th May – 1st June, Naples, ITALY
- S. Spinsante, E. Gambi, F. Chiaraluce “Operational Modes Comparison of the Advanced Encryption Standard for Space Data Security Applications”, in Proc. TTC 2007 Workshop on Tracking, Telemetry and Command Systems for Space Applications, September 2007, ESA/ESOC, Darmstadt (Germany)
- S. Spinsante, E. Gambi, M. Leggieri “DSA with SHA-1 for Space Telecommands Authentication”, in Proc. 15th International Conference on Software Telecommunications & Computer Networks, September , Split - Dubrovnik, Croatia
- L. Zhang, S. Spinsante “Application and Performance Analysis of Various AEAD Techniques for Space Telecommand Authentication”, Accepted for presentation at IEEE 29th International Aerospace Conference, Big Sky (MT, USA), March 2008

22 Open Issues
- Does this research approach meet CCSDS SEC WG needs?
- Should we focus on the examination of encryption solutions, authentication solutions, or both? Are there some “priority” items?
- In regard to the impact of errors on authentication/encryption performance, the suitability of this analysis depends on the reference model adopted, and on the collocation of the security layer
- AEAD modes represent a promising approach: does CCSDS SEC WG share this point of view? Should we focus on this topic, by extending the range of solutions under examination?
- In order to provide more realistic results about security algorithms, “real” data should be available as a test bed. Is this approach feasible? Should we limit our analyses to a parametric approach?
- Does CCSDS SEC WG have different priorities or expectations about the research activities to be carried out?

