Application Layer Security Mike Pajevski (NASA/JPL) April 2009

1 Application Layer Security Mike Pajevski (NASA/JPL) April 2009

2 Agenda
- What is Application Layer Security
- Review Berlin discussions
- Benefits of Application Layer Security
- Drawbacks of Application Layer Security
- Objectives for Application Layer Security
- Useful approaches
- Priorities
4/22/2009

3 What is Application Layer Security?
[Figure: protocol stack, top to bottom]
- SCPS-FP (space extensions to FTP), FTP (FTP features), other apps: Application Layer Security operates here
- Space extensions to the socket interface
- SCPS-TP ("TCP Tranquility" options), TCP (TCP options), UDP
- SCPS-SP (space-optimized IPSec variant), IPSec
- Common network-layer interface
- SCPS-NP (space-optimized IP variant), IP
- Space link subnet: CCSDS Data Link

4 Berlin Discussions
- Concern raised about APIs: given that the most popular application layer security service is SSL/TLS, which only supports TCP (and soon UDP), what would we support in CCSDS given the wide variety of transport layer protocols we have (e.g., AOS, TM, TC, TCP/IP)?
- Can we specify application layer security, in general, for the wide variety of protocols that space missions use now and the even greater number they might use in the future?
- Another question is where (or how) S/MIME might fit into this. Could we base application layer security on the S/MIME model, where it is assumed that the receiver has no prior knowledge of the sender (e.g., no credentials) and therefore all the information needed by the receiver has to be sent along with the secured data?
- Even more, what are the kinds of applications being used for space missions?
  - Do they live on top of operating systems (e.g., Flight Linux, VxWorks, Green Hills) or do they run directly on the hardware?
  - Do they operate on top of frameworks or messaging services (e.g., AMS) which might provide or expose lower layer security services?
- Action: Mike Pajevski should investigate the development of use cases for application layer security. He should further define and categorize the problems, identify interoperability issues, and investigate the potential use of messaging systems/frameworks (such as AMS) as security 'shims', much in the same manner as done by SM&C in building their Message Abstraction Layer (MAL) on top of AMS.
- Action: Howie Weiss will set up a meeting with the CFDP folks to look at how they plan to address security at their next revision of the CFDP specifications. He will also investigate what missions are using CFDP and those that are planning to use it.

5 Benefits of Application Layer Security
- Application layer security offers fine-grained access control
  - Useful when different sources of commands or file service requests have differing rights
- Application layer security supports widest range of interaction patterns
- Application layer security can provide (additional) confidentiality protection
  - i.e., over-and-above lower layer controls, or without lower layer confidentiality (depending on needs)
  - Useful for highly sensitive data (e.g., keys)

6 Drawbacks of Application Layer Security
- Needs to be incorporated into each application
- More complexity
- More to manage (credentials, roles, permissions)
- More overhead
- Most likely layered over lower layer security

7 Objectives for Application Layer Security
- Provide fine-grained access control
  - Authentication of entity requesting access
    - Could be a user, service, proxy
  - Authorization
    - Relies on policies and (optionally) groups/roles
- Common (& Federated?) authentication credentials
  - For multiple applications
- Confidentiality?
  - Should this be handled only at lower layer?
- Credential, Policy, & Key Management
  - Creation, Update, Deletion, Distribution, Synchronization of data used by app layer security

8 What approaches are useful?
- Integrate security into each application protocol?
  - e.g., add authentication data fields (& encryption?) into CFDP protocol (and/or other?)
  - Benefit: Details needed for access control are contained within the protocol
  - Drawback: Details are specific to each application
- Use a common shim like TLS
  - Benefits: Defined standard; can be used under any application
  - Drawbacks: The filename/action or subsystem information about the exchange is not part of this protocol, thus cross-protocol interaction is needed to provide access control, AND TLS requires handshaking to establish session keys
    - Authentication credentials can be preplaced, but session keys are negotiated when sessions start
    - Would a session key management protocol be useful?
    - Note that TLS sessions can be "resumed"
- Message-based security
  - e.g., Cryptographic Message Syntax (CMS), S/MIME, WS-Security
  - Benefits: Defined standards
  - Drawbacks: The filename/action or subsystem information about the exchange is not (usually) part of these protocols, thus cross-protocol interaction is needed
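
The first approach on this slide (authentication data carried inside the application protocol, so the details needed for access control travel with the request), as an added Python example that is not from the presentation and is not the CFDP format. The message fields, entity names, preplaced keys, roles and the sequence-number replay check are all hypothetical.

```python
import hashlib
import hmac
import json

# Constructed sample data: preplaced per-entity keys and a role-based policy.
KEYS = {"ops-console": b"k1-constructed-sample", "science-team": b"k2-constructed-sample"}
ROLES = {"ops-console": "operator", "science-team": "observer"}
POLICY = {"operator": {"get", "put", "delete"}, "observer": {"get"}}


def _canonical(fields):
    # Deterministic encoding so sender and receiver MAC the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_request(sender, action, filename, seq):
    """Build a request whose MAC covers sender, action, filename and sequence number."""
    fields = {"sender": sender, "action": action, "filename": filename, "seq": seq}
    tag = hmac.new(KEYS[sender], _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "mac": tag}


def check_request(msg, last_seq):
    """Return (allowed, reason). last_seq maps sender -> highest sequence accepted."""
    fields = {k: msg.get(k) for k in ("sender", "action", "filename", "seq")}
    key = KEYS.get(fields["sender"])
    if key is None:
        return False, "unknown sender"
    # Authentication: the action and filename are inside the MAC, so they cannot
    # be swapped without the sender's key.
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
        return False, "authentication failed"
    if not isinstance(fields["seq"], int) or fields["seq"] <= last_seq.get(fields["sender"], -1):
        return False, "replayed or stale request"
    # Authorization: policy is keyed on the authenticated sender's role.
    if fields["action"] not in POLICY[ROLES[fields["sender"]]]:
        return False, "not authorized"
    last_seq[fields["sender"]] = fields["seq"]
    return True, "ok"
```

With a shim such as TLS or a CMS wrapper, the `action` and `filename` fields would sit outside the security layer, and the receiver would need the cross-protocol interaction noted above to make the same authorization decision.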

9 Priorities?
- What is most important?
  - e.g., incorporating security into CFDP and/or other application layer protocols
- What objectives are most important?
  - e.g., access control, confidentiality, federation, evolve-ability, flexibility, extensibility?
- When might this capability be needed?
  - e.g., CxP Lunar Sortie or Surface Missions?
  - What other missions might involve partnerships?

10 Next Steps?
- Should the Security WG take this on as a new program of work?
- How should we approach this?
  - Study?
  - Just adopt CMS?
  - Write a new protocol?
  - Go home and call it a day?

