Application Layer Security Mike Pajevski (NASA/JPL) April 2009.


1 Application Layer Security Mike Pajevski (NASA/JPL) April 2009

2 Agenda (4/22/2009)
What is Application Layer Security
Review Berlin discussions
Benefits of Application Layer Security
Drawbacks of Application Layer Security
Objectives for Application Layer Security
Useful approaches
Priorities

3 What is Application Layer Security?
[Figure: protocol stack diagram. Labels: SCPS-NP, IP, Space Link Subnet: CCSDS Data Link, SCPS-SP, Other Apps, IPSec, UDP, TCP, SCPS-FP, TCP Options, FTP, FTP Features, SCPS-TP. Annotations: Space extensions to the Socket Interface; Common Network-Layer Interface; “TCP Tranquility” options; Space-optimized IP variant; Space-optimized IPSec variant; Space extensions to FTP; Application Layer Security operates here.]

4 Berlin Discussions
Concern raised about APIs – given that the most popular application layer security service is SSL/TLS, which only supports TCP (and soon UDP), what would we support in CCSDS given the wide variety of transport layer protocols we have (e.g., AOS, TM, TC, TCP/IP)?
Can we specify application layer security, in general, for the wide variety of protocols that space missions use now and the even greater number they might use in the future?
Another question is where (or how) S/MIME might fit into this. Could we base application layer security on the S/MIME model, where it is assumed that the receiver has no prior knowledge of the sender (e.g., no credentials) and therefore all the information needed by the receiver has to be sent along with the secured data?
Even more, what are the kinds of applications being used for space missions?
  – Do they live on top of operating systems (e.g., Flight Linux, VxWorks, Green Hills) or do they run directly on the hardware?
  – Do they operate on top of Frameworks or Messaging Services (e.g., AMS) which might provide or expose lower layer security services?
Action: Mike Pajevski should investigate the development of use cases for application layer security. He should further define and categorize the problems, identify interoperability issues, and investigate the potential use of messaging systems/frameworks (such as AMS) as security ‘shims’, much in the same manner as done by SM&C by building their Message Abstraction Layer (MAL) on top of AMS.
Action: Howie Weiss will set up a meeting with the CFDP folks to look at how they plan to address security at their next revision of the CFDP specifications. He will also investigate what missions are using CFDP and those that are planning to use it.

5 Benefits of Application Layer Security
Application layer security offers fine-grained access control
  – Useful when different sources of commands or file service requests have differing rights
Application layer security supports widest range of interaction patterns
Application layer security can provide (additional) confidentiality protection
  – i.e., over-and-above lower layer controls, or without lower layer confidentiality (depending on needs)
  – Useful for highly sensitive data (e.g., keys)

6 Drawbacks of Application Layer Security
Needs to be incorporated into each application
More complexity
  – More to manage (credentials, roles, permissions)
More overhead
  – Most likely layered over lower layer security

7 Objectives for Application Layer Security
Provide fine-grained access control
  – Authentication of entity requesting access
    » Could be a user, service, proxy
  – Authorization
    » Relies on policies and (optionally) groups/roles
Common (& Federated?) authentication credentials
  – For multiple applications
Confidentiality?
  – Should this be handled only at lower layer?
Credential, Policy, & Key Management
  – Creation, Update, Deletion, Distribution, Synchronization of data used by app layer security

8 What approaches are useful?
Integrate security into each application protocol?
  – e.g., add authentication data fields (& encryption?) into CFDP protocol (and/or other?)
  – Benefit: Details needed for access control are contained within the protocol
  – Drawback: Details are specific to each application
Use a common shim like TLS
  – Benefits: Defined standard; Can be used under any application
  – Drawbacks: The filename/action or subsystem information about the exchange is not part of this protocol – thus cross-protocol interaction is needed to provide access control AND TLS requires handshaking to establish session keys
    » Authentication credentials can be preplaced, but session keys are negotiated when sessions start
    » Would a session key management protocol be useful? Note that TLS sessions can be “resumed”
Message-based security
  – e.g., Cryptographic Message Syntax (CMS), S/MIME, WS-Security
  – Benefits: Defined standards
  – Drawbacks: The filename/action or subsystem information about the exchange is not (usually) part of these protocols – thus cross-protocol interaction is needed
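The first approach on this slide, authentication data carried inside the application protocol, can be sketched as follows. This is an added example, not part of the presentation and not the CFDP format: the field layout, source names, preplaced keys and policy are constructed for illustration. Because the action and filename sit under the authentication tag, the receiver makes the access decision without the cross-protocol lookup a TLS or CMS wrapper would need.

```python
import hashlib
import hmac
import posixpath
import struct

# Constructed sample data: preplaced per-source keys and an (action, directory) policy.
KEYS = {"mission-ops": b"\x01" * 32, "science-team": b"\x02" * 32}
POLICY = {
    "mission-ops": {("put", "/cmd"), ("get", "/tlm")},
    "science-team": {("get", "/tlm")},
}
TAG_LEN = 32  # HMAC-SHA-256 output length in bytes

def build_request(source: str, action: str, filename: str, key: bytes) -> bytes:
    """Encode three length-prefixed fields and append an HMAC over them."""
    body = b"".join(struct.pack(">H", len(f)) + f
                    for f in (source.encode(), action.encode(), filename.encode()))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def parse_body(body: bytes):
    """Return (source, action, filename); raise on malformed input."""
    fields, off = [], 0
    for _ in range(3):
        (n,) = struct.unpack_from(">H", body, off)  # struct.error if truncated
        fields.append(body[off + 2:off + 2 + n].decode())
        off += 2 + n
    if off != len(body):
        raise ValueError("length mismatch")
    return tuple(fields)

def authorize(message: bytes) -> str:
    """Authenticate the requester, then check the request against policy."""
    body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    try:
        source, action, filename = parse_body(body)
    except (ValueError, struct.error):  # UnicodeDecodeError is a ValueError
        return "deny: malformed"
    key = KEYS.get(source)
    if key is None:
        return "deny: unknown source"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "deny: bad authentication tag"
    # Normalize before the policy check so "/tlm/../cmd/x" is judged as "/cmd/x".
    directory = posixpath.dirname(posixpath.normpath(filename))
    if (action, directory) not in POLICY[source]:
        return "deny: not authorized"
    return "allow"
```

The example covers authentication and authorization only; replay protection and confidentiality are left out.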

9 Priorities?
What is most important?
  – e.g., incorporating security into CFDP and/or other application layer protocols
What objectives are most important?
  – e.g., access control, confidentiality, federation, evolve-ability, flexibility, extensibility?
When might this capability be needed?
  – e.g., CxP Lunar Sortie or Surface Missions?
  – What other missions might involve partnerships?

10 Next Steps?
Should the Security WG take this on as a new program of work?
How should we approach this?
  – Study?
  – Just adopt CMS?
  – Write a new protocol?
  – Go home and call it a day?

