CCSDS Security Credentials Blue Book

04/09/2018 CCSDS Glenn Research Center (GRC)CHARLES SHEEHE, GRC Point of Contact

JOHN WANG, GRC Test Engineer MICHAEL MARSDEN, GRC Test Engineer

1

Security Credentials Project Overview

Documented the Simple log-in, utilized in Space Link Extension Blue Book

Develop Security Credentials Document Security Credentials in White Book / Blue Book• Area Director Approval of test plan and authority to proceed Vet Security Credentials structure locally (NASA GRC) validate

Security Credentials• Vet Security Credentials structure locally The Centre national

d'études spatiales (CNES) validate Security Credentials • Perform Compatibility testing Security Credentials for IPsec (Yellow

Book) NASA GRC & CNES• Provide feed back to (White Book / Blue Book)• Publish Yellow book• Publish Blue book

2

Project Process

• CCSDS Security Credentials Authority to proceed 3/1/2018 from GRC management. Evaluate IPsec and Certificate management related standards Define CCSDS/IPsec Security Credentials needs Develop work plan Develop document outline Develop draft document Refine draft document Develop Test Plan • Approval of Test Plan • Perform independent testing • Modify test plan• Connection between agencies test devices• Started compatibility testing• Completed compatibility tests• Documentation of test results• Document Lessons Learned• Present results to CCSDS working group• Update Blue Book and publish Yellow Book

• Key deliverable• Yellow Book • Blue Book

3

Update

• Current Status Blue Book: is ready for prototyping.

• Comments have been addressed.

• Yellow Book / test plan drafted.

• Local prototyping in progress at GRC.

4

Lessons Learned

Need to validate certificate structure to verify completeness of the certificate. Reason is most of / or some of development software will change the certificates based on the parameters selected.

5

We at NASA Glenn would like to thank; Julien Airaud and the team from CNES, it will be a pleasure working with them again.

6

Area Director Action needed

• Approval of the draft test plan, to ensure that resources are not consumed by a misunderstanding of required interoperability requirements prior to starting.

– Notification of GRC and CNES of approval or re-working draft plan prior to Authority to Proceed.

7

Questions

8

Backup

9

Script generation and test##

# To generate a self-signed SSL certificate using the OpenSSL,

complete the following steps:

# Write down the Common Name (CN) for your SSL Certificate. The CN is

the fully qualified name for the system that uses the certificate. If you

are using Dynamic DNS, your CN should have a wild-card, for example:

*.api.com. Otherwise, use the hostname or IP address set in your Gateway

Cluster (for example. 192.16.183.131 or dp1.acme.com).

# Run the following OpenSSL command to generate your private key and

public certificate. Answer the questions and enter the Common Name when

prompted.

#

##

# pull from autoGen_config.ini file for Country Name, Org...Only edt it

there

openssl req -newkey rsa:2048 -nodes -keyout ccsds_key.der -x509 -days

365242 -out nasa-grc_cert.der -config autoGen_config.ini

openssl x509 -text -noout -in nasa-grc_cert.der -trustout

openssl pkcs12 -inkey ccsds_key.der -in nasa-grc_cert.der -export -out

nasa-grc_cert.p12 -password pass:"Password7"

#openssl ca -in nasa-grc_cert.der -inkey ccsds_key.der -out signed_nasa-

grc_cert.der ## SOMETHING TO DO WITH SELF SIGNING???

## VALIDATE PASSWORD for KEY.DER

“Test script commented out” ## openssl x509 -in nasa-grc_cert.der –text

# openssl pkcs12 -in nasa-grc_cert.p12 -noout -info

##Tutorial commands

#openssl req -config /etc/pki/tls/openssl.cnf -new -key

private/private.key -out cert-request.csr

#openssl req -text -in cert-request.csr

#openssl ca -in cert-request.csr -out user-certificate.crt

#openssl x509 -text -noout -in user-certificate.crt

10

Cert_config• [ req ]• prompt = no• default_bits = 2048• default_md = sha256• default_keyfile = ccsds_key.der• distinguished_name = req_distinguished_name• x509_extensions = v3_ca # The extentions to add to the self signed cert• req_extensions = v3_req• x509_extensions = usr_cert

• [ req_distinguished_name ]• C= US• ST= OHIO• L= CLEVELAND• O= NASA-GRC • OU= CCSDS STANDARDS TESTING• CN= CCSDS CERT TESTING• emailAddress= ccsdstwo@gmail.com

• [ usr_cert ]• basicConstraints =CA:TRUE• nsCertType = client, server, email• keyUsage = nonRepudiation, digitalSignature, keyEncipherment• extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection, timeStamping• nsComment = "OpenSSL Generated Certificate for CCSDS Testing!"• subjectKeyIdentifier =hash• authorityKeyIdentifier =keyid,issuer

• [ v3_req ]• #fill in extensions to use here with OIDs• extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection, timeStamping #1.3.6.1.5.5.7.3.4, 1.3.6.1.5.5.7.3.6, 1.3.6.1.5.5.7.3.5,

1.3.6.1.5.5.7.3.6, • basicConstraints = CA:TRUE• keyUsage = nonRepudiation, digitalSignature, keyEncipherment

11

Cert_Dump• X509 Certificate:

• Version: 3

• Serial Number: ea062d5086e95c28

• Signature Algorithm:

• Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA

• Algorithm Parameters:

• 05 00

• Issuer:

• E=ccsdstwo@gmail.com

• CN=CCSDS CERT TESTING

• OU=CCSDS STANDARDS TESTING

• O=NASA-GRC

• L=CLEVELAND

• S=OHIO

• C=US

• Name Hash(sha1): 7578249f521e92e925dc4881a7973f56e8827ac3

• Name Hash(md5): 6a429a0cafae4416241e14387ad1d842

• NotBefore: 3/14/2018 4:25 PM

• NotAfter: 3/14/3018 4:25 PM

• Subject:

• E=ccsdstwo@gmail.com

• CN=CCSDS CERT TESTING

• OU=CCSDS STANDARDS TESTING

• O=NASA-GRC

• L=CLEVELAND

• S=OHIO

• C=US

• Name Hash(sha1): 7578249f521e92e925dc4881a7973f56e8827ac3

• Name Hash(md5): 6a429a0cafae4416241e14387ad1d842

• Public Key Algorithm:

• Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA

• Algorithm Parameters:

• 05 00

• Public Key Length: 2048 bits

• Public Key: UnusedBits = 0

• 0000 30 82 01 0a 02 82 01 01 00 b4 59 c6 21 73 d3 ef

• 0010 e7 62 9f 73 2f d1 e6 da 78 3a 1b fd b2 34 14 ef

• 0020 80 e1 4e a7 a0 5e 85 4f cf 86 ff fe ab 8e 50 0c

• 0030 60 d6 b5 21 cd be 87 c3 3e 64 55 e3 a5 08 b7 f5

• 0040 cf 56 ba 91 f5 32 cd 68 5d 0b de fd 9b 5a 64 61

• 0050 39 b4 4d 7b 7b ff e7 76 05 03 fa 80 65 05 0b f5

• 0060 8f 5d 7a 31 fc e1 b9 d2 33 01 be 73 ff 37 a0 b9

• 0070 4b f9 28 7f e8 47 42 a1 c5 bc 98 cf af 82 b7 1e

• 0080 06 05 bf 14 d2 a2 3d 61 fe be 8a 71 ad f0 61 f4

• 0090 5e 43 a4 85 fe 10 44 5b fd 37 03 97 ca 01 40 73

• 00a0 f0 3d 0a ad 7f d8 76 bc 92 b2 7d 40 fd b9 23 92

• 00b0 38 53 f1 63 bf 70 5a 93 12 d3 0f d3 d6 65 4b 78

• 00c0 16 b3 57 62 b5 1a 96 79 e1 85 28 0a e7 3d 5b 15

• 00d0 84 e3 0f b3 b5 89 b2 a5 b1 3f a8 8a 4a 29 6f a7

• 00e0 e2 29 db 33 72 2f 36 84 a9 ca 6a ea 98 1a e6 e5

• 00f0 b5 94 e2 cf b8 a7 ef 73 db 76 21 1c 1b 16 d1 98

• 0100 af 21 7d 77 9f 80 00 b0 03 02 03 01 00 01

• Certificate Extensions: 7

• 2.5.29.19: Flags = 0, Length = 5

• Basic Constraints

• Subject Type=CA

• Path Length Constraint=None

• 2.16.840.1.113730.1.1: Flags = 0, Length = 4

• Netscape Cert Type

• SSL Client Authentication, SSL Server Authentication, SMIME (e0)

• 2.5.29.15: Flags = 0, Length = 4

• Key Usage

• Digital Signature, Non-Repudiation, Key Encipherment (e0)

• 2.5.29.37: Flags = 0, Length = 34

• Enhanced Key Usage

• Server Authentication (1.3.6.1.5.5.7.3.1)

• Client Authentication (1.3.6.1.5.5.7.3.2)

• Code Signing (1.3.6.1.5.5.7.3.3)

• Secure Email (1.3.6.1.5.5.7.3.4)

• Time Stamping (1.3.6.1.5.5.7.3.8)

• 2.16.840.1.113730.1.13: Flags = 0, Length = 32

• Netscape Comment

• OpenSSL Generated Certificate for CCSDS Testing!

• 2.5.29.14: Flags = 0, Length = 16

• Subject Key Identifier

• KeyID=24 f4 29 eb 40 32 1b e8 ba 22 d0 39 de 1e 2b 4c e4 0b 5e 5e

• 2.5.29.35: Flags = 0, Length = 18

• Authority Key Identifier

• KeyID=24 f4 29 eb 40 32 1b e8 ba 22 d0 39 de 1e 2b 4c e4 0b 5e 5e

• Signature Algorithm:

• Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA

• Algorithm Parameters:

• 05 00

• Signature: UnusedBits=0

• 0000 76 ac 20 81 f7 e0 f3 12 15 55 f0 3c 05 ea f0 34

• 0010 12 ff 39 08 b9 3c 20 7f 9b 25 3b 23 d7 77 7b b5

• 0020 ee dd a8 8c ec 0f 96 f0 f1 c1 19 6a 24 75 73 c1

• 0030 fa 80 43 44 69 2e 80 dc 9c f7 a6 fd 8a 47 62 fa

• 0040 4b 2a 74 cd 9e 72 6b 74 b9 d5 04 9e af 66 5b 7b

• 0050 29 56 91 04 64 37 24 23 54 27 90 94 e8 fd 85 0c

• 0060 a0 7b 48 bc 8b 0e 0a 41 91 a4 0a e5 cf fc a0 0c

• 0070 74 0a 66 11 20 1c 04 ae 2b c5 8e 37 b5 00 d3 8c

• 0080 5e 2d 34 1f c4 80 a8 b0 a8 6d 0c 65 dd 3e b7 69

• 0090 da 7d 1a a3 44 d4 88 77 7d 43 61 e7 3f d8 59 f2

• 00a0 a1 db 04 a3 1a 20 0e 3e d0 14 a7 df 72 2a 38 94

• 00b0 3d e0 cc 38 e1 67 44 d8 9e 13 39 1e 0c 0c 2d 4e

• 00c0 bd 8a e2 2d 7e e0 9a d5 9e ce a8 4e c7 d4 da dc

• 00d0 1b 31 1e 61 b5 bf 11 56 27 44 d4 b5 00 4f 82 3e

• 00e0 7e 52 58 2c 50 2a ee ef d2 fb 6f 0d 5b c4 ed bd

• 00f0 19 3d f1 d1 be 6f 5d 16 05 49 b7 46 4f 77 d0 89

• Signature matches Public Key

• Root Certificate: Subject matches Issuer

• Key Id Hash(rfc-sha1): 24f429eb40321be8ba22d039de1e2b4ce40b5e5e

• Key Id Hash(sha1): 8371254448afc3f7d2d3f2d3583deadc64e6e211

• Key Id Hash(md5): 099b45ae1584fc0ceba05ad5c96fc575

• Key Id Hash(sha256): 0d25e14805cd33f5fbcccde813766c7a27d0b306917b2738387f81471bd7eb8b

• Cert Hash(md5): a98e2192c21f56ba724367a72f47e963

• Cert Hash(sha1): 7bb735c64800b43e8d30ae92046eb93f0f8f20ce

• Cert Hash(sha256): f0c78f833c6eda5879546d46207cabcf656007b21e3218b2ea242839584f19c4

• Signature Hash: 727f697330ae1fdcae0df4a43afea34303b2d34fde73ca796ef1dd756ed57062

12

SLE

• GRACE-FO is a partnership between NASA and the German Research Center for Geosciences (GFZ). NASA's Jet Propulsion Laboratory in Pasadena, California, manages the mission for NASA's Science Mission Directorate, with participation from the Earth Systematic Missions Program Office at Goddard Space Flight Center (GSFC).https://gracefo.jpl.nasa.gov/

• Arrived for launch on December 12th 2017.• NASA’s Near Earth Network has fully

implemented SLE.

13