CCSDS Security Working Group - Fall 2007 Meeting
Research Activities on Encryption and Authentication for Space Applications by
the Telecommunications Group of the Università Politecnica delle Marche
Ancona, ITALY
Susanna Spinsante
3-5 October 2007
ESA/ESOC, Darmstadt Germany
(Hotel am Bruchsee, Heppenheim)
2003/2004: Analysis of the ESA Telecommand Authentication Procedure (ESA PSS-04-151):
Numerical analysis
performance and security evaluation by means of suitable tests for authentication systems (NIST test suite, technical literature)
detected flaws: weaknesses in hard knapsack and LFSR-based hashing
suggested modifications according to a conservative approach: improved hashing and selection of the hard knapsack factors
Performance and security evaluation of the modified TC Authentication scheme proposed:
by means of simple modifications, the randomness and security levels of the overall system have been increased, thus obtaining better performance also when processing short TCs
the suggested new scheme showed a processing time reduction and a possible optimization on a 32 bit data bus
Suggested modifications:
Theoretical analysis
cryptanalysis of the ESA authentication system: choice of the LFSR coefficients, attacks based on internal and external collisions, reconstruction of the erased bits of the key
the percentage of cases in which cryptanalysis permits the total break of the system is significant
Our analysis showed that:
The secrecy of the HK factors (2880 bits) is questionable when the opponent can apply a chosen text attack
The Erasing Block (EB), which deletes the 8 least significant bits of the Knapsack output, makes it more complex for an opponent to invert the transformation S = f(m), but an attack has been conceived for discovering the last part of the key
The weakest part of the system is the Hard Knapsack
The Hash Function (linear) is rather simple to violate
Difficulties for an opponent are due to the Erasing Block
The very long length of the secret key does not provide any specific protection
Most of the key can be discovered fast, while the disclosure of (most of) the remaining part is possible by ad hoc software
The probability of success for a total break attack is high
The results of our study strengthened the idea of conceiving a new and more robust authentication solution
Related Bibliography:
F. Chiaraluce, G. Finaurini, E. Gambi, S. Spinsante, “Analysis and Improvement of the ESA Telecommand Authentication Procedure”, in Proc. TTC 2004 Workshop on Tracking, Telemetry and Command Systems for Space Applications, 07-09 September 2004, ESA/ESOC, Darmstadt (Germany), pp. 691-698
F. Chiaraluce, E. Gambi, S. Spinsante, “Efficiency Test Results and New Perspectives for Secure Telecommand Authentication in Space Missions: Case-study of the European Space Agency”, in ETRI Journal, Vol. 27, Number 4, August 2005, ISSN 1225-6463, pp. 394-404
F. Chiaraluce, E. Gambi, S. Spinsante, “Numerical verification of the historicity of the ESA telecommand authentication approach”, in Proc. of “SpaceOps 2006: Earth, Moon, Mars and Beyond” Conference, 19-23 June 2006, Rome (Italy)
S. Spinsante, F. Chiaraluce, E. Gambi, “Telecommand Authentication in Space Missions: Cryptanalysis of the ESA Approach and Evaluation of Alternative AES-Based Schemes”, submitted to IEEE Trans. on Aerospace & Electronic Systems
2005/2006: Evaluation of AES-based authentication and encryption for space applications
Following the results provided by the analysis of the old ESA authentication
scheme, and confirmed by preliminary proposals expressed within the CCSDS
Security WG, a research activity on the adoption of the Advanced Encryption
Standard (AES) for TC authentication and TM encryption has been developed
Telemetry Encryption
comparison among several AES operational modes
error propagation over AWGN and burst channels
data cancellations effects and recovery
computational requirements: evaluation and comparison
Telecommand Authentication
AES-based Message Authentication Code generation schemes for TC Authentication
CBC and CFB MAC generation
Telecommand authentication and Forward Error Control coding (Correct Authentication Rate)
Contribution of the study
Numerical results on:
AES based authentication schemes applied to TC data
AES based encryption schemes applied to TM data
Evaluation of the interactions between encryption/authentication services and FEC services:
TC authentication and BCH FEC coding
TM encryption and RS FEC coding
in the case of sparse errors and burst errors
Definition of a CAR (Correct Authentication Rate) figure to evaluate error propagation effects
No substantial differences between AES-based CFB and CBC MAC authentication of TC data, w.r.t. transmission errors: further constraints should be taken into account for selection
AES OFB mode should be chosen for TM encryption, from the error propagation point of view, even if it is weaker than CFB mode against message stream modification attacks
Example: different behaviors of the
operational modes w.r.t. errors – no FEC
TM encryption required in high security missions for satellite telemetry
(navigation and communication)
Huge amount of TM data: symmetric stream ciphers needed
AES CFB mode: self synchronising stream cipher mode, error propagation
AES OFB mode: not self-synchronising stream cipher mode, no error propagation
AES based encryption schemes applied to TM data
AES OFB gives a lower error probability after decryption than AES CFB, for the same error probability along the channel (AWGN) – no FEC
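The different error behaviour of the two modes can be reproduced in a few lines; this is an added example, not part of the original slides. It assumes full-block (128-bit) CFB feedback and uses a SHA-256-based keyed function as a stand-in for AES, which is sufficient because CFB and OFB only use the forward direction of the block cipher; the key, IV and 6-block frame are constructed. Beyond the single bit error, it also covers the deleted-block case listed earlier under data cancellation effects and recovery.

```python
import hashlib

BLOCK = 16  # bytes, the AES block size

def prf(key, block):
    # Stand-in for the AES forward function E_K (assumption: this is NOT AES).
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ofb(key, iv, data):
    # Keystream depends only on key and IV, so encryption == decryption.
    out, state = b"", iv
    for blk in blocks(data):
        state = prf(key, state)
        out += xor(blk, state)
    return out

def cfb(key, iv, data, decrypt=False):
    # Full-block CFB: the previous ciphertext block is the next cipher input.
    out, prev = b"", iv
    for blk in blocks(data):
        res = xor(blk, prf(key, prev))
        prev = blk if decrypt else res
        out += res
    return out

def flip_bit(data, bit):
    i = bit // 8
    return data[:i] + bytes([data[i] ^ (0x80 >> (bit % 8))]) + data[i + 1:]

def bad_blocks(expected, received):
    return [n for n, (a, b) in enumerate(zip(blocks(expected), blocks(received))) if a != b]

def run():
    key, iv, frame = b"constructed-key!", bytes(BLOCK), bytes(range(96))  # constructed
    tail, result = frame[:BLOCK] + frame[2 * BLOCK:], {}   # tail: frame minus block 1
    modes = {"ofb": (ofb, ofb), "cfb": (cfb, lambda k, v, c: cfb(k, v, c, True))}
    for name, (enc, dec) in modes.items():
        ct = enc(key, iv, frame)
        hit = flip_bit(ct, 8 * BLOCK + 3)        # one channel bit error in block 1
        cut = ct[:BLOCK] + ct[2 * BLOCK:]        # ciphertext block 1 deleted
        result[name + "_bit_error"] = bad_blocks(frame, dec(key, iv, hit))
        result[name + "_deletion"] = bad_blocks(tail, dec(key, iv, cut))
    return result
```

`run()` returns the indices of the plaintext blocks damaged after decryption: a flipped bit damages block 1 only under OFB but blocks 1 and 2 under CFB, while a deleted block damages every following block under OFB and a single block under CFB.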
CFB and OFB TM Encryption
RS FEC – frame correction rate – BURST channel
RS FEC – byte correction rate – BURST channel
AES based authentication schemes applied to TC data
CBC MAC generation (figure panels: No FEC, BCH FEC)
CFB MAC generation (figure panels: No FEC, BCH FEC)
Related Bibliography:
S. Spinsante, M. Baldi, F. Chiaraluce, E. Gambi, G. Righi, “Evaluation of Authentication and Encryption Algorithms for Telecommand and Telemetry in Space Missions”, in Proc. 23rd AIAA International Communications Satellite Systems Conference (ICSSC 2005), Joint Conference 2005, 25-28 September 2005, Aurelia Convention Centre, Rome (Italy)
S. Spinsante, F. Chiaraluce, E. Gambi, “Evaluation of AES-based authentication and encryption schemes for Telecommand and Telemetry in satellite Applications”, in Proc. of “SpaceOps 2006: Earth, Moon, Mars and Beyond” Conference, 19-23 June 2006, Rome (Italy)
S. Spinsante, F. Chiaraluce, E. Gambi, “Evaluation of AES-based authentication and encryption schemes for Telecommand and Telemetry in satellite applications”, in “Space Operations: Mission Management, Technologies, and Current Applications”, Chapter 22, Loredana Bruca, J. Paul Douglas, Trevor Sorensen, Editors, Progress in Astronautics and Aeronautics Series, AIAA Publication Books, to be published September 2007
2006/2007: Further insights into AES-based MAC generation, and Authenticated Encryption with Associated Data (AEAD) modes
Besides classical operational modes usually adopted for MAC generation purposes, new and more recent solutions have been evaluated and are currently under consideration, given the peculiarities of the space context, w.r.t. more “traditional” contexts, like IP networks
The main target of such analysis is to define functional figures suited for a “fair” comparison among the available schemes
MAC generation
MAC generation by classical techniques
CBC MAC and its variants
CFB MAC
MAC generation by alternative solutions (EAX)
Definition of functional figures for comparison
EAX processing
MAC generation by classical techniques: definition of functional figures
CFB MAC generation
CFB8
CFB64
CFB128, OMAC
EAX
Efficiency comparison: number of calls to the underlying block cipher
Authentication overhead comparison
Number of block cipher calls
Data expansion
EAX and CBC processing comparison
Together with the analysis of innovative AEAD schemes, other solutions proposed by CCSDS SEC WG during its last meetings are under evaluation. More specifically, during the Winter 2006 meeting, the WG confirmed the choice of DSA
DSA with SHA-1 for TC Authentication
Standard techniques applied to TC authentication
Sample hardware platform selected as a benchmark (COTS: Microchip dsPIC microcontroller based on Harvard architecture)
Evaluation of complexity and computational requirements
Implementation of alternative schemes (HMAC) on the same hardware platform and their thorough comparison
Two TC structures tested:
CCSDS Recommendation for Space Data System Standards, "TC Space Data Link Protocol," CCSDS 232.0-B-1, Blue Book, September 2003
ESA PSS-04-151
Example: SHA-1 computational requirements
Errors in AWGN channel
Effects of residual errors, due to the communication channel, on the correct verification of the TC segments at the receiver
For each simulated communication session:
- number of TCs corrupted in Data field only
- number of TCs corrupted in Signature field only
- number of TCs corrupted in both fields
Last case: verify if the corrupted Signature corresponds to the DSA/SHA-1 Signature computed over the corrupted Data. This potentially dangerous condition never occurs
• Robustness of the authentication scheme confirmed also in presence of residual errors on the channel
• Preliminary performance evaluations of the DSA with SHA-1 applied to the authentication of TC. Proposed implementation on a commercial dsPIC
• Further developments: implementation of alternative schemes (HMAC) on the same hardware platform and their thorough comparison
Related Bibliography:
S. Spinsante, F. Chiaraluce, E. Gambi, “New perspectives in Telecommand security: the application of EAX to TC segments”, in Proc. Data Systems In Aerospace DASIA 2007, 29th May – 1st June, Naples, ITALY
S. Spinsante, E. Gambi, F. Chiaraluce, “Operational Modes Comparison of the Advanced Encryption Standard for Space Data Security Applications”, in Proc. TTC 2007 Workshop on Tracking, Telemetry and Command Systems for Space Applications, 11-14 September 2007, ESA/ESOC, Darmstadt (Germany)
S. Spinsante, E. Gambi, M. Leggieri, “DSA with SHA-1 for Space Telecommands Authentication”, in Proc. 15th International Conference on Software Telecommunications & Computer Networks, September 27-29 2007, Split - Dubrovnik, Croatia
L. Zhang, S. Spinsante, “Application and Performance Analysis of Various AEAD Techniques for Space Telecommand Authentication”, accepted for presentation at IEEE 29th International Aerospace Conference, Big Sky (MT, USA), 1 - 8 March 2008
Open Issues
Does this research approach meet CCSDS SEC WG needs?
Should we focus on the examination of encryption solutions, authentication solutions, or both? Are there some “priority” items?
With regard to the impact of errors on authentication/encryption performance, the suitability of this analysis depends on the reference model adopted, and on the placement of the security layer
AEAD modes represent a promising approach: does CCSDS SEC WG share this point of view? Should we focus on this topic, by extending the range of solutions under examination?
In order to provide more realistic results about security algorithms, “real” data should be available as a test bed. Is this approach feasible? Should we limit our analyses to a parametric approach?
Does CCSDS SEC WG have different priorities or expectations about the research activities to be carried out?