<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p
{mso-style-priority:99;
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I agree, Jeremy, it’s terrific that you could do this so quickly. And I agree that the overheads are not bad, but to my mind they are still a little troubling.
I can imagine an SBSP Block Integrity Block ciphersuite that would use a one-time, randomly generated SHA256 key to generate a SHA256 digest over the payload (shipped in the BIB’s results field); would include that key in the BIB’s ciphersuite parameters;
and would also provide an elliptic-curve digital signature for that key (computed using the sender’s private key, to be verified using the sender’s pre-placed public key) as an additional ciphersuite parameter. I think that would come to 256 bits for the
SHA256 digest plus 256 bits for the SHA256 key, plus 320 bits for the ECDS, for a total of 832 bits = 104 bytes. Even allowing for a little additional BIB structural overhead, this is still less than a sixth of the overhead measured for the CMS signing option.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I am sure there easy ways to reduce these numbers, and I am by no means saying that CMS is the wrong way to go. I’m just saying that I would like to keep the
bar fairly high here, as we can’t necessarily count on bundles transmitted over the Solar System Internet being so large that 686 bytes of security overhead is insignificant.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Scott
<o:p></o:p></span></p>
<p class="MsoNormal"><a name="_MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></a></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> sis-dtn-bounces@mailman.ccsds.org [mailto:sis-dtn-bounces@mailman.ccsds.org]
<b>On Behalf Of </b>Weiss, Howard<br>
<b>Sent:</b> Tuesday, June 30, 2015 5:34 AM<br>
<b>To:</b> Jeremy Pierce-Mayer; sis-dtn@mailman.ccsds.org<br>
<b>Subject:</b> RE: [Sis-dtn] Bundle Signing And Encryption With CMS<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black">Jeremy<br>
<br>
This is very cool! Thanks for spinning this up so quickly. Its very neat that you could use an off-the-shelf standard and open source software to provide bundle security services in such an expedited manner. And the fact that the overheads are not bad makes
it even nicer.<br>
<br>
Regards<br>
<br>
howie<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black"><o:p> </o:p></span></p>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black"><o:p> </o:p></span></p>
<div class="MsoNormal" align="center" style="text-align:center"><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black">
<hr size="2" width="100%" align="center">
</span></div>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black">Howard Weiss</span></b><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black"><br>
</span><span style="font-size:7.5pt;font-family:"Tahoma",sans-serif;color:black">Technical Director</span><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black"><br>
<br>
<b>PARSONS</b></span><span style="font-size:7.5pt;font-family:"Tahoma",sans-serif;color:black"><br>
7110 Samuel Morse Drive<br>
Columbia, MD 21046<br>
443-430-8089 (office)<br>
410-262-1479 (cell)<br>
443-430-8238 (fax)<br>
<a href="mailto:howard.weiss@parsons.com">howard.weiss@parsons.com</a><br>
<a href="http://www.parsons.com">www.parsons.com</a><br>
<br>
</span><span style="font-size:7.5pt;font-family:"Tahoma",sans-serif;color:#339966">Please consider the environment before printing this message</span><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div class="MsoNormal" align="center" style="text-align:center"><span style="color:black">
<hr size="2" width="100%" align="center">
</span></div>
<div id="divRpF275448">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black">
<a href="mailto:sis-dtn-bounces@mailman.ccsds.org">sis-dtn-bounces@mailman.ccsds.org</a> [sis-dtn-bounces@mailman.ccsds.org] on behalf of Jeremy Pierce-Mayer [jeremy.mayer@dlr.de]<br>
<b>Sent:</b> Tuesday, June 30, 2015 6:02 AM<br>
<b>To:</b> <a href="mailto:sis-dtn@mailman.ccsds.org">sis-dtn@mailman.ccsds.org</a><br>
<b>Subject:</b> [Sis-dtn] Bundle Signing And Encryption With CMS</span><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">Hey Everyone,</span><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">During the Bundle Security telecom last week, I took the action to wedge the Cryptographic Message Syntax (CMS) into BP, for use in signing and encryption. Here are
the results:</span><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><strong><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">Software Implementation:</span></strong><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">For this testing, I used a random payload, passed that through the CMS implementation (OpenSSL), using a pre-shared 1024b RSA key in an X509 certificate. The enveloped
data was outputted in DER encoding (Base64)<strong><span style="font-family:"Arial",sans-serif">.
</span></strong>It is important to note that this is not S-MIME. The DER-ified data was added as a bundle payload. For future testing, it should be possible</span><span style="color:black"> </span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">to
update (or dynamically generate) the X509 stuff, where we can set the FROM/TO addressed to the src/dest EID's.
</span><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">I ran two tests, signing and verification...</span><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><strong><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">Measurement Methodology:</span></strong><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">All of the numbers below were taken from the receiver side. In other words, the "pre-signing/encryption" sizes were based upon successfully decrypting or verifying
the data at the end of the pipe.</span><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><strong><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">Results - Signing:</span></strong><span style="color:black"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="color:black"><img border="0" width="977" height="600" id="_x0000_i1027" src="cid:image001.jpg@01D0B319.0C8D5E50"><o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">There are two subtests here, one where I carried the CMS signer cert within the data, and one where I didn't. As you can see, the overhead isn't terrible, especially
when you consider that (in some of the tests) I was carrying the cert down the wire. You can also stack signer certificates within a single CMS message, though I opted to not do that (for simplicity) until we have a further plan for CMS.</span><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><strong><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">Results - Encryption:</span></strong><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">I'm going to prefix this by saying that I really didn't need a graph for this one, but graphs are cool, and if I write enough here, it will look like a proper headline...
So, graphs:</span><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"><img border="0" width="977" height="600" id="_x0000_i1028" src="cid:image002.jpg@01D0B319.0C8D5E50"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">Once again, the overhead isn't awful, at
<strong><span style="font-family:"Arial",sans-serif">349</span></strong> bytes.</span><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><strong><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">Where Do We Go From Here:</span></strong><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">I have no idea, though I'm tempted to say that this is a discussion for Darmstadt.</span><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</body>
</html>