<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style>
<!--
@font-face
        {font-family:Wingdings}
@font-face
        {font-family:Calibri}
@font-face
        {font-family:Tahoma}
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif"}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline}
p
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif"}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif"}
span.BalloonTextChar
        {font-family:"Tahoma","sans-serif"}
span.EmailStyle22
        {font-family:"Calibri","sans-serif";
        color:#1F497D}
.MsoChpDefault
        {font-size:10.0pt}
@page WordSection1
        {margin:1.0in 1.0in 1.0in 1.0in}
ol
        {margin-bottom:0in}
ul
        {margin-bottom:0in}
-->
</style><style id="owaParaStyle" type="text/css">P {margin-top:0;margin-bottom:0;}</style>
</head>
<body ocsi="0" fpstyle="1" lang="EN-US" link="blue" vlink="purple">
<div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">FYI - I just "discovered" the attached MIT Master's Thesis that explored the use of CMS in constrained networks and means by which overhead can be reduced using a combination of
 ZLIB and an invention of CMS-Lite.  Interesting reading.....<br>
<br>
Howie<br>
<div><br>
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px"><font style="font-family:Verdana" size="2"><span style="font-weight:bold"><br>
</span></font>
<hr style="width:100%; height:2px">
<font style="font-family:Verdana" size="2"><span style="font-weight:bold"></span></font><span style="font-weight:bold">Howard Weiss</span><br>
<font size="1">Technical Director</font><br>
<br>
<font size="1"><font size="2"><span style="font-weight:bold">PARSONS</span></font><br>
7110 Samuel Morse Drive<br>
Columbia, MD 21046<br>
443-430-8089 (office)<br>
410-262-1479 (cell)<br>
443-430-8238 (fax)<br>
howard.weiss@parsons.com<br>
www.parsons.com<br>
<br>
<span style="color:rgb(51,153,102)">Please consider the environment before printing this message</span></font><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div style="font-family: Times New Roman; color: #000000; font-size: 16px">
<hr tabindex="-1">
<div style="direction: ltr;" id="divRpF865532"><font color="#000000" face="Tahoma" size="2"><b>From:</b> sis-dtn-bounces@mailman.ccsds.org [sis-dtn-bounces@mailman.ccsds.org] on behalf of Pitts, Robert L. (MSFC-EO50)[HOSC SERVICES CONTRACT] [robert.l.pitts@nasa.gov]<br>
<b>Sent:</b> Wednesday, July 01, 2015 2:31 PM<br>
<b>To:</b> sis-dtn-bounces@mailman.ccsds.org<br>
<b>Cc:</b> sis-dtn@mailman.ccsds.org<br>
<b>Subject:</b> RE: [Sis-dtn] Bundle Signing And Encryption With CMS<br>
</font><br>
</div>
<div></div>
<div>
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">I have been engaged in this activity for a while and have been listening to the dialog.  I have not injected anything until this point because I am trying
 to keep an open mind based on my experiences.  This includes low overhead requirements and access requirements to infrastructure.  This includes not only space systems like the ISS but also micro and nano systems, whether spaceborne or seagoing systems and
 the like, which may not routinely check in.   I also am trying to reconcile the need for systems that drop through different levels of protection and strip off layers of security to maintain access as they go deeper into protective modes.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">All of these items push for simplicity which may be irreconcilable when viewed with larger, more complex, and elaborate systems.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">Lee</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<div>
<div style="border:none; border-top:solid #B5C4DF 1.0pt; padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt; font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt; font-family:"Tahoma","sans-serif""> sis-dtn-bounces@mailman.ccsds.org [mailto:sis-dtn-bounces@mailman.ccsds.org]
<b>On Behalf Of </b>Scott, Keith L.<br>
<b>Sent:</b> Tuesday, June 30, 2015 12:48 PM<br>
<b>To:</b> Weiss, Howard; Mayer, Jeremy P. (JSC-OT/ESA)[EUROPEAN SPACE AGENCY]; sis-dtn@mailman.ccsds.org; Stephen Farrell; Edward Birrane<br>
<b>Subject:</b> Re: [Sis-dtn] Bundle Signing And Encryption With CMS</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:13.5pt; font-family:"Calibri","sans-serif"; color:black">Seconded, thanks Jeremy!</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:13.5pt; font-family:"Calibri","sans-serif"; color:black"> </span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:13.5pt; font-family:"Calibri","sans-serif"; color:black">I think our big question is how to structure the security encapsulation(s), in particular where the CMS ‘wrapper’ bits show up w.r.t. the block header and block
 content.  As I understand it, your payload implementation is essentially the ‘CMS wraps block content’ approach and you just know at the receiver to undo that on receipt.  Ed had some concerns about the ‘XXX eats block’ approach and in particular what happens
 when I want to assign the integrity value HERE and implement confidentiality over THERE.  I’d like to fully understand those, especially in light of CMS’ explicit ability to allow nested operations.</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:13.5pt; font-family:"Calibri","sans-serif"; color:black"> </span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:13.5pt; font-family:"Calibri","sans-serif"; color:black">Just to suggest an approach, what if we go with the ‘CMS Eats block content’ approach and (as I think Scott suggested) snag a bit in the block processing control
 flags (ok, thereby increasing it to two bytes, ugh!) to indicate that the block content is ‘security-enabled’ (i.e. A CMS-wrapped thing).  The CMS structure has an object identifier that identifies the content information type, and the intro to the RFC explicitly
 talks about nested operations, so we could impose integrity and security separately; we use Bundle-in-bundle-encapsulation (pronounced ‘tunneling’) to decouple routing and we’re done except for the primary bundle block (because it needs its own separate bit
 flag definition, and because we need to deal with mutability there).</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:13.5pt; font-family:"Calibri","sans-serif"; color:black"> </span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:13.5pt; font-family:"Calibri","sans-serif"; color:black">Pros</span></p>
</div>
<ul type="disc">
<li class="MsoNormal" style="color:black"><span style="font-size:13.5pt; font-family:"Calibri","sans-serif"">overall bundle block structure left alone</span></li><li class="MsoNormal" style="color:black"><span style="font-size:13.5pt; font-family:"Calibri","sans-serif"">allows for per-block granularity</span></li><li class="MsoNormal" style="color:black"><span style="font-size:13.5pt; font-family:"Calibri","sans-serif"">Could implement ‘outer’ signatures of all blocks for BAB-like service?</span></li></ul>
<div>
<p class="MsoNormal"><span style="font-size:13.5pt; font-family:"Calibri","sans-serif"; color:black">Cons</span></p>
</div>
<ul type="disc">
<li class="MsoNormal" style="color:black"><span style="font-size:13.5pt; font-family:"Calibri","sans-serif"">per-block overhead
</span></li></ul>
<ul type="disc">
<ul type="circle">
<li class="MsoNormal" style="color:black"><span style="font-size:13.5pt; font-family:"Calibri","sans-serif"">It seems like it would be worth investigating a CMS implementation / cipher suite so that multiple CMS-protected blocks referenced some sort of common
 block containing key material, but such a block type would be easy enough to define, I’d think.</span></li></ul>
</ul>
<ul type="disc">
<li class="MsoNormal" style="color:black"><span style="font-size:13.5pt; font-family:"Calibri","sans-serif"">‘BAB-like’ signature applied separately to all blocks would increase overhead (even with a ‘common key material’ block type) — argues for ‘secure CL’
 approach?</span></li><li class="MsoNormal" style="color:black"><span style="font-size:13.5pt; font-family:"Calibri","sans-serif"">Content types are OIDs in the 1.2.840.113549.1 space (overhead)</span></li></ul>
<div>
<p class="MsoNormal"><span style="font-size:13.5pt; font-family:"Calibri","sans-serif"; color:black"> </span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:13.5pt; font-family:"Calibri","sans-serif"; color:black">If we were to like this (or, more specifically, whatever we DO end up liking) I think we then need to try real hard to sell that to the IETF, and preferably
 before they get too far down the path of security protocol definition.  Either we’re right and they’ll like it too or we’re missing something…</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:13.5pt; font-family:"Calibri","sans-serif"; color:black"> </span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:13.5pt; font-family:"Calibri","sans-serif"; color:black"> </span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:13.5pt; font-family:"Calibri","sans-serif"; color:black">I found
<a href="http://www.vocal.com/secure-communication/cryptographic-message-syntax-cms/" target="_blank">
this link</a> (with the pictures below) sort of helpful.</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:13.5pt; font-family:"Calibri","sans-serif"; color:black"> </span></p>
</div>
<blockquote style="margin-left:30.0pt; margin-right:0in">
<div>
<p class="MsoNormal"><span style="font-size:13.5pt; font-family:"Calibri","sans-serif"; color:black"><img id="_x0000_i1025" src="cid:image001.png@01D0B356.FAEF23C0" border="0" height="388" width="618"></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:13.5pt; font-family:"Calibri","sans-serif"; color:black"> </span></p>
</div>
</blockquote>
<div>
<p class="MsoNormal"><span style="font-size:13.5pt; font-family:"Calibri","sans-serif"; color:black">—keith</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:13.5pt; font-family:"Calibri","sans-serif"; color:black"> </span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-size:13.5pt; font-family:"Calibri","sans-serif"; color:black"> </span></p>
</div>
<div style="border:none; border-top:solid #B5C4DF 1.0pt; padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-family:"Calibri","sans-serif"; color:black">From:
</span></b><span style="font-family:"Calibri","sans-serif"; color:black">"<a href="mailto:sis-dtn-bounces@mailman.ccsds.org" target="_blank">sis-dtn-bounces@mailman.ccsds.org</a>" on behalf of Howie Weiss<br>
<b>Date: </b>Tuesday, June 30, 2015 at 8:34 AM<br>
<b>To: </b>Jeremy Pierce-Mayer, "<a href="mailto:sis-dtn@mailman.ccsds.org" target="_blank">sis-dtn@mailman.ccsds.org</a>"<br>
<b>Subject: </b>RE: [Sis-dtn] Bundle Signing And Encryption With CMS</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:13.5pt; font-family:"Calibri","sans-serif"; color:black"> </span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt; font-family:"Tahoma","sans-serif"; color:black">Jeremy<br>
<br>
This is very cool!  Thanks for spinning this up so quickly.  It's very neat that you could use an off-the-shelf standard and open source software to provide bundle security services in such an expedited manner.  And the fact that the overheads are not bad makes
 it even nicer.<br>
<br>
Regards<br>
<br>
howie</span></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt; font-family:"Tahoma","sans-serif"; color:black"> </span></p>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt; font-family:"Tahoma","sans-serif"; color:black"> </span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div class="MsoNormal" style="text-align:center" align="center"><span style="color:black">
<hr align="center" size="2" width="100%">
</span></div>
<div id="divRpF275448">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:10.0pt; font-family:"Tahoma","sans-serif"; color:black">From:</span></b><span style="font-size:10.0pt; font-family:"Tahoma","sans-serif"; color:black">
<a href="mailto:sis-dtn-bounces@mailman.ccsds.org" target="_blank">sis-dtn-bounces@mailman.ccsds.org</a> [<a href="mailto:sis-dtn-bounces@mailman.ccsds.org" target="_blank">sis-dtn-bounces@mailman.ccsds.org</a>] on behalf of Jeremy Pierce-Mayer [<a href="mailto:jeremy.mayer@dlr.de" target="_blank">jeremy.mayer@dlr.de</a>]<br>
<b>Sent:</b> Tuesday, June 30, 2015 6:02 AM<br>
<b>To:</b> <a href="mailto:sis-dtn@mailman.ccsds.org" target="_blank">sis-dtn@mailman.ccsds.org</a><br>
<b>Subject:</b> [Sis-dtn] Bundle Signing And Encryption With CMS</span><span style="color:black"></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:black">Hey Everyone,</span><span style="color:black"></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"> </span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:black">During the Bundle Security telecon last week, I took the action to wedge the Cryptographic Message Syntax (CMS) into BP, for use in signing and encryption. Here
 are the results:</span><span style="color:black"></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"> </span></p>
</div>
<div>
<p class="MsoNormal"><strong><span style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:black">Software Implementation:</span></strong><span style="color:black"></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:black">For this testing, I used a random payload, passed that through the CMS implementation (OpenSSL), using a pre-shared 1024b RSA key in an X509 certificate. The
 enveloped data was output in DER encoding (Base64). It is important to note that this is not S/MIME. The DER-ified data was added as a bundle payload. For future testing, it should be possible to
 update (or dynamically generate) the X509 stuff, where we can set the FROM/TO addresses to the src/dest EIDs.
</span><span style="color:black"></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"> </span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:black">I ran two tests, signing and verification...</span><span style="color:black"></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"> </span></p>
</div>
<div>
<p class="MsoNormal"><strong><span style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:black">Measurement Methodology:</span></strong><span style="color:black"></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"> </span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:black">All of the numbers below were taken from the receiver side. In other words, the "pre-signing/encryption" sizes were based upon successfully decrypting or verifying
 the data at the end of the pipe.</span><span style="color:black"></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"> </span></p>
</div>
<div>
<p class="MsoNormal"><strong><span style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:black">Results - Signing:</span></strong><span style="color:black"></span></p>
</div>
<p class="MsoNormal"><span style="color:black"><img id="_x0000_i1028" src="cid:image002.jpg@01D0B356.FAEF23C0" border="0" height="600" width="977"></span></p>
<div>
<p class="MsoNormal"><span style="color:black"> </span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:black">There are two subtests here, one where I carried the CMS signer cert within the data, and one where I didn't. As you can see, the overhead isn't terrible, especially
 when you consider that (in some of the tests) I was carrying the cert down the wire. You can also stack signer certificates within a single CMS message, though I opted to not do that (for simplicity) until we have a further plan for CMS.</span><span style="color:black"></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"> </span></p>
</div>
<div>
<p class="MsoNormal"><strong><span style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:black">Results - Encryption:</span></strong><span style="color:black"></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:black">I'm going to prefix this by saying that I really didn't need a graph for this one, but graphs are cool, and if I write enough here, it will look like a proper
 headline... So, graphs:</span><span style="color:black"></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"><img id="_x0000_i1029" src="cid:image003.jpg@01D0B356.FAEF23C0" border="0" height="600" width="977"></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"> </span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:black">Once again, the overhead isn't awful, at
<strong><span style="font-family:"Arial","sans-serif"">349</span></strong> bytes.</span><span style="color:black"></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"> </span></p>
</div>
<div>
<p class="MsoNormal"><strong><span style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:black">Where Do We Go From Here:</span></strong><span style="color:black"></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:black">I have no idea, though I'm tempted to say that this is a discussion for Darmstadt.</span><span style="color:black"></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"> </span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"> </span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
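<p>Added example (the editor's, not code from this thread or from any of its authors): the OpenSSL CMS round trip Jeremy describes, redone as a shell script, plus the sign-then-encrypt nesting Keith asks about. It generates its own self-signed test certificate where the original used a pre-shared 1024-bit RSA certificate (RSA_BITS, PAYLOAD_BYTES, the "dtn-node" subject and every file name are assumptions of this script), embeds the payload inside the SignedData so that "CMS eats block content", runs the two signing subtests (certificate carried in the message, certificate omitted), the EnvelopedData case, and the nested case, and reports the wrapper overhead and the number of OIDs each DER object carries. It assumes only that the openssl command-line tool (1.1.1 or 3.x) is on PATH.</p>

```shell
#!/bin/sh
# Added example, not from the thread: OpenSSL CMS signing / enveloping of a
# random payload, with overhead measured at the "receiver" after verify/decrypt.
# Assumptions: openssl CLI on PATH; a self-signed test certificate generated
# here (the thread used a pre-shared 1024-bit RSA cert; RSA_BITS defaults to 2048).
set -eu

RSA_BITS="${RSA_BITS:-2048}"
PAYLOAD_BYTES="${PAYLOAD_BYTES:-1000}"   # stands in for the original "random payload"

# Byte size of a file (the quantity the original graphs were built from).
cms_size() { wc -c < "$1" | tr -d ' '; }

# Wrapper overhead of a CMS object relative to the plaintext payload it carries.
cms_overhead() { echo $(( $(cms_size "$1") - $(cms_size "$2") )); }

# Number of OBJECT IDENTIFIERs inside a DER object: the per-block cost of the
# 1.2.840.113549.1 content-type and algorithm OIDs Keith lists as a con.
cms_oid_count() { openssl asn1parse -inform DER -in "$1" | grep -c 'OBJECT'; }

# Create key, certificate and payload under $1, then run every CMS operation.
run_cms_demo() {
    d="$1"
    # Self-signed certificate standing in for the pre-shared X.509 certificate.
    openssl req -x509 -newkey "rsa:$RSA_BITS" -nodes -days 1 \
        -subj "/CN=dtn-node" -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
    head -c "$PAYLOAD_BYTES" /dev/urandom > "$d/payload.bin"

    # SignedData with the payload embedded (-nodetach): "CMS eats block content".
    # Subtest 1: signer certificate carried inside the CMS object.
    openssl cms -sign -binary -nodetach -in "$d/payload.bin" \
        -signer "$d/cert.pem" -inkey "$d/key.pem" -outform DER -out "$d/signed.der"
    # Subtest 2: certificate omitted; the receiver must already hold it.
    openssl cms -sign -binary -nodetach -nocerts -in "$d/payload.bin" \
        -signer "$d/cert.pem" -inkey "$d/key.pem" -outform DER -out "$d/signed_nocerts.der"

    # Receiver side: the self-signed cert is the trust anchor; the -nocerts
    # variant needs the signer certificate supplied out of band (-certfile).
    openssl cms -verify -binary -inform DER -in "$d/signed.der" \
        -CAfile "$d/cert.pem" -out "$d/signed_recovered.bin"
    openssl cms -verify -binary -inform DER -in "$d/signed_nocerts.der" \
        -CAfile "$d/cert.pem" -certfile "$d/cert.pem" -out "$d/nocerts_recovered.bin"

    # EnvelopedData: RSA key transport of an AES-128-CBC content-encryption key.
    openssl cms -encrypt -binary -aes128 -in "$d/payload.bin" \
        -outform DER -out "$d/enveloped.der" "$d/cert.pem"
    openssl cms -decrypt -inform DER -in "$d/enveloped.der" \
        -inkey "$d/key.pem" -recip "$d/cert.pem" -out "$d/enveloped_recovered.bin"

    # Nested operation: integrity applied first, confidentiality over the result.
    openssl cms -encrypt -binary -aes128 -in "$d/signed.der" \
        -outform DER -out "$d/nested.der" "$d/cert.pem"
    openssl cms -decrypt -inform DER -in "$d/nested.der" \
        -inkey "$d/key.pem" -recip "$d/cert.pem" -out "$d/nested_inner.der"
    openssl cms -verify -binary -inform DER -in "$d/nested_inner.der" \
        -CAfile "$d/cert.pem" -out "$d/nested_recovered.bin"
}

# Stand-alone run: print an overhead table in the spirit of the original graphs.
if [ "${CMS_DEMO_MAIN:-1}" = 1 ]; then
    W=$(mktemp -d)
    run_cms_demo "$W"
    for f in signed signed_nocerts enveloped nested; do
        printf '%-15s %6s bytes  overhead %5s  OIDs %s\n' "$f" \
            "$(cms_size "$W/$f.der")" \
            "$(cms_overhead "$W/$f.der" "$W/payload.bin")" \
            "$(cms_oid_count "$W/$f.der")"
    done
    rm -rf "$W"
fi
```

<p>Run it with <code>sh</code>; set <code>RSA_BITS=1024</code> to match the key size used in the thread. Two caveats worth keeping in mind when reading the numbers: the <code>-nocerts</code> saving is exactly the "receiver already holds the key material" trade-off behind the proposed common key-material block, and <code>openssl cms -encrypt</code> labels the inner content of the nested object as plain id-data even though it is a SignedData, so the outer contentType OID only tells the receiver that the outer layer is EnvelopedData; after decryption it still has to "just know" to parse the bytes as CMS again, which is the receiver-side ambiguity Keith describes.</p>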
</body>
</html>