[Sea-sec] Comment re: key sizes in Algorithm document

Daniel.Fischer at esa.int Daniel.Fischer at esa.int
Fri Jul 6 06:19:19 UTC 2018

Dear all,

I think the approach proposed by Mehmet is sensible.

I am just wondering if CCSDS offers a way to allow for old systems to 
still be operated in a CCSDS compliant way but mandates the new key sizes 
for all new developments but I don't think that is possible.

If not, I would tend to go the way Chuck proposed. We have to consider 
that the standards of today are used to build space systems that will fly 
in 10 or more years, consider for example the Lunar Platform Gateway (or 
however it is called now).


Dr. Daniel Fischer
Head of the Engineering Support Section, OPS-GES
Ground Systems Engineering Department
Directorate of Operations
Robert-Bosch-Str. 5, D-64392 Darmstadt, Germany
Tel. +49 6151 90 2718 |  E-mail: Daniel.Fischer at esa.int

From:   Mehmet Adalier <madalier at antarateknik.com>
To:     "Sheehe, Charles J. (GRC-LCN0)" <charles.j.sheehe at nasa.gov>, 
"sea-sec at mailman.ccsds.org" <sea-sec at mailman.ccsds.org>
Date:   05/07/2018 21:52
Subject:        Re: [Sea-sec] Comment re: key sizes in Algorithm document
Sent by:        "SEA-SEC" <sea-sec-bounces at mailman.ccsds.org>

This is my first posting. appreciate any comments.
I am part of a US based small R&D company, Antara Teknik LLC. We became a 
CCSDS industry associate late last year.
We do a fair amount of network-security based R&D and as of late we have 
been drafting/implementing a Cipher Suite for BPsec.
Symmetric key sizes of 256-bit and asymmetric key sizes of 4096-bit are 
substantially more secure than 128-bit and 2048-bit. 
For new systems ‘shall’ for these larger key sizes definitely is the right 
direction, to ensure higher security strength going forward.
However, 128-bit symmetric and 2048-bit asymmetric keys are still 
considered safe –at least in US. (see below chart based on published NIST 
Thus, my suggestion would be that for ‘existing systems that cannot be 
updated’ the shorter key lengths are ‘supported’ (i.e., ensure backwards 
compatibility), but for new systems the larger keys ‘shall’ be used. (with 
the implication that for new systems shorter keys may not be used)

Mehmet Adalier
Antara Teknik LLC
From: SEA-SEC <sea-sec-bounces at mailman.ccsds.org> on behalf of "Sheehe, 
Charles J. (GRC-LCN0)" <charles.j.sheehe at nasa.gov>
Date: Thursday, July 5, 2018 at 11:43 AM
To: "sea-sec at mailman.ccsds.org" <sea-sec at mailman.ccsds.org>
Subject: Re: [Sea-sec] Comment re: key sizes in Algorithm document
larger key size a "shall" but allow the smaller key sizes as "may" with a 
note strongly discouraging the smaller key sizes. 
I do not agree with allowing a "may".
The system will be a non-compliant system.
The system will lose secure interoperability with the large key systems 
and the loss of any presumed security over time and with the advent of 
Quantum computers in ~5 years.
It is understandable that older systems will age out of compliance with 
current security requirements.
It would be bad practice, if I do not strongly object and allow 128 bit 
key systems to be built knowing that its security will become markedly 
insecure during the lifetime of this document.

From publically available document. 
These are my opinions and do not reflect the official position of NASA. 
Charles J. Sheehe III
Computer Engineer
Glenn Research Center
21000 Brookpark Rd
Cleveland, OH 44135
Charles.J.Sheehe at NASA.GOV
Office: 216-433-5179
“Omnia vero”
-----Original Message-----
From: SEA-SEC <sea-sec-bounces at mailman.ccsds.org> On Behalf Of Weiss, 
Sent: Thursday, July 5, 2018 1:37 PM
To: sea-sec at mailman.ccsds.org
Subject: [Sea-sec] Comment re: key sizes in Algorithm document
We currently have two documents in CESG polling for Agency Review.
On the Algorithms document, we have increased the minimum key sizes. 
However we have a comment from Mario Merri (ESA):
"The main change is the strenghen of the authenticaltion keys. These have 
been increased, thus making implementations that followed the previous 
CCSDS recommentation not-compliant. Why has the document update not been 
made in a backward-compatible manner, still strongly recommending the new 
key lengths?"
Peter Shames suggested that we make the. This would satisfy Mario's 
backward compatibility issue. 
Any comments?  Any disagreements?  Any other suggestions?
Howard Weiss, CISSP
7110 Samuel Morse Drive
Columbia, MD 21046
443-430-8089 (office)
443-494-9087 (cell)
443-430-8238 (fax)
howard.weiss at parsons.com
Please consider the environment before printing this message
NOTICE: This email message and all attachments transmitted with it may 
contain privileged and confidential information, and information that is 
protected by, and proprietary to, Parsons Corporation, and is intended 
solely for the use of the addressee for the specific purpose set forth in 
this communication. If the reader of this message is not the intended 
recipient, you are hereby notified that any reading, dissemination, 
distribution, copying, or other use of this message or its attachments is 
strictly prohibited, and you should delete this message and all copies and 
backups thereof. The recipient may not further distribute or use any of 
the information contained herein without the express written authorization 
of the sender. If you have received this message in error, or if you have 
any questions regarding the use of the proprietary information contained 
therein, please contact the sender of this message immediately, and the 
sender will provide you with further instructions.
_______________________________________________ SEA-SEC mailing list 
SEA-SEC at mailman.ccsds.org 
SEA-SEC mailing list
SEA-SEC at mailman.ccsds.org

This message is sent for information and/or discussion purposes only.
It shall neither be binding nor construed as constituting a commitment for ESA.
It is intended only for the recipient(s) named above.
It may contain proprietary information and/or protected content.
Any unauthorised disclosure, use, retention or dissemination is prohibited.
If you have received this e-mail in error, please notify the sender immediately.
ESA applies appropriate organisational measures to protect personal data.
In case of data privacy queries, please contact the ESA Data Protection Officer (dpo at esa.int).

Thank you.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.ccsds.org/pipermail/sea-sec/attachments/20180706/09ab95b5/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 117152 bytes
Desc: not available
URL: <http://mailman.ccsds.org/pipermail/sea-sec/attachments/20180706/09ab95b5/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 55130 bytes
Desc: not available
URL: <http://mailman.ccsds.org/pipermail/sea-sec/attachments/20180706/09ab95b5/attachment-0001.png>

More information about the SEA-SEC mailing list