[Sis-csi] CIS Green Book Draft 14

Ed Criscuolo ed.criscuolo at gsfc.nasa.gov
Tue Mar 21 16:58:05 EST 2006


I sent Keith a revised doc with these changes:

Section 2.1, table 1
Added line item for earth-surface to lunar transfer orbit (LTO). It’s 
unique because its rtt varies by over an order of magnitude.

Section 2.2.4
Fixed formatting.  Whole paragraph was at header level 3 instead of normal.

Added Section 4.7.1 on Emergency Commanding Security:

4.7.1 EMERGENCY COMMANDING SECURITY
The requirements for emergency commanding are somewhat at odds with the 
requirements for security.  On one hand, emergency commands want to be 
as short as possible, in order to maximize the chance of being received 
by a tumbling spacecraft. On the other hand, secure commands want to be 
as long as possible, in order to minimize the chance of succumbing to 
a brute-force attack, or being accidentally generated within a normal 
data stream.  Emergency commands are usually implemented entirely in 
hardware, with no software or processor involvement, in order to be able 
to recover from a crashed processor, but this often results in fixed, 
repeatable bit sequences that are susceptible to a replay attack.

At a minimum, emergency commands should have some form of 
authentication. The most suitable authentication algorithms are ones 
that make use of a “rolling code” technique, similar to that used in 
remote keyless entry systems.  A hashed message authentication code 
(HMAC) is calculated from the command, a secret key, and an incrementing 
sequence counter, and is appended to the command.  The sequence counter 
is not transmitted with the command.  The short HMAC adds a minimal 
amount of overhead, and the sequence counter prevents replay attacks.

This algorithm has the added benefit that it can be made to 
automatically re-synchronize without requiring a 2-way link.

--
Ed Criscuolo
Computer Sciences Corp
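One way to realize the rolling-code authentication the post describes, as an added example that is not part of the original message or of the Green Book: the sender appends a truncated HMAC over the command and an untransmitted counter, and the receiver keeps the highest counter it has accepted and searches a bounded window ahead of it, which is what lets it re-synchronise after lost frames without a return link while still rejecting replays. The key, tag length, window size and command strings are constructed placeholders, not values from any real system.

```python
import hashlib
import hmac

# Constructed demo parameters (assumptions, not values from the post).
KEY = b"constructed-demo-key-not-a-real-key"
TAG_LEN = 4     # bytes of HMAC appended to the command (short, low overhead)
WINDOW = 16     # how many counters ahead the receiver will search to re-sync


def make_tag(command: bytes, counter: int, key: bytes = KEY) -> bytes:
    """Truncated HMAC-SHA256 over the command and the sequence counter.

    The counter is folded into the MAC input but never sent on the link.
    """
    msg = command + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class Sender:
    """Ground side: increments the counter on every emergency command."""

    def __init__(self, key: bytes = KEY) -> None:
        self.key = key
        self.counter = 0

    def send(self, command: bytes) -> bytes:
        self.counter += 1
        return command + make_tag(command, self.counter, self.key)


class Receiver:
    """Spacecraft side: accepts only counters above the last accepted one."""

    def __init__(self, key: bytes = KEY, window: int = WINDOW) -> None:
        self.key = key
        self.window = window
        self.last = 0  # highest counter accepted so far

    def accept(self, frame: bytes):
        """Return the command if authentic and fresh, else None."""
        command, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        # Only counters strictly greater than `last` are tried, so a replayed
        # frame (same counter) fails even though its tag is valid. Searching
        # up to `window` ahead re-synchronises after lost frames with no
        # feedback to the sender.
        for candidate in range(self.last + 1, self.last + 1 + self.window):
            if hmac.compare_digest(tag, make_tag(command, candidate, self.key)):
                self.last = candidate
                return command
        return None
```

If more than `window` consecutive frames are lost the receiver can no longer catch up, so the window size trades re-sync tolerance against the extra MAC computations per received frame.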