[Sis-csi] CIS Green Book Draft 14
Ed Criscuolo
ed.criscuolo at gsfc.nasa.gov
Tue Mar 21 16:58:05 EST 2006
I sent Keith a revised doc with these changes:
Section 2.1, table 1
Added line item for earth-surface to lunar transfer orbit (LTO). It’s
unique because its rtt varies by over an order of magnitude.
Section 2.2.4
Fixed formatting. Whole paragraph was at header level 3 instead of normal.
Added Section 4.7.1 on Emergency Commanding Security:
4.7.1 EMERGENCY COMMANDING SECURITY
The requirements for emergency commanding are somewhat at odds with the
requirements for security. On one hand, emergency commands want to be
as short as possible, in order to maximize the chance of being received
by a tumbling spacecraft. On the other hand, secure commands want to be
as long as possible, in order to minimize the chance of succumbing to
a brute-force attack, or being accidentally generated within a normal
data stream. Emergency commands are usually implemented entirely in
hardware, with no software or processor involvement, in order to be able
to recover from a crashed processor, but this often results in fixed,
repeatable bit sequences that are susceptible to a replay attack.
At a minimum, emergency commands should have some form of
authentication. The most suitable authentication algorithms are ones
that make use of a “rolling code” technique, similar to that used in
remote keyless entry systems. A hashed message authentication code
(HMAC) is calculated from the command, a secret key, and an incrementing
sequence counter, and is appended to the command. The sequence counter
is not transmitted with the command. The short HMAC adds a minimal
amount of overhead, and the sequence counter prevents replay attacks.
This algorithm has the added benefit that it can be made to
automatically re-synchronize without requiring a 2-way link.
--
Ed Criscuolo
Computer Sciences Corp
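The rolling-code authentication described in the draft section 4.7.1, as an added illustration that is not part of the draft or of this list post: the sender appends a short HMAC computed over the command, a shared key and an incrementing counter that is never transmitted; the receiver tries the next few counter values, so it rejects replays and still resynchronises after lost frames without a return link. The tag length, the resync window, the 32-bit counter encoding and the class names are assumptions for this example.

```python
import hmac
import hashlib

TAG_LEN = 4          # bytes of truncated HMAC appended to each command (assumed)
RESYNC_WINDOW = 16   # lost commands the receiver will tolerate before desync (assumed)

def make_tag(key: bytes, cmd: bytes, counter: int) -> bytes:
    """Truncated HMAC-SHA256 over command || counter; the counter itself is never sent."""
    mac = hmac.new(key, cmd + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return mac[:TAG_LEN]

class Sender:
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def send(self, cmd: bytes) -> bytes:
        self.counter += 1
        return cmd + make_tag(self.key, cmd, self.counter)

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def receive(self, frame: bytes) -> bool:
        cmd, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        # Only counters above the last accepted one are tried, so a replayed
        # frame (old counter) can never match; constant-time compare on the tag.
        for n in range(self.last_counter + 1, self.last_counter + 1 + RESYNC_WINDOW):
            if hmac.compare_digest(tag, make_tag(self.key, cmd, n)):
                self.last_counter = n   # resynchronise even if earlier frames were lost
                return True
        return False

def demo() -> list:
    key = b"constructed-demo-key-not-a-real-secret"   # constructed sample key
    tx, rx = Sender(key), Receiver(key)
    f1 = tx.send(b"SAFE_MODE")
    results = [rx.receive(f1), rx.receive(f1)]      # accepted once, replay rejected
    for _ in range(3):
        tx.send(b"LOST")                             # three frames never reach the receiver
    f5 = tx.send(b"RESET")
    results.append(rx.receive(f5))                   # still accepted: resync within window
    tampered = f5[:-1] + bytes([f5[-1] ^ 0x01])     # one tag bit flipped
    results.append(rx.receive(tampered))             # rejected
    return results                                   # [True, False, True, False]
```

A real emergency-command decoder would implement the same check in logic rather than software, with the window sized for the expected loss rate on the link.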