[Sis-dtn] Bundle Signing And Encryption With CMS

Jeremy Pierce-Mayer jeremy.mayer at dlr.de
Wed Jul 1 13:07:49 UTC 2015 

I've been playing with ECDSA for signing, using the NIST 256-bit curve.
 
With the certificate included in the CMS data: The overhead is 961 bytes.
Without it, the overhead is 487 bytes, a small improvement, but an
improvement nonetheless.
 
Thanks,
Jeremy

  _____  

From: sis-dtn-bounces at mailman.ccsds.org
[mailto:sis-dtn-bounces at mailman.ccsds.org] On Behalf Of Jeremy.Mayer at dlr.de
Sent: Dienstag, 30. Juni 2015 21:24
To: kscott at mitre.org; Howard.Weiss at parsons.com; sis-dtn at mailman.ccsds.org;
stephen.farrell at cs.tcd.ie; Edward.Birrane at jhuapl.edu
Subject: RE: [Sis-dtn] Bundle Signing And Encryption With CMS


Thanks everyone!

First off, sorry that I wasn't clear, yes, this implementation ingests the
block content and leaves the headers in the clear. I wanted to work with
something simple and standard (MD5/AES), but it should certainly be possible
to use ECDSA or some other ECC. Please give me suggestions for new digests,
encryptions, etc to try out, I would be happy to do so.

I also want to say right off of the get-go that there is an opportunity for
interoperability between CMS and SBSP, the exact interaction between these
things is an undefined topic. We certainly can dig into the block processing
trenches. Other possible implementations include:


*	the use of SBSP as a method to define CMS - This lends itself to the
idea of interoperability.


*	A protected range of EID's (ipn:x.443, anyone!) - This is
technically simple, but may be a political maelstrom.


*	BiB - To steal Keiths phrasing, at the liberty of punctuation:
"tunneling and we're done."


or some combination of these.Going back to the overhead concern for a
minute, I propose looking towards IP, in the sense that there are multiple
security-related protocols and encapsulations, each with unique strengths
and weaknesses. For example, CMS, while it has higher overhead, also allows
nested operations, is readily supported by CryptLib and OpenSSL, and may be
appropriate for non-bandwidth-constrained environments, and/or those with
heavy-duty PKI infrastructures, such as the smartcard users. Meanwhile SBSP
is extremely lean and well-suited to sensor networks, or deep-space. I am
110% of the opinion that it should be possible to bridge CMS and SBSP,
allowing bundles signed or encrypted in one to get verified or decrypted in
another, at least with a baseline level of functionality. Also, I don't want
to throw away everyones work on SBSP; we have more to bring to the table
this way. 





I can't think of anything else off of the top of my head, but keep 'em
coming and thanks again,

Jeremy








  _____  

From: Scott, Keith L. [kscott at mitre.org]
Sent: Tuesday, June 30, 2015 7:48 PM
To: Weiss, Howard; Mayer, Jeremy; sis-dtn at mailman.ccsds.org; Stephen
Farrell; Edward Birrane
Subject: Re: [Sis-dtn] Bundle Signing And Encryption With CMS


Seconded, thanks Jeremy!

I think our big question is how to structure the security encapsulation(s),
in particular where the CMS 'wrapper' bits show up w.r.t. the block header
and block content.  As I understand it, your payload implementation is
essentially the 'CMS wraps block content' approach and you just know at the
receiver to undo that on receipt.  Ed had some concerns about the 'XXX eats
block' approach and in particular what happens when I want to assign the
integrity value HERE and implement confidentiality over THERE.  I'd like to
fully understand those, especially in light of CMS' explicit ability to
allow nested operations.

Just to suggest an approach, what if we go with the 'CMS Eats block content'
approach and (as I think Scott suggested) snag a bit in the block processing
control flags (ok, thereby increasing it to two bytes, ugh!) to indicate
that the block content is 'security-enabled' (i.e. A CMS-wrapped thing).
The CMS structure has an object identifier that identifies the content
information type, and the intro to the RFC explicitly talks about nested
operations, so we could impose integrity and security separately; we use
Bundle-in-bundle-encapsulation (pronounced 'tunneling') to decouple routing
and we're done except for the primary bundle block (because it needs its own
separate bit flag definition, and because we need to deal with mutability
there).

Pros

*	overall bundle block structure left alone 

*	allows for per-block granularity 

*	Could implement 'outer' signatures of all blocks for BAB-like
service?

Cons

*	per-block overhead 


*	It seems like it would be worth investigating a CMS implementation /
cipher suite so that multiple CMS-protected blocks referenced some sort of
common block containing key material, but such a block type would be easy
enough to define, I'd think.

*	'BAB-like' signature applied separately to all blocks would increase
overhead (even with a 'common key material' block type) - argues for 'secure
CL' approach? 

*	Content types are OIDs in the 1.2.840.113549.1 space (overhead)


If we were to like this (or, more specifically, whatever we DO end up
liking) I think we then need to try real hard to sell that to the IETF, and
preferably before they get too far down the path of security protocol
definition.  Either we're right and they'll like it too or we're missing
something.


I found this link
<http://www.vocal.com/secure-communication/cryptographic-message-syntax-cms/
>  (with the pictures below) sort of helpful.





-keith


From: "sis-dtn-bounces at mailman.ccsds.org" on behalf of Howie Weiss
Date: Tuesday, June 30, 2015 at 8:34 AM
To: Jeremy Pierce-Mayer, "sis-dtn at mailman.ccsds.org"
Subject: RE: [Sis-dtn] Bundle Signing And Encryption With CMS


Jeremy

This is very cool!  Thanks for spinning this up so quickly.  Its very neat
that you could use an off-the-shelf standard and open source software to
provide bundle security services in such an expedited manner.  And the fact
that the overheads are not bad makes it even nicer.

Regards

howie




  _____  

Howard Weiss
Technical Director

PARSONS
7110 Samuel Morse Drive
Columbia, MD 21046
443-430-8089 (office)
410-262-1479 (cell)
443-430-8238 (fax)
howard.weiss at parsons.com
www.parsons.com

Please consider the environment before printing this message

  _____  

From: sis-dtn-bounces at mailman.ccsds.org [sis-dtn-bounces at mailman.ccsds.org]
on behalf of Jeremy Pierce-Mayer [jeremy.mayer at dlr.de]
Sent: Tuesday, June 30, 2015 6:02 AM
To: sis-dtn at mailman.ccsds.org
Subject: [Sis-dtn] Bundle Signing And Encryption With CMS


Hey Everyone,
 
During the Bundle Security telecom last week, I took the action to wedge the
Cryptographic Message Syntax (CMS) into BP, for use in signing and
encryption. Here are the results:
 
Software Implementation:
For this testing, I used a random payload, passed that through the CMS
implementation (OpenSSL), using a pre-shared 1024b RSA key in an X509
certificate. The enveloped data was outputted in DER encoding (Base64). It
is important to note that this is not S-MIME. The DER-ified data was added
as a bundle payload. For future testing, it should be possible to update (or
dynamically generate) the X509 stuff, where we can set the FROM/TO addressed
to the src/dest EID's. 
 
I ran two tests, signing and verification...
 
Measurement Methodology:
 
All of the numbers below were taken from the receiver side. In other words,
the "pre-signing/encryption" sizes were based upon successfully decrypting
or verifying the data at the end of the pipe.
 
Results - Signing:
 
 
There are two subtests here, one where I carried the CMS signer cert within
the data, and one where I didn't. As you can see, the overhead isn't
terrible, especially when you consider that (in some of the tests) I was
carrying the cert down the wire. You can also stack signer certificates
within a single CMS message, though I opted to not do that (for simplicity)
until we have a further plan for CMS.
 
Results - Encryption:
I'm going to prefix this by saying that I really didn't need a graph for
this one, but graphs are cool, and if I write enough here, it will look like
a proper headline... So, graphs:

 
Once again, the overhead isn't awful, at 349 bytes.
 
Where Do We Go From Here:
I have no idea, though I'm tempted to say that this is a discussion for
Darmstadt.
 
 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.ccsds.org/pipermail/sis-dtn/attachments/20150701/e0cb5447/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: AD041825-176D-4A51-A66D-AA86CB16F0BC.png
Type: image/png
Size: 96162 bytes
Desc: not available
URL: <http://mailman.ccsds.org/pipermail/sis-dtn/attachments/20150701/e0cb5447/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Outlook.jpg
Type: image/jpeg
Size: 59257 bytes
Desc: not available
URL: <http://mailman.ccsds.org/pipermail/sis-dtn/attachments/20150701/e0cb5447/attachment.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Outlook.jpg
Type: image/jpeg
Size: 49880 bytes
Desc: not available
URL: <http://mailman.ccsds.org/pipermail/sis-dtn/attachments/20150701/e0cb5447/attachment-0001.jpg>

More information about the SIS-DTN mailing list