FW: [Sis-dtn] SIS-DTN Security Discussion
Scott, Keith L.
kscott at mitre.org
Tue Jun 30 19:52:54 UTC 2015
I hope this actually went out… I did send it out before today (the one below is itself a resend).
—keith
From: "Scott, Keith L."
Date: Tuesday, June 30, 2015 at 8:09 AM
To: Stephen Farrell, "sis-dtn at mailman.ccsds.org", "Sheehe, Charles J. (GRC-LCA0)"
Cc: Gian Calzolari, David Israel, Howie Weiss, Tomaso de Cola, Scott Burleigh, Jason Soloff, Leigh Torgerson, Edward Birrane, "dtn at ietf.org"
Subject: Re: [Sis-dtn] SIS-DTN Security Discussion
Absolutely. They are, and that’s a pretty big concern. We’ve been using Ed as a point of contact into the IETF work but I’ll cc the list.
—keith
Next round of security discussion: Tuesday June 30, 1600 EDT.
Join Lync Meeting
https://meet.mitre.org/kscott/OLAP75H0
Join by phone
+1 (781) 271-2020
+1 (703) 983-2020
Find a local number <https://dialin.mitre.org/>
Conference ID:69969900
On 6/30/15, 5:40 AM, "Stephen Farrell" <stephen.farrell at cs.tcd.ie> wrote:
Hi all,
Seems like a reasonable set of discussions to have. The only
thing I'd ask is that you sync up with the IETF DTNWG who may
also be working on this topic, but perhaps with slightly
different requirements (not entirely sure).
S.
On 29/06/15 18:16, Scott, Keith L. wrote:
Next round of security discussion: Tuesday June 30, 1600 EDT.
Join Lync Meeting
https://meet.mitre.org/kscott/OLAP75H0
Join by phone
+1 (781) 271-2020
+1 (703) 983-2020
Find a local number <https://dialin.mitre.org/>
Conference ID:69969900
Charles Sheehe of GRC sent some decent notes (below). Essentially we’re trying to figure out, following Howie’s suggestion, whether the actual implementation of bundle security might be accomplishable using the CMS <https://datatracker.ietf.org/doc/rfc5652/> mechanisms and, if so, what the implications would be in terms of overhead and complexity.
For CMS encapsulation, the exact ‘way’ of doing the encapsulation is an open question:
• One CMS ‘context’ for the whole bundle — I think this was ruled out — we need per-block granularity
• One CMS ‘context’ per block, CMS context wraps the block (block inside CMS) [the ‘CMS content eats blocks’ approach]
• One CMS ‘context’ per block, CMS wraps block CONTENT (block header, CMS, block content) [could have a flag in the block processing control blocks to indicate ‘cms content’]?
• One CMS ‘context’ per block, can separate the CMS bits from the block itself (more like current BSP)
In addition to what’s below, Ed asked a couple times if we couldn’t essentially define a ‘CMS cipher suite’ for SBSP. That might allow the use of the SBSP mechanisms and the CMS encryption machinery. I’m not sure that’s a real win in terms of complexity / interoperability, but we should figure that out.
Charles’ notes:
• Jeremy is implementing CMS system overlay on DTN BP to determine the overhead difference between CMS and SBSP for the same file.
• The working group will conduct an SBSP vs CMS comparison.
    - Overhead
    - Computational complexity
    - Availability of open source cryptographic software
• The working group is posting use cases to the CCSDS CWE or Wiki
    - Email comments; highly redundant and messy, but easier than CWE
• The working group will be developing security requirements from the use cases.
• Compatibility with IP will be done by Gateway devices.
• A few thought that it was a good idea to have CMS as an option. Exact method to implement left open.
    - Flag or CMS block
    - CMS inside block
    - CMS outside the block
    - Eats or reference?
• Certificate management: X.509
    - Size of certificates
• No other actions or decision that I noted.
Thanks
Chuck
Charles J. Sheehe III
Electronics Engineer
System Architectures and Networks Branch
21000 Brookpark Rd
Cleveland, OH 44135
Charles.J.Sheehe at nasa.gov
Office: 216-433-5179
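Added example (not from this thread or any CCSDS/IETF implementation): a byte-level framing model of the three per-block encapsulation layouts Keith lists, so the overhead question can be put in numbers before any crypto is involved. It uses RFC 5050 SDNV block headers and a DER ContentInfo with the id-data content type as a stand-in for the CMS envelope; the carrier block type 0xC0, the security block type 0xC1, the "cms content" flag bit and the detached-content security block are assumptions, and a real EnvelopedData adds RecipientInfos and algorithm identifiers on top of these figures.

```python
# Assumed values (not from the thread): experimental block types and a flag bit.
OID_ID_DATA = bytes.fromhex("2a864886f70d010701")  # id-data 1.2.840.113549.1.7.1
FLAG_LAST_BLOCK = 0x08     # RFC 5050 "last block" processing flag
CMS_CONTENT_FLAG = 1 << 7  # assumed "cms content" processing flag
CMS_CARRIER_TYPE = 0xC0    # assumed experimental block type carrying a CMS object
SEC_BLOCK_TYPE = 0xC1      # assumed experimental BSP-style security block type

def sdnv(n: int) -> bytes:
    """RFC 5050 SDNV: 7 bits per byte, big-endian, MSB set on all but the last."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))

def der(tag: int, body: bytes) -> bytes:
    """DER TLV with short-form (<128) or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def cms_content_info(content: bytes) -> bytes:
    """ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT OCTET STRING }.
    Stand-in for the CMS envelope: real EnvelopedData adds RecipientInfos etc."""
    return der(0x30, der(0x06, OID_ID_DATA) + der(0xA0, der(0x04, content)))

def block(btype: int, flags: int, body: bytes) -> bytes:
    """RFC 5050 canonical block (no EID refs): type, flags SDNV, length SDNV, body."""
    return bytes([btype]) + sdnv(flags) + sdnv(len(body)) + body

def overheads(payload: bytes) -> dict:
    """Bytes each layout adds on the wire beyond the raw payload."""
    layouts = {
        "plain": block(1, FLAG_LAST_BLOCK, payload),
        # option 2: CMS eats the whole block, carried in a new carrier block
        "cms_wraps_block": block(CMS_CARRIER_TYPE, FLAG_LAST_BLOCK,
                                 cms_content_info(block(1, 0, payload))),
        # option 3: original header kept, content CMS-wrapped, flag set
        "cms_wraps_content": block(1, FLAG_LAST_BLOCK | CMS_CONTENT_FLAG,
                                   cms_content_info(payload)),
        # option 4: target untouched; separate block holds the CMS structure
        # with detached content and an SDNV reference to target type 1
        "cms_separate_block": block(1, 0, payload)
        + block(SEC_BLOCK_TYPE, FLAG_LAST_BLOCK, sdnv(1) + cms_content_info(b"")),
    }
    return {name: len(wire) - len(payload) for name, wire in layouts.items()}
```

For a constructed 200-byte payload the model gives 4, 28, 25 and 25 bytes of framing for the four layouts; the point is that the per-block options differ by only a few bytes of framing, so the real overhead comparison Jeremy is running will be dominated by the CMS key-management structures, not the wrapping choice.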