[Sis-dtn] Information Request for BPSec RIDs

Jackson, Jonathan W. (MSFC-HP27)[MOSSI2] jonathan.w.jackson at nasa.gov
Thu Feb 20 21:41:00 UTC 2025 

Hello All,

As I was reviewing the most recent BPSec RIDs spreadsheet uploaded to CWE there are a few that I need more information/clarification on:



  *   RID 8: Requesting that someone please provide a draft clarification or explanation for this RID:

#
RID ID
Reviewer Name
Reviewer Email
Paragraph Number
RID Short Title
From




Discussion
8
JPL-1
Sky DeBaun
sdebaun at jpl.nasa.gov<mailto:sdebaun at jpl.nasa.gov>
p 2-8, para 5
Authentication explanation
"Alternatively, individual target blocks may include the Primary Block (or other blocks) as part of their Additional Authenticated Data (AAD) in either integrity or confidentiality operations. This effectively binds a given target block to a given bundle and prevents blocks from being taken out of one bundle and included in another. Finally, the security context mechanism defined by BPSec allows for the specification"
Approved.  Will clarify.



  *   RID 12: Was there a specific example that we were looking to add for digital signatures? Requesting someone please provide a draft write up:

#
RID ID
Reviewer Name
Reviewer Email
Paragraph Number
RID Short Title
From
To
Supporting Analysis


Discussion
12
JPL-3b
Michael Pajevski
michael.j.pajevski at jpl.nasa.gov<mailto:michael.j.pajevski at jpl.nasa.gov>
2-8, para 3
IB / BCB Authentication Types
Similar to the BIB, authentication is provided through data signatures.
Similar to the BIB, authentication can be accomplished by providing authentication data. Unlike BIB, BCB provides only cipher-based authentication using an AEAD dual-mode symmetric key algorithm, whereas a BIB can provide authenticaiton data by using a symmetric key-based hash algorith (e.g., HMAC), a symmetric cipher-based algorithm (e.g., CMAC), and/or an asymmetric key digital signature algorithm (e.g., RSA-2048/SHA-256).  ** Note: Say "and/or" only if it is possible to use more than one algorithm in a single BIB. Else, say "or".
The term "digital signature" typically refers to an asymmetric cryptography approach. Therefore, using the term "signature" in association with an AEAD algorithm (which is a symmetric key algorithm) is confusing. A better term is to say cipher-based authentication when using a symmetric key algorithm to provide authentication,   <paragraph break>  Using a dual-mode AEAD algorithm supports only cipher-based authentication (i.e., for BCB). For BIB, various authentication algorithms can be used.
X
"Similar to the BIB, authentication can be provided through either symmetric or asymmetric cryptographic mechanisms."  Add an example to chapter 2 of a use case that employs digital signatures.  (Asymmetric key to digitally sign information...)


  *   RID 16: Are we waiting for BPv7 to publish before making this change, or should we refer to the BPv7 Orange Book?

#
RID ID
Reviewer Name
Reviewer Email
Paragraph Number
RID Short Title
From
To
Supporting Analysis



Discussion
16
ESA-LB-03
Lars Baumgaertner / Felix Flentge
Lars.Baumgaertner at esa.int<mailto:Lars.Baumgaertner at esa.int> / felix.flentge at esa.int<mailto:felix.flentge at esa.int>
*
Applicability to non-singleton endpoints
Add a statement whether the specification to which naming schemes the specification is applicable.

Add a statement whether the specification is applicable to non-singleton endpoint IDs.
It is not clear whether the specification is only applicable to the IPN naming scheme (which is the only applicable naming scheme in the updated CCSDS BP Red Book) or whether it is also applicable to other naming schemes (eg, if CCSDS defines a IMC naming scheme).
IPN would mean that all endpoint ID are singletons while this may not be true for other naming schemes (and it would not be true for IMC).
Allowing non-singleton endpoints may introduce additional complexity and may have an impact on interoperability testing.
x
Approved with modification.  BPSec should refer to **CCSDS** (BPv7), which specifies the naming schemes supported by CCSDS.  Replace reference to 9171. 9171 becomes informative reference.


Thanks!


Very Respectfully,
Jonathan Jackson
MOSSI II Systems Engineering

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.ccsds.org/pipermail/sis-dtn/attachments/20250220/a49163e2/attachment-0001.htm>

More information about the SIS-DTN mailing list