[Sis-dtn] Information Request for BPSec RIDs

Tomaso.deCola at dlr.de Tomaso.deCola at dlr.de
Fri Feb 21 08:48:39 UTC 2025 

Hi all,

I don't think it's a problem to point to an orange book. According to the publication guidelines yellow book, we have the following rules (with respect to normative references):

Normative Track Documents and Experimental Specifications
1) The list shall include publications whose provisions are required for implementing the specifications contained in the document.
2) If normative references exist, the text used to introduce the list shall be as follows:
The following publications contain provisions which, through reference in this text, constitute provisions of this document. At the time of publication, the
editions indicated were valid. All publications are subject to revision, and users of this document are encouraged to investigate the possibility of applying the
most recent editions of the publications indicated below. The CCSDS Secretariat maintains a register of currently valid CCSDS publications.
3) The list shall not include the following:
- materials that are not publicly available;
- publications to which only informative reference is made;
- publications that provided only source material in the development of the Recommended Standard, Practice, or Experimental Specification.

Let me however say that I think it would be better to have a pointer to a blue rather than an orange book. Given the fact that here we are "just" dispositioning RIDs and the interoperability testing in not even started (I'm also not sure whether another agency review might be necessary before the interoperability), I expect that the publication of the BPsec won't happen before Q1 next year and maybe at that time the BPv7 blue will be there and could directly point to the blue. But as said formally speaking we can point to the orange.

Tomaso

From: SIS-DTN <sis-dtn-bounces at mailman.ccsds.org> On Behalf Of Felix Flentge via SIS-DTN
Sent: Freitag, 21. Februar 2025 08:57
To: Jackson, Jonathan W. (MSFC-HP27)[MOSSI2] <jonathan.w.jackson at nasa.gov>; sis-dtn at mailman.ccsds.org
Subject: Re: [Sis-dtn] Information Request for BPSec RIDs

Hi,

Regarding #16: for me it would be fine to refer to the Orange Book but I am not sure about the rules. Alternatively, there could be a statement that CCSDS BPSEC is applicable to the IPN naming scheme (old one, I suppose) and that for future naming scheme definitions in CCSDS BPSEC applicability needs to be explicitly stated. I think it is worth considering BPSEC in the multi-destination context (maybe already done and it is just fine but I don't really know).

Regards,
Felix

From: SIS-DTN <sis-dtn-bounces at mailman.ccsds.org<mailto:sis-dtn-bounces at mailman.ccsds.org>> On Behalf Of Jackson, Jonathan W. (MSFC-HP27)[MOSSI2] via SIS-DTN
Sent: 20 February 2025 22:41
To: sis-dtn at mailman.ccsds.org<mailto:sis-dtn at mailman.ccsds.org>
Subject: [Sis-dtn] Information Request for BPSec RIDs

Hello All,

As I was reviewing the most recent BPSec RIDs spreadsheet uploaded to CWE there are a few that I need more information/clarification on:



*         RID 8: Requesting that someone please provide a draft clarification or explanation for this RID:

#

RID ID

Reviewer Name

Reviewer Email

Paragraph Number

RID Short Title

From









Discussion

8

JPL-1

Sky DeBaun

sdebaun at jpl.nasa.gov<mailto:sdebaun at jpl.nasa.gov>

p 2-8, para 5

Authentication explanation

"Alternatively, individual target blocks may include the Primary Block (or other blocks) as part of their Additional Authenticated Data (AAD) in either integrity or confidentiality operations. This effectively binds a given target block to a given bundle and prevents blocks from being taken out of one bundle and included in another. Finally, the security context mechanism defined by BPSec allows for the specification"

Approved.  Will clarify.




*         RID 12: Was there a specific example that we were looking to add for digital signatures? Requesting someone please provide a draft write up:

#

RID ID

Reviewer Name

Reviewer Email

Paragraph Number

RID Short Title

From

To

Supporting Analysis





Discussion

12

JPL-3b

Michael Pajevski

michael.j.pajevski at jpl.nasa.gov<mailto:michael.j.pajevski at jpl.nasa.gov>

2-8, para 3

IB / BCB Authentication Types

Similar to the BIB, authentication is provided through data signatures.

Similar to the BIB, authentication can be accomplished by providing authentication data. Unlike BIB, BCB provides only cipher-based authentication using an AEAD dual-mode symmetric key algorithm, whereas a BIB can provide authenticaiton data by using a symmetric key-based hash algorith (e.g., HMAC), a symmetric cipher-based algorithm (e.g., CMAC), and/or an asymmetric key digital signature algorithm (e.g., RSA-2048/SHA-256).  ** Note: Say "and/or" only if it is possible to use more than one algorithm in a single BIB. Else, say "or".

The term "digital signature" typically refers to an asymmetric cryptography approach. Therefore, using the term "signature" in association with an AEAD algorithm (which is a symmetric key algorithm) is confusing. A better term is to say cipher-based authentication when using a symmetric key algorithm to provide authentication,   <paragraph break>  Using a dual-mode AEAD algorithm supports only cipher-based authentication (i.e., for BCB). For BIB, various authentication algorithms can be used.

X

"Similar to the BIB, authentication can be provided through either symmetric or asymmetric cryptographic mechanisms."  Add an example to chapter 2 of a use case that employs digital signatures.  (Asymmetric key to digitally sign information...)



*         RID 16: Are we waiting for BPv7 to publish before making this change, or should we refer to the BPv7 Orange Book?

#

RID ID

Reviewer Name

Reviewer Email

Paragraph Number

RID Short Title

From

To

Supporting Analysis







Discussion

16

ESA-LB-03

Lars Baumgaertner / Felix Flentge

Lars.Baumgaertner at esa.int<mailto:Lars.Baumgaertner at esa.int> / felix.flentge at esa.int<mailto:felix.flentge at esa.int>

*

Applicability to non-singleton endpoints

Add a statement whether the specification to which naming schemes the specification is applicable.

Add a statement whether the specification is applicable to non-singleton endpoint IDs.

It is not clear whether the specification is only applicable to the IPN naming scheme (which is the only applicable naming scheme in the updated CCSDS BP Red Book) or whether it is also applicable to other naming schemes (eg, if CCSDS defines a IMC naming scheme).
IPN would mean that all endpoint ID are singletons while this may not be true for other naming schemes (and it would not be true for IMC).
Allowing non-singleton endpoints may introduce additional complexity and may have an impact on interoperability testing.

x

Approved with modification.  BPSec should refer to **CCSDS** (BPv7), which specifies the naming schemes supported by CCSDS.  Replace reference to 9171. 9171 becomes informative reference.



Thanks!


Very Respectfully,
Jonathan Jackson
MOSSI II Systems Engineering

This message is intended only for the recipient(s) named above. It may contain proprietary information and/or protected content. Any unauthorised disclosure, use, retention or dissemination is prohibited. If you have received this e-mail in error, please notify the sender immediately. ESA applies appropriate organisational measures to protect personal data, in case of data privacy queries, please contact the ESA Data Protection Officer (dpo at esa.int<mailto:dpo at esa.int>).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.ccsds.org/pipermail/sis-dtn/attachments/20250221/d1751c79/attachment-0001.htm>

More information about the SIS-DTN mailing list