[Sls-sea-dls] Exclusive CMAC use in SDLS
Howard.Weiss at parsons.us
Fri Dec 12 13:14:31 EST 2025
Brian
I'm forwarding to the Security WG and the principals from SDLS for their comments.
In the Security WG Algorithms book we specify multiple authentication algorithms: HMAC, CMAC, DSS, and RSA.
Are you talking about the use of CMAC in Annex E (Baseline Mode)? Annex E is 'informative' and defines a baseline implementation that could be used for a large number of missions. But it's not mandatory. Table 6.1 in the SDLS Core Protocol BB (CCSDS 355.0-B-2) specifies the managed parameters which include HMAC, CMAC, GMAC, GCM, and 'agency-specific' for authentication.
Regards
howie
From: SIS-DTN <sis-dtn-bounces at mailman.ccsds.org> On Behalf Of Sipos, Brian J. via SIS-DTN
Sent: Friday, December 12, 2025 12:39 PM
To: sis-dtn at mailman.ccsds.org
Subject: [EXTERNAL] [Sis-dtn] FW: Exclusive CMAC use in SDLS
WG,
I'm forwarding this to the SIS-DTN mailing list because it is still in the SLS-SEA-DLS holding queue and I am hoping there is enough overlap in membership that I might get some historical insight from SIS-DTN folks. This also relates somewhat to Lars' questions on the call this week about CCSDS security needs.
From: Sipos, Brian J.
Sent: Monday, November 3, 2025 12:09 PM
To: 'sls-sea-dls at mailman.ccsds.org' <sls-sea-dls at mailman.ccsds.org>
Subject: Exclusive CMAC use in SDLS
SDLS WG,
I'm posting a question to the mailing list because I'm not able to search the mail archive and haven't come across any discussion on this topic in recent years looking through the archives manually.
The current SDLS blue books and green book prescribe a single variation of AES-GCM for AEAD and AES-CMAC for authentication. Was there any earlier discussion about other authentication methods (e.g. HMAC with SHA2...) that led to the current books? Or was it deemed more consistent to use CMAC because of the shared AES primitive with the AEAD cipher suite?
I'm asking from the perspective of the full list of approved algorithms from FIPS 140-3 [1] under Section 6.2.6, which includes some block cipher based (including CMAC) and some hash based, and which primitives in that list would be more or less acceptable to the CCSDS community because of technical limitations, required conformances, historical reasons, etc.
Thanks for any feedback or pointers to earlier mailing list discussion about this.
Brian S.
[1] https://csrc.nist.gov/Projects/cryptographic-module-validation-program/sp-800-140-series-supplemental-information/sp800-140c