1
CCSDS Security Working Group
Spring Meeting
Colorado Springs
Security Architecture
January 19th 2007
2
Agenda
• Changes since Rome
• A recap on the use of the Views
• The Security Architecture
• CCSDS Security Core Suite
• Some examples
• Emergency Commanding
• Next Steps
• Q&A
3
Changes since Rome
• Removal of in-depth discussions on
– Authentication
– Algorithm types
– Key Management
• These are now discussed in greater detail in other books, to which the Security Architecture refers.
• Extended discussions to encompass more than scientific missions
• The architecture was always designed to be flexible and extensible; this has been brought out more in the document.
• Removal of file-based encryption as a mandated part of the architecture; it is still available as an optional plug-in for large-delay and non-continuous communications.
• Emergency Commanding has been updated to allow for a range of options which can be selected by mission planners; there is no mandated solution for this, as there is little need for interoperability in this area.
• Ground systems: from discussions in Rome it was felt that the Security Architecture should concentrate on space solutions; ground systems will use best-of-breed terrestrial technology and can be changed as the need arises.
4
The Views – A Summary
• Enterprise View – Tells us what inter-agency policies need to be developed
• Connectivity View – Tells us to consider Threats due to HOW elements communicate
– RF in Space, non-continuous, QoS
– Ground systems, use of the Internet, need for VPNs
• Functional View – Tells us the high level shape of the System Security Architecture
– What functions does the mission need that the Security Architecture should support?
• Information View – Tells us the detail of the System Security Architecture
– Where is the data, how is it stored, how is it transmitted, how should it be protected?
5
Proposed Architecture
• Based on a layered and expandable model
• Use of security formats, which can be used together or individually.
– Transport Layer Encryption
– Network Layer Encryption
• The use of Link Layer or Payload specific encryption is also accommodated by the architecture
[Diagram: layered stack of Transport Layer Security (TLS/SSL), Network Layer Security (IPSec/SCSP-SP) and Link Layer Security (non-mandated)]
6
CCSDS Security Core Suite
• Use of a Core suite of algorithms to allow reuse where missions do not need the complexity of bespoke solutions
• Mandated to ensure all CCSDS missions are interoperable
• Two layers, Network and Transport, can either be used together or separately
• Choice of recommended algorithms and configurations to be decided in other security books
[Diagram: the same layered stack, with the CCSDS Core Suite occupying the Transport Layer (TLS/SSL) and the Network Layer (IPSec/SCSP-SP); Link Layer Security remains non-mandated]
7
Core Suite Configurations
Network  Transport  Comment
0        0          No encryption from the Core Suite; suitable if a mission-specific encryption suite is being used instead, or there is no need for encryption, such as in deep space.
1        0          Network-only encryption; suitable for point-to-point encryption, very efficient.
0        1          Transport-only encryption; suitable for when intermediate nodes are being used in the communications link.
1        1          Both Transport and Network encryption are being used; this would occur when a payload control centre is talking securely to its payload over the secure communications the mission control centre has set up using network layer encryption.
8
Extending the Security Architecture
• The Core suite is not intended to solve all mission problems
• Missions are free to develop their own solutions as plug-ins to the architecture
• Note use of Link and Payload Security
• Agencies are free to develop their own security suites as plug-ins of the Security Architecture
• Core Suite supplies interoperability
[Diagram: Transport Layer Security (TLS/SSL) and Network Layer Security (IPSec/SCSP-SP) each populated by the CCSDS Core Security Suite, a Mission 1 Specific Suite and an Agency Specific Security Suite (Transport Layer and Network Layer); Link Layer Security populated by a Mission 1 Link Layer; Mission 1 payload-implemented security; together these form the Mission 1 Security Suite]
9
Simple solutions
[Diagram 1, transport-only: Transport Layer Security (TLS/SSL) carried by the CCSDS Core Suite alongside a Mission Specific Transport Layer; Network Layer Security and its Core Suite layer deactivated; Link Layer Security non-mandated]
[Diagram 2, network-only: Network Layer Security (IPSec/SCSP-SP) carried by the CCSDS Core Suite Network Layer; the Core Suite Transport Layer (TLS/SSL) deactivated; Link Layer Security non-mandated]
10
Emergency Commanding
• Agreement from Rome that this could not be a binary YES/NO for Security
• Therefore proposed a range of solutions
– In Safe Mode but CPU online - use normal authentication
– In Safe Mode, CPU offline - Watchdog drops need for authentication
– Not in Safe Mode, CPU offline - Watchdog drops need for authentication
– Tumbling - Watchdog drops need for authentication
• In the above cases the Watchdog is looking for certain events to reliably happen; if they do not, it can drop the need for authentication
• Main aim is to keep the Watchdog very simple and robust
• Up to mission planners to decide which combination to choose, or whether to take the risk and not have authentication on emergency commands
• Little need for interoperability so recommend it is not a mandated part of the security architecture.
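The watchdog decision above, as an added illustration that is not part of the original slides or of any CCSDS specification: a hypothetical watchdog treats the flight CPU as offline when its heartbeat stops, and mission planners choose (as a policy set) which of the three listed situations may drop authentication. The heartbeat period, the mode names and the policy set are assumptions for the example.

```python
from dataclasses import dataclass
from enum import Enum, auto


class Mode(Enum):
    NORMAL = auto()
    SAFE = auto()
    TUMBLING = auto()


class BypassCase(Enum):
    # The three situations on the slide in which the watchdog may drop authentication.
    SAFE_CPU_OFFLINE = auto()
    NORMAL_CPU_OFFLINE = auto()
    TUMBLING = auto()


@dataclass
class Watchdog:
    heartbeat_period: float        # seconds between expected CPU heartbeats (assumed)
    enabled_bypasses: frozenset    # BypassCase values the mission planners selected
    last_heartbeat: float = 0.0
    mode: Mode = Mode.NORMAL

    def heartbeat(self, now: float) -> None:
        """Called each time the flight CPU reports in; this is the 'event' the watchdog expects."""
        self.last_heartbeat = now

    def cpu_online(self, now: float) -> bool:
        """The CPU is considered online only while heartbeats keep arriving on time."""
        return now - self.last_heartbeat <= self.heartbeat_period

    def applicable_case(self, now: float):
        """Map the spacecraft state to the slide's case, or None when normal authentication applies."""
        if self.mode is Mode.TUMBLING:
            return BypassCase.TUMBLING
        if self.cpu_online(now):
            return None  # Safe Mode (or not) with CPU online: normal authentication
        if self.mode is Mode.SAFE:
            return BypassCase.SAFE_CPU_OFFLINE
        return BypassCase.NORMAL_CPU_OFFLINE

    def authentication_required(self, now: float) -> bool:
        """Authentication is dropped only if the case applies AND the planners enabled it."""
        case = self.applicable_case(now)
        return case is None or case not in self.enabled_bypasses


if __name__ == "__main__":
    wd = Watchdog(10.0, frozenset({BypassCase.SAFE_CPU_OFFLINE, BypassCase.TUMBLING}))
    wd.heartbeat(100.0)
    wd.mode = Mode.SAFE
    print(wd.authentication_required(105.0), wd.authentication_required(120.0))
```

A planner who passes an empty `enabled_bypasses` set gets the "take no bypass" option from the slide: authentication is always required.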
11
Next Steps
• We need to develop a set of mission profiles to be used as examples for each of the 5 mission types.
– Manned Space
– Weather
– Communications
– Scientific
– Navigation
• It would be good to have input from the agencies with specific experiences of these mission types to ensure a good quality result.
• However, we need to be clear that these are examples only; the main message must be to use the different views to examine each mission on its own merits and ensure that all the correct policies, infrastructure and architecture are in place for that mission.
12
AoB
Questions?