WGN6 IP 5

AERONAUTICAL COMMUNICATIONS PANEL (ACP)

WorkinG group N (NETWORKING) – 6th meeting

ATN Security Prototype Implementation
by Thales Avionics

Prepared by Nicolas Rossi
on behalf of Thales Avionics

Presented by DTI

Summary

This information paper summarizes the outcomes of the validation exercises performed by Thales Avionics on the ATN Security Solution of Doc ICAO 9705 ed.3, and expresses the level of confidence on the quality and correctness of the ATN Security Services
as specified in Sub-Volumes IV and VIII.

The meeting is invited to note the content of this paper.

- 1 -

1Introduction

1.1Overview

Thales Avionics has been involved for more than ten years in supplying ATN and other aeronautical communications products and services to its clients. With other partners, Thales Avionics has developed ATN routers (BIS) and end-systems (ES) that can be readily ported into both airborne and ground-based products, across a wide range of target platform environments. Products have been rigorously developed following the recommendations in RTCA DO-178B for Level C (Flight Essential) software and MIL-498B standards.

Since 2004 Thales Avionics is involved in studies related to the validation of the standards and recommended practices (SARPs) for ATN security specified in ICAO Doc 9705-AN/956 Edition 3. A prototype implementation of the airborne ATN security solution has been developed and tested in a stand-alone environment. All cryptographic functions were integrated by implementing an Elliptic curve based Cryptographic Package already existing within the Thales group (adapted from military products).

The aim of this study was to investigate and gain confidence in the relevance (in particular for airborne implementations) of the Security schemes defined in the third edition of ATN SARPs. Even if its standardization is still evolving, it is thought that the future ATN Security solution can take advantage to a large extent of the existing Security framework.

This document summarizes the outcomes of the validation exercises. No major deficiency was identified in Doc 9705, the value of verification against the examples provided in the Guidance Material (Doc 9739, CAMAL) was confirmed.

1.2Contact Point

State/Organisation / Contact Details
Thales Avionics
Avionics and Mission Systems
Head of Maintenance and Data Management / Mr. Matthieu Borel
Thales Avionics
Tel. +33.(0)5.61.19.65.41
Email:
Thales Avionics
Avionics and Mission Systems
Resp. Datalink Studies / Mr. Nicolas Rossi
Thales Avionics
Tel. +33.(0)5.61.19.65.57
Email:

1.3Referenced Documents

The following documents are referenced in this report.

[1]ICAO Doc 9705-AN/956 Manual of Technical Provisions for the Aeronautical Telecommunication Network, Edition 3, 2001.

[2]ICAO Doc 9739-AN/961 Comprehensive Aeronautical Telecommunication Network Manual, Edition 2.

2Validation Tests

The purpose of the validation tests was to look at three main aspects for ATN security specified in ICAO Doc 9705 Ed3: nominal behavior, exception handling and backward compatibility with implementation in mode “no security”. Performance was beyond the scope of the testing. The test activities focused on the airborne implementation, which is the core business for Thales Avionics.

2.1Test Objectives

The general objectives of the validation activities mainly aimed at demonstrating that ATN Security Services specified in the third edition of ICAO Doc 9705 are complete and consistent, and can be integrated in the ATN End Systems (ULCS). It comprises both the ATN cryptographic algorithms and the communication protocols supporting the Security Services.

On the other hand it was also important to verify that the ATN Security Services are backward compatible with the ATN ES communication protocols not supporting such services.

2.2Test Configuration

Two IBM RS6000 workstations were configured to run airborne and ground instances of the ATN Security End Systems. The IDRP protocol did not operate ATN security. The validation configuration has also been successfully re-hosted on PC platforms with Linux OS.

Each Secure End System was based on the ATN stack product currently available in Thales Avionics. The ATN Upper Layer Communication Services (ULCS) were updated to include a prototype of the security mechanisms defined in Doc 9705 ed.3.

In parallel, a test tool acting as an air or ground user application was developed to activate the security services over the secure ATN End System.

2.2.1Software baseline:

The software used is based on document Doc 9705 Ed 3, plus additional Proposed Defect Reports (PDRs) covering Sub Volumes IV and VIII.

1)PDRs taken into account on Sub Volume VIII
  • M4050007, SV8 - Key lifetime clarification 2004/07/19
  • M4030001, SV8 - Missing requirement on User Data padding
  • M2090003, SV8 - ASN.1 padding issues 2004/06/18
  • M2080001, SV8 - Unnecessary random challenge field 2004/05/28
  • M2030004, All SV - Editorials (version of PDR current on 2004/05/28)
  • M4020001, Security - Error in AKDF function
  • M2090004, SV8 - SSO-SessionKey Certificate Knowledge
  • M2080006, Security - Add warning concerning the use of invalid keys by the secret value derivation primitive
  • M2080004, Security - Additional extensions in CA certificates 2003/01/06
  • M2100005, SV8 - Tagging in SV8 ASN.1 module 2002/11/04
  • M2080009, Security - Sub-Volume VIII ASN.1
  • M2080008, Security - Remove duplicate certificate retrieval requirements
  • M2080007, Security - Remove CheckResult references from 8.6.3
  • M2080005, Security - Clarify ATN CRL processing
  • M2080003, Security - Clarify representation of AMHS identities in ATN certificates
  • M1030007, Security - Editorial errors found during development of Guidance Material
  • M1030008, Security - Defects found during development of Guidance Material
2)PDRs taken into account on Sub Volume IV
  • M2080002 - SE-Transfer End Flag
  • M2100005 - Tagging in SV8 ASN.1 module
  • M2090006 - SV4 Security ASO Clarification
  • M3020002 - ULCS/SV9 - Security Abstract Syntax
  • M2020001 - CF Transition - atomic ASE
  • M2020002 - CF Predicates
  • M2110001 - D-ABORT Handling
  • M2110002 - Release Collision with Security

2.3Test Methodology

2.3.1Nominal Behaviour with ATN Security

Since the tests focused on the airborne implementation, no functionality for retrieval of certificates has been implemented. Aircraft signature public key and key agreement public key were previously defined and stored. These tests looked at the nominal behaviour of ATN dialogue services (dialogue establishment maintained/not maintained, data exchange, termination and abort).

2.3.2Exceptions Handling with ATN Security

The Exception Handling tests looked at the behavior (abort of the dialogue) when receiving inconsistent HMAC tag or signature value between airborne and ground.

2.3.3Backward Compatibility with mode “No Security”

Tests were also carried out without use of security. High-level tests (formerly developed for the legacy “non-secure” product) have been carried out on the prototype. It validates that the addition of security services did not impair the nominal behaviour of the “non-secure” product.

2.4Validation Results and discussion

This validation exercise was successful. It allowed verifying that the security related information can be handled and exchanged by ATN End Systems security services in the secure mode. In addition it allowed verifying backward compatibility and that the ATN End System are able to force abort of the communications when a voluntary or involuntary alteration of exchanges has been detected.

However, no interoperability testing between separate implementations have been conducted (and is not foreseen in the short term). It is essential to be able to definitively conclude the complete and successful validation of the implementation.

The majority of the problems encountered with the prototype during testing were related to discrepancies with PER encoding and validation of cryptographic algorithms. Construction and validation of security items (HMAC tag and signature) uses complex ASN.1 structures. Checking security items against the samples provided in the CAMAL (Doc 9739) has been a very effective means of validation for the ATN security implementation. It allows a preliminary validation of both outputs generated by cryptographic algorithms and the global PER encoding of security appendices.

As a result of the successful validation exercises conducted in the frame of this study, Thales Avionics has gained confidence regarding the quality of its implementation of a secure ATN End System, and its conformance to the technical provision contained in the third edition of ICAO Doc 9705 (sub-volumes IV and VIII).

Standardization of an ATN security solution is still evolving at ACP level. It appears that the solution defined in Doc 9705 Ed 3 will probably not be implemented as-is. Nevertheless most of these activities will be re-usable for future developments. In particular, Thales Avionics can take advantage of a robust and rigorously-developed Elliptic Curve Cryptographic package (extracted from for military applications).

3Conclusions

1.No major problems were discovered with ICAO Doc 9705 Edition 3 relating to the ATN security for the airborne end-system (nominal cases, exception handling and backward compatibility). However, no inter-operability tests with independent implementations were performed to complete the validation of the implementation.

2.Even if its standardization is still evolving, it is thought that the future ATN Security solution can take advantage to a large extent of the existing Security framework.

3.The value of verification of ATN security implementations against the samples provided in the Guidance Material (Doc 9739, CAMAL) was confirmed when developing and testing security implementations. Updates for this document should be maintained for the future ATN Security standardization.

The meeting is invited to note the content of this paper.