Draft Report Concerning
Space Data System Standards
KEY MANAGEMENT CONCEPT
Draft Informational Report
CCSDS xxx.x-G-x
Draft Green Book
CCSDS REPORT SPACE MISSIONS KEY MANAGEMENT CONCEPT
April 2009 AUTHORITY
Issue: / Draft Green Book, Draft 5Date: / April 2009
Location: / Darmstadt, Germany
(WHEN THIS INFORMATIONAL REPORT IS FINALIZED, IT WILL CONTAIN THE FOLLOWING STATEMENT OF AUTHORITY:)
This document has been approved for publication by the Management Council of the Consultative Committee for Space Data Systems (CCSDS) and reflects the consensus of technical working group experts from CCSDS Member Agencies. The procedure for review and authorization of CCSDS Reports is detailed in the Procedures Manual for the Consultative Committee for Space Data Systems.
This document is published and maintained by:
CCSDS Secretariat
Office of Space Communication (Code M-3)
National Aeronautics and Space Administration
Washington, DC 20546, USA
FOREWORD
Through the process of normal evolution, it is expected that expansion, deletion, or modification of this document may occur. This Report is therefore subject to CCSDS document management and change control procedures, which are defined in the Procedures Manual for the Consultative Committee for Space Data Systems. Current versions of CCSDS documents are maintained at the CCSDS Web site:
http://www.ccsds.org/
Questions relating to the contents or status of this document should be addressed to the CCSDS Secretariat at the address indicated on page i.
At time of publication, the active Member and Observer Agencies of the CCSDS were:
Member Agencies
– Agenzia Spaziale Italiana (ASI)/Italy.
– British National Space Centre (BNSC)/United Kingdom.
– Canadian Space Agency (CSA)/Canada.
– Centre National d’Etudes Spatiales (CNES)/France.
– Deutsches Zentrum für Luft- und Raumfahrt e.V. (DLR)/Germany.
– European Space Agency (ESA)/Europe.
– Federal Space Agency (Roskosmos)/Russian Federation.
– Instituto Nacional de Pesquisas Espaciais (INPE)/Brazil.
– Japan Aerospace Exploration Agency (JAXA)/Japan.
– National Aeronautics and Space Administration (NASA)/USA.
Observer Agencies
– Austrian Space Agency (ASA)/Austria.
– Belgian Federal Science Policy Office (BFSPO)/Belgium.
– Central Research Institute of Machine Building (TsNIIMash)/Russian Federation.
– Centro Tecnico Aeroespacial (CTA)/Brazil.
– Chinese Academy of Space Technology (CAST)/China.
– Commonwealth Scientific and Industrial Research Organization (CSIRO)/Australia.
– Danish Space Research Institute (DSRI)/Denmark.
– European Organization for the Exploitation of Meteorological Satellites (EUMETSAT)/Europe.
– European Telecommunications Satellite Organization (EUTELSAT)/Europe.
– Hellenic National Space Committee (HNSC)/Greece.
– Indian Space Research Organization (ISRO)/India.
– Institute of Space Research (IKI)/Russian Federation.
– KFKI Research Institute for Particle & Nuclear Physics (KFKI)/Hungary.
– Korea Aerospace Research Institute (KARI)/Korea.
– MIKOMTEK: CSIR (CSIR)/Republic of South Africa.
– Ministry of Communications (MOC)/Israel.
– National Institute of Information and Communications Technology (NICT)/Japan.
– National Oceanic & Atmospheric Administration (NOAA)/USA.
– National Space Organization (NSPO)/Taipei.
– Space and Upper Atmosphere Research Commission (SUPARCO)/Pakistan.
– Swedish Space Corporation (SSC)/Sweden.
– United States Geological Survey (USGS)/USA.
DOCUMENT CONTROL
Document / Title / Date / StatusCCSDS xxx.x-G-x / Space Missions Key Management Concept, Draft Informational Report, Draft 2 / October 2007 / Draft
CCSDS xxx.x-G-x / Space Missions Key Management Concept, Draft Informational Report, Draft 3 / October 2008 / Draft
CCSDS xxx.x-G-x / Space Missions Key Management Concept, Draft Informational Report, Draft 4 / December 2008 / Draft
CCSDS xxx.x-G-x / Space Missions Key Management Concept, Draft Informational Report, Draft 5 / October 2009 / Draft
CCSDS xxx.x-G-x / Space Missions Key Management Concept, Draft Informational Report, Draft 6 / April 2010 / Draft
CONTENTS
Section Page
CCSDS xxx.x-G-x Page v October 2007
1 Introduction 8
1.1 Purpose and Scope 8
1.2 Definitions 8
1.3 Rationale 11
1.4 Document structure 11
1.5 REFERENCES 11
2 Motivation & Scenarios 1
2.1 The Concept of Key Management 1
2.1.1 Security Protocols 1
2.1.2 Security Policies 2
2.1.3 Key Infrastructures 2
2.2 Key Management Lifecycle Overview 2
2.3 Operational Examples 3
2.3.1 Standard science mission with basic security requirements 4
2.3.1.1 ESA PSS Telecommand Authentication Standard 4
2.3.2 missions with ground key dissemination requirements 5
2.3.2.1 A Crisis Management Example 6
2.3.3 Spacecraft Constellations 7
3 Key Infrastructures 9
3.1 Secret or SYMMETRIC KEY Infrastructures 9
3.1.1 Key Generation and Distribution 9
3.1.2 SKI Analysis 10
3.1.3 Operational Example 10
3.2 Public Key Infrastructures 11
3.2.1 PKI Overview 11
3.2.2 PKI Architectures 13
3.2.3 CerTIFICATION PRATCISE STATEMENTS 14
3.2.4 Interoperability 15
3.3 Key Types and Management 15
3.2.1 Key Management Policy 15
3.3.1 Key Usage 16
3.3.2 Key Types 16
3.3.3 Cryptoperiods 16
3.3.4 Key Establishment 17
3.3.4.1 Public/Private Key pairs 18
3.3.4.2 Secret (symmetric) Keys 18
3.3.4.3 Secret Key Agreement 19
3.4 Random Number Generation 19
4 SPace/Ground Key Sharing 21
4.1 General 21
4.2 Properties of the Space Environment 21
4.3 Space-link Key Management Entities 22
4.4 Space-Ground Key Distribution Models 23
4.4.1 Key Generation 23
4.4.2 Secret Key Distribution Models 23
4.4.2.1 Initial Secret Storage 24
4.4.2.2 Usage of Master Keys as TPKs 24
4.4.2.3 Usage of Master Keys to derive TPKs 25
4.4.2.4 Usage of Master Keys as Key Encryption Keys 25
4.4.3 Asymmetric key exchange 26
4.4.4 Key Revocation 27
4.4.5 Key Management Data Structures 27
4.4.5.1 Key Management Related Security Commands 28
4.4.5.2 Freshness of Key Management Commands and Telemetry 28
4.5 Extension to Payload Data Dissemination Models 29
4.5.1 OCC Key Management Gateway with central telemetry storage 29
4.5.2 OCC Key Management with direct key associations 30
4.5.3 Individual End-To-End Key Management 31
4.5.4 User-Owned Payload Modules with own Crypto Systems 32
4.5.5 Payload Data Dissemination Key Management Models Summary 33
4.6 Spacecraft Constellations 33
4.6.1 Individual Key Management 33
4.6.2 Real Constellation Key Management 34
4.7 Contingency Operations and Clear Mode 35
5 Ground Segment Key Management 36
6 Future Space Missions 37
7 Summation and Relation to other documents 39
7.1 Mission Profiles Mapping 39
8 Appendix 1 – Key Types and Cryptoperiods 41
8.1 Key Types 41
8.2 Key Type Cryptoperiods 44
Figures
Figure 21 – Key Management Concept 1
Figure 22 – Basic science mission security infrastructure 4
Figure 23 – Space-link and Ground Segment Security combined 6
Figure 24 – Exemplary crisis key management scenario 7
Figure 25 –Spacecraft Constellation Example 8
Figure 36 – Exemplary secret (or symmetric) key hierarchy 11
Figure 47 – PKI Certificate Generation Process 13
Figure 48 – A hierarchical PKI 14
Figure 49 – A mesh based PKI 14
Figure 410 – Point-to-Point Space-Link Key Management Entities 23
Figure 411 – Illustrated Pre-Launch Key Sharing 24
Table 412 – Space link key management overview 25
Figure 413 – Diffie Hellman Key Exchange 27
Figure 514 – Centralized GS Telemetry Dissemination 30
Figure 515 – Key Management with direct key associations 31
Figure 516 – Individual End-to-End Key Management 32
Figure 517 – User-Owned Payload Modules with Own Crypto Systems 33
Figure 518 – Constellation with Individual Key Management 34
Figure 519 – Ground Segment Division 36
Figure 620 – NASA Next Generation Space Network Vision 37
1Introduction
1.1Purpose and Scope
This report document has been has been prepared by the Consultative Committee for Space Data Systems (CCSDS) to provide the core concepts of cryptographic key management in the context of space missions. The concepts described herein are the baseline concepts for the CCSDS standardization activities in with respect of to security services and, more concretespecifically, key management schemes for space missions.
During the last decade, the importance of information security within the network and Internet community has been growing constantly. Every day, articles about new kinds of cyber crimes, from disclosure of confidential data to fraud, are published. As the world became more and more connected, the topic has grown from a governmental or military concern to a day-to-day issue that affects everybody from governmental bodies down to private Internet users. Critical infrastructures have become attractive targets for cyber terrorism.
The same situation now applies to space communication systems. Many space agencies are realizing the growing importance of information security not only for military, governmental, and commercial missions, some of them considered part of above mentioned critical infrastructure, but also for peaceful scientific projects such as earth observation or planetary exploration. This development, together with the increasing usage of standardization for all kinds of protocols, interfaces and data structures, has led the agencies to formulate security requirements for many of their mission’s telecommand & telemetry systems.
All the security measures introduced as a consequence of the above trends require the secure distribution of cryptographic material among authorized personnel and entities with varying access control levels. This process is called key management and is not a trivial task since it has to work smoothly with all the parts of the system, supplying different security implementations with cryptographic material. Aside from the technical implementation, key management incorporates also other aspects such as security policies, handling of keying material, or and key transportation.
This Report provides background information on existing terrestrial key management systems, key management infrastructures and their possible adaptations to space missions in both ground and space segment networks. It discusses example scenarios for key management deployment.
1.2Definitions
Access Control: The process of granting access to the resources of a system only to authorized users, programs, processes, or other systems.
Access Control Mechanism: Hardware or software features, operating procedures, management procedures, policies, and various combinations of these designed to detect and prevent unauthorized access and to permit authorized access in an automated system.
Authentication: (1) To verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system (entity authentication). (2) To verify the integrity of data that have been stored, transmitted, or otherwise exposed to possible unauthorized modification (message authentication).
Authorization: Conveyance, to another entity, of official sanction to do or be something.
Controlled Network: A network that enforces a security policy.
Confidentiality: Assurance that information is not disclosed to unauthorized entities or processes.
Configuration Management: Process of controlling modifications to the system’s hardware, firmware, software, and documentation which provides sufficient assurance the system is protected against the introduction of improper modification before, during, and after system implementation.
Data Integrity: Condition that exists when data is unchanged from its source and has not been accidentally or maliciously modified, altered, or destroyed.
Denial of Service: Any action or series of actions that prevent any part of a system from functioning in accordance with its intended purpose. This includes any action that causes unauthorized destruction, modification, or delay of service.
End-to-End Security: Provision of a secure channel between two entities possibly across multiple intermediate entities. These intermediate entities do not have access to the protected information. End-to-end security usually is used in the context of secure channels between applications. In space scenarios however, end-to-end security on the data-link layer is also relevant.
Identification: The process that enables recognition of an entity by a system, generally by the use of unique machine-readable user names.
Key Encryption Keys (KEKs): Key Encryption keys are cryptographic keys with the sole purpose of protecting the confidentiality of other keys.
Masquerading: Attempts to gain access to a system by posing as an authorized user or as a process. This is a form of spoofing.
Non-Repudiation (also Accountability): Attempts to prevent the denial of previous commitments or actions.
Nonce: A nonce is a Number only used ONCE. Nonces are widely used in security protocols to ensure freshness and recentess of the agreed security primitives as well agreement between the communication partners that the protocol has been executed in a specific way.
Pre-share Master Key: A master key that is stored on-board the spacecraft before launch. In space-link security, such a master key represents an initial shared secret.
Residual Risk: The portion of risk that remains after security measures have been applied.
Risk: A combination of the likelihood that a threat will occur, the likelihood that a threat occurrence will result in an adverse impact, and the severity of the resulting adverse impact.
NOTE: Risk is the loss potential that exists as the result of threat and vulnerability pairs. Reducing either the threat or the vulnerability reduces the risk.
Risk Analysis: An analysis of system assets and vulnerabilities to establish an expected loss from certain events based on estimated probabilities of the occurrence of those events. The purpose of a risk assessment is to determine if countermeasures are adequate to reduce the probability of loss or the impact of loss to an acceptable level.
Security Policy: The set of laws, rules, and practices that regulate how information is managed, protected, and distributed.
NOTE: A security policy may be written at many different levels of abstraction. For example, a corporate security policy is the set of laws, rules, and practices within a user organization; system security policy defines the rules and practices within a specific system; and technical security policy regulates the use of hardware, software, and firmware of a system or product.
Threat: Any circumstance or event with the potential to cause harm to a system in the form of destruction, disclosure, adverse modification of data, and/or denial of service.
Threat Agent: A method used to exploit a vulnerability in a system, operation, or facility.
Threat Analysis: The examination of all actions and events that might adversely affect a system or operation.
Threat Assessment: Formal description and evaluation of threat to a system.
Traffic Protection Keys (TPKs): Cryptographic keys that are used to protect user traffic such as telecommands or telemetry. TPKs can be distinguished into Traffic Authentication Keys (TAKs) and Traffic Encryption Keys (TEKs).
Trap Door: A hidden software or hardware mechanism that can be triggered to permit system protection mechanisms to be circumvented. It is activated in some innocent-appearing manner; e.g., a special ‘random’ key sequence at a terminal. Software developers often introduce trap doors in their code to enable them to reenter the system and perform certain functions. Synonymous with back door.
Trojan Horse: A computer program with an apparently or actually useful function that contains additional (hidden) functions that surreptitiously exploit the legitimate authorizations of the invoking process to the detriment of security or integrity.