Telecommand and Telemetry System Security Design Study

ESA contract 19300/05/NL/JA

Risk Assessment Report

Doc.-No.:TMTC-SEC-OHB-RP-002

ESA Doc. No.: D1.2

Issue: 3.0 Date: 2006-05-05

Page: 1 of 145

TMTC-SEC-OHB-RP-002-03_Risk_Assessment_20060508.doc Page 1

Risk Assessment

Title: Risk Assessment Report

Document No.: TMTC-SEC-OHB-RP-002

Issue: 3.0 Date: 2006-05-05

ESA Doc. No.: D1.2

Prepared by: A. Weigl, M. von der Wall Date: 2006-05-05

Checked by: Dr. R. Rathje, Dr. C. Gorecki Date: 2006-05-05

Product Assurance: J. Mathes Date: 2006-05-05

Project Management: Dr. R. Rathje Date: 2006-05-05

Distribution: ESA

Schutzvermerk DIN 34 Copying of this document, and giving it to others and the use or communication of the contents, thereof, are forbidden without express authority. Offenders are liable to the payment of damages. All rights are reserved in the event of the grant of a patent or the registration of utility model or design.

OHB-System AG

D-28359 Bremen

Universitätsallee 27-29

Tel: 0421-2020-8

Passing on or copying this document, and using or communicating its contents, is not permitted unless expressly authorised. Violations give rise to liability for damages. All rights are reserved in the event of the grant of a patent or the registration of a utility model.

DOCUMENT CHANGE RECORD

Issue Date Page and/or Paragraph affected

Draft 2006-01-23 Initial issue

1.0 2006-03-01 Inclusion of RIDs and completion from Phase 1 Review Meeting presentations and discussions.

2.0 2006-03-29 Inclusion of RIDs from Issue 1.0 comments.

3.0 2006-05-05 - Chapter moved: Chap 2.4.1 Threat Analysis is moved to chap. 2.4.2

- Chap 2.4.1 is renamed from Protocol Attacks to Protocol Threat Analysis and updated to reflect threat analysis

- Chapter renamed. Chap. 2.4.2: Threat Analysis to Vulnerability Analysis

- Chap. 2.4.2 is updated to reflect vulnerability analysis

- Chap 2.4.8: Tables added showing the security services for the different OSI and CCSDS protocol layers.

- Chap 2.4.8: Figure added giving a graphical view of the available security for CCSDS protocol layers.

TABLE OF CONTENTS

1 INTRODUCTION

1.1 Purpose of Document

1.2 Definitions and Abbreviations

1.3 Documents

1.3.1 Reference Documents

2 RISK ASSESSMENT

2.1 Aspects and Impact on the System

2.1.1 System Characterization

2.1.2 Threat Source Identification

2.1.3 Reference System Threat Analysis

2.1.4 Vulnerability Analysis

2.2 Risk Level Analysis / Risk Register

2.2.1 Rating System

2.2.2 Risk Level Analysis of the System Vulnerabilities for the Reference System

2.2.3 Risk Level Analysis of the Data Vulnerabilities for the Reference System

2.3 Aspects of Methods and Algorithms

2.3.1 Threat Analysis

2.3.2 Attacks

2.3.3 Algorithm Description and Specific Attacks

2.3.4 Impact Analysis and Conclusion

2.4 Aspects of Protocols

2.4.1 Protocol Attacks

2.4.2 TC Links (Gnd-to-Sc, Gnd-to-Gnd Wired, Gnd-to-Gnd Wireless, Sc-to-Sc) - Communication Channel Threats

2.4.3 TM Links (Gnd-to-Sc, Gnd-to-Gnd Wired, Gnd-to-Gnd Wireless, Sc-to-Sc) - Communication Channel Threats

2.4.4 Ground Protocol Threats

2.4.5 Spacecraft Protocol Threats

2.4.6 Vulnerability Analysis

2.4.7 Connectivity

2.4.8 Security Services on OSI and CCSDS Protocol Layers

2.4.9 Implementation Aspects

2.4.10 Impact Analysis

2.4.11 Conclusion

3 OUTLINE OF STANDARDIZATION

4 ANNEX

4.1 TM/TC-System Applicable Standards

4.1.1 System Design

4.1.2 Algorithms and Implementation

4.1.3 Evaluation

4.2 Mathematical Background

4.2.1 Mathematical Symbols

4.2.2 Integer Numbers

4.2.3 Congruence

4.2.4 Groups

4.2.5 Rings and Fields

4.2.6 Euler-Fermat Theorem

4.2.7 Elliptic Curves

4.2.8 Group Constructed Using Points on an Elliptic Curve

4.2.9 Concluding Remarks

4.3 Detailed Description of Attacks to RSA Algorithm

4.4 Overview Cryptographic Methods and Algorithms

4.4.1 Key Agreement

4.4.2 Symmetric Encryption

4.4.3 Asymmetric Methods

4.4.4 Cryptographic Keys

4.4.5 Cryptographic Parameters

4.5 Overview of Security Protocols

4.5.1 IPv6

4.5.2 Delay Tolerant Network (DTN)

4.5.3 Space Communications Protocol Standard (SCPS)

4.5.4 SSL/TLS

4.5.5 Next Generation Space Internet (NGSI)

1 INTRODUCTION

1.1 Purpose of Document

The risk assessment is a multi-layer study of the threats to the reference TM/TC system. The term multi-layer is used to indicate that the threats are not only present at the system level but also at the algorithmic and protocol level. This leads to a logical division of the risk assessment into separate sections, the system level risk assessment and the algorithm, protocol, and methods risk assessment. The results published in this document will be used to generate a general requirements list for the reference TM/TC system.

Using the guidelines from the [NIST30] document, the risk analysis at the system level is subdivided into the following sections:

• System characterization

• Threat source identification

• Vulnerability analysis

• Threat listing

• Impact analysis

The second half of the document presents the risk assessment of the algorithms, protocols and methods used to secure the TM/TC data. It begins with the identification of the available algorithms that provide:

• Confidentiality

• Authentication

• Non-repudiation

• Access control

• Data integrity

• Availability

Also under study are the protocols and methods these protocols use to secure the TM/TC. As with the system level analysis, this section provides an impact analysis of the various algorithms and protocols.

An overview of the logical flow and the coherence of the phase 1 documents is given in Figure 1-1. Parts which are covered within this report are accented by the red circles.

[Figure 1-1 Phase 1 Overview (Phase1_Overview.vsd). Diagram labels: User / Stakeholder Requirements; Mission; Reference System Architecture (D1.1); Identify link characteristics; Pre-Tailoring (Step 0), (Step 1), (Step 2); Tailoring Process; Tailoring of RSA; Identified end-to-end links and services; Tailored RSA with identified Links and services; Protocols, Algorithms, Standards; Risk Assessment Report (D1.2); System Security Requirements (D1.3.a); Requirements Justification File (D1.3.b); Tailored Requirements.]

1.2 Definitions and Abbreviations

3DES Triple DES

AES Advanced Encryption Standard

AH Authentication Header

ANSI American National Standards Institute

AOS Advanced Orbiting Systems

BCH Bose-Chaudhuri-Hocquenghem

CBC Cipher Block Chaining

CC Common Criteria

CCSDS Consultative Committee for Space Data Systems

CFB Cipher Feedback

CLCW Command Link Control Word

CLTU Command Link Transmission Unit

COP-1 Command Operation Procedure - 1

CTR Counter

DES Data Encryption Standard

DH Diffie-Hellman

DSA Digital Signature Algorithm

DTN Delay Tolerant Network

EC Elliptic Curve

ECB Electronic Codebook

ECC Elliptic Curve Cryptography

ECSS European Cooperation for Space Standardization

EO Earth Observation

ESA European Space Agency

ESP Encapsulated Security Payload

FEC Forward Error Correction

FIPS Federal Information Processing Standard

GCM Galois Counter Mode

Gnd Ground

IETF Internet Engineering Task Force

IKE Internet Key Exchange

I-NLSP Integrated Network Layer Security Protocol

IP Internet Protocol

IPSEC Internet Protocol Security

IV Initialization Vector

L2F Layer 2 Forwarding

L2TP Layer 2 Tunneling Protocol

LAN Local Area Network

Lnk Links

MAC Message Authentication Code(s)

MQV Menezes-Qu-Vanstone

NLSP Network Layer Security Protocol

OFB Output Feedback

PKI Public Key Infrastructure

PLOP Physical Layer Operation Procedures

PPTP Point to Point Tunneling Protocol

RF Radio Frequency

SCPS Space Communication Protocol Standard

SHA Secure Hash Algorithm

SLE Space Link Extension

Sp Space

SPI Security Parameters Index

SP-Network Substitution-Permutation Network

SSL Secure Sockets Layer

TC Telecommand

TLS Transport Layer Security

TM Telemetry

1.3 Documents

1.3.1 Reference Documents

During the test performance only this procedure and the applicable documents and drawings shall be on hand. The following documents are reference documents to this test procedure:

[713.0-B-1] CCSDS: Space Communications Protocol Specification (SCPS) -Network Protocol (SCPS-NP). Blue Book. Issue 1. May 1999. http://public.ccsds.org/publications/archive/713x0b1.pdf.

Last Verification: Jan. 2006.

[713.5-B-1] CCSDS: Space Communications Protocol Specification (SCPS) -Security Protocol (SCPS-SP). Blue Book. Issue 1. May 1999. http://public.ccsds.org/publications/archive/713x5b1.pdf.

Last Verification: Jan. 2006.

[714.0-B-1] CCSDS: Space Communications Protocol Specification (SCPS) -Transport Protocol (SCPS-TP). Blue Book. Issue 1. May 1999. http://public.ccsds.org/publications/archive/714x0b1c1.pdf.

Last Verification: Jan. 2006.

[717.0-B-1] CCSDS: Space Communications Protocol Specification (SCPS) - File Protocol (SCPS-FP). Blue Book. Issue 1. May 1999. http://public.ccsds.org/publications/archive/717x0b1.pdf.

Last Verification: Jan. 2006.

[730.0-G-1] CCSDS: Next Generation Space Internet. Green Book. Issue 1. April 2003.

http://public.ccsds.org/publications/archive/730x0g1.pdf.

Last Verification: Jan. 2006.

[Akir2004] Akir, Ziad: Space Security Possible Issues & Potential Solutions. http://satjournal.tcom.ohiou.edu/pdf/issue6/ziad.pdf

[ANST00] American National Standard for Telecommunications: Telecom Glossary 2000. http://www.atis.org/tg2k/ .

Last Verification: Dec. 2005.

[BC2005] Biham, Eli; Chen, Rafi: Near-Collision of SHA-0. Computer Science Department, Technion - Israel Institute of Technology, Haifa. http://eprint.iacr.org/2004/146

Last Verification: Dec. 2005.

[Ber2005] Bernstein, J.: Cache-timing attacks on AES. http://cr.yp.to/antiforgery/cachetiming-20050414.pdf.

Last Verification: Jan. 2006.

[BKR2000] Bellare, Mihir; Kilian, Joe; Rogaway, Phillip: The Security of the Cipher Block Chaining Message Authentication Code. Journal of Computer and System Sciences, Vol. 61, No. 3, Dec 2000, pp. 362-399.

[BL1993] Bernstein, D.J.; Lenstra, A.K.: A general number field sieve implementation; Springer Lecture Notes in Mathematics 1554, 1993

[BLP1993] Buhler, J.P.; Lenstra, H.W.; Pomerance, C.: Factoring integers with the number field sieve; Springer Lecture Notes in Mathematics 1554, 1993

[BS1997] Bach, Eric; Shallit, Jeffrey: Algorithmic Number Theory. MIT Press 1997. ISBN 0-262-02405-5.

[BSI2005] Federal Office for Information Security (BSI): IT-Grundschutz (GS) Manual.

http://www.bsi.bund.de/english/gshb/index.htm

Last Verification: Dec. 2005.

[BSS1999] Blake, Ian; Seroussi, Gadiel; Smart, Nigel: Elliptic Curves in Cryptography. Cambridge University Press, 1999. ISBN: 0-521-65374-6

[BSS2002] Blake, Ian; Seroussi, Gadiel; Smart, Nigel: Elliptic Curves in Cryptography. London Mathematical Society Lecture Note Series No. 265. Cambridge University Press 2002. ISBN 0-521-65374-6.

[CCD2004] Carlier, Vincent; Chabanne Herve; Dottax Emmanuelle: Electromagnetic Side Channels of an FPGA Implementation of AES. http://eprint.iacr.org/2004/145.pdf.

Last Verification: Jan. 2006.

[CP2002] Courtois, Nicolas T.; Pieprzyk, Josef: Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. http://www.nicolascourtois.net.

Last Verification: Jan. 2006.

[DBP1996] Dobbertin, Hans; Bosselaers, Antoon; Preneel, Bart: RIPEMD-160: A Strengthened Version of RIPEMD, April 1996. http://homes.esat.kuleuven.be/~cosicart/pdf/AB-9601/AB-9601.pdf.

Last Verification: Jan. 2006.

[DDL1993] Denny, T.; Dodson, B.; Lenstra, A.K.; Manasse, M.S.: On the Factorization of RSA-120; Proc. Crypto 1993

[Dix1981] Dixon, John.D.; Asymptotically Fast Factorization of Integers. Mathematics of Computation, Vol. 36, No. 153 (Jan., 1981), pp. 255-260.

[DSIDA1] DSI GmbH, Bremen / IDA, TU Braunschweig: Selection of Cryptographic Elements and Technical Feasibility. TN-CRY-DSI-002. October 2003.

[DSIDA2] DSI GmbH, Bremen / IDA, TU Braunschweig: Survey of Crypto Systems. TN-ENS-DSI-001. July 2003.

[FIPS197] National Institute of Standards and Technology (NIST): FIPS PUB 197, Advanced Encryption Standard (AES), U.S. Department of Commerce, November 2001.

http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf.

Last Verification: Jan. 2006.

[GAO2002] GAO: Critical Infrastructure Protection: Commercial Satellite Security Should Be More Fully Addressed. GAO-02-781. United States General Accounting Office. August 2002. http://www.gao.gov/cgi-bin/getrpt?GAO-02-781.

Last verification: Feb. 2006.

[IEEE1363] IEEE: IEEE Standard P1363: Standard Specifications for Public Key Cryptography, 2000.

[ISO10116] International Organization for Standardization:

ISO/IEC 10116:2003 Modes of Operation for an n-bit block cipher algorithm.

[ISO10118] International Organization for Standardization:

ISO/IEC CD10118-3:2001 Information technology -- Security techniques – Hash-functions -- Part 3: Dedicated hash-functions

[ISO9797] International Organization for Standardization:

ISO/IEC 9797-2:1999 Information technology -- Security techniques – Message Authentication Codes (MACs) -- Part 3: Dedicated hash-functions

[Kra2005] Krawczyk, Hugo: HMQV: A High-Performance Secure Diffie-Hellman Protocol. 5 Jul 2005. http://eprint.iacr.org/2005/176

Last Verification: Dec. 2005.

[KSW00] Kelsey, John; Schneier, Bruce; Wagner, David; Hall, Chris: Side Channel Cryptanalysis of Product Ciphers. http://www.schneier.com/paper-side-channel.html.

Last Verification: Dec. 2005.

[LMQS1998] Law, Laurie; Menezes, Alfred; Qu, Minghua; Solinas, Jerry: An Efficient Protocol for Authenticated Key Agreement. http://citeseer.ist.psu.edu/law98efficient.html

Last Verification: Dec. 2005.

[Mao2004] Mao, Wenbo: Modern Cryptography. Theory and Practice. Prentice Hall 2004 ISBN 0-13-066943-1.

[McC00] McCullagh, A.; Caelli, W.: Non-repudiation in the Digital Environment. First Monday. July 2000. http://outreach.lib.uic.edu/www/issues/issue5_8/mccullagh/index.html

Last Verification: March 2006.

[Med04] Mediacrypt: IDEA Side Channel Attack. Hardening the IDEA Cipher. http://www.mediacrypt.com/_pdf/Side_Channel_Attack_0304.pdf .

Last Verification: Dec. 2005.

[Men2005] Menezes, Alfred: Another look at HMQV. 2 Nov 2005. http://eprint.iacr.org/2005/205

Last Verification: Dec. 2005.

[MOV1996] Menezes, Alfred J.; van Oorschot, Paul C.; Vanstone, Scott A.: Handbook of Applied Cryptography. CRC Press, 1996. ISBN: 0-8493-8523-7

[NIST12] National Institute of Standards and Technology (NIST): An Introduction to Computer Security: The NIST Handbook. NIST Special Publication 800-12.

[NIST180-2] National Institute of Standards and Technology (NIST): Specifications for the secured HASH Standard. FIPS 180-2, 1. August 2002. http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf

Last Verification: Dec. 2005.

[NIST30] National Institute of Standards and Technology (NIST): Risk Management Guide for Information Technology Systems. NIST Special Publication 800-30

[NIST38B] National Institute of Standards and Technology (NIST): Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication. NIST Special Publication 800-38B

[NIST800] National Institute of Standards and Technology (NIST): Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher. SP 800-67. May 2004. http://csrc.nist.gov/publications/nistpubs/

Last Verification: Dec. 2005.

[NSW2003] Department of Commerce NSW: Information Security Guideline for NSW Government – Part 2: Example of Threats and Vulnerabilities. June 2003. http://www.oit.nsw.gov.au/pdf/4.4.17.IS2.pdf .

Last Verification: Feb. 2006

[ODI01] OHB System AG; DSI GmbH; IDA, TU Braunschweig: System Security Requirements. TMTC-SEC-OHB-RP-003

[ÖOP03] Örs, Siddika B.; Oswald, Elisabeth; Preneel, Bart: Power-Analysis Attacks on FPGAs – First Experimental Results. In Cryptographic Hardware and Embedded Systems – CHES 2003, 2003

[RFC2246] IETF: RFC 2246 - The TLS Protocol Version 1.0. http://www.ietf.org/rfc.html.

Last Verification: Jan. 2006.

[RFC2401] IETF: RFC 2401 – Security Architecture for IPsec. http://www.ietf.org/rfc.html.

Last Verification: Jan. 2006.

[RFC2402] IETF: RFC 2402 – AH: Authentication Header (Tunnel and Transport modes). http://www.ietf.org/rfc.html.

Last Verification: Jan. 2006.

[RFC2403] IETF: RFC 2403 – Use of HMAC-MD5-96 within ESP and AH. http://www.ietf.org/rfc.html.

Last Verification: Jan. 2006.

[RFC2404] IETF: RFC 2404 – Use of HMAC-SHA-1-96 within ESP and AH (Authentication algorithms used in AH and ESP: MD5 and SHA-1) . http://www.ietf.org/rfc.html.

Last Verification: Jan. 2006.

[RFC2405] IETF: RFC 2405 – The ESP DES-CBC Cipher Algorithm With Explicit IV. http://www.ietf.org/rfc.html.

Last Verification: Jan. 2006.

[RFC2406] IETF: RFC 2406 – IP Encapsulating Security Payload (ESP) (The encrypting companion to AH, and it affords confidentiality to the contents of its payload). http://www.ietf.org/rfc.html.

Last Verification: Jan. 2006.

[RFC2407] IETF: RFC 2407 – The Internet IP Security Domain of Interpretation for ISAKMP (Internet Security Association and Key Management Protocol. It’s a framework for key exchange at the start of a conversation, and its use obviates the poor practice of using manual keys). http://www.ietf.org/rfc.html.

Last Verification: Jan. 2006.

[RFC2408] IETF: RFC 2408 – Internet Security Association and Key Management Protocol (ISAKMP) (With RFC 2407, this RFC dives into much more detail on the ISAKMP protocol used to support key exchange). http://www.ietf.org/rfc.html.

Last Verification: Jan. 2006.

[RFC2409] IETF: RFC 2409 – The Internet Key Exchange (IKE) (ISAKMP provides a framework for key exchange; IKE includes initial authentication as well as Oakley key exchange). http://www.ietf.org/rfc.html.

Last Verification: Jan. 2006.

[RFC2712] IETF: RFC 2712 – Addition of Kerberos Cipher Suites to Transport Layer Security (TLS). http://www.ietf.org/rfc.html.

Last Verification: Jan. 2006.

[RFC3268] IETF: RFC 3268 – AES Cipher suites for TLS. Adds Advanced Encryption Standard (AES) cipher suites to the previously existing symmetric ciphers. http://www.ietf.org/rfc.html.

Last Verification: Jan. 2006.

[RFC3546] IETF: RFC 3546 – Transport Layer Security (TLS) Extensions, adds a mechanism for negotiating protocol extensions during session initialization and defines some extensions. http://www.ietf.org/rfc.html.

Last Verification: Jan. 2006.

[RFC3775] IETF: RFC 3775 – Mobility Support in IPv6

[SANS2005] SANS: The Twenty Most Critical Security Vulnerabilities (Updated) ~ The Expert Consensus. http://www.sans.org/top20/

[Sch2005] Schneier, Bruce: Weblog. 17. August 2005 http://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html

Last Verification: Dec. 2005.

[Sch96] Schneier, Bruce: Applied Cryptography, Second Edition. John Wiley & Sons, 1996, ISBN 0-471-11709-9

[Sch99] Schneier, Bruce; Ferguson, Niels: A Cryptographic Evaluation of IPsec. http://www.schneier.com/paper-ipsec.pdf.

Last Verification: Jan. 2006.

[SCPS05] http://www.scps.org/

[Stad2005] Stadlober, Stefan: An Evaluation of Security Threats and Countermeasures in Distributed RFID Infrastructures. http://www.iicm.edu/thesis/sstadlober.pdf.

Last Verification: Feb. 2006.

[Wan1976] Wang, P.S.: Factoring multivariate polynomials over algebraic number fields; Math. Comp. 30 (1976) pp. 324–336

[War2003] Warthmann, Forrest: Delay-Tolerant Networks (DTNs), A Tutorial. Version 1.1 3/5/03. http://www.ipnsig.org/reports/DTN_Tutorial11.pdf.

Last Verification: Jan. 2006.

[Web2004] Weber, M.: Encryption for Space: WP3000- Final Report. Issue 1. Issue date: 15 July 2004. ESA Contract Report. EFS.REP.003.

[Wer2002] Werner, Anette: Elliptische Kurven in der Kryptographie. Springer-Verlag, 2002. ISBN: 3-540-42518-7

[WR1976] Weinberger, P.J., Rothschild, L.P.: Factoring polynomials over algebraic number fields; ACM Trans. Math. Software 2 (1976) pp. 335–350

[WYY2005] Wang, Xiaoyun; Yin, Lisa Y.; Yu, Hongbo: Finding Collisions in the Full SHA-1. http://www.infosec.sdu.edu.cn/paper/sha1-crypto-auth-new-2-yao.pdf

Last Verification: Dec. 2005.


[YMK05] Yang, Bo; Mishra, Sambit; Karri, Ramesh: High Speed Architecture for Galois/Counter Mode of Operation (GCM). Polytechnic University, Brooklyn, NY, ECE Department. http://eprint.iacr.org/2005/.

Last Verification: Dec. 2005.

[Zay2005] Zayer, Jörg: Faktorisieren mit dem Number Field Sieve; Dissertation, Saarbrücken 2005


2 RISK ASSESSMENT

The risk assessment report comprises the relevant system and sub-system modules, their security requirements and the identified threats and vulnerabilities. The risk assessment is based on the reference system architecture, which describes the generic mission independent core modules as well as mission specific add-ons.

2.1 Aspects and Impact on the System

The aim of this section is a system level risk assessment of the reference system. The sections follow the risk assessment plan laid out by [NIST30]. Part of the system characterization is provided in the reference system architecture document; this document expands on the system characterization by studying the system from a user perspective. The document then identifies the threats and vulnerabilities found in the reference architecture. A variety of information sources have been used to compile the threat and vulnerability tables for this risk assessment. They include:

• Internal company documents from past and current TM/TC systems;

• Experience from the study team;

• Information gathered from current satellite operators;

• Literature search:

o [SANS2005], [Stad2005], [NSW2003], [NIST12], [GAO2002], [Web2004]

Using the compiled information from the vulnerability and threat analyses, a risk level analysis is performed. The analysis concentrates on four possible ESA user types:

• Research

• Commercial

• Government

• Peacekeeping

Figure 2-1 is a graphical representation of the steps taken in the risk assessment. The final requirements derived from the risk level analysis are presented in document TMTC-SEC-OHB-RP-003.


[Figure 2-1: flow chart with the boxes System Characterization, Threat Source Identification, Threat Analysis, Vulnerability Analysis, Risk Level Analysis and Requirements.]

Figure 2-1 Risk assessment steps.

2.1.1 System Characterization

The first step in any risk assessment is to perform a system characterization; however, for this risk assessment we only have a general system. This does not lend itself well to a detailed system characterization of the hardware and software. The combination of custom and over-the-counter hardware and software is unique to each system. A characterization of the system based on the mission type can be found in [ODI01]. This section expands on the reference architecture by examining the properties of the users:

Research:

• Security rating: Open, Restricted, Confidential

• Mission types: Deep space, S&T, E.O.

• E.g. University, Science institutes, ESA

Commercial:

• Security rating: Open, Restricted, Confidential

• Mission types: Navigation, Communication, E.O.

• E.g. Astra, Eurotel

Government:

• Security rating: Open, Restricted, Confidential, Secret

• Mission types: Navigation, E.O., Communication, Manned space flight

• E.g. Galileo improved navigation accuracy

Peacekeeping:

• Security rating: Open, Restricted, Confidential, Secret

• Mission types: Navigation, E.O., Communication

• E.g. SAR-Lupe (Germany), Helios 2 (France)


2.1.2 Threat Source Identification

All space systems operate in a hostile environment. The system has to be able to handle attacks and assaults from a variety of threat sources. Using a risk assessment, the threats to a system can be identified and design steps taken to reduce the likelihood of a successful attack. Before the reference system vulnerabilities are analyzed, the sources of the threats are listed.

Threat sources themselves can be subdivided into three categories: human, natural, and environmental. For environmental and natural threats, there are no ulterior motives; both are random events that can affect the operation of the system. Human threats are different: their reasons vary as widely as the types of human threats. Table 2-1 is a listing of the threat sources to an IT system.

Threat Type: Natural

• Floods
• Tornadoes
• Earthquakes
• Thunderstorm (Lightning)
• Avalanches
• Hurricanes
• Tidal wave

Threat Type: Environmental

• Chemical
• Pollution
• Infrastructure failure:
o Power supply failure
o Plumbing failure

Threat Type: Human

• Hacker, cracker
• Computer criminals
• Terrorists
• Industrial espionage
• Companies
• Foreign governments
• Insider:
o Untrained
o Disgruntled
o Terminated
o Negligent

Table 2-1 Threat source list.


2.1.3 Reference System Threat Analysis

Figure 2-2 shows where threats interact with the system. Spacecraft threats attack all the space network modules, while the ground threats are against the ground modules. As can be seen in Figure 2-2, link threats are against the links between the modules and the networks. The example only points out some of the links, but the threats listed in this section are against all the links in the picture. In the following tables, the threats are also subdivided into the categories of confidentiality, access control & authentication, integrity, and availability. Non-repudiation has not been included due to the question of its legality. The legal definition of non-repudiation does not conform to the technical definition in some jurisdictions [McC00]; therefore, this service has not been included in the threat list, and care should be taken when using this definition in future reports.

[Figure 2-2: diagram of the generic reference architecture (file: Reference_Architecture_Generic_withthreats_v1.vsd). It shows the Space Network (Spacecraft 1, 2, ... n, each with Payload: P/L Data Link, Avionics: On-Board Data Handling, Telemetry & Telecommand, and ISL Link; EGSE with Test-IF), the Space Link, and the Ground Network (G/S 1 ... G/S n with G/S Antenna Network and Gateways, FOS (Flight Operations Segment) with Mission Control and Payload Operations, PDGS Payload Data Ground Segment (Service Provider), POS (Payload Operations Service) with optional Payload Management, and Users with User Tasks 1 ... n). Modules are labelled M1 to M7 and links L1 to L21. A legend titled "Examples of Threats to TM/TC Data" marks Spacecraft Threats, Link Threats and Ground Threats, and the diagram carries three example threat lists:

- Compromising emissions, Weak cryptographic algorithms, Unauthorized access, Denial-of-Service
- Data storage errors, Compromising emissions, Network traffic analysis, Unauthorized access
- Data viewing, Traffic analysis, Data manipulation, Replay]

Figure 2-2 Example threats to the reference system.


2.1.3.1 TC Links (Gnd-to-Sc, Gnd-to-Gnd Wired, Gnd-to-Gnd Wireless, Sc-to-Sc) - Communication Channel Threats

Columns: #, Threat, Description, Threat to Vul.

Confidentiality

1. Data viewing / Forward interception

The communication links are over open channels, which means without added security measures anyone can intercept and view the data. Spacecraft, subsystem, or instrument control can be obtained.

Lnk 1, Lnk 4

2. Traffic analysis

End-to-end encrypted data packets require that the header and tail of the data packet remain unencrypted even if the data portion is encrypted. This header and tail information can be used to deduce the activities of the hosts or users (volume, source, and destination).

Lnk 1, Lnk 4

3. Satellite communication tracking

Knowing the location and position of a satellite and ground station allows an attacker to easily intercept the uplink data. Telecommands and payload data can be intercepted with this information.

Lnk 1

Data Integrity

4. Data manipulation

Open communication channels also provide the opportunity for attackers to intercept and manipulate the data. This is an attack on integrity and can lead to either loss of spacecraft control or receiving false data at the receiving end.

Lnk 2, Lnk 4

Authentication

5. Replay

Secured data sent over an open channel can be captured and replayed at a later time, causing a disruption to the receiving system.

Lnk 3

Availability

6. Jamming / Intentional interference

Spacecraft communication can be disrupted through directed interference. This interference can lead to the loss of TM/TC communication with the spacecraft. Sources for jamming are:

• Radio frequency interference from powerful signals set on the communication frequency. These signals can be a variety of types, for example, noise- or sweep frequency signals.

• Air or land based interference transmitter.

• Artificial atmospheric effects, for example, metal particle clouds, ionization from EMP or NEMP.

The location of the interference transmitter can be on the ground, in the air, or in space.

Lnk 5

7. Unintentional interference

Interference may also arise from natural sources. Weather and solar interference are two examples. Cloudy days may dampen the signal, thereby resulting in a weaker arriving signal.

Our solar system is a noisy environment and may result in signal interference. Mismanagement of the radio bands may also lead to interference, when other transmitters attempt to transmit within the same frequency range.

Lnk 2, Lnk 4, Lnk 5
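Threats 4 (data manipulation) and 5 (replay) in the table above are the two link threats a receiver can reject frame by frame. The following Python example is an added illustration and not part of the study: it assumes a hypothetical frame layout (16-bit spacecraft ID, 32-bit sequence counter, command bytes, truncated HMAC-SHA-256 tag) and a constructed pre-shared key, and shows a receiver that verifies the tag before it trusts the counter.

```python
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

# Assumed frame layout (hypothetical, not taken from the study):
#   spacecraft ID (16 bit) | sequence counter (32 bit) | command | MAC tag
HEADER = struct.Struct(">HI")
MAC_LEN = 16  # HMAC-SHA-256 truncated to 128 bits (assumption)


def build_frame(key: bytes, scid: int, seq: int, command: bytes) -> bytes:
    """Ground side: authenticate header and command together."""
    header = HEADER.pack(scid, seq)
    tag = hmac.new(key, header + command, hashlib.sha256).digest()[:MAC_LEN]
    return header + command + tag


class TelecommandReceiver:
    """Receiving side: rejects manipulated and replayed frames."""

    def __init__(self, key: bytes, scid: int) -> None:
        self.key = key
        self.scid = scid
        self.last_seq = -1  # highest counter accepted so far

    def accept(self, frame: bytes) -> Tuple[str, Optional[bytes]]:
        if len(frame) < HEADER.size + MAC_LEN:
            return "malformed", None
        body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]

        # Integrity first (threat 4): the counter is only trusted once the
        # tag has verified, so a forged frame cannot advance last_seq.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(tag, expected):
            return "bad_mac", None

        scid, seq = HEADER.unpack_from(body)
        if scid != self.scid:
            return "wrong_spacecraft", None

        # Anti-replay (threat 5): a captured frame carries a valid tag but
        # an old counter, so the counter must be strictly increasing.
        if seq <= self.last_seq:
            return "replayed", None

        self.last_seq = seq
        return "accepted", body[HEADER.size:]


def demo() -> List[str]:
    """Run a constructed traffic sample through the receiver."""
    key = bytes(range(32))  # constructed sample key, never use in practice
    rx = TelecommandReceiver(key, scid=0x01A5)

    first = build_frame(key, 0x01A5, 1, b"PAYLOAD_ON")
    second = build_frame(key, 0x01A5, 2, b"PAYLOAD_OFF")
    manipulated = bytearray(second)
    manipulated[HEADER.size] ^= 0x01          # one command bit flipped in transit
    other = build_frame(key, 0x0001, 3, b"PAYLOAD_ON")  # addressed elsewhere

    traffic = [first, bytes(manipulated), second, first, other]
    return [rx.accept(frame)[0] for frame in traffic]


if __name__ == "__main__":
    print(demo())
```

Gaps in the counter are accepted, so frames lost to interference (threats 6 and 7) do not block later commands; the last accepted counter has to survive a receiver restart, otherwise previously captured frames become valid again.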


2.1.3.2 TM Links (Gnd-to-Sc, Gnd-to-Gnd Wired, Gnd-to-Gnd Wireless, Sc-to-Sc) - Communication Channel Threats

Columns: #, Threat, Description, Threat to Vul.

Confidentiality

8. Data viewing / Reverse interception

The communication links are over open channels, which means without added security measures anyone can intercept and view the data; therefore, any information transmitted using telemetry would be available to the attacker (e.g. satellite, subsystem or instrument information).

Lnk 1, Lnk 4

9. Traffic analysis

End-to-end encrypted data packets require that the header and tail of the data packet remain unencrypted even if the data portion is encrypted. This header and tail information can be used to deduce the activities of the hosts or users (volume, source, and destination).

Lnk 1, Lnk 4

10. Satellite communication tracking

Knowing the location and position of a satellite and ground station allows an attacker to easily intercept the downlink data. Telemetry and payload data can be intercepted with this information.

Lnk 1

Data Integrity

11. Data manipulation

Open communication channels also provide the opportunity for attackers to intercept and manipulate the data. This is an attack on integrity and can lead to either loss of spacecraft control or receiving false data at the receiving end.

Lnk 2, Lnk 4

Authentication

12. Replay

Secured data sent over an open channel can be captured and replayed at a later time, causing a disruption to the receiving system.

Lnk 3

Availability

13. Jamming / Intentional interference

Spacecraft communication can be disrupted through directed interference. This interference can lead to the loss of TM/TC communication with the spacecraft. Sources for jamming are:

• Radio frequency interference from powerful signals set on the communication frequency. These signals can be a variety of types, for example, noise- or sweep frequency signals.

• Air or land based interference transmitter.

• Artificial atmospheric effects, for example, metal particle clouds, ionization from EMP or NEMP.

The location of the interference transmitter can be on the ground, in the air, or in space.

Lnk 5

14. Unintentional interference

Interference may also arise from natural sources. Weather and solar interference are two examples. Cloudy days may dampen the signal, thereby resulting in a weaker arriving signal.

Our solar system is a noisy environment and may result in signal interference. Mismanagement of the radio bands may also lead to interference, when other transmitters attempt to transmit within the same frequency range.

Lnk 2, Lnk 4, Lnk 5


2.1.3.3 Ground - System Level Threats

Columns: #, Threat, Description, Threat to Vul.

Confidentiality

15. Data storage errors

Age of the storage medium plays an important role in its reliability. Old storage devices are prone to errors that can make the data unreadable or inaccessible.

Gnd 30

16. Compromising emissions

It is possible to acquire data through electromagnetic radiation (e.g. from the monitor or data lines). This data is unencrypted and may lead to a loss of confidentiality.

Gnd 36

17. Network rerouting

Errors or the result of manipulations can result in false routing where data is sent to the wrong computers. If the data does not reach the correct component, the data may be discarded and lead to communication errors and data availability problems. Attackers could also use this to gain access to classified data.

Gnd 2, Gnd 3

18. System access through software and network holes

Unreported network or system vulnerabilities can be used by insiders to access the system without proper authorization. This leads to a loss of confidentiality, integrity, and availability.

Gnd 1, Gnd 3, Gnd 4, Gnd 32

19. Network traffic analysis

Analyzing the traffic on communication networks may provide information of when each system component is being used and by whom. Satellite traffic analysis may provide the attacker with information about which geographical area or situation is being examined. This is a loss in confidentiality.

Gnd 5, Gnd 7

20. Retrieval of deleted data from decommissioned storage devices

Old or decommissioned data storage devices may still contain classified data as a magnetic or residual virtual image. This data can be read by special equipment, leading to a loss in confidentiality.

Gnd 42, Gnd 45

21. Theft of hardware components

Light, transportable devices can be easily removed from secure areas. If these devices contain classified information, this information can become compromised. Theft of a network component may disrupt the system if no replacement is available and it is a critical component.

Gnd 8, Gnd 6

22. Theft of software components

Data storage devices (diskette, USB memory sticks, mobile hard drives) can be used to steal software and data. This is untraceable if no audit system is used.

Gnd 8, Gnd 18, Gnd 22, Gnd 24, Gnd 25, Gnd 27

23. Key management and storage

If the key is compromised during transfer, through insecure storage, or used past recommended lifetime, all the encrypted data is as open as clear text, and the data can be read by any third party.

Gnd 29

24. Old or weak cryptographic algorithms and protocols

Cryptographic algorithms and protocols are constantly studied for weaknesses. These weaknesses are published in journals and are accessible to everyone. Encrypted data may be decrypted faster than brute force methods. TM/TC data can be viewed or changed.

Gnd 44


Functional Integrity

25. Programming errors in commercial software

Commercial software (e.g. operating system or database software) is not always free of software errors. These errors can lead to faulty data being sent.

Gnd 3, Gnd 4

26. Programming and design errors in custom software

Custom designed and implemented software may have errors that have not been found during debugging and testing phases. The effect of these errors depends on the function of the software and its importance to the system. Mission critical software errors may result in faulty data being sent.

Gnd 3, Gnd 4

Data Integrity

27. Key management and storage

If the key is compromised during transfer, through insecure storage, or used past recommended lifetime, all the encrypted data is as open as clear text, and can be changed by a malicious third party.

Gnd 29

28. Old or weak cryptographic algorithms and protocols

Cryptographic algorithms and protocols are constantly studied for weaknesses. These weaknesses are published in journals and are accessible to everyone. Signed data may be altered and the signature forged to falsely give the impression the TM/TC data is from the proper source.

Gnd 47, Gnd 44

Access Control & Authentication

29. IP Spoofing

Data headers in IP packets are set to appear to come from a legitimate user but in reality come from another source.

Gnd 1, Gnd 20

30. Administration error

Administration errors can have an effect on the full system. If the system or network resources are inadequately laid out, stability issues may arise during peak performance periods.

Account settings set the access privileges of users, and incorrect settings may allow unauthorized users to access classified information.

Gnd 3, Gnd 25

31. Identity theft / Unauthorized access

If authorization data of a particular user is compromised and an attacker is able to get this information, the attacker can use the account to gain access to parts of the system. The access is limited to the access level of the compromised user. Data integrity is endangered.

Gnd 1, Gnd 2, Gnd 3, Gnd 4, Gnd 5, Gnd 6, Gnd 7, Gnd 8, Gnd 9, Gnd 18, Gnd 19, Gnd 21, Gnd 22, Gnd 23, Gnd 25, Gnd 26, Gnd 40

32. Hidden communication channels

Hidden communication channels are connections between different networks that are undocumented, but can be used to transfer data from different network areas. This can lead to a loss of confidentiality and integrity.

Gnd 37, Gnd 39, Gnd 40

33. Access through connected systems

Connected networks may allow unauthorized access if all access points are not properly secured.

Gnd 1, Gnd 39, Gnd 40


34. System access through outdated role access

Employee turnover is a common occurrence and leads to personnel having network and system access without the proper administrative clearance. This leads to unauthorized personnel having access to the system.

Gnd 3, Gnd 19

35. Access to the system through test equipment

Test equipment may allow access to the system by:

• Providing an attacker with the knowledge of the system through the test equipment design.

• Test access ports that are open with only the test equipment may by-pass security measures.

Gnd 41

36. Old or weak cryptographic algorithms and protocols

Cryptographic algorithms and protocols are constantly studied for weaknesses. These weaknesses are published in journals and are accessible to everyone. Password data is stored in an encrypted form, and tools may become available to decrypt these passwords.

Gnd 44

Availability

37. Malicious Code

Introduction of viruses and worms can damage the system.

Gnd 13, Gnd 14, Gnd 15, Gnd 16, Gnd 17

38. Unintentional interference

Interference may also arise from natural sources. Weather and solar interference are two examples. Cloudy days may dampen the signal, thereby resulting in a weaker arriving signal.

Our solar system is a noisy environment and may result in signal interference. Mismanagement of the radio bands may also lead to interference, when other transmitters attempt to transmit within the same frequency range.

Gnd 34, Gnd 35, Gnd 36

39. Denial-of-Service

Communication systems have limited bandwidth and processing each received command takes a finite amount of time. Services can be disrupted or stalled by sending a high volume of traffic at a target system. This may cause the system to be unable to process legitimate commands.

Gnd 1, Gnd 47

40. Packet Fragmentation

Data fragmentation over ground networks may lead to hackers adding packet fragments to crash the packet reassembly network component.

Gnd 1, Gnd 47

41. Failure of the electrical system in the ground station

Loss of electrical power can cause the computer and network systems to shut down. This is not a clean shutdown of the system, and may cause data loss or program malfunction. The loss of power will also lead to the environmental system not functioning.

Gnd 12

42. Failure of the environmental system in the ground station

IT components generate a lot of heat. If the environmental system fails, the components can overheat and become damaged.

Gnd 12


43. Electrical surge

Electrical surges can be caused by lightning strikes, supply faults from the power supply net, or a failure in the electrical wiring in the ground station infrastructure. The surges do not necessarily need to travel through the power supply net; they can also reach the IT components through the:

• Telephone connections

• LAN connections

• Metal pipes in the building.

Gnd 12

44. Fire / Water / Moisture damage

Water, fire and moisture can seriously damage computer and network systems to the point where the hardware fails and/or data is totally lost without a chance for recovery.

Gnd 10, Gnd 11, Gnd 12

45. Vibrations / Earthquakes

Vibrations can influence the IT-hardware and cause system errors.

Earthquakes have the potential to damage or even destroy the computer and network system. They can also destroy the surrounding infrastructure.

Gnd 12

46. Weather related threats

Extreme wind or storm conditions may damage the building or antenna, whereas heavy rain or snowfall may disrupt the satellite-to-ground connection.

Gnd 12

47. Explosions due to accidents

Accidental explosions around the IT equipment, building, antenna, or documents can damage or destroy each of these items.

Gnd 3, Gnd 6

48. Operating temperature

IT components generate a lot of heat during normal operation. This heat can damage the components, cause data loss or system glitches.

Gnd 34, Gnd 35

49. Dust

Dust can damage IT components by either acting as an insulator that reduces the heat dissipation of the components or by clogging mechanical parts, i.e. fans.

Gnd 32

50. Access by external personnel

Access by external personnel (i.e. repair technicians, construction workers, craftsmen, or cleaning staff) increases the chance that classified information can be viewed or overheard. There is also a risk that incorrect handling of the IT components (mishandling of the cables or spilling of fluids) can cause service disruptions.

Gnd 8, Gnd 23, Gnd 33

51. Incorrect operation or repair

Incorrect operation or repair of the system can have the consequence that the system stability is reduced. This may lead to loss of data or even total system failure.

Gnd 3

52. User input error

User input errors (e.g. typos) can lead to an unintended system response.

Gnd 3

53. IT- or network component failure

Failure of IT components (e.g. servers or RAID-systems) or network components (e.g. routers, hubs, or switches) influences the availability of the system.

Failure of any of these components can lead to loss of data, loss of contact with the satellite or ground station, or access granted to unauthorized parties.

Gnd 28, Gnd 34


54. Programming errors in commercial software

Commercial software (e.g. operating system or database software) is not always free of software errors. These errors can lead to system or network crashes.

Gnd 4, Gnd 44

55. Programming and design errors in custom software

Custom designed and implemented software may have errors that have not been found during debugging and testing phases. The effect of these errors depends on the function of the software and its importance to the system. Mission critical software errors may result in the satellite communication being disrupted.

Gnd 4, Gnd 44

56. Software integration errors

Modern systems are designed in modules. Later integration of these modules can lead to errors if the interfaces are not correctly or fully defined or implemented, even if the modules work properly individually.

Gnd 34, Gnd 38

57. System / Network overload

System or network overload can be caused by inadequate processor power, incorrect network layout, or under-capacity network components. System or network overload is a reduction in the availability.

Gnd 2

58. Physical damage of hardware components

Through vandalism, arson, or terrorism, hardware can be damaged to the point where the system is destroyed or severely damaged. The system is then unavailable.

Gnd 8

59. Abuse of system resources

System resource availability can be reduced by unplanned use of the system; for example, the use of the computers in the network for game play.

Gnd 22, Gnd 25, Gnd 26

60. Loss of time synchronization

If the ground station loses time synchronization with the spacecraft, missions may be missed due to wrong spacecraft position or incorrect time.

The transmission window between spacecraft and ground is usually open only for a short time period. Incorrect time synchronization may cause the spacecraft or ground station to start transmission later than originally scheduled, thereby reducing the transfer window.

Gnd 43

61. Air attack

System and network components can be damaged through air attacks on the infrastructure. After an attack the system can become unavailable. Only relevant during wartime.

Gnd 8

62. Nuclear attack

System and network components can be damaged through a nuclear attack on the infrastructure. After an attack the system can become unavailable. Only relevant during wartime.

Gnd 8

63. Biological and chemical attack

Biological or chemical attacks threaten the operators of the system. They leave the network and system components alone. Only relevant during wartime.

Gnd 8

64. Loss of antennae alignment

If the antennae on the spacecraft and the ground station become misaligned, data loss or loss of control may occur.

Gnd 3


2.1.3.4 Spacecraft - System Level Threats

# | Threat | Description | Threat to Vul.

Confidentiality

65. Compromising emissions

It is possible to acquire data through the electromagnetic radiation (e.g. from the monitor or data lines). This data is unencrypted and may lead to a loss of confidentiality.

Sp 10, Sp 12, Sp 13

66. Old or weak cryptographic algorithms and protocols

Cryptographic algorithms and protocols are constantly studied for weaknesses. These weaknesses are published in journals and are accessible to everyone. Encrypted data may be decrypted faster than with brute force methods. TM/TC data can be viewed or changed.

Sp 18

Functional Integrity

67. Programming errors in commercial software

Commercial software (e.g. operating system or database software) is not always free of software errors. These errors can lead to faulty data being sent.

Sp 1, Sp 2

68. Programming and design errors in custom software

Custom designed and implemented software may have errors that have not been found during debugging and testing phases. The effect of these errors depends on the function of the software and its importance to the system. Mission critical software errors may lead to faulty data being sent.

Sp 1, Sp 2

Data Integrity

69. Key management and storage

If the key is compromised during transfer or through insecure storage, or is used past its recommended lifetime, all the encrypted data is as open as clear text and can be changed by a malicious third party.

Sp 8

70. Old or weak cryptographic algorithms and protocols

Cryptographic algorithms and protocols are constantly studied for weaknesses. These weaknesses are published in journals and are accessible to everyone. Signed data may be altered and the signature forged to falsely give the impression the TM/TC data is from the proper source.

Sp 18

Access Control & Authentication

71. Identity theft / Unauthorized access

If the attacker is able to pose as a legitimate user, the system is then open to the attacker to control up to the access level of the user. If the stolen user account has full satellite control privileges, the damage done can be everything from loss of confidentiality to total loss of the satellite itself.

Sp 5

72. Access to the system through test equipment

Test equipment may allow access to the system by:

• Providing an attacker with the knowledge of the system through the test equipment design.

• Test access ports that can be opened only with the test equipment may bypass security measures.

Sp 16


73. Old or weak cryptographic algorithms and protocols

Cryptographic algorithms and protocols are constantly studied for weaknesses. These weaknesses are published in journals and are accessible to everyone. Password data is stored in an encrypted form, and tools may become available to decrypt these passwords.

Sp 18

Availability

74. Operating temperature

IT components generate a lot of heat during normal operation. This heat can damage the components and cause data loss or system glitches.

Sp 19

75. IT- component failure

Failure of IT components influences the availability of the system. If the system is not set up with redundant components, the failure of any of these components can lead to data loss, loss of contact with the ground station, or access granted to unauthorized parties.

Sp 10, Sp 11, Sp 12

76. Denial-of-Service

Communication systems have limited bandwidth and processing each received command takes a finite amount of time. Services can be disrupted or stalled by sending a high volume of traffic at a target system. This may cause the system to be unable to process legitimate commands.

Sp 20

77. Programming errors in commercial software

Commercial software (e.g. operating system or database software) is not always free of software errors. These errors can lead to system or network crashes.

Sp 18

78. Programming and design errors in custom software

Custom designed and implemented software may have errors that have not been found during debugging and testing phases. The effect of these errors depends on the function of the software and its importance to the system. Mission critical software errors may result in the satellite communication being disrupted.

Sp 18

79. Software integration errors

Modern systems are designed in modules. The later integration of these modules can lead to errors if the interfaces are not correctly or fully defined or implemented, even if the modules work properly individually.

Sp 14

80. Unintentional interference

Interference may also arise from natural sources. Weather and solar interference are two examples. Cloudy days may dampen the signal, resulting in a weaker arriving signal.

Our solar system is a noisy environment and may result in signal interference. Mismanagement of the radio bands may also lead to interference, when other transmitters attempt to transmit within the same frequency range.

Sp 10, Sp 11, Sp 12

81. Electromagnetic or particle radiation

High levels of constant electromagnetic or particle radiation can damage the components aboard a satellite.

Sp 10, Sp 11

82. Electrical outage

If the power supply, fuel supply or solar panels are damaged or become inactive then the satellite can stop functioning.

Sp 7, Sp 9, Sp 15

83. Temperature control outage

Temperature control on the satellite protects the circuitry and components on the satellite from heat damage. Without this function components can overheat.

Sp 19

84. Nuclear attack in space

Nuclear attacks in space are both physical and electromagnetic threats to the satellite system. The effect of each threat is dependent on the distance of the explosion from the satellite.

Sp 6


85. Physical attack on the satellite

Physical attacks on the satellite originate either from other space-based weapons (space mines, killer satellites, projectiles) or ground-based weapons (high energy weapons like lasers, electromagnetic pulse emitters, or high energy radio wave devices).

Sp 6

86. Space debris

The space where satellites travel is not a clean environment. There is a lot of space debris flying around, sometimes at great velocities. If this debris impacts with the satellite, it may destroy the satellite or damage some of the systems.

Sp 6

87. Positioning signal (Galileo/GPS) failure

Spacecraft use positioning signals from other spacecraft for their attitude and orbit control. The positioning signal is also used for the antenna alignment. Positioning signal failure may lead to the antenna being falsely aligned, which can cause communication disruptions.

Sp 7, Sp 15

88. Loss of time synchronization

If the spacecraft loses time synchronization with the ground station, missions may be missed due to wrong spacecraft position or incorrect time.

The transmission window between spacecraft and ground is usually open only for a short time period. Incorrect time synchronization may cause the spacecraft or ground station to start transmission later than originally scheduled, thereby reducing the transfer window.

Sp 17

2.1.4 Vulnerability Analysis

Before the vulnerabilities to the TM/TC data can be analyzed, a study of the threats in the TM/TC data path and system must be performed. This section lists the threats present and organizes them to the appropriate system partitions. These system partitions are based on the sections found in the reference system [ODI01].

Sp: Space; Gnd: Ground; Lnk: Links

2.1.4.1 Vulnerabilities in the TM/TC Communication Links

| Vul. Num. | Vulnerability | Vulnerability of | Relevant to Study |
|---|---|---|---|
| Lnk 1 | Unencrypted data transmission | Data | Yes |
| Lnk 2 | Unauthenticated data transmission | Data | Yes |
| Lnk 3 | Lack of counters or time stamps | Data | Yes |
| Lnk 4 | Use of weak protocols and cryptographic algorithms | Data | Yes |
| Lnk 5 | Loss of signal or blocking of transmission | Data | Yes |


2.1.4.2 Vulnerabilities in the Ground Systems

| Vul. Num. | Vulnerability | Vulnerability of | Relevant to Study |
|---|---|---|---|
| Gnd 1 | Lack of a DMZ/firewall | System / Data | Yes |
| Gnd 2 | Deficient IT infrastructure planning | System | No |
| Gnd 3 | Untrained operators and personnel | System | No |
| Gnd 4 | Network and system component software not up to date | System / Data | No |
| Gnd 5 | Unencrypted data transmission | Data | Yes |
| Gnd 6 | Critical data is stored in an unencrypted form | Data | Yes |
| Gnd 7 | Unauthenticated data transmission | Data | Yes |
| Gnd 8 | Lack of physical security of network and system components | System / Data | No |
| Gnd 9 | Use of shared network resources | Data | Yes |
| Gnd 10 | Lack of fire protection | System | No |
| Gnd 11 | Lack of fire suppression system | System | No |
| Gnd 12 | Lack of environment protection | System | No |
| Gnd 13 | No anti-virus software | System | Yes |
| Gnd 14 | Lack of regular virus definition update | System | Yes |
| Gnd 15 | Uncontrolled downloading from internet | System | No |
| Gnd 16 | Email attachments are allowed to be opened | System | No |
| Gnd 17 | No policy on virus scanning removable media | System | No |
| Gnd 18 | Lack of logical access security (password and ID) | System | Yes |
| Gnd 19 | User list is not kept up to date with current employee list | System | No |
| Gnd 20 | Lack of authentication and signature mechanisms | Data | Yes |
| Gnd 21 | Unprotected password tables | System / Data | Yes |
| Gnd 22 | Incorrect access rights | System / Data | Yes |
| Gnd 23 | Lack of password security policy | System / Data | Yes |
| Gnd 24 | Uncontrolled copying of data and software | Data | No |
| Gnd 25 | Lack of system and network logging or poor audit log maintenance | System | Yes |
| Gnd 26 | Lack of user roles for network and system access | System / Data | Yes |
| Gnd 27 | Inadequate control of software licenses and media | System | No |
| Gnd 28 | System and network components are not redundant | System | No |
| Gnd 29 | Lack of cryptographic key management | Data | Yes |
| Gnd 30 | Lack of backup policy | System | No |
| Gnd 31 | Running of wrong software version | System | No |
| Gnd 32 | Aging / Deterioration of hardware components | System | No |
| Gnd 33 | Lack of security for physical access to network and system components and software | System | No |
| Gnd 34 | Incorrect components used | System | No |
| Gnd 35 | Components set too close to other components that emit electromagnetic emissions | System / Data | Yes |
| Gnd 36 | Lack of shielding for sensitive components (TEMPEST) | System / Data | Yes |
| Gnd 37 | Unsecured external ports to outside networks | System / Data | Yes |
| Gnd 38 | Lack of interoperability | System | Yes |
| Gnd 39 | LAN interfacing with different classification ratings | Data | Yes |
| Gnd 40 | Using the default system and network configurations | Data | Yes |
| Gnd 41 | Lack of physical security for test devices | System | No |
| Gnd 42 | Lack of physical security for data storage devices and media | Data | No |
| Gnd 43 | Lack of time synchronization | System | No |
| Gnd 44 | Lack of system software update mechanisms | Data | Yes |
| Gnd 45 | No policy for decommissioning of data storage devices | Data | No |
| Gnd 46 | Lack of environmental control system | System | No |
| Gnd 47 | Use of weak protocols and cryptographic algorithms | Data | Yes |


2.1.4.3 Vulnerabilities in the Space Systems

| Vul. Num. | Vulnerability | Vulnerability of | Relevant to Study |
|---|---|---|---|
| Sp 1 | Untrained operators and personnel | System / Data | No |
| Sp 2 | Network and system component software not up to date | System | No |
| Sp 3 | Unencrypted data transmission inside spacecraft | Data | Yes |
| Sp 4 | Critical data is stored in an unencrypted form | Data | Yes |
| Sp 5 | Unauthenticated data transmission inside spacecraft | Data | Yes |
| Sp 6 | Lack of physical protection of components | System | No |
| Sp 7 | System and network components are not redundant | System | No |
| Sp 8 | Lack of cryptographic key management | Data | Yes |
| Sp 9 | Aging / Deterioration of hardware components | System | No |
| Sp 10 | Incorrect components used | System | No |
| Sp 11 | Components inadequate for space environments | System | No |
| Sp 12 | Components set too close to other components that emit electromagnetic emissions | System / Data | Yes |
| Sp 13 | Lack of shielding for sensitive components | System / Data | Yes |
| Sp 14 | Lack of interoperability | System | Yes |
| Sp 15 | Critical components (Single-point-of-failure) | System | No |
| Sp 16 | Lack of physical security for test devices | Data | No |
| Sp 17 | Lack of time synchronization | System | No |
| Sp 18 | Lack of system software update mechanisms | System / Data | Yes |
| Sp 19 | Lack of environmental control system | System | No |
| Sp 20 | Use of weak protocols and cryptographic algorithms | Data | Yes |

2.2 Risk Level Analysis / Risk Register

The previous two sections identified the threats and vulnerabilities to the TM/TC reference system. The next step in the risk assessment is to study the impact of each vulnerability. Many aspects affect the risk to a system, for example the user or mission type. As an example, a governmental user using a communication satellite to interact with external personnel has a higher potential for damage should the information become compromised than a researcher communicating with experimental probes.


The following risk level analysis is subdivided into the four different user types. Only the threats dealing directly with the TM/TC path are analyzed; infrastructure threats have been removed. The risk level of infrastructure threats cannot be measured without knowing the intended location and design of the ground stations. The tables in Sections 2.2.2 and 2.2.3 are the risk register.

2.2.1 Rating System

The risk level is a determination of the likelihood of a threat exercising a vulnerability and the resulting impact the exploited vulnerability will have on the users. For this risk level analysis the likelihood rating has been divided into a range from 0-3 or from negligible to high. For each vulnerability the likelihood of a successful attack depends on the threat source. Table 2-2 provides the points used to determine the likelihood of an attack.

Threat source: Unintentional

• Past experience with similar systems

• Statistics

Threat source: Intentional

• Motivation of the attacker

  o Highly motivated or just for fun

• Does the threat source have the required equipment to perform the attack?

• Is an attack possible in a reasonable time frame?

Table 2-2 Likelihood determination factors.

For both cases information from past risk assessments, reports and input from satellite operators was used to determine the likelihood of a threat exploiting a vulnerability in a three year period. Table 2-3 is a listing of the likelihood and provides an explanation for each level. In the case where no records exist for previous attacks, estimates were used from professionals who work with TM/TC systems.

| Class | Description | Time Frame (3 year period) |
|---|---|---|
| 3 High | The threat source is extremely motivated and the information the system or data holds is worth the cost and effort to extract. The attacker has the required facilities and the controls to prevent the vulnerability are inadequate. | > 100 times |
| 2 Medium | This risk is an occasional event. The threat source is motivated but may not have all the equipment required to take advantage of the vulnerabilities. Some controls may also be in place to prevent the threat source from accessing the vulnerability. | 10 times |
| 1 Low | This risk is seldom seen, but cannot be excluded. The threat source is not highly motivated (e.g. prankster) and/or may not have the required equipment to access the system. Controls in place may significantly hinder the threat source. | 1 time |
| 0 Negligible | The chance of this risk happening is so negligible that the threat can be ignored. | < 0.1 times |

Table 2-3 Assessment rating for the risk likelihood of a threat source using a threat to successfully attack a vulnerability in a three year time period.


The second table (see Table 2-4) is an impact level rating. The impact can be to the physical system or it can be the result of valuable information (e.g. restricted, confidential, etc.) becoming freely available to the general public. Therefore, in the vulnerability analysis, the vulnerability type (system or data) has also been determined. This information allows the risk level determination to separate the impact to the system from the impact resulting from the release of information or data. Table 2-4 categorizes the impact between negligible (0) and very high (4). For each of these ratings a brief example of the type of impact is provided. The impact to the system is the same for any type of user; however, the impact from the data depends on the type of user. In the risk level determination, two separate tables are used for system and data impact to provide easier differentiation.

| Impacted Resource | Impact Aspect | 0 Negligible | 1 Low | 2 Medium | 3 High | 4 Very High |
|---|---|---|---|---|---|---|
| System | System Impact | None | Partial operation failure with full recovery | Full operation failure with full recovery, or partial operation failure with partial recovery | Full operation failure with partial recovery, or partial operation failure without recovery | Full operation failure without recovery |
| Data | Security Level Breach | None | Restricted | Confidential | Secret | Top Secret |
| Data | Political Fallout | None | A single group or groups inside the system | System group | Political department | Country or EU |

Table 2-4 Impact level table to assess the potential impact if a threat successfully exercises a vulnerability.

Combining the results from the previous two tables, a risk level between low and very high can be obtained. Table 2-5 provides the risk level rating, while Table 2-6 describes each risk level and presents the action that each level requires.

| Likelihood \ Impact | 0 Negligible | 1 Low | 2 Medium | 3 High | 4 Very High |
|---|---|---|---|---|---|
| 0 Negligible | Low | Low | Low | Low | Medium |
| 1 Low | Low | Low | Medium | High | High |
| 2 Medium | Low | Low | Medium | High | Very High |
| 3 High | Low | Medium | High | Very High | Very High |

Table 2-5 Risk level matrix to determine the risk level of a given vulnerability.


| Risk Level | Risk Level Description and Resulting Actions |
|---|---|
| Very High | A risk level of very high means the operation of the system should be stopped until protective measures are implemented to reduce the risk level to low. |
| High | An observation of a high risk level indicates that corrective measures need to be implemented as soon as possible, but the system can still operate. |
| Medium | For a medium risk level, corrective actions must be undertaken in a reasonable time frame. The system can continue to operate. |
| Low | For a risk level of low, the decision to implement further protective measures is up to the stakeholders and users, or they can accept the risk. |

Table 2-6 Descriptions and resulting actions for each risk level.
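The lookup defined by Tables 2-5 and 2-6, as an added Python example that is not part of the original report: it recomputes the risk levels for a few rows copied from the Section 2.2.3 register, flags any row whose recorded level disagrees with the matrix, and orders the findings by required action. The function and class names (`risk_level`, `RegisterRow`, `audit`, `halt_list`, `worklist`) and the row `EX 1` are constructed for illustration.

```python
from dataclasses import dataclass

USER_TYPES = ("Research", "Commercial", "Government", "Peacekeeping")
LEVELS = ("Low", "Medium", "High", "Very High")  # ascending severity

# Table 2-5, indexed as RISK_MATRIX[likelihood 0-3][impact 0-4].
RISK_MATRIX = (
    ("Low", "Low", "Low", "Low", "Medium"),              # likelihood 0 Negligible
    ("Low", "Low", "Medium", "High", "High"),            # likelihood 1 Low
    ("Low", "Low", "Medium", "High", "Very High"),       # likelihood 2 Medium
    ("Low", "Medium", "High", "Very High", "Very High"), # likelihood 3 High
)

# Table 2-6, condensed to the operational consequence of each level.
ACTIONS = {
    "Very High": "stop operation until the risk is reduced to low",
    "High": "correct as soon as possible; system can still operate",
    "Medium": "correct in a reasonable time frame; system can continue",
    "Low": "stakeholders and users decide on measures or accept the risk",
}


def risk_level(impact: int, likelihood: int) -> str:
    """Return the Table 2-5 risk level for an impact (0-4) and likelihood (0-3)."""
    if not isinstance(impact, int) or not 0 <= impact <= 4:
        raise ValueError(f"impact must be an integer 0-4, got {impact!r}")
    if not isinstance(likelihood, int) or not 0 <= likelihood <= 3:
        raise ValueError(f"likelihood must be an integer 0-3, got {likelihood!r}")
    return RISK_MATRIX[likelihood][impact]


@dataclass(frozen=True)
class RegisterRow:
    vul_id: str
    impacts: tuple    # data impact per user type, in USER_TYPES order
    likelihood: int   # one likelihood for all user types
    recorded: tuple   # risk levels as printed in the register

    def computed(self) -> tuple:
        return tuple(risk_level(i, self.likelihood) for i in self.impacts)


# Rows copied from the Section 2.2.3 register.
REGISTER_ROWS = [
    RegisterRow("Lnk (G-S)1 TC", (1, 2, 3, 3), 2, ("Low", "Medium", "High", "High")),
    RegisterRow("Lnk (G-G)1 TC", (1, 2, 3, 3), 3,
                ("Medium", "High", "Very High", "Very High")),
    RegisterRow("Lnk (G-G)3 TM", (1, 1, 1, 1), 3,
                ("Medium", "Medium", "Medium", "Medium")),
    RegisterRow("Sp 4", (1, 2, 3, 3), 0, ("Low", "Low", "Low", "Low")),
    RegisterRow("Gnd 40", (1, 1, 2, 2), 1, ("Low", "Low", "Medium", "Medium")),
]

# Constructed row, not from the report: impact 4 at likelihood 2 is Very High
# in Table 2-5, but the recorded value is one level too low.
CONSTRUCTED_BAD_ROW = RegisterRow(
    "EX 1", (1, 2, 3, 4), 2, ("Low", "Medium", "High", "High"))


def audit(rows):
    """List (vul_id, user_type, recorded, computed) where the register and matrix differ."""
    mismatches = []
    for row in rows:
        for user, rec, calc in zip(USER_TYPES, row.recorded, row.computed()):
            if rec != calc:
                mismatches.append((row.vul_id, user, rec, calc))
    return mismatches


def halt_list(rows, user_type):
    """Vulnerabilities that, per Table 2-6, require operation to stop for this user."""
    idx = USER_TYPES.index(user_type)
    return [r.vul_id for r in rows if r.computed()[idx] == "Very High"]


def worklist(rows, user_type):
    """Rows for one user type, most severe first, each with its Table 2-6 action."""
    idx = USER_TYPES.index(user_type)
    ranked = sorted(rows, key=lambda r: LEVELS.index(r.computed()[idx]), reverse=True)
    return [(r.vul_id, r.computed()[idx], ACTIONS[r.computed()[idx]]) for r in ranked]


if __name__ == "__main__":
    for mismatch in audit(REGISTER_ROWS + [CONSTRUCTED_BAD_ROW]):
        print("inconsistent:", mismatch)
    for item in worklist(REGISTER_ROWS, "Government"):
        print(item)
```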

2.2.2 Risk Level Analysis of the System Vulnerabilities for the Reference System

Ground Station - System Level Threats

| Vulnerability Number | Vulnerability | Impact Level (0-4) | Likelihood (0-3) | Risk Level |
|---|---|---|---|---|
| Gnd 1 | Lack of a DMZ/firewall | 2 | 3 | High |
| Gnd 13 | No anti-virus software | 2 | 2 | Medium |
| Gnd 14 | Lack of regular virus definition update | 2 | 1 | Medium |
| Gnd 18 | Lack of logical access security (password and ID) | 2 | 3 | High |
| Gnd 20 | Lack of authentication and signature mechanisms | 2 | 2 | Medium |
| Gnd 21 | Unprotected password tables | 2 | 1 | Medium |
| Gnd 22 | Incorrect access rights | 2 | 1 | Medium |
| Gnd 23 | Lack of password security policy | 2 | 1 | Medium |
| Gnd 25 | Lack of system and network logging or poor audit log maintenance | 1 | 1 | Low |
| Gnd 26 | Lack of user roles for network and system access | 1 | 1 | Low |
| Gnd 35 | Components set too close to other components that emit electromagnetic emissions | 1 | 1 | Low |
| Gnd 36 | Lack of shielding for sensitive components | 1 | 1 | Low |
| Gnd 37 | Unsecured external ports to outside networks | 2 | 3 | High |
| Gnd 38 | Lack of interoperability | 1 | 3 | Medium |

Spacecraft - System Level Threats

| Vulnerability Number | Vulnerability | Impact Level (0-4) | Likelihood (0-3) | Risk Level |
|---|---|---|---|---|
| Sp 12 | Components set too close to other components that emit electromagnetic emissions | 3 | 2 | High |
| Sp 13 | Lack of shielding for sensitive components | 3 | 2 | High |
| Sp 14 | Lack of interoperability | 4 | 3 | Very High |
| Sp 18 | Lack of system software update mechanisms | 3 | 1 | High |


2.2.3 Risk Level Analysis of the Data Vulnerabilities for the Reference System

Impact Level (0-4) Risk Level Vulnerability

Number Vulnerability

Research Commercial Government Peacekeeping

Likelihood

(0-3) Research Commercial Government Peacekeeping

TC Data over Ground-to-Space Link – Link Level Threats

Lnk (G-S)1 TC Unencrypted data transmission 1 2 3 3 2 Low Medium High High

Lnk (G-S)2 TC Unauthenticated data transmission

1 2 3 3 2 Low Medium High High

Lnk (G-S)3 TC Lack of counters or time stamps 1 2 3 3 2 Low Medium High High

Lnk (G-S)4 TC Use of weak protocols and cryptographic algorithms

1 2 3 3 2 Low Medium High High

Lnk (G-S)5 TC Loss of signal or blocking of transmission

1 2 3 3 2 Low Medium High High

TC Data over Space-to-Space Link – Link Level Threats

Lnk (S-S)1 TC Unencrypted data transmission 1 2 3 3 1 Low Medium High High

Lnk (S-S)2 TC Unauthenticated data transmission

1 2 3 3 1 Low Medium High High

Lnk (S-S)3 TC Lack of counters or time stamps 1 2 3 3 1 Low Medium High High

Lnk (S-S)4 TC Use of weak protocols and cryptographic algorithms

1 2 3 3 1 Low Medium High High

Lnk (S-S)5 TC Loss of signal or blocking of transmission

1 2 3 3 1 Low Medium High High

TC Data over Ground-to-Ground Link – Link Level Threats

Lnk (G-G)1 TC Unencrypted data transmission 1 2 3 3 3 Medium High Very High Very High

Page 37: TMTC-SEC-OHB-RP-002-03 Risk Assessment 20060508emits.sso.esa.int/emits-doc/ESTEC/AO-1-5419-R09-Risk... · 2010-01-13 · EO Earth Observation ESA European Space Agency ... TMTC-SEC-OHB-RP-002-03_Risk_Assessment_20060508.doc

Telecommand and Telemetry System Security Design Study

ESA contract 19300/05/NL/JA

Risk Assessment Report

Doc.-No.:TMTC-SEC-OHB-RP-002

ESA Doc. No.: D1.2

Issue: 3.0 Date: 2006-05-05

Page: 37 of 145

TMTC-SEC-OHB-RP-002-03_Risk_Assessment_20060508.doc Page 37

Impact Level (0-4) Risk Level Vulnerability

Number Vulnerability

Research Commercial Government Peacekeeping

Likelihood

(0-3) Research Commercial Government Peacekeeping

Lnk (G-G)2 TC Unauthenticated data transmission

1 2 3 3 3 Medium High Very High Very High

Lnk (G-G)3 TC Lack of counters or time stamps 1 2 3 3 3 Medium High Very High Very High

Lnk (G-G)4 TC Use of weak protocols and cryptographic algorithms

1 2 3 3 3 Medium High Very High Very High

Lnk (G-G)5 TC Loss of signal or blocking of transmission

1 2 3 3 3 Medium High Very High Very High

TM Data over Ground-to-Space Link – Link Level Threats

Lnk (G-S)1 TM Unencrypted data transmission 1 2 3 3 2 Low Medium High High

Lnk (G-S)2 TM Unauthenticated data transmission

1 2 3 3 2 Low Medium High High

Lnk (G-S)3 TM Lack of counters or time stamps 1 1 1 1 2 Low Low Low Low

Lnk (G-S)4 TM Use of weak protocols and cryptographic algorithms

1 2 3 3 2 Low Medium High High

Lnk (G-S)5 TM Loss of signal or blocking of transmission

1 2 3 3 2 Low Medium High High

TM Data over Space-to-Space Link – Link Level Threats

Lnk (S-S)1 TM Unencrypted data transmission 1 2 3 3 1 Low Medium High High

Lnk (S-S)2 TM Unauthenticated data transmission

1 2 3 3 1 Low Medium High High

Lnk (S-S)3 TM Lack of counters or time stamps 1 1 1 1 1 Low Low Low Low

Lnk (S-S)4 TM Use of weak protocols and cryptographic algorithms

1 2 3 3 1 Low Medium High High

Page 38: TMTC-SEC-OHB-RP-002-03 Risk Assessment 20060508emits.sso.esa.int/emits-doc/ESTEC/AO-1-5419-R09-Risk... · 2010-01-13 · EO Earth Observation ESA European Space Agency ... TMTC-SEC-OHB-RP-002-03_Risk_Assessment_20060508.doc

Telecommand and Telemetry System Security Design Study

ESA contract 19300/05/NL/JA

Risk Assessment Report

Doc.-No.:TMTC-SEC-OHB-RP-002

ESA Doc. No.: D1.2

Issue: 3.0 Date: 2006-05-05

Page: 38 of 145

TMTC-SEC-OHB-RP-002-03_Risk_Assessment_20060508.doc Page 38

Impact Level (0-4) Risk Level Vulnerability

Number Vulnerability

Research Commercial Government Peacekeeping

Likelihood

(0-3) Research Commercial Government Peacekeeping

Lnk (S-S)5 TM Loss of signal or blocking of transmission

1 2 3 3 1 Low Medium High High

TM Data over Ground-to-Ground Link – Link Level Threats

Lnk (G-G)1 TM Unencrypted data transmission 1 2 3 3 3 Medium High Very High Very High

Lnk (G-G)2 TM Unauthenticated data transmission

1 2 3 3 3 Medium High Very High Very High

Lnk (G-G)3 TM Lack of counters or time stamps 1 1 1 1 3 Medium Medium Medium Medium

Lnk (G-G)4 TM Use of weak protocols and cryptographic algorithms

1 2 3 3 3 Medium High Very High Very High

Lnk (G-G)5 TM Loss of signal or blocking of transmission

1 2 3 3 3 Medium High Very High Very High

Ground - System Level Threats

Gnd 1 Lack of a DMZ/firewall 1 2 3 3 3 Medium High Very High Very High

Gnd 5 Unencrypted data transmission 1 2 3 3 2 Low Medium High High

Gnd 6 Critical data is stored in an unencrypted form

1 2 3 3 2 Low Medium High High

Gnd 7 Unauthenticated data transmission

1 2 3 3 2 Low Medium High High

Gnd 9 Use of shared network resources 1 2 3 3 1 Low Medium High High

Gnd 21 Unprotected password tables 1 2 3 3 1 Low Medium High High

Gnd 22 Incorrect access rights 1 2 3 3 1 Low Medium High High

Gnd 23 Lack of password security policy 1 2 3 3 1 Low Medium High High


Gnd 26 Lack of user roles for network and system access 1 2 3 3 1 Low Medium High High

Gnd 29 Lack of cryptographic key management. 1 2 3 3 2 Low Medium High High

Gnd 36 Lack of shielding for sensitive components (TEMPEST) 1 2 3 3 1 Low Medium High High

Gnd 37 Unsecured external ports to outside networks 1 2 3 3 3 Medium High Very High Very High

Gnd 39 Using the default system and network configurations 1 2 3 3 1 Low Medium High High

Gnd 40 Lack of physical security for test devices 1 1 2 2 1 Low Low Medium Medium

Gnd 44 No policy for decommissioning of data storage devices 1 2 3 3 2 Low Medium High High

Gnd 47 Use of weak protocols and cryptographic algorithms 1 2 3 3 2 Low Medium High High

Spacecraft - System Level Threats

Sp 3 Unencrypted data transmission inside spacecraft 1 2 3 3 1 Low Medium High High

Sp 4 Critical data is stored in an unencrypted form 1 2 3 3 0 Low Low Low Low

Sp 5 Unauthenticated data transmission inside spacecraft 1 2 3 3 1 Low Medium High High

Sp 8 Lack of cryptographic key management. 1 2 3 3 2 Low Medium High High


Sp 12 Components set too close to other components that emit electromagnetic emissions 1 2 3 3 1 Low Medium High High

Sp 13 Lack of shielding for sensitive components 1 2 3 3 1 Low Medium High High

Sp 18 Lack of system software update mechanisms. 1 2 3 3 2 Low Medium High High

Sp 20 Use of weak protocols and cryptographic algorithms 1 2 3 3 2 Low Medium High High


2.3 Aspects of Methods and Algorithms

The objective of this section is a risk assessment of methods and algorithms. To this end, a threat analysis is performed and linked to the system vulnerabilities. A risk analysis of possible attacks on algorithms is given in chapter 2.3.2, and a risk analysis of specific algorithms in chapter 2.3.3. The range of security-related issues concerning algorithms will grow with the complexity of systems, algorithms and protocols. A short introduction to algorithms and their mathematical background is given in chapters 4.4 and 4.2, in order to also build a feel for upcoming risks.

The table below relates the threats concerning algorithms / methods to the threats listed in section 2.1.3. The actual resulting risk depends on the system element where an algorithm / method is used.

2.3.1 Threat Analysis

Columns: Threat; Description; Related to Threat

Keys

Compromising: Disclosure of keys to unauthorized persons (refer to chapter 4.4.4.1).

Forgery: Forgery of keys for malicious purposes (refer to chapter 4.4.4.1).

Incorrect Usage: Use of improper keys for an application (refer to chapter 4.4.4.1).

Use of Short Keys: Use of keys with lengths not sufficient for correct cryptographic function (refer to chapter 2.3.2.2).

Simple Key Patterns: Use of keys that are easy to guess (e.g. names, birthdates).

Predictability: An attacker can predict the next used key (e.g. short term data encryption keys).

Weak Key: For some algorithms (e.g. DES and IDEA (see [Sch96])) there are "weak" keys which cause an undesirable cryptographic behavior.

Change Interval: Keys are not changed in regular or reasonably short intervals.

Related to Threat: 23, 31, 69, 71, 73

Hash and MAC Algorithms

Collision: The possibility to produce a second message with the same hash value as a given message (refer to 4.4.4). Related to Threat: 4, 5, 11, 12, 28, 70

Encryption Algorithms

Implementation Attacks: Attacks against possible errors of the implementation (refer to chapter 2.3.2.2). Related to Threat: 24, 28, 36, 56, 66, 70, 73, 79

Transmission Attacks: Attacks based on analysis of ciphertext (refer to chapter 2.3.2.1), e.g. differential cryptanalysis. Related to Threat: 2, 3, 4, 5, 9, 10, 11, 12, 19

Mode of Operation

Mickey Mouse Attack: Recognition of plaintext structures in ciphertext (refer to [DSIDA2]). Related to Threat: 24, 66


Birthday Attack: Cryptographic attack based on the birthday paradox [Sch96]. Related to Threat: 28, 70

Asymmetric Encryption Algorithms

Weak Elliptic Curve Parameters: Use of "weak" parameters in the elliptic equation for Elliptic Curve Cryptography. Related to Threat: 24, 28, 36, 66, 70, 73

Factorization Attack: Attack based on factorization of public key (refer to chapter 4.3). Related to Threat: 24, 28, 36, 66, 70, 73

Table 2-7 Table of threats concerning algorithms / methods


2.3.2 Attacks

2.3.2.1 Transmission Attacks

The following list is a short overview of attacks that are possible on transmission paths, such as ground-to-ground, ground-to-space and space-to-space transmissions, independent of the physical channel or transmission method used.

• Man-In-The-Middle Attack

To perform a Man-In-The-Middle attack, the attacker observes and intercepts the message between the sender and the recipient. The attacker is able to read, insert and modify messages between the two parties at will. Neither party knows that the link between them has been compromised. The Man-In-The-Middle attack is particularly applicable to the original Diffie-Hellman key exchange protocol when it is used without authentication. Although it is possible, it is very difficult to implement such an attack on the space-to-space or ground-to-space segments, because mostly RF links or laser links are used in these segments. A countermeasure to detect a Man-in-the-Middle attack is to use a digital signature, an encryption mode that supports authentication (e.g. GCM), or a message authentication code together with an encryption algorithm, to ensure that the integrity of the message is preserved. The recipient thus knows the signature of the sender and can check the integrity of the message.

• Replay/Rewrite Attack

To perform a block replay attack the attacker only needs to copy the encrypted message during transmission. After the transmission, the attacker sends the same message or a modified message to the recipient. If this attack is not detected by the recipient, the attacker has the potential to control a satellite. The attacker does not need to know the plain text; it is only necessary to know the reaction to the message. For example, if the attacker can see or guess which message, e.g. a telecommand, leads to a specific satellite operation, they can use this information to control a satellite through a replay attack. To this end, the attacker collects many messages and their reactions and sends them to the satellite in the required order.

To detect and block a replay attack, the encrypted message should contain a checksum calculated over the message and a timestamp or a unique serial number assigned at each transmission. With the timeout for valid messages as short as possible, a block replay can be detected.

• Differential Cryptanalysis

Differential cryptanalysis is the study of how differences in an input can affect the resultant difference at the output. In the case of a block cipher, it refers to a set of techniques for tracing differences through the network of transformations, discovering where the cipher exhibits non-random behavior, and exploiting such properties to recover the secret key (refer to [Sch96]).


• Linear Cryptanalysis

Linear cryptanalysis is used to find affine approximations for functions of the encryption algorithm. If the attacker can collect many samples of plain and cipher texts, the probability of guessing bits of the key increases (refer to [Sch96]).

A variety of refinements to the attack have been suggested, including using multiple linear approximations or incorporating non-linear expressions.

• Chosen Plain Text Attack

A chosen plain text attack is an attack model for cryptanalysis which presumes that the attacker has the capability to choose plain texts to be encrypted and obtain the corresponding cipher texts. The goal of the attack is to gain some further information which reduces the security of the encryption scheme. In the worst case, a chosen plain text attack could reveal the scheme's secret key. This appears, at first glance, to be an unrealistic model. It would certainly be unlikely that an attacker could persuade a human cryptographer to encrypt large amounts of plain texts of the attacker's choosing. Modern cryptography, on the other hand, is implemented in software or hardware and is used for a diverse range of applications. In many cases, a chosen plain text attack is very feasible. Chosen plain text attacks become extremely important in the context of public key cryptography, where the encryption key is public and the attacker can encrypt any plain text they choose.
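The replay countermeasure described under "Replay/Rewrite Attack" above, sketched as a receiver-side check. This is an added example, not part of the original report: the frame layout, the names build_frame, Receiver and demo, the 5-second validity window and the use of HMAC-SHA-256 as the "checksum" are assumptions, and encryption of the payload is left out so that only the freshness logic is shown.

```python
import hashlib
import hmac
import struct

MAC_LEN = 32                      # HMAC-SHA-256 tag length in bytes
HEADER = struct.Struct(">QI")     # assumed layout: 8-byte serial number, 4-byte timestamp (s)


def build_frame(key: bytes, seq: int, timestamp: int, payload: bytes) -> bytes:
    """Sender side: header || payload || HMAC(key, header || payload)."""
    body = HEADER.pack(seq, timestamp) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Accepts a frame only if it is authentic, fresh and not seen before."""

    def __init__(self, key: bytes, max_age_s: int = 5):
        self.key = key
        self.max_age_s = max_age_s   # "timeout for valid messages as short as possible"
        self.last_seq = -1           # highest serial number accepted so far

    def accept(self, frame: bytes, now: int):
        """Return (payload, verdict); payload is None when the frame is rejected."""
        if len(frame) < HEADER.size + MAC_LEN:
            return None, "too short"
        body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # The MAC is verified before any header field is trusted, so a
        # rewritten frame can never advance last_seq.
        if not hmac.compare_digest(tag, expected):
            return None, "bad MAC"
        seq, timestamp = HEADER.unpack_from(body)
        if abs(now - timestamp) > self.max_age_s:
            return None, "stale timestamp"
        if seq <= self.last_seq:
            return None, "replayed sequence number"
        self.last_seq = seq
        return body[HEADER.size:], "accepted"


def demo():
    """Constructed traffic: two genuine frames, a replay, a rewrite, a late frame."""
    key = bytes(range(32))                       # constructed demo key
    rx = Receiver(key, max_age_s=5)
    t0 = 1_000_000                               # constructed clock value
    frame1 = build_frame(key, 1, t0, b"TC: heater ON")
    frame2 = build_frame(key, 2, t0 + 1, b"TC: heater OFF")
    rewritten = bytearray(frame2)
    rewritten[HEADER.size + 4] ^= 0x01           # one payload bit changed in transit
    late = build_frame(key, 3, t0, b"TC: heater ON")
    return [
        rx.accept(frame1, now=t0)[1],
        rx.accept(frame1, now=t0 + 2)[1],        # copy of frame1, still inside the window
        rx.accept(bytes(rewritten), now=t0 + 2)[1],
        rx.accept(frame2, now=t0 + 2)[1],
        rx.accept(late, now=t0 + 60)[1],         # authentic but delivered too late
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The serial number catches a copy that arrives inside the validity window, and the timestamp bounds how long a captured frame stays usable if the receiver's counter state is lost.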


2.3.2.2 Implementation Attacks

The following list is a short overview of possible attacks on physical implementations of encryption algorithms, independent of the implementation technology.

• Brute Force Attack

In a brute force attack all possible keys are tried: if an encryption algorithm uses keys of 128 bit length, an attacker tries all keys (more than 3.4E38 keys) until the right one is found. For most encryption algorithms this seems to be impossible for the next years. All other attacks are compared with the brute force attack to express the efficiency of the attack under study (refer to [Sch96]).

• Side Channel Attack

Side channel attacks are not based on exploiting the mathematical properties of the algorithm; rather, they use a so-called side channel. Side channels typically give information about the internal state or about the operations used in the encryption algorithms. Side channel attacks target the security of the physical implementation. Therefore, it is possible that a cryptographically secure algorithm is insecure due to its implementation. Although different side channel attacks exist, the principal sequence of a side channel attack is always the same.

1. Initialization of measurement equipment
2. Transaction of encryption process
3. Measurement of side channel information
4. Analysis of measured data

Depending on the attack, the sequence is repeated several times. Each measurement is called a "sample".

The following three side channel attacks are studied in detail:

o Timing-Analysis attacks
o Power-Analysis attacks
o EM-Analysis attacks

Timing-Analysis Attack

Timing-analysis attacks exploit the fact that encryption algorithms use operations whose duration varies depending on the key or data value. The attacker measures several times how long an operation takes to complete. Differences in the measurements depend on the data that the operation uses. This can allow the attacker to draw conclusions on the distribution of zeros and ones. For example, in IDEA a modulo multiplication of two integers is performed. If one of the factors is zero, the time to complete the multiplication differs from the case where both factors are greater than zero (refer to [Med04]). This case is applicable to both software and hardware implementations.


Power-Analysis Attack

The current consumption is measured by an attacker. The attack is a passive type because the current consumption is measured outside of a module or IC by an attacker and no active manipulation is done. A typical scenario is that the current consumption of a selected operation is measured over a time range by an attacker and the secret key is calculated with statistical methods. Depending on how closely the measured current consumption and the secret information are related, the simple power attack or the differential power attack is used. The simple power attack is used if the current consumption is directly related to the secret information; otherwise the differential power analysis is used.

EM-Analysis Attack

The electromagnetic (EM) emanations are measured by an attacker by placing a probe as near as possible to the integrated circuit where the encryption algorithm is used, e.g. an ASIC or FPGA. This type of attack is divided into simple electromagnetic analysis (SEMA) and differential electromagnetic analysis (DEMA). For a specific probe position only the leakage of specific bits is measured, so the measurement is not disturbed by parallel computations on the chip. This is the main advantage of EM analysis over power analysis. This leakage allows the secret information of an encryption algorithm to be retrieved. This type of attack is described by [CCD2004] for implementations of AES in FPGAs.

Countermeasures

Side channel attacks can be prevented or weakened in different ways.

• Device Selection Level: A device is selected such that the current consumption is at nearly the same level for all operations, independent of the processed data.

• Algorithm Modification Level: The executed algorithm is modified in such a way that information depending on the current consumption or EM emanations is randomized and cannot be extracted easily.

• Protocol Modification Level: A protocol is used that is insensitive to side channel attacks, because no timing information about the used operations, algorithms and their internal states is released by the protocol.
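The IDEA case from the timing-analysis paragraph above, as an added example that is not part of the original report. It puts a common software formulation of IDEA's multiplication modulo 2^16 + 1, where a zero operand takes a shortcut, beside a formulation without data-dependent branches. The function names are hypothetical and the branching form is an assumption, not taken from [Med04]; Python integer arithmetic is not constant-time, so the block shows the control-flow structure that a C or hardware implementation would follow.

```python
MOD = 0x10001   # 2**16 + 1, the prime modulus of IDEA's multiplication


def mul_reference(a: int, b: int) -> int:
    """Definition: operand 0 encodes 2**16, result 2**16 is encoded as 0."""
    return (((a or 0x10000) * (b or 0x10000)) % MOD) & 0xFFFF


def mul_branching(a: int, b: int) -> int:
    """Zero operands return early, so run time depends on the data."""
    if a == 0:
        return (MOD - b) & 0xFFFF        # 2**16 * b == -b (mod 2**16 + 1)
    if b == 0:
        return (MOD - a) & 0xFFFF
    p = a * b
    lo, hi = p & 0xFFFF, p >> 16
    # p == hi * 2**16 + lo == lo - hi (mod 2**16 + 1)
    return (lo - hi + (1 if lo < hi else 0)) & 0xFFFF


def is_zero_bit(x: int) -> int:
    """1 if the 16-bit value x is 0, else 0, computed without a comparison."""
    return ((x - 1) >> 16) & 1


def mul_branch_free(a: int, b: int) -> int:
    """Same result with one instruction sequence for every operand pair."""
    a_full = a | (is_zero_bit(a) << 16)  # decode 0 -> 2**16
    b_full = b | (is_zero_bit(b) << 16)
    p = a_full * b_full                  # at most 2**32
    lo, hi = p & 0xFFFF, p >> 16
    r = lo - hi
    r += MOD & (r >> 17)                 # mask is all ones only when r < 0
    return r & 0xFFFF                    # 2**16 is encoded as 0


def check_equivalence(step: int = 257):
    """Compare both variants with the definition; returns (pairs, mismatches)."""
    edge = [0, 1, 2, 0x7FFF, 0x8000, 0xFFFE, 0xFFFF]
    values = sorted(set(edge) | set(range(0, 0x10000, step)))
    mismatches = 0
    for a in values:
        for b in values:
            want = mul_reference(a, b)
            if mul_branching(a, b) != want or mul_branch_free(a, b) != want:
                mismatches += 1
    return len(values) ** 2, mismatches


if __name__ == "__main__":
    print(check_equivalence())
```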


2.3.2.3 Risk Analysis of Attacks

The effort for a specific attack, depending on the operation type in which the algorithms are used, is listed in Table 2-8. The estimated effort is considered independently of the communication link being defended. Difficulties arising from the link type are not considered; for example, man-in-the-middle attacks on ground-to-space or space-to-space segments are implausible because an attacker is not able to intercept such a link. The following operation types are defined:

1. Weak symmetric encryption algorithm
Definition: A symmetric encryption algorithm with known weak design criteria, like a Feistel network with only a few rounds (e.g. 1..3) or an SP-Network with weak S-boxes, is used without any authentication method.

2. Strong symmetric encryption algorithm
Definition: A strong symmetric encryption algorithm with no known design errors, like AES, is used without any message authentication code.

3. Strong symmetric encryption algorithm with weak hash algorithm
Definition: A strong symmetric encryption algorithm as mentioned in 2 and a weak hash code are used.

4. Strong symmetric encryption algorithm with strong hash algorithm
Definition: A strong symmetric encryption algorithm as mentioned in 2 and a strong hash code, like RIPEMD160, are used.

5. Strong symmetric encryption algorithm with weak message authentication algorithm
Definition: A strong symmetric encryption algorithm and a weak message authentication code are used.

6. Strong symmetric encryption algorithm with strong message authentication algorithm
Definition: A strong symmetric encryption algorithm and a strong message authentication code, like HMAC, are used.

The effort for a successful attack is defined as

• very high (++): The technical and/or financial effort for the attack is very high, even if it is possible.

• high (+): The technical and/or financial effort for the attack is high.

• medium (○): The technical and/or financial effort of the attack is medium, and the price-performance ratio is moderate.

• low (-): The technical and/or financial effort is low and the attack is easy to perform for skilled personnel.

• very low (--): The technical and/or financial effort of the attack is very low, because the security weaknesses of the used algorithms are serious.


Attack | Type 1 | Type 2 | Type 3 | Type 4 | Type 5 | Type 6

Transmission Attacks

Man-in-the-Middle | -- | -- | -- | ○ | + | ++
Replay | --/-- | --/++ | --/++ | --/++ | --/++ | --/++
Rewrite | --/-- | ++/++ | ++/++ | ++/++ | ++/++ | ++/++
Comment: if no timestamp or a unique serial number is used / if a timestamp is used

Differential Cryptanalysis | -- | ○ | ○ | ○ | ○ | ○
Linear Cryptanalysis | -- | ○ | ○ | ○ | ○ | ○
Comment: only applicable, if plain text can be infiltrated or plain text (snippets) can be obtained

Chosen Plain Text | - | ○ | ○ | ○ | ○ | ○
Comment: only applicable, if plain text can be infiltrated

Implementation Attacks

Brute Force | -- | ++ | ++ | ++ | ++ | ++
Comment: attack depends on the key length; it is assumed that strong encryption algorithms do not have short key lengths.

Side Channel Analysis | -- | ++ | ++ | ++ | ++ | ++
Comment: it is assumed that strong encryption algorithms are implemented correctly, in such a way that they do not emit any information suitable for timing-, power- or EM-Analysis

Table 2-8 Risk analysis of attacks

From the table above it can be seen that the security is increased by concatenating message encryption and authentication algorithms. Although key agreement methods and algorithms are very important to the security of cryptographic systems, they do not affect the security of the cryptographic algorithms themselves and are therefore not considered in the table above.


2.3.3 Algorithm Description and Specific Attacks

Popular algorithms of the following categories and, where useful, the corresponding well-known attacks are described in this chapter:

• Hash algorithms;

• Symmetrical algorithms; and

• Asymmetrical algorithms.

2.3.3.1 Hash Algorithms

RIPEMD-160

RIPEMD-160 is a 160-bit cryptographic European hash algorithm, designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel. RIPEMD-160 is a strengthened version of RIPEMD. It has been developed in order to replace vulnerable hash algorithms like MD4 or untrustworthy hash algorithms like SHA-1, and for design criteria that require security levels up to secret.

The design criteria and a detailed description of RIPEMD-160 can be found at [DBP1996]. A one-way collision resistant hash algorithm must satisfy the following criteria (refer to [DBP1996]):

• preimage resistance: it is computationally infeasible to find any input which hashes to any pre-specified output.

• second preimage resistance: it is computationally infeasible to find any second input which has the same output as any specified input.

• collision resistance: it is computationally infeasible to find a collision, i.e. two distinct inputs that hash to the same result.

RIPEMD-160 complies with all three criteria.

SHA-1/256

The Secure Hash Algorithm (SHA-1) is a successor of MD4 and is based on its techniques, but produces a 160 bit hash value. It was proposed by NIST in 1995. It is one of several SHA variants, which differ in the supported output ranges and slightly in design:

• SHA-0 : published in 1993

• SHA-1 : published in 1995

• SHA-2 : consists of SHA-256, SHA-384 and SHA-512, published in 2002

For a detailed description of all SHA variants see NIST Standard FIPS 180-2 [NIST180-2].

Attacks:

Collisions have been found for SHA-0 and SHA-1 (see [BC2005] and [WYY2005], [Sch2005]). The SHA-2 algorithm is regarded as secure for the next few years.


2.3.3.2 Symmetrical Algorithms

AES

In 1997 the National Institute of Standards and Technology (NIST) began searching for an Advanced Encryption Standard (AES) to replace the old Data Encryption Standard (DES). In 2001 the block algorithm Rijndael, by the two Belgian authors Joan Daemen and Vincent Rijmen, was selected as the new AES algorithm. The algorithm can work with three different key lengths: 128, 192 and 256 bit. It can be implemented as efficiently in software as in hardware, and it is not subject to patents. Depending on the key length of the algorithm, a different number of rounds is needed for a complete encryption.

Key Length | Number of rounds (Block Length 128 bit)
128 bit | 10
192 bit | 12
256 bit | 14

Table 2-9 Number of rounds as a function of key length

Each round consists of 4 transformations:

• SubBytes, non-linear byte substitution using a substitution table (S-Box),

• ShiftRows, data is shifted cyclically over different offsets,

• MixColumns, the data is considered as polynomials over $GF(2^8)$ and multiplied modulo $x^4 + 1$ with a fixed polynomial,

• AddRoundKey, the round key is bitwise XORed with the data.

For the final round of the cipher, the MixColumns transformation is not used. For more detailed information about AES refer to [FIPS197].

Attacks:

Although AES can be described as a system of overdefined and sparse quadratic equations over GF(2) [CP2002], up to now the higher risk comes from practical attacks on AES that exploit implementation errors, as described in chapter 2.3.2.2. For example, a cache-timing attack on software implementations [Ber2005] is possible, as is an electromagnetic side channel attack on FPGA implementations [CCD2004].


Triple-DES (3DES, TDES, TDEA)

The Data Encryption Standard (DES) was released in 1976 as the official encryption standard in the USA.

Because the development of DES was controlled by the NSA (National Security Agency), and the changes to and publication of DES have an air of mystery, many people believe that a backdoor is implemented in DES. Although no rational argument exists against using the DES algorithm in the form of Triple-DES (TDEA), this leaves a negative impression. Even though no backdoor might be implemented, the use of normal DES is not recommended because of its small key length of 56 bit (for further details see [Sch96]). For further details on TDEA refer to [NIST800]. Triple-DES, also called 3DES, TDES or TDEA (Triple Data Encryption Algorithm), uses a key three times as long as that of DES, resulting in 168 bit. A variant, also called Triple-DES (2DES), uses a key only twice as long as that of DES, resulting in 112 bit, and is vulnerable to certain chosen-plaintext and known-plaintext attacks. Both variants use three DES engines in a slightly different sequence:

• TDEA: DES(k3;DES(k2;DES(k1;M))), where k1, k2, k3 are the three different, 56 bit long, keys

• 2DES: DES(k3;DES(k2;DES(k1;M))), k1 = k3

and M is the plaintext to encrypt.

Attacks:

A brute force attack on DES cracked an encrypted message in ca. 39 days with ca. 50000 CPUs in 1997. The attack was called "RSA challenge". If DES has to be used, the variant with the key three times as long (TDEA) should be used. "This is considered sufficiently secure at the moment." (BSI, [BSI2005]).


2.3.3.3 Asymmetrical Algorithms

RSA

RSA is the first complete public-key algorithm that can be used for encryption as well as for digital signatures. It was developed by the mathematicians Ron Rivest, Adi Shamir and Leonard Adleman at MIT in 1977. RSA is used in many cryptographic systems and it is a famous algorithm, but it is not recommended to use RSA in newly developed cryptographic systems. Because its mathematical basis is easy to understand, RSA is well suited to show the principle of public key cryptography (and its possible risks). A detailed description of an attack on RSA is given in section 4.3 (refer to [Sch96]). The definition is the following:

Step 1: choose two positive random prime numbers p and q such that p ≈ q
Step 2: compute n = pq
Step 3: compute φ(n) = (p - 1)(q - 1)
Step 4: choose a random integer e < φ(n), such that gcd(e, φ(n)) = 1
Step 5: compute d such that ed ≡ 1 mod φ(n)
Step 6: publicize (n, e) as the public key, safely destroy p, q and φ(n), and keep d as the private key.
Step 7: Encryption: to send a message m < n the sender creates the cipher text $c \leftarrow m^e \bmod n$
Step 8: Decryption: after receiving the cipher text c compute $m \leftarrow c^d \bmod n$.

The correctness of RSA is based on the Euler-Fermat theorem (see 4.2.6). Because

$ed \equiv 1 \bmod \varphi(n)$ (Eq. 2-1)

$ed - 1 = k\,\varphi(n)$ (Eq. 2-2)

$ed = k\,\varphi(n) + 1$ (Eq. 2-3)

With

$c \equiv m^{e} \bmod n$ (Eq. 2-4)

$c^{d} \equiv (m^{e})^{d} \bmod n$ (Eq. 2-5)

$c^{d} \equiv m^{ed} \bmod n$ (Eq. 2-6)

$c^{d} \equiv m^{k\,\varphi(n) + 1} \bmod n$ (Eq. 2-7)


To demonstrate that $c^{d}$ is really the original message m, we assume first that gcd(m,n) = 1. In this case, from the Euler-Fermat theorem:

$m^{\varphi(n)} \equiv 1 \bmod n$ (Eq. 2-8)

$m \equiv m^{k\,\varphi(n) + 1} \bmod n$ (Eq. 2-9)

$m^{1 \bmod \varphi(n)} \equiv m \bmod n$ (Eq. 2-10)

$m^{ed} \equiv m \bmod n$ (Eq. 2-11)

If gcd(m,n) = p, then gcd(m,q) = 1, and because p is prime it follows from Fermat's little theorem:

$m^{q-1} \equiv 1 \bmod q$ (Eq. 2-12)

$m^{(p-1)(q-1)} \equiv 1^{(p-1)} \bmod q$ (Eq. 2-13)

$m^{k(p-1)(q-1)} \equiv 1^{(p-1)k} \bmod q$ (Eq. 2-14)

$m^{k\,\varphi(n)} \equiv 1 \bmod q$ (Eq. 2-15)

$m^{k\,\varphi(n) + 1} \equiv m \bmod q$ (Eq. 2-16)

From gcd(m,n) = p it follows that

$m \equiv 0 \bmod p$ (Eq. 2-17)

From Eq. 2-16 and Eq. 2-17 it follows that

$m^{k\,\varphi(n) + 1} \equiv 0 \bmod p$ (Eq. 2-18)

$m^{k\,\varphi(n) + 1} \equiv m \bmod n$ (Eq. 2-19)


From Eq. 2-19 and Eq. 2-16 it follows that

$m^{1 \bmod \varphi(n)} \equiv m \bmod pq$ Eq. 2-20

$m^{1 \bmod \varphi(n)} \equiv m \bmod n$ Eq. 2-21

$m^{ed} \equiv m \bmod n$ Eq. 2-22

If $\gcd(m, n) = q$, the situation is the same, with $\gcd(m, p) = 1$.

Attacks:

The main attacks on the RSA algorithm are:

• Factorisation attack (compute p and q ← n)

• Estimation attack of φ(n) from n (compute φ(n) ← n)

• Discrete logarithm attack (compute m ← c)

For further details on factorisation attacks, see the detailed description in the annex (chapter 4.3).

For the secure use of RSA it is necessary to control the quality of all parameters and to use relatively long numbers. For the next few years an RSA key of 2048 bit is necessary. However, there are special cases which are not secure.
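The following added example (not part of the original report) runs Steps 2 to 8 with parameter checks and then decrypts every possible message, counting separately the messages with gcd(m, n) = 1 and those sharing a factor with n, the two cases of the correctness proof above. The primes 61 and 53, the exponent 17 and all function names are constructed for the example and are far too small for real use.

```python
from math import gcd, isqrt


def is_prime(x):
    """Trial division; adequate only for the toy sizes used here."""
    return x > 1 and all(x % f for f in range(2, isqrt(x) + 1))


def rsa_keygen(p, q, e):
    """Steps 2-6 for given primes p, q and public exponent e, with parameter checks."""
    if not (is_prime(p) and is_prime(q)) or p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q                                   # Step 2
    phi = (p - 1) * (q - 1)                     # Step 3
    if not 1 < e < phi or gcd(e, phi) != 1:     # Step 4
        raise ValueError("need 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)                         # Step 5: e*d = 1 mod phi(n)
    return (n, e), d                            # Step 6: public key, private key


def encrypt(m, pub):
    """Step 7: c = m^e mod n, defined only for 0 <= m < n."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < n")
    return pow(m, e, n)


def decrypt(c, pub, d):
    """Step 8: m = c^d mod n."""
    return pow(c, d, pub[0])


def roundtrip_census(pub, d):
    """Decrypt(encrypt(m)) for every m < n, split by the two cases of the proof."""
    n = pub[0]
    census = {"coprime": 0, "shares_factor": 0, "failures": 0}
    for m in range(n):
        census["coprime" if gcd(m, n) == 1 else "shares_factor"] += 1
        if decrypt(encrypt(m, pub), pub, d) != m:
            census["failures"] += 1
    return census


if __name__ == "__main__":
    pub, d = rsa_keygen(61, 53, 17)             # constructed toy parameters
    print("public key", pub, "private exponent", d)
    print("c for m = 65:", encrypt(65, pub))
    print(roundtrip_census(pub, d))
```

The census confirms that decryption recovers m in both cases of the proof; the parameter checks reject an exponent such as e = 3 here, because gcd(3, φ(n)) = 3.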

Diffie-Hellman

Diffie-Hellman is an agreement-only key agreement protocol¹ and as such requires explicit authentication. The two most used variants use either the multiplicative group of integers modulo n (original DH) or an elliptic curve group over a finite field (EC-DH). The security of the DH protocol is based on the difficulty of calculating discrete logarithms.

Original DH (refer to [Sch96]):

Prerequisites:

Communication parties A and B agree upon a large (e.g. 1024-bit and more) prime number n and a generator g before communication (those numbers do not need to be secret, may be shared among a group and may be used multiple times; however, n needs to satisfy some conditions to prevent known attacks).

Protocol:

1. A chooses a large random number $x$, calculates $X = g^x \bmod n$ and sends this value to B

2. B chooses a large random number $y$, calculates $Y = g^y \bmod n$ and sends this value to A

3. A calculates $K_{AB} = Y^x \bmod n$

4. B calculates $K_{BA} = X^y \bmod n$

A and B now share the same key, since $K_{AB} = g^{yx} \bmod n = g^{xy} \bmod n = K_{BA}$

EC-DH:

Prerequisites:

Communication parties A and B agree upon² a suitable elliptic curve E (defined by parameters p, a, b) and a base point $P_0$ (as generator of the group) of order n with $h \cdot n = \#E(GF(p))$ before communication (those parameters do not need to be secret, may be shared among a group and may be used multiple times; however, they need to satisfy some conditions to prevent known attacks).

Protocol:

1. A chooses a large random number $x$, calculates $X = [x] P_0$ and sends this value to B

2. B chooses a large random number $y$, calculates $Y = [y] P_0$ and sends this value to A

3. A calculates $K_{AB} = [h]([x] Y)$

4. B calculates $K_{BA} = [h]([y] X)$

A and B now share the same key $K_{AB} = [h]([x]([y] P_0)) = [h]([y]([x] P_0)) = K_{BA}$ (elliptic curve point multiplication is commutative)

¹ Strictly speaking, Diffie-Hellman is a basis for a whole family of protocols which use the core concepts of DH supplemented by attributes like implicit authentication etc.

² Or use some publicly available parameters, e.g. NIST curves

MQV

MQV is a key agreement protocol with implicit authentication belonging to the Diffie-Hellman family of protocols. The MQV protocol is most often used with an elliptic curve group over a finite field (EC-MQV), however it is easily adaptable to any finite group with hard discrete logarithm problem. The security of the MQV-protocol is based on the difficulty of calculation of discrete logarithms as stated above. For a more detailed description see [LMQS1998]. There are three versions of the protocol:

Protocol 1 (two-pass) is used for authenticated key agreement

Protocol 2 (one-pass) is used for authenticated key transport when a party is off-line

Protocol 3 (three-pass) is used for authenticated key agreement with key confirmation

EC-MQV Protocol 1:

Prerequisites:

Communication parties A and B agree upon a suitable elliptic curve E (defined by parameters p, a, b) and a base point $P_0$ (as generator of the group) of order n with $h \cdot n = \#E(GF(p))$ before communication (those parameters do not need to be secret, may be shared among a group and may be used multiple times; however, they need to satisfy some conditions to prevent known attacks). A owns a pair of private and public long-term keys for authentication $[w_A, W_A]$, and B respectively owns $[w_B, W_B]$. Both also have the authenticated (e.g. by certificates) public key of the other.

Protocol:

1. A chooses a large random number $r_A$, calculates $R_A = [r_A] P_0$ and sends this value to B

2. B chooses a large random number $r_B$, calculates $R_B = [r_B] P_0$ and sends this value to A

3. A performs a plausibility test on the value of $R_B$ and calculates the shared value $K_{AB}$ as $K_{AB} = [h]([s_A] S_B)$ with $s_A = r_A + \mu(R_A) \cdot w_A \pmod n$ and $S_B = R_B + [\mu(R_B)] W_B$ (where $\mu(T)$ is a mapping from point T to an integer value)

4. B performs a plausibility test on the value of $R_A$ and calculates the shared value $K_{BA}$ as $K_{BA} = [h]([s_B] S_A)$ with $s_B = r_B + \mu(R_B) \cdot w_B \pmod n$ and $S_A = R_A + [\mu(R_A)] W_A$

A and B now share the same authenticated key value $K_{AB} = [h]([s_A] S_B) = [h]([s_B] S_A) = K_{BA}$, since $S_A = [r_A + \mu(R_A) \cdot w_A] P_0 = [s_A] P_0$ and $S_B = [r_B + \mu(R_B) \cdot w_B] P_0 = [s_B] P_0$ (elliptic curve point multiplication is commutative)

EC-MQV Protocol 2:

Protocol 2 is the reduced version of protocol 1 to meet the requirement of unidirectional communication e.g. within store-and-forward networks like E-mail.

Prerequisites:

See EC-MQV Protocol 1

Protocol:

1. A chooses a large random number $r_A$, calculates $R_A = [r_A] P_0$ and sends this value to B

2. A calculates the shared value $K_{AB}$ as $K_{AB} = [h]([s_A] S_B)$ with $s_A = r_A + \mu(R_A) \cdot w_A \pmod n$ and $S_B = W_B + [\mu(W_B)] W_B$

3. B receives $R_A$ and performs a plausibility test on it, then calculates the shared value $K_{BA}$ as $K_{BA} = [h]([s_B] S_A)$ with $s_B = w_B + \mu(W_B) \cdot w_B \pmod n$ and $S_A = R_A + [\mu(R_A)] W_A$

A and B now share the same authenticated key value $K_{AB} = K_{BA}$; however, since B does not contribute randomness to the value of the shared key, this protocol does not possess the known-key security and forward secrecy attributes (as with all one-pass protocols).

EC-MQV Protocol 3:

Protocol 3 adds a key confirmation step to Protocol 1 to mitigate unknown key-share attacks.

Prerequisites:

See EC-MQV Protocol 1. Additionally, A and B agree upon a MAC function and two hash functions $H_1(m)$ and $H_2(m)$, where $H_1(m)$ is used for session key derivation and $H_2(m)$ is used for key confirmation (e.g. HMAC-RIPEMD-160 as MAC, and RIPEMD-160(const1, m) and RIPEMD-160(const2, m) as $H_1(m)$ and $H_2(m)$ respectively).

Protocol:

1. A chooses a large random number $r_A$, calculates $R_A = [r_A] P_0$ and sends this value to B

2. B receives $R_A$ and performs a plausibility test on it

a. B chooses a large random number $r_B$ and calculates $R_B = [r_B] P_0$

b. B calculates the shared value $K_{BA}$ as $K_{BA} = [h]([s_B] S_A)$ with $s_B = r_B + \mu(R_B) \cdot w_B \pmod n$ and $S_A = R_A + [\mu(R_A)] W_A$

c. B generates the encryption session key $k_{EB}$ as $H_1(K_{BA}.x)$ and the authentication session key $k_{AB}$ as $H_2(K_{BA}.x)$

d. B sends $R_B$ together with $\mathrm{MAC}(k_{AB}; 2, ID_B, ID_A, R_B, R_A)$ to A

3. A receives those and performs a plausibility test on $R_B$

a. A calculates the shared value $K_{AB}$ as $K_{AB} = [h]([s_A] S_B)$ with $s_A = r_A + \mu(R_A) \cdot w_A \pmod n$ and $S_B = R_B + [\mu(R_B)] W_B$

b. A generates the encryption session key $k_{EA}$ as $H_1(K_{AB}.x)$ and the authentication session key $k_{AA}$ as $H_2(K_{AB}.x)$

c. A sends $\mathrm{MAC}(k_{AA}; 3, ID_A, ID_B, R_A, R_B)$ to B

4. B receives this, calculates $\mathrm{MAC}(k_{AB}; 3, ID_A, ID_B, R_A, R_B)$ and compares it with the received value

A and B now share the same authenticated encryption and authentication session keys, $k_{EA} = k_{EB}$ and $k_{AA} = k_{AB}$ respectively.

EC-ElGamal

EC-ElGamal is an encryption/decryption algorithm³ based on elliptic curve arithmetic, allowing a communication party to send an encrypted message to another communication party without the need to share session keys. The security of the EC-ElGamal algorithm is based on the difficulty of calculating discrete logarithms over elliptic curves (refer to [BSS1999], [Wer2002]).

Prerequisites:

Communication parties A and B agree upon a suitable elliptic curve E (defined by parameters p, a, b) and a base point $P_0$ (as generator of the group) of order n with $h \cdot n = \#E(GF(p))$ before communication (those parameters do not need to be secret, may be shared among a group and may be used multiple times; however, they need to satisfy some conditions to prevent known attacks).

B (the receiver) owns a pair of private and public long-term keys for en-/decryption $[w_B, W_B]$ ($W_B = [w_B] P_0$); A (the sender) has the authenticated (e.g. by certificates) public key of B.

Encryption algorithm:

1. A chooses a large random number $k$

2. A calculates $Q = [k] P_0$ and $R = [k] W_B + M$, where $M$ is the message (a point on the elliptic curve) to send

3. The pair $(Q, R)$ is the encrypted message

Decryption algorithm:

1. B calculates $R^* = [w_B] Q$

2. B calculates $M = R - R^* = [k]([w_B] P_0) + M - [w_B]([k] P_0)$

³ The EC-ElGamal algorithm allows for the encrypted transmission of an elliptic curve point (which may be used for derivation of the session keys), but is not suitable for encryption of arbitrary messages.

EC-DSA

EC-DSA is an explicit digital signature algorithm based on elliptic curve arithmetic, allowing a communication party to sign a message, or to verify the signature of a message, in order to establish or verify the authenticity and integrity of the message. The security of the EC-DSA algorithm is based on the difficulty of calculating discrete logarithms over elliptic curves (refer to [IEEE1363], [Wer2002]).

Prerequisites:

Communication parties A and B agree upon a hash function, a suitable elliptic curve E (defined by parameters p, a, b) and a base point $P_0$ (as generator of the group) of order n with $h \cdot n = \#E(GF(p))$ before communication (those parameters do not need to be secret, may be shared among a group and may be used multiple times; however, they need to satisfy some conditions to prevent known attacks).

A (the signer) owns a pair of private and public long-term keys for authentication $[w_A, W_A]$ ($W_A = [w_A] P_0$); B (the receiver) has the authenticated (e.g. by certificate) public key of A.

Signing algorithm:

1. A calculates the hash value of the message $h_M = \mathrm{HASH}(\text{Message})$, e.g. RIPEMD-160

2. A chooses a large random number $k$

3. A calculates $R = [k] P_0$ and $r = X(R) \bmod n$, with $X(R)$ being the x-coordinate of $R$

4. A calculates $k' = k^{-1} \bmod n$

5. A calculates $s = k'(h_M + r \cdot w_A) \bmod n$

6. The pair $(r, s)$ is the signature of the message

Signature verification algorithm:

7. B verifies the values of $r$ and $s$ ($0 < r, s < n$)

8. B calculates the hash value of the message $h_M = \mathrm{HASH}(\text{Message})$

9. B calculates $s' = s^{-1} \bmod n$

10. B calculates $R = [s']([h_M] P_0 + [r] W_A)$

11. B calculates $t = X(R) \bmod n$, with $X(R)$ being the x-coordinate of $R$

12. The signature is considered valid if the calculated value $t$ is equal to the received value $r$

The private key of participant A is protected by the multiplication with $r$ in step 5. The number $r$ is protected by the one-way property of the point multiplication in step 3. The public key $W_A$ can be published, because it too is generated from the private key $w_A$ by a one-way operation.
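The EC-MQV Protocol 1 exchange (including the plausibility test on received points) and the EC-DSA signing and verification steps above can be traced on a toy curve; this is an added example, not code from the report. The curve parameters, the private keys, the choice of µ(T), the function names and the use of SHA-256 in place of RIPEMD-160 are assumptions made for the example.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration (real curves use n of 160 bits or more):
# E: y^2 = x^3 + 2x + 2 over GF(17), base point P0 of prime order n = 19, cofactor h = 1.
P, A, B = 17, 2, 2
P0, N, H = (5, 1), 19, 1
INF = None                                   # point at infinity
HALF = 1 << ((N.bit_length() + 1) // 2)      # used by mu() below


def add(S, T):
    """Point addition in affine coordinates."""
    if S is INF:
        return T
    if T is INF:
        return S
    (x1, y1), (x2, y2) = S, T
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if S == T:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def mul(k, T):
    """Point multiplication [k]T by double-and-add."""
    R = INF
    while k > 0:
        if k & 1:
            R = add(R, T)
        T, k = add(T, T), k >> 1
    return R


def plausible(T):
    """Plausibility test on a received point: on E, not infinity, order n."""
    if T is INF:
        return False
    x, y = T
    on_curve = 0 <= x < P and 0 <= y < P and (y * y - x**3 - A * x - B) % P == 0
    return on_curve and mul(N, T) is INF


def mu(T):
    """mu(T): point -> integer; assumed here as low half of x with the top bit set."""
    return T[0] % HALF + HALF


def mqv_shared(r_own, w_own, R_peer, W_peer):
    """EC-MQV Protocol 1, step 3 (A) or step 4 (B): K = [h]([s_own] S_peer)."""
    if not (plausible(R_peer) and plausible(W_peer)):
        raise ValueError("received point failed the plausibility test")
    s = (r_own + mu(mul(r_own, P0)) * w_own) % N
    S = add(R_peer, mul(mu(R_peer), W_peer))
    K = mul(H, mul(s, S))
    if K is INF:
        raise ValueError("degenerate shared value, restart with fresh ephemeral keys")
    return K


def hash_to_int(message):
    """hM reduced mod n; SHA-256 stands in for the RIPEMD-160 named on the page."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def ecdsa_sign(h_m, w, k=None):
    """Signing steps 2-6; a fixed k may be passed only to reproduce a worked value."""
    while True:
        k_i = k if k is not None else secrets.randbelow(N - 1) + 1
        r = mul(k_i, P0)[0] % N                       # step 3
        s = pow(k_i, -1, N) * (h_m + r * w) % N       # steps 4 and 5
        if r and s:
            return r, s                               # step 6
        if k is not None:
            raise ValueError("this k gives r = 0 or s = 0")


def ecdsa_verify(h_m, sig, W):
    """Verification steps 7-12."""
    r, s = sig
    if not (0 < r < N and 0 < s < N) or not plausible(W):
        return False
    R = mul(pow(s, -1, N), add(mul(h_m, P0), mul(r, W)))   # steps 9 and 10
    return R is not INF and R[0] % N == r                  # steps 11 and 12


if __name__ == "__main__":
    w_a, w_b = 3, 7                                  # constructed long-term private keys
    print("K_AB:", mqv_shared(5, w_a, mul(11, P0), mul(w_b, P0)))
    h_m = hash_to_int(b"TC frame (constructed)")
    sig = ecdsa_sign(h_m, w_a)
    print("signature", sig, "valid:", ecdsa_verify(h_m, sig, mul(w_a, P0)))
```

With a group this small a different hash value can verify by chance, which is one reason the key lengths discussed in this chapter matter.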

2.3.3.4 Risk Analysis of Algorithms

A comparison of the effort required for successful cryptographic attacks on the algorithms described above is made in this section. The effort for a successful attack is defined as

• very high (++): The technical and/or financial effort for a successful attack is very high, even if it is possible.

• high (+): The technical and/or financial effort for a successful attack is high.

• medium (○): The technical and/or financial effort for a successful attack is medium, and the price-performance ratio is moderate.

• low (-): The technical and/or financial effort is low and a successful attack is easy to perform for skilled personnel.

• very low (--): The technical and/or financial effort for a successful attack is very low, because the security holes of the algorithms used are serious.

| Algorithm | Effort | Comments |
|---|---|---|
| Hash Algorithms | | |
| RIPEMD-160 | + | Developed in Europe, no weaknesses found. |
| SHA-0 | -- | |
| SHA-1 | ○ | Collisions are found for SHA-0 and SHA-1 (see [BC2005] and [WYY2005], [Sch2005]). |
| SHA-2 | + | The SHA-2 algorithm is not yet as well analyzed as SHA-0 and SHA-1. The cryptographers Gilbert and Handschuh have studied SHA-2 and found no weaknesses. |
| Symmetrical Algorithms | | |
| AES | ++ | Vulnerability: Overdefined and sparse quadratic equations (see page 50). |
| DES | -- | Too short key length (56 bit). Possible backdoor (see page 51). |
| TDEA | + | Possible backdoor (see page 51). |
| Asymmetrical Algorithms | | |
| RSA | + | secure with appropriate key lengths (>1023 bits) |
| DH | + | |
| EC-DH | ++ | vulnerable to man-in-the-middle attack |
| MQV | + | |
| EC-MQV | ++ | Hugo Krawczyk has proposed alleged weaknesses of MQV in [Kra2005]. It seemed not to be clear that all the weaknesses are fixed by HMQV (refer to [Men2005]). However, MQV is patented by Certicom, USA. |
| ElGamal | + | secure with appropriate key lengths (>1023 bits) |
| EC-ElGamal | ++ | secure with appropriate key lengths (>159 bits) |
| DSA | + | secure (uses 1024 bit) |
| EC-DSA | ++ | secure (uses 160 bit) |

Table 2-10 Risk Analysis of Algorithms

2.3.4 Impact Analysis and Conclusion

The theoretical and mathematical background of the algorithms and methods is given in chapter 4.2. Any security hole in an algorithm and/or method will lead to an insecure system. It is very difficult to quantify how strong the impact on the system is, because the usage of the algorithms and/or methods in the system is not defined. For example, a successful side-channel attack (EM analysis) on an AES implementation can result in a serious security leak on the ground station, but the same bad implementation will cause no problem in space, because the side-channel attack cannot be realized in space in the same easy way. So this implementation error will lead to a system threat, e.g. perhaps GN27: hidden communication channels (refer to Chapter 2.2.3), if an attacker has access to the encryption hardware and has measurement equipment.

All described algorithms were analysed and assessed in chapter 2.3.3.4. The effort for attacks on ECC algorithms is very high (if an appropriate key length is used). The asymmetric algorithms based on the discrete logarithm problem are assessed as high, because with future computation power attacks against this problem will become easier than attacks on EC cryptography with the same key lengths. All algorithms assessed with a high or very high effort can be recommended for use in cryptographic systems. An impression of possible problems is given in the comments column. The definite decision to use an algorithm in a system depends on further aspects, like performance, implementation issues, etc., discussed in phase 2 of this study.

2.4 Aspects of Protocols

The objective of this section is a risk assessment of protocols. Therefore a threat analysis is done and a linkage to the system vulnerabilities is made.

A short overview of space-link related security protocols is given in Chapter 4.5.

2.4.1 Protocol Attacks

Protocol attacks are threats initiated by human sources. The basic prerequisite for these attacks is access to the affected communication link. Cracked or misconfigured computer systems, direct connections or wireless connections can provide this access, so the attacker can eavesdrop on the link and perform further traffic analysis. The objective is to collect information in order to start an attack on the analysed vulnerabilities of the attacked system or network. Most of the vulnerabilities are implementation weaknesses, so the complexity of these sequences, methods and algorithms is a very important aspect in the development, test and certification phases of a system. There are two possible cases of those vulnerabilities:

• Implementations of cryptography into communication protocols

• Implementations of cryptography and communication protocols in soft- or hardware

As a result of these weaknesses, soft-/hardware threats emerge. So every impact on those levels becomes sooner or later a system-level threat. Security aspects of protocols, especially the Internet Protocol, are a fast-moving field, because the environment is, too. Many institutions, organisations and groups collect and provide information about vulnerabilities, attacks, etc. Official resources are, for instance, the National Vulnerability Database (NVD, http://nvd.nist.gov/) and Common Vulnerabilities and Exposures (CVE, http://cve.mitre.org/). Unofficial resources are plentiful on the internet. It is important to know that an attacker has access to these resources too, and that software packages can additionally perform attacks on the known vulnerabilities automatically. This is a very serious threat inside public networks, where a lot of people have access to affected communication systems (e.g. security gateways, etc.).

The tables below list the threats to the different protocols in the system. The protocol threats are separated into the system locations where they are present.

2.4.2 TC Links (Gnd-to-Sc, Gnd-to-Gnd Wired, Gnd-to-Gnd Wireless, Sc-to-Sc) - Communication Channel Threats

| Threat | Description | Threat for vulnerability |
|---|---|---|
| Confidentiality | | |
| Eavesdropping | The first passive attack, eavesdropping, is the interception of communications by unintended recipients. If no security mechanisms are used, capture of plain text messages is possible. It is very difficult, most of the time impossible, to detect this attack. | Prot 3, Prot 4, Prot 10, Prot 11 |
| Availability | | |
| Denial of Service (DoS) | A denial of service is an active attack to jam or destroy a communication link, network connectivity or distributed services by consuming the bandwidth of the attacked network or overloading the computational resources of the assaulted system. A distributed DoS attack is an extension of a DoS attack where computer systems compromised by viruses or Trojan horses are instructed to perform DoS attacks. | Prot 1, Prot 2, Prot 10, Prot 11 |
| Entity Integrity and Access Control | | |
| Replay | A replay is a simple active attack where a valid data transmission is maliciously or fraudulently repeated or delayed. Intentions are to disturb the protocol sequences or initiate malfunctions in the attacked system. Replay attacks can be supplemented with data modifications. | Prot 9 |
| Data Integrity | | |
| Data Modification | The modification of message data is an active attack where the attacker uses masquerade or replay techniques in combination with a specific modification of the message data. | Prot 7, Prot 8, Prot 10, Prot 11 |

Table 2-11 Table of threats to TC protocols.

2.4.3 TM Links (Gnd-to-Sc, Gnd-to-Gnd Wired, Gnd-to-Gnd Wireless, Sc-to-Sc) - Communication Channel Threats

| Threat | Description | Threat for vulnerability |
|---|---|---|
| Confidentiality | | |
| Eavesdropping | The first passive attack, eavesdropping, is the interception of communications by unintended recipients. If no security mechanisms are used, capture of plain text messages is possible. It is very difficult, most of the time impossible, to detect this attack. | Prot 3, Prot 4, Prot 10, Prot 11 |
| Availability | | |
| Denial of Service (DoS) | A denial of service is an active attack to jam or destroy a communication link, network connectivity or distributed services by consuming the bandwidth of the attacked network or overloading the computational resources of the assaulted system. A distributed DoS attack is an extension of a DoS attack where computer systems compromised by viruses or Trojan horses are instructed to perform DoS attacks. | Prot 1, Prot 2, Prot 10, Prot 11 |
| Entity Integrity and Access Control | | |
| Replay | A replay is a simple active attack where a valid data transmission is maliciously or fraudulently repeated or delayed. Intentions are to disturb the protocol sequences or initiate malfunctions in the attacked system. Replay attacks can be supplemented with data modifications. | Prot 9 |
| Data Integrity | | |
| Data Modification | The modification of message data is an active attack where the attacker uses masquerade or replay techniques in combination with a specific modification of the message data. | Prot 7, Prot 8, Prot 10, Prot 11 |

Table 2-12 Table of threats to TM protocols.

2.4.4 Ground Protocol Threats

| Threat | Description | Threat for vulnerability |
|---|---|---|
| Confidentiality | | |
| Eavesdropping | The first passive attack, eavesdropping, is the interception of communications by unintended recipients. If no security mechanisms are used, capture of plain text messages is possible. It is very difficult, most of the time impossible, to detect this attack. | Prot 3, Prot 4, Prot 10, Prot 11 |
| Traffic Analysis | Traffic analysis is the second passive attack. The purpose is to collect information about the networks, connected computer systems, timings, use of protocols of higher layers, use of cryptographic mechanisms, etc. Monitoring a communication link is usually feasible with low effort. Traffic analysis tasks may be supported by dedicated computer software programs, including commercially available programs. This is a high risk potential. It is very difficult, most of the time impossible, to detect this attack. It is mostly the first step to prepare further attacks. | Prot 5, Prot 6, Prot 10, Prot 11, Prot 12 |
| Gateway clear-text | Messages are in clear text at gateways or boundaries of protocols. | Prot 13 |
| Availability | | |
| Denial of Service (DoS) | A denial of service is an active attack to jam or destroy a communication link, network connectivity or distributed services by consuming the bandwidth of the attacked network or overloading the computational resources of the assaulted system. A distributed DoS attack is an extension of a DoS attack where computer systems compromised by viruses or Trojan horses are instructed to perform DoS attacks. | Prot 1, Prot 2, Prot 10, Prot 11 |
| Key Mismatch | Valid keys for the security services used on the protocol are out of sync between the ground station and the spacecraft | Prot 14 |
| Entity Authentication and Access Control | | |
| Masquerade (Spoofing) | Masquerading is the process of network address translation (NAT, also known as network masquerading or IP-masquerading) performed by re-writing the source and/or destination addresses of IP packets as they pass through a router or firewall. An attacker can use these techniques to pretend a different identity to communication partners. It is used in conjunction with replay attacks or data modification. The main profits of this attack are to get unauthorized access and to redirect communication paths. | Prot 1, Prot 2, Prot 10, Prot 11 |
| Replay | A replay is a simple active attack where a valid data transmission is maliciously or fraudulently repeated or delayed. Intentions are to disturb the protocol sequences or initiate malfunctions in the attacked system. Replay attacks can be supplemented with data modifications. | Prot 9 |
| Data Integrity | | |
| Data Modification | The modification of message data is an active attack where the attacker uses masquerade or replay techniques in combination with a specific modification of the message data. | Prot 7, Prot 8, Prot 10, Prot 11 |

Table 2-13 Table of threats to ground protocols.

2.4.5 Spacecraft Protocol Threats

| Threat | Description | Threat for vulnerability |
|---|---|---|
| Confidentiality | | |
| Eavesdropping | The first passive attack, eavesdropping, is the interception of communications by unintended recipients. If no security mechanisms are used, capture of plain text messages is possible. It is very difficult, most of the time impossible, to detect this attack. | Prot 3, Prot 4, Prot 10, Prot 11 |
| Availability | | |
| Denial of Service (DoS) | A denial of service is an active attack to jam or destroy a communication link, network connectivity or distributed services by consuming the bandwidth of the attacked network or overloading the computational resources of the assaulted system. A distributed DoS attack is an extension of a DoS attack where computer systems compromised by viruses or Trojan horses are instructed to perform DoS attacks. | Prot 1, Prot 2, Prot 10, Prot 11 |
| Key Mismatch | Valid keys for the security services used on the protocol are out of sync between the ground station and the spacecraft | Prot 14 |
| Entity Authentication and Access Control | | |
| Replay | A replay is a simple active attack where a valid data transmission is maliciously or fraudulently repeated or delayed. Intentions are to disturb the protocol sequences or initiate malfunctions in the attacked system. Replay attacks can be supplemented with data modifications. | Prot 9 |
| Data Integrity | | |
| Data Modification | The modification of message data is an active attack where the attacker uses masquerade or replay techniques in combination with a specific modification of the message data. | Prot 7, Prot 8, Prot 10, Prot 11 |

Table 2-14 Table of threats to spacecraft protocols.

2.4.6 Vulnerability Analysis

Table 2-15 identifies the vulnerabilities associated with the previously listed protocol threats. The vulnerabilities are listed with a vulnerability number, which is referenced by the threat lists. The columns to the right of the vulnerabilities show which protocols in the system are affected.

| Vul. Number | Vulnerability | Location (Spacecraft / Ground / TM / TC Link) |
|---|---|---|
| Prot 1 | No entity authentication mechanisms implemented | * * * |
| Prot 2 | Poor keys used in entity authentication mechanisms | * * * |
| Prot 3 | Lack of confidentiality mechanisms | * * * |
| Prot 4 | Poor keys used for confidentiality mechanisms | * * * |
| Prot 5 | Lack of traffic flow (connection) confidentiality services | * |
| Prot 6 | Poor keys used for traffic flow confidentiality services | * |
| Prot 7 | No data integrity services implemented | * * * |
| Prot 8 | Poor keys used for data integrity services | * * * |
| Prot 9 | Lack of data (message) counters | * * * |
| Prot 10 | Faulty implementation of security services | * * * |
| Prot 11 | Weak algorithms used for security services or mechanisms | * * * |
| Prot 12 | Confidentiality is applied only to the application layer | * * * |
| Prot 13 | Confidentiality is applied only to the data, transport or network layers | * |
| Prot 14 | No key counter transferred between system units or no key counter recovery procedure | * * |

Table 2-15 Protocol vulnerability listing.
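The following sketch is an added example, not part of the original report: it shows how the absence of a message counter (Prot 9), of an integrity service (Prot 7) and of a transferred key counter (Prot 14) plays out at a telecommand receiver. The frame layout, the status strings, the keys and the forward-only key recovery policy are assumptions made for this illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16                   # truncated HMAC-SHA256 tag (length assumed here)
HDR = struct.Struct(">HI")     # key counter (16 bit) | message counter (32 bit)


def make_tag(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


def build_frame(key, key_counter, msg_counter, payload):
    """Constructed layout: header | payload | tag over header + payload."""
    header = HDR.pack(key_counter, msg_counter)
    return header + payload + make_tag(key, header + payload)


class Receiver:
    def __init__(self, keys, active_key_counter, check_msg_counter=True):
        self.keys = dict(keys)              # key counter -> pre-shared key
        self.active = active_key_counter    # key counter currently in use
        self.check_msg_counter = check_msg_counter
        self.last_msg_counter = -1          # highest counter accepted so far

    def accept(self, frame):
        if len(frame) < HDR.size + TAG_LEN:
            return "REJECT_MALFORMED"
        header = frame[:HDR.size]
        payload = frame[HDR.size:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        key_counter, msg_counter = HDR.unpack(header)

        key = self.keys.get(key_counter)
        if key is None:
            return "REJECT_UNKNOWN_KEY"
        # Prot 7: nothing in the frame is trusted until the tag verifies.
        if not hmac.compare_digest(tag, make_tag(key, header + payload)):
            return "REJECT_BAD_TAG"

        # Prot 14: the authenticated key counter tells a peer that is out of
        # sync apart from a forged frame. Policy assumed here: move forward
        # only, never back to an older key.
        if key_counter < self.active:
            return "REJECT_STALE_KEY"
        resynced = key_counter > self.active
        if resynced:
            self.active = key_counter
            self.last_msg_counter = -1

        # Prot 9: a valid tag alone does not stop a replay; the counter does.
        if self.check_msg_counter and msg_counter <= self.last_msg_counter:
            return "REJECT_REPLAY"
        self.last_msg_counter = msg_counter
        return "ACCEPT_RESYNC" if resynced else "ACCEPT"


def demo():
    keys = {1: bytes(range(32)), 2: bytes(range(32, 64))}   # constructed keys
    frame = build_frame(keys[1], 1, 0, b"TC:HEATER_ON")     # constructed command
    tampered = frame[:HDR.size] + b"TC:HEATER_OF" + frame[-TAG_LEN:]
    weak = Receiver(keys, 1, check_msg_counter=False)
    hardened = Receiver(keys, 1)
    return {
        "weak_replay": [weak.accept(frame), weak.accept(frame)],
        "hardened_replay": [hardened.accept(frame), hardened.accept(frame)],
        "tampered": hardened.accept(tampered),
        "newer_key": hardened.accept(build_frame(keys[2], 2, 0, b"TC:NOOP")),
        "older_key": hardened.accept(build_frame(keys[1], 1, 9, b"TC:NOOP")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The receiver without the counter check accepts the same authenticated frame twice, which is the replay threat of Table 2-14 mapped to Prot 9.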

2.4.7 Connectivity

The risks arising from connectivity are important aspects in developing a secure system design. The risks of pure link-by-link and pure end-to-end security realizations are shown in this chapter. In practice, a combination of both types is used, and it is reasonable to build a secure system with regard to Quality of Service (QoS), protocol-specific fragmentation, bit efficiency, delay tolerances, access control/authorization and the usage of specific cryptographic algorithms and methods.

2.4.7.1 Link-by-link Security Realization

Every link in the chain has its own protocol (protocol A, B) and security mechanisms, so secure authorisation and access control schemes can be realized simply. Furthermore, the data content can be filtered or virus-checked to protect the network against protocol attacks, up to and including the data of application-level protocols (e.g. realized in application-level firewalls). The following figure shows a typical link-by-link realization.

[Figure 2-3 diagram: USER, GATEWAY (1..n) and PAYLOAD; link A carries Protocol A and link B carries Protocol B, each with its own link security mechanisms.]

Figure 2-3 Link-by-link security realization

The main threat of this solution is the fact that confidential data (marked red in the following figure) will be processed in plaintext inside the security gateways. The user has to trust every single gateway in this chain.

[Figure 2-4 diagram labels: GATEWAY containing protocol module A, protocol module B, a data gateway and two cryptography modules; protocol A on one side, protocol B on the other.]

Figure 2-4 Plaintext processing inside security gateways

Protecting every security gateway in the chain against attacks aimed at obtaining confidential user data, the theft of cryptographic secrets, configuration changes and other physical attacks is expensive. Every security gateway must be kept up to date with authentication keys, crypto parameters, and access and control schemes, which requires a high management effort. The risk of configuration faults is very high. Furthermore, if different algorithms or methods are applied, every protocol interface in the chain must be designed with respect to protocol-specific fragmentation, link efficiency and QoS aspects, consistent with the cryptographic conditions (e.g. algorithm-based block lengths).

If the end-to-end communication link is not established, the authentication delays and key agreement delays of every link add up.

2.4.7.2 End-to-end Security Realization

A security protocol can be realized between user and payload by using another protocol 'C' with security functionality. Protocol A and B are only unsecured transport protocols. Consequently, the confidentiality of the data is given over the complete communication link.

Authorisation and access control schemes can be realized only between user and payload. The data content cannot be filtered or virus-checked, so the service provider can apply user access control only within the payload. The following figure shows a simplified end-to-end security realization.

[Figure 2-5 diagram labels: USER, GATEWAY (1..n) and PAYLOAD; link A (Protocol A), link B (Protocol B), link security mechanisms, and Protocol C.]

Figure 2-5 End-to-end security realization

The encrypted and signed message (application data, including the dedicated message header) must not be modified on the way through the system to guarantee the communication capability.

2.4.7.3 Combinations

The third possibility is the combination of both, to embed an end-to-end security link into link-by-link security (if required). This technique is called tunnelling.

This solution provides a flexible way to build a secure system, but it will produce some protocol overhead at those links where the tunnelling is used.

An authentication in combination with authorization for services (access to systems, functions, networks) is highly recommended, if a communication link uses a public network (especially the Internet).
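The three realizations of Sections 2.4.7.1 to 2.4.7.3 can be compared in a short sketch, given here as an added example that is not part of the original report: it shows what a gateway can read in each case, that a modification of an end-to-end protected message in transit is detected at the payload, and the overhead that tunnelling adds per link. The HMAC-based encrypt-then-MAC routine is a stand-in chosen so the sketch runs with the standard library only; the keys, the message and all function names are assumptions.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 16
OVERHEAD = NONCE_LEN + TAG_LEN      # bytes added by each protection layer


def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()


def _xor_keystream(key, nonce, data):
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += _prf(key, b"enc", nonce + block.to_bytes(4, "big"))
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def protect(key, plaintext):
    """Encrypt-then-MAC, output nonce | ciphertext | tag.
    HMAC-based stand-in so the sketch runs offline; use a vetted AEAD in practice."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _xor_keystream(key, nonce, plaintext)
    return nonce + ciphertext + _prf(key, b"mac", nonce + ciphertext)[:TAG_LEN]


def unprotect(key, blob):
    if len(blob) < OVERHEAD:
        raise ValueError("truncated message")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _prf(key, b"mac", nonce + ciphertext)[:TAG_LEN]):
        raise ValueError("integrity check failed")
    return _xor_keystream(key, nonce, ciphertext)


def link_by_link(msg, key_a, key_b):
    """The gateway terminates link A and opens link B, so it handles plaintext."""
    on_link_a = protect(key_a, msg)
    gateway_view = unprotect(key_a, on_link_a)
    on_link_b = protect(key_b, gateway_view)
    return {"gateway_view": gateway_view,
            "delivered": unprotect(key_b, on_link_b),
            "bytes_on_link": len(on_link_a)}


def end_to_end(msg, key_c, gateway=None):
    """Protocol C between user and payload; the gateway holds no key."""
    blob = protect(key_c, msg)
    forwarded = gateway(blob) if gateway else blob
    try:
        delivered = unprotect(key_c, forwarded)
    except ValueError:
        delivered = None            # modified in transit: payload rejects it
    return {"gateway_view": blob, "delivered": delivered,
            "bytes_on_link": len(blob)}


def tunnelled(msg, key_a, key_b, key_c):
    """End-to-end protection embedded into link-by-link protection."""
    inner = protect(key_c, msg)
    on_link_a = protect(key_a, inner)
    gateway_view = unprotect(key_a, on_link_a)   # still protected under key C
    on_link_b = protect(key_b, gateway_view)
    return {"gateway_view": gateway_view,
            "delivered": unprotect(key_c, unprotect(key_b, on_link_b)),
            "bytes_on_link": len(on_link_a)}


if __name__ == "__main__":
    ka, kb, kc = b"A" * 32, b"B" * 32, b"C" * 32    # constructed keys
    msg = b"TC:PAYLOAD_CONFIG mode=7"               # constructed message
    print(link_by_link(msg, ka, kb)["gateway_view"])
    print(end_to_end(msg, kc)["gateway_view"].hex())
    print(tunnelled(msg, ka, kb, kc)["bytes_on_link"], "bytes vs", len(msg))
```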

2.4.8 Security Services on OSI and CCSDS Protocol Layers

The following tables (see Table 2-16 and Table 2-17) provide a quick view of the security services available on the OSI and CCSDS protocol layers. The tables have been divided into two colour coded sections with the yellow layers indicating link-by-link security and the light orange highlighting the layers capable of end-to-end security.

Figure 2-6 shows the available security for each CCSDS layer.

OSI Layers

Physical Data Link Network Transport Session Presentation Application

Entity Authentication Yes Yes Yes

Data Authentication Yes Yes Yes

Access Control Yes Yes Yes

Data Confidentiality Yes Yes Yes Yes Yes

Traffic Flow Confidentiality Yes Yes Yes Yes

Data Integrity Yes Yes Yes

Table 2-16 Security services available on the different OSI layers.

CCSDS Layers

Physical Data Link Network Application

Entity Authentication Yes Yes

Data Authentication Yes Yes

Access Control Yes Yes

Data Confidentiality Yes Yes Yes Yes

Traffic Flow Confidentiality Yes Yes Yes

Data Integrity Yes Yes

Table 2-17 Security services available on the CCSDS layers.

[Figure 2-6 diagram labels: Application Process with Application Layer Security; Transport Layer; Network (or Packet) Layer with Network and Packet Layer Security; Bulk Encryption; Data Link Layer with Link Layer Security; Logical Link Coding; Physical Layer.]

Figure 2-6 CCSDS layer view with possible additional security.

2.4.9 Implementation Aspects

As Chapter 2.4.1 emphasized, the implementation of protocols is an important issue.

The main conventional implementation designs of protocol functionality in combination with cryptography are shown in Table 2-18. The following ratings are estimates and are meant as guidelines, because a precise evaluation can only be performed on the actual implementation. It is often advisable to realize only the vulnerable parts in hardware. For instance, a hardware stack implementation for the Internet Protocol (IP) can be a protection against buffer overflow attacks.

The use of an operating system (OS) plays an important role, too. Here, criteria like flexibility and development effort conflict with the security requirements of the system. The functional range of an OS (e.g. software modules like services, drivers or program packages) shall be reduced to the minimum necessary to fulfil the required functionality. A few of these implementation types are especially suited to protecting confidential mechanisms or other cryptographic secrets, but this must be evaluated on the actual design implementation. For instance, cryptographic algorithms can be placed into a physically tamper-protected chip or box. The vulnerability is based only on effects initiated by protocol attacks.

Flexibility means the possibility of changing, modifying and updating the protocol functionality. “Update” is understood as a fast reaction to recently discovered protocol vulnerabilities.

Costs means material costs, development costs and time, testability and integration aspects.

Num | Implementation Type | Vulnerability (high, medium, low) | Flexibility (high, medium, low) | Costs (high, medium, low)
--- | --- | --- | --- | ---
1 | Protocol handling is realized in hardware; data handling is realized in hardware; cryptography is realized in hardware | low | low | high
2 | Protocol handling is realized in hardware; data handling is realized in software; cryptography is realized in hardware; an operating system is not used | low | low | high
3 | Protocol handling is realized in hardware; data handling is realized in software; cryptography is realized in hardware; an operating system is used | low - medium | low - medium | medium - high
4 | Protocol handling is realized in software; data handling is realized in software; cryptography is realized in hardware; an operating system is not used | medium | medium | medium
5 | Protocol handling is realized in software; data handling is realized in software; cryptography is realized in hardware; an operating system is used | medium - high | medium - high | medium
6 | Protocol handling is realized in software; data handling is realized in software; cryptography is realized in software; an operating system is not used | medium - high | medium - high | low - medium
7 | Protocol handling is realized in software; data handling is realized in software; cryptography is realized in software; an operating system is used | high | high | low

Table 2-18 Impact of implementation types

2.4.10 Impact Analysis

The concrete impacts of protocol attacks on the system depend on the system architecture and on the place and type of the attack. Refer to Section 2.2 (Impact Analysis), using the resulting system threats from the table in Section 2.4.1.

2.4.11 Conclusion

Today, space missions do not exclusively use closed, mission-only networks. End-to-end connections from user to spacecraft payloads over open networks (internet) have become standard. So the telecommunication link, including protocols/cryptography, is subject to more attacks than in the past. The security risks to both spacecraft and ground systems are increasing. The difficulty is to ensure high system interoperability combined with high security. Threats originating in protocols are mostly connected with the cryptography and implementation used, so the development of all related system components has to be done with the greatest care.

3 OUTLINE OF STANDARDIZATION

During the past decades a large number of standards related to security and cryptography have been compiled and published by many different organizations. This section gives an overview of some significant organizations which are concerned with cryptographic standards. Some important standards which may be applicable in the field of TM/TC security are given in Annex 4.1.

ISO –

International Organization for Standardization (http://www.iso.org/)

ISO is a non-governmental network of the national standards institutes of 156 countries, founded in 1947. ISO is the world's largest developer of standards and develops standards and technical reports in a large number of different fields. The work on cryptographic standards is mainly conducted by two technical committees: TC68 (Financial Services) and the respective Sub-Committees (SCs) of JTC1 (ISO/IEC Joint Technical Committee 1, Information Technology Standards). Relevant SCs of JTC1 for cryptography are:

• SC 17 - Cards and Personal Identification

• SC 27 - IT Security Techniques

• SC 37 - Biometrics

IEC –

International Electrotechnical Commission (http://www.iec.org/)

Founded in 1906, the IEC is a global organization that prepares and publishes international standards for all electrical, electronic and related technologies. These serve as a basis for national standardization and as references when drafting international tenders and contracts.

The IEC charter embraces all electro technologies including electronics, magnetics and electromagnetics, electroacoustics, multimedia, telecommunication, and energy production and distribution, as well as associated general disciplines such as terminology and symbols, electromagnetic compatibility, measurement and performance, dependability, design and development, safety and the environment.

Relevant tasks in the field of cryptography are performed in the ISO/IEC Joint Technical Committee 1 (ISO/IEC JTC1).

ITU –

International Telecommunication Union (http://www.itu.int/)

Founded in 1865 as the International Telegraph Union, the International Telecommunication Union is an international organization established to standardize and regulate international radio and telecommunications. Its main tasks include standardization, allocation of the radio spectrum, and organizing interconnection arrangements between different countries to allow international phone calls. The ITU is one of the specialized agencies of the United Nations.

Within ITU, the ITU-T Study Group 17 (ITU-T SG 17) is the Lead Study Group for telecommunication security issues. Among other things, SG 17 is concerned with the following issues:

• Communications systems security

• Security architecture and framework

• Cyber security

• Security management

• Secure communication services

IEEE –

Institute of Electrical and Electronics Engineers (http://www.ieee.org/)

The IEEE is a non-profit, technical professional association of more than 365,000 individual members in approx. 150 countries.

Founded in 1963, the IEEE is a leading authority in technical areas ranging from computer engineering, biomedical technology and telecommunications to electric power, aerospace engineering, consumer electronics etc. Two working groups of the IEEE are especially active in the area of cryptography: P1363, which has developed standards for public-key cryptography, and IEEE 802, for WLAN technology.

CCSDS –

Consultative Committee for Space Data Systems (http://public.ccsds.org/)

Founded in 1982 as a multi-national committee, the CCSDS provides a forum for discussion of common problems in the development and operation of space data systems. Currently, there are ten member agencies, twenty-two observer agencies, and over 100 industrial associates. The member agencies are:

• Agenzia Spaziale Italiana (ASI)

• British National Space Centre (BNSC)

• Canadian Space Agency (CSA / ASC)

• Centre National d'Etudes Spatiales (CNES)

• Deutsches Zentrum für Luft- und Raumfahrt (DLR)

• European Space Agency (ESA)

• Federal Space Agency

• Instituto Nacional de Pesquisas Espaciais (INPE)

• Japan Aerospace Exploration Agency (JAXA)

• National Aeronautics and Space Administration (NASA)

The CCSDS strives to establish a world-wide, open, CCSDS-compatible virtual space data system for international cross support, interoperability, and science information interchange.

The CCSDS develops Recommendations for space data- and information-systems standards to

• reduce the cost to the various agencies of performing common data functions by eliminating unjustified project-unique design and development

• promote interoperability and cross support among cooperating space agencies to reduce operations costs by sharing facilities

ECSS –

European Cooperation for Space Standardization (http://www.ecss.nl/)

The ECSS is an initiative established in 1993 by national European space agencies, the European Space Agency (ESA), Industry and Associates to develop a coherent, single set of user-friendly standards for use in all European space activities. ECSS documents are progressively replacing the former ESA PSS series. ECSS develops standards in the following fields:

• Space engineering

• Space product assurance

• Space project management

ETSI –

European Telecommunications Standards Institute (http://www.etsi.org/)

The European Telecommunications Standards Institute is an independent, non-profit organization, whose mission is to produce telecommunications standards. ETSI is officially responsible for standardization of Information and Communication Technologies (ICT) within Europe. These technologies include telecommunications, broadcasting and related areas such as intelligent transportation and medical electronics. Founded in 1988, ETSI unites 688 members from 55 countries inside and outside Europe, including manufacturers, network operators, administrations, service providers, research bodies and users.

IETF –

Internet Engineering Task Force (http://www.ietf.org/)

The IETF is a large open international community of network designers, operators, vendors, and researchers, mainly concerned with the evolution of the Internet architecture and developing/promoting of Internet standards. The IETF started its work in 1986. The technical work of the IETF is done in its working groups (WGs), which are organized by topic into several areas (e.g., routing, security, etc.).

Some working groups which are active in the area of security are given below:

• isms Integrated Security Model for SNMP

• msec Multicast Security

• pki4ipsec Profiling Use of PKI in IPSEC

• pkix Public-Key Infrastructure (X.509)

• sasl Simple Authentication and Security Layer

• syslog Security Issues in Network Event Logging

• tls Transport Layer Security

NIST –

National Institute of Standards and Technology (http://www.nist.gov/)

Founded in 1901, NIST is a non-regulatory federal agency within the U.S. Commerce Department's Technology Administration.

The Computer Security Division (CSD) is one of eight divisions within NIST's Information Technology Laboratory. The mission of NIST's CSD is to improve information systems security by:

• Raising awareness of IT risks, vulnerabilities and protection requirements, particularly for new and emerging technologies

• Researching, studying, and advising agencies of IT vulnerabilities and devising techniques for the cost-effective security and privacy of sensitive Federal systems

• Developing standards, metrics, tests and validation programs

• Developing guidance to increase secure IT planning, implementation, management and operation

ANSI –

American National Standards Institute (http://www.ansi.org/)

ANSI is a private, non-profit organization that administers and coordinates the U.S. voluntary standardization and conformity assessment system. ANSI was founded in 1918. It accredits standards developing organizations that meet a set of requirements and criteria governing the management of consensus standards development.

In 1974, ANSI approved the scope of activity for the X9 Standards Committee on Banking. The following two X9-sub-committees are active in the field of cryptographic standardization:

• X9D - Securities Processing

• X9F - Data & Information Security

Common Principles

Standardization is an essential requirement for the exchange of information; without it, networks will not work. With regard to cryptography, standardization:

• enhances security

• enables interoperability

• encourages innovation

• creates trust and confidence in products

• brings down costs

• helps prevent the duplication of effort

However, there are two major conditions without which standardization could hinder rather than accelerate progress:

• standards have to be developed at a speed that is consistent with user demands

• standards have to consider all interested parties to be widely accepted

4 ANNEX

4.1 TM/TC-System Applicable Standards

This section lists some standards, recommendations and specifications that may be applicable for secure TM/TC systems.

4.1.1 System Design

Standard Title

CCSDS 350.0-G-1 The Application of CCSDS Protocols to Secure Systems. Green Book

CCSDS 713.5-B-1 Space Communications Protocol Specification (SCPS) - Security Protocol (SCPS-SP). Blue Book

CCSDS 733.5-O-1 Next Generation Space Internet - End-to-End Security for Space Mission Communications. Orange Book

ISO/IEC 17799 Information technology - Security Techniques - Code of Practice for Information Security Management

ISO/IEC 7498-2 Information processing systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture

ISO/IEC TR 13335-1 IT Security Techniques - Management of Information and Communications Technology Security - Part 1: Concepts and Models for Information and Communications Technology Security Management

ISO/IEC WD 13335-2 IT Security Techniques - Management of Information and Communications Technology Security - Part 2: Information Security Risk Management

ISO/IEC TR 13335-3 Information Technology - Guidelines for the Management of IT Security - Part 3: Techniques for the Management of IT Security

ISO/IEC TR 13335-4 Information technology - Guidelines for the Management of IT Security - Part 4: Selection of Safeguards

ISO/IEC TR 13335-5 Information Technology - Guidelines for the Management of IT Security - Part 5: Management Guidance on Network Security

ISO/IEC 18028 IT Network Security

ISO/IEC 18043 Guidelines for the Implementation, Operation and Management of Intrusion Detection Systems

ISO/IEC 18044 Security Incident Management

ISO/IEC 19790 IT Security Techniques - Security Requirements for Cryptographic Modules

NIST FIPS 140-2 Security Requirements for Cryptographic Modules

NIST FIPS 191 Guideline for Analysis of Local Area Network Security

NIST FIPS 199 Standards for Security Categorization of Federal Information and Information Systems

NIST FIPS 201 Personal Identity Verification for Federal Employees and Contractors

NIST SP 800-12 Computer Security Handbook

NIST SP 800-14 Generally Accepted (Security) Principles & Practices

NIST SP 800-16 Information Technology Security Training Requirements: A Role- and Performance-Based Model

NIST SP 800-18 Guide for Developing Security Plans

NIST SP 800-23 Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products

NIST SP 800-26 Security Self-Assessment Guide for Information Technology Systems

NIST SP 800-27 Engineering Principles for Information Technology Security (A Baseline for Achieving Security)

NIST SP 800-30 Risk Management Guide for Information Technology Systems

NIST SP 800-34 Contingency Plan Guide for Information Technology Systems

NIST SP 800-35 Guide to IT Security Services

NIST SP 800-36 Guide to Selecting IT Security Products

NIST SP 800-40 Procedures for Handling Security Patches

NIST SP 800-41 Guidelines on Firewalls and Firewall Policy

NIST SP 800-42 Guideline on Network Security Testing

NIST SP 800-46 Security for Telecommuting and Broadband Communications

NIST SP 800-47 Security Guide for Interconnecting Information Technology Systems

NIST SP 800-50 Building an Information Technology Security Awareness and Training Program

NIST SP 800-55 Security Metrics Guide for Information Technology Systems

ETSI TR 102 287 Satellite Earth Stations and Systems (SES); Broadband Satellite Multimedia (BSM); IP Inter-Working over Satellite; Security Aspects

ETSI TR 102 419 Telecommunications and Internet Converged Services and Protocols for Advanced Networking (TISPAN); Security Analysis of IPv6 Application in Telecommunications Standards

ITU-T X.805 Security - Security Architecture for Systems Providing End-to-End Communications

ITU-T X.810 Data Networks and Open System Communications - Security - Information Technology - Open Systems Interconnection - Security Frameworks for Open Systems: Overview

ITU-T X.811 Data Networks and Open System Communications - Security - Information Technology - Open Systems Interconnection - Security Frameworks for Open Systems: Authentication Framework

ITU-T X.812 Data Networks and Open System Communications - Security - Information Technology - Open Systems Interconnection - Security Frameworks for Open Systems: Access Control Framework

ITU-T X.813 Data Networks and Open System Communications - Security - Information Technology - Open Systems Interconnection - Security Frameworks for Open Systems: Nonrepudiation Framework

ITU-T X.814 Data Networks and Open System Communications - Security - Information Technology - Open Systems Interconnection - Security Frameworks for Open Systems: Confidentiality Framework

ITU-T X.815 Data Networks and Open System Communications - Security - Information Technology - Open Systems Interconnection - Security Frameworks for Open Systems: Integrity Framework

ITU-T X.816 Data Networks and Open System Communications - Security - Information Technology - Open Systems Interconnection - Security Frameworks for Open Systems: Security Audit and Alarms Framework

4.1.2 Algorithms and Implementation

Standard Title

General

ISO/IEC 15946-1 Cryptographic Techniques Based on Elliptic Curves - Part 1: General

ETSI EG 200 234 Telecommunications Security; A Guide to Specifying Requirements for Cryptographic Algorithms

IEEE 1363 IEEE Standard Specifications for Public-Key Cryptography

IEEE 1363a IEEE Standard Specifications for Public-Key Cryptography - Amendment 1: Additional Techniques

IEEE 1363.1 IEEE Standard Specification for Public Key Cryptographic Techniques Based on Hard Problems over Lattices

IEEE 1363.2 IEEE Standard Specification for Password-Based Public Key Cryptographic Techniques

IETF RFC 1750 Randomness Recommendations for Security

IETF RFC 2246 The TLS Protocol

ITU-T X.802 Data Networks and Open System Communications - Security - Information Technology - Lower Layers Security Model

ITU-T X.803 Data Networks and Open System Communications - Security - Information Technology - Open Systems Interconnection - Upper Layers Security Model

NIST SP 800-22 A Statistical Test Suite for Random and Pseudorandom Number Generation for Cryptographic Applications

RSA PKCS 1 RSA Cryptography Standard

RSA PKCS 5 Password-Based Cryptography Standard

RSA PKCS 13 Elliptic Curve Cryptography Standard

SECG SEC 1 Elliptic Curve Cryptography

SECG SEC 2 Recommended Elliptic Curve Domain Parameters

Encryption

ISO/IEC 10116 Modes of Operation for an n-Bit Block Cipher Algorithm


ISO/IEC 18033-1 Encryption Algorithms - Part 1: General

ISO/IEC 18033-2 Encryption Algorithms - Part 2: Asymmetric Ciphers

ISO/IEC 18033-3 Encryption Algorithms - Part 3: Block Ciphers

ISO/IEC 18033-4 Encryption Algorithms - Part 4: Stream Ciphers

ISO/IEC 19772 IT Security Techniques - Authenticated Encryption Mechanisms

ANSI X3.92 Data Encryption Algorithm

ANSI X3.106 American National Standard for Information Systems - Data Encryption Algorithm - Modes of Operation

ANSI X9.52 Triple Data Encryption Algorithm Modes of Operation

NIST FIPS 197 Advanced Encryption Standard

NIST SP 800-38A Recommendation for Block Cipher Modes of Operation: Methods and Techniques

IETF RFC 3394 Advanced Encryption Standard (AES) Key Wrap Algorithm

IETF RFC 3610 Counter with CBC-MAC (CCM)

Signatures

ISO/IEC 9796-2 Digital Signature Schemes Giving Message Recovery - Part 2: Mechanisms Using a Hash Function

ISO/IEC 9796-3 Digital Signature Schemes Giving Message Recovery - Part 3: Discrete Logarithm Based Mechanisms

ISO/IEC 15946-2 Cryptographic Techniques Based on Elliptic Curves - Part 2: Digital Signatures

ISO/IEC 15946-4 Cryptographic Techniques Based on Elliptic Curves - Part 4: Digital Signatures with Message Recovery

ISO/IEC 13888-1 Non-Repudiation - Part 1: General Model

ISO/IEC 13888-2 Non-Repudiation - Part 2: Using Symmetric Techniques

ISO/IEC 13888-3 Non-Repudiation - Part 3: Using Asymmetric Techniques

ANSI X9.30.1 Public Key Cryptography for the Financial Services Industry - Part 1: The Digital Signature Algorithm (DSA)

ANSI X9.62 Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)

ETSI SR 002 176 Electronic Signatures and Infrastructures (ESI); Algorithms and Parameters for Secure Electronic Signatures

NIST FIPS 186-2 Digital Signature Standard (DSS)

IETF RFC 2875 Diffie-Hellman Proof-of-Possession Algorithms

Authentication

ISO/IEC 9797-1 Message Authentication Codes (MACs) - Part 1: Mechanisms Using a Block Cipher


ISO/IEC 9797-2 Message Authentication Codes (MACs) - Part 2: Mechanisms Using a Dedicated Hash-Function

ISO/IEC 9798-1 Entity Authentication - Part 1: General

ISO/IEC 9798-2 Entity Authentication - Part 2: Mechanisms Using Symmetric Encipherment Algorithms

ISO/IEC 9798-3 Entity Authentication - Part 3: Mechanisms Using Digital Signature Techniques

ISO/IEC 9798-4 Entity Authentication - Part 4: Mechanisms Using a Cryptographic Check Function

ISO/IEC 9798-5 Entity Authentication - Part 5: Mechanisms Using Zero Knowledge Techniques

IETF RFC 1704 On Internet Authentication

IETF RFC 2104 HMAC: Keyed-Hashing for Message Authentication

ISO/IEC 10118-1 Hash-Functions - Part 1: General

ISO/IEC 10118-2 Hash-Functions - Part 2: Hash-Functions Using an n-Bit Block Cipher Algorithm

ISO/IEC 10118-3 Hash-Functions - Part 3: Dedicated Hash-Functions

ISO/IEC 10118-4 Hash-Functions - Part 4: Hash-Functions Using Modular Arithmetic

ISO/IEC 7816-8 Identification Cards - Integrated Circuit(s) Cards with Contacts - Part 8: Security Architecture and Related Inter-Industry Commands

ISO/IEC 7816-15 Identification Cards - Integrated Circuit(s) Cards with Contacts - Part 15: Cryptographic Information Application

ANSI X9.71 Keyed Hash Message Authentication Code

NIST FIPS 113 Computer Data Authentication

NIST FIPS 180-2 Secure Hash Standard (SHS)

NIST FIPS 196 Entity Authentication Using Public Key Cryptography

NIST FIPS 198 Keyed-Hash Message Authentication Code (HMAC)

NIST SP 800-38B Draft Recommendation for Block Cipher Modes of Operation: The RMAC Authentication Mode

NIST SP 800-38C Draft Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality

Key Generation / Key Management

ISO/IEC 11770-1 Key Management - Part 1: Framework

ISO/IEC 11770-2 Key Management - Part 2: Mechanisms Using Symmetric Techniques

ISO/IEC 11770-3 Key Management - Part 3: Mechanisms Using Asymmetric Techniques

ISO/IEC 15946-3 Cryptographic Techniques Based on Elliptic Curves - Part 3: Key Establishment

ISO/IEC 18031 Random Bit Generation

ISO/IEC 18032 Prime Number Generation

ANSI X9.80 Prime Number Generation, Primality Testing, and Primality Certificates


ANSI X9.82 Random Number Generation

ANSI X9.42 Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography

ANSI X9.63 Public Key Cryptography for the Financial Services Industry, Key Agreement and Key Transport Using Elliptic Curve Cryptography

NIST FIPS 181 Automated Password Generator

IETF RFC 2409 The Internet Key Exchange (IKE)

IETF RFC 2631 Diffie-Hellman Key Agreement Method

RSA PKCS 3 Diffie-Hellman Key Agreement Standard


4.1.3 Evaluation

The Common Criteria (CC) emerged from the US Federal Criteria (FC), the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) and the European Information Technology Security Evaluation Criteria (ITSEC). They were standardized by ISO/IEC and became an international standard for IT security evaluation in 1999 (ISO/IEC 15408).

The following organizations participated in the development of the CC:

Organization | Country

Communications Security Establishment (CSE), http://www.cse-cst.gc.ca/ | Canada

Direction Centrale de la Sécurité des Systèmes d'Information (DCSSI, Central Information Systems Security Division), http://www.ssi.gouv.fr/ | France

Bundesamt für Sicherheit in der Informationstechnik (BSI, Federal Office for Information Security), http://www.bsi.de/ | Germany

Nederlandse Organisatie voor toegepast-natuurwetenschappelijk onderzoek (TNO, Netherlands Organization for Applied Scientific Research), http://www.tno.nl/ | Netherlands

National Technical Authority for Information Assurance (CESG), http://www.cesg.gov.uk/ | United Kingdom

National Institute of Standards and Technology (NIST), http://www.nist.gov/ | United States of America

National Security Agency (NSA), http://www.nsa.gov/ | United States of America

Standard Title

ISO/IEC 18045 IT Security Techniques - Methodology for IT Security Evaluation

ISO/IEC 15408-1 Evaluation Criteria for IT Security - Part 1: Introduction and General Model

ISO/IEC 15408-2 Evaluation Criteria for IT Security - Part 2: Security Functional Requirements

ISO/IEC 15408-3 Evaluation Criteria for IT Security - Part 3: Security Assurance Requirements

ETSI ES 202 382 Telecommunications and Internet Converged Services and Protocols for Advanced Networking (TISPAN); Security Design Guide; Method and Proforma for Defining Protection Profiles

ETSI ES 202 383 Telecommunications and Internet Converged Services and Protocols for Advanced Networking (TISPAN); Security Design Guide; Method and Proforma for Defining Security Targets


4.2 Mathematical Background

This part of the annex presents a short list of (mathematical) notations, definitions and theorems. For more details see [BSS2002], [Mao2004] and [BS1997].

4.2.1 Mathematical Symbols

⇒ Implication

⇔ If and only if

∀ For all

∃ One exists

∃! At least one exists

exp( ) Exponential function

gcd Greatest common divisor

■ End of proof

� Indication that no proof is given here

a ≡ b mod n a is congruent to b modulo n

a ≢ b mod n a is not congruent to b modulo n

⌈x⌉ The smallest integer greater than or equal to x

⌊x⌋ The greatest integer smaller than or equal to x

∅ Empty set

# M Number of elements of a set (size of the set, cardinality of the set)

N Set of the natural numbers

Z Set of integer numbers

Z+ Set of the non negative integer numbers

R Set of real numbers

Q Set of rational numbers

Z/Zn Integers mod n

B ⊆ C The set B is a subset of C


B ≈ C The set B is equivalent to C

B ∪ C Union of the sets B and C

B ∩ C Intersection of the sets C and B

a | b a divides b without remainder (a is a factor of b)

a ∤ b a does not divide b without remainder (a is not a factor of b)

x ∈ X x is element of the set X

x ∉ X x is not element of the set X

f : x → y Definition of the function f for x and y, with x ∈ X and y ∈ Y

$f^{-1}$ Inverse mapping of f

● Group operation

O The point at infinity

I Concatenation of two character strings

E Elliptic curve

Fp or GF(p) Finite field or Galois field


4.2.2 Integer Numbers

The usual notation for the set of the natural numbers is

N = {1, 2, 3, 4, …} Eq. 4-1

and for the set of the integer numbers

Z = {…, -3, -2, -1, 0, 1, 2, 3, …}. Eq. 4-2

Every natural number has a unique prime factor decomposition

$n = p_1^{\lambda_1} \cdot \ldots \cdot p_t^{\lambda_t}$ Eq. 4-3

with natural number exponents $\lambda_1, \ldots, \lambda_t$ and different prime factors $p_1, \ldots, p_t$. A number n ∈ N is called prime if 1 and n are the only factors of n. For the integer numbers a and b there exist unique integers q and r with 0 ≤ r < b and

a = qb + r. Eq. 4-4

The number r is called the remainder. Both numbers q and b in Eq. 4-4 divide a - r without remainder. This is denoted by q | a - r and b | a - r.

The greatest common divisor of two positive integers a and b is the largest divisor common to a and b. The greatest common divisor is denoted by:

d = gcd(a,b) Eq. 4-5

Example

gcd(3,5) = 1, gcd(12,60) = 12, and gcd(12,90) = 6.

If gcd(a,b) = 1, a and b are called relatively prime, or coprime.


4.2.3 Congruence

Definition 4-1

Let a,b ∈ Z and n ∈ N, then a and b are defined as congruent mod n, if n | a - b. Congruences are denoted as

a ≡ b mod n. Eq. 4-6

In Eq. 4-6 n is called the modulus. If n ∤ a - b then a ≢ b mod n; a and b are incongruent mod n.

Definition 4-2

The residue classes of a function f(x) mod n are all possible values of the residue f(x) mod n.

Example

The residue classes of $x^2$ mod 6 are {0,1,3,4}, since $0^2 = 0$ mod 6, $1^2 = 1$ mod 6, $2^2 = 4$ mod 6, $3^2 = 3$ mod 6, $4^2 = 4$ mod 6, $5^2 = 1$ mod 6 are all the possible residues.

The function ρ

ρ : Z → Z /Zn Eq. 4-7

maps each integer to its corresponding residue class.

The congruences have the following properties (see footnote 4):

• a ≡ a mod m.

• If a ≡ b mod m, then b ≡ a mod m.

• If a ≡ b mod m and b ≡ c mod m, then a ≡ c mod m. �

4 These properties are similar to the properties of equations. Congruences also have other properties that are not similar to the properties of equations. For example, the equation 6x = 9 has one solution x = 3/2. The congruence 6x ≡ 9 mod 15 has three solutions x = 4, x = 9 and x = 14.


Definition 4-3

A set of numbers $a_0, a_1, \ldots, a_{m-1}$ mod m form a complete set of residues, called a complete residue system (or a covering system), if they satisfy $a_i \equiv i$ mod m for i = 0, 1, ..., m-1.

Definition 4-4

Any system of Φ(n) integers, where Φ(n) is the Euler function (see Definition 4-8 below), representing all the residue classes relatively prime to n is called a reduced residue system (or incomplete residue system).

Theorem 4-1

Let a, b, c ∈ Z, a ≠ 0. If a | bc and gcd(a,b) = 1, then a | c. �

The arithmetic of the residue systems is the arithmetic of the remainders. It is also called modular arithmetic.

Theorem 4-2

Let a, b, c, m ∈ Z, m ≠ 0. If ca ≡ cb mod m, and gcd(c,m) = 1, then a ≡ b mod m.

Proof

ca ≡ cb mod m ⇒ m | ca – cb ⇒ m | c(a – b). Because gcd(c,m) = 1, by Theorem 4-1 m | a - b ⇒ a ≡ b mod m. ■
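The congruence 6x ≡ 9 mod 15 from footnote 4 and the cancellation rule of Theorem 4-2 can be checked mechanically. The following Python code is an added example, not part of the report; the function names are assumptions made for illustration, and the solver goes beyond the single case in the text by handling any linear congruence ax ≡ b mod n.

```python
def extended_gcd(a, b):
    """Return (g, s, t) with g = gcd(a, b) and g = s*a + t*b."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def solve_linear_congruence(a, b, n):
    """Return all x in [0, n) with a*x ≡ b (mod n), in increasing order.

    With g = gcd(a, n): no solution exists unless g | b; otherwise there
    are exactly g solutions, spaced n/g apart.
    """
    if n < 1:
        raise ValueError("modulus must be a natural number")
    a, b = a % n, b % n
    g, s, _ = extended_gcd(a, n)
    if b % g:
        return []
    step = n // g
    # s*(a/g) ≡ 1 (mod n/g), so s*(b/g) solves the reduced congruence.
    x0 = (s * (b // g)) % step
    return [x0 + k * step for k in range(g)]


def cancellation_counterexamples(c, m):
    """Pairs a < b in [0, m) with c*a ≡ c*b (mod m) although a ≢ b (mod m).

    Theorem 4-2 says the list is empty whenever gcd(c, m) = 1.
    """
    return [(a, b) for a in range(m) for b in range(a + 1, m)
            if (c * a - c * b) % m == 0]


if __name__ == "__main__":
    # Footnote 4: gcd(6, 15) = 3 divides 9, hence three solutions.
    print("6x ≡ 9 mod 15:", solve_linear_congruence(6, 9, 15))
    # 3 does not divide 8, hence no solution at all.
    print("6x ≡ 8 mod 15:", solve_linear_congruence(6, 8, 15))
    # gcd(2, 15) = 1: cancelling 2 is always allowed.
    print("c = 2, m = 15:", cancellation_counterexamples(2, 15))
    # gcd(6, 15) = 3: 6*4 ≡ 6*9 mod 15, yet 4 ≢ 9 mod 15.
    print("c = 6, m = 15:", cancellation_counterexamples(6, 15)[:3])
```
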

Theorem 4-3

If $a_1, a_2, a_3, \ldots, a_k$ is a complete residue class mod m, and d ∈ Z, then the numbers $d+a_1, d+a_2, d+a_3, \ldots, d+a_k$ are a complete residue class mod m too.

Proof

The number of elements in both cases is m, and from $a_i + d \not\equiv a_j + d$ mod m it follows that $a_i \not\equiv a_j$ mod m for all i ≠ j. ■

Theorem 4-4

If $a_1, a_2, a_3, \ldots, a_k$ is a complete residue class mod m, d ∈ Z, and gcd(d,m) = 1, then the numbers $da_1, da_2, da_3, \ldots, da_k$ are a complete residue class mod m too.


Proof

The number of elements is m, and in the congruence $da_i \equiv da_j$ mod m it is permitted to divide by d (Theorem 4-2) ⇒ $a_i \equiv a_j$ mod m and i = j. ■

Remark

If the modulus is a prime number p then the function in Eq. 4-7 maps all natural numbers into the complete residue class mod p. In this residue class it is possible to add and multiply (Theorem 4-3 and Theorem 4-4).

Example

The addition and multiplication tables for the complete residue class mod 7:

Addition

+   0 1 2 3 4 5 6
0   0 1 2 3 4 5 6
1   1 2 3 4 5 6 0
2   2 3 4 5 6 0 1
3   3 4 5 6 0 1 2
4   4 5 6 0 1 2 3
5   5 6 0 1 2 3 4
6   6 0 1 2 3 4 5

Multiplication

·   0 1 2 3 4 5 6
0   0 0 0 0 0 0 0
1   0 1 2 3 4 5 6
2   0 2 4 6 1 3 5
3   0 3 6 2 5 1 4
4   0 4 1 5 2 6 3
5   0 5 3 1 6 4 2
6   0 6 5 4 3 2 1

Theorem 4-5

If $a_1, a_2, a_3, \ldots, a_k$ is a reduced residue system with gcd($a_i$,m) = 1, 1 < i < k and gcd(d,n) = 1, then the numbers $da_1, da_2, da_3, \ldots, da_k$ are a reduced residue system mod m too.

Proof

The proof is the same as the proof of the Theorem 4-4 .■


Example

The multiplication table for the reduced residue system mod 12 is

Multiplication

·    0  1  5  7 11
0    0  0  0  0  0
1    0  1  5  7 11
5    0  5  1 11  7
7    0  7 11  1  5
11   0 11  7  5  1

Remark

If the modulus is a composite number then the elements of the reduced residue system must be coprime to the modulus. In a reduced residue system only the multiplication is usable. This is a typical property of groups. The precise definition of a group is more abstract (see section 4.2.4 below).

4.2.4 Groups

A group is a set of objects with an operation defined between any two objects in the set.

Definition 4-5

A group (G, ●) is a set G together with an operation ● satisfying the following four axioms:

1. Closure axiom: ∀ a,b ∈ G : a ● b ∈ G.

2. Associativity axiom: ∀ a,b,c ∈ G : a ● (b ● c) = (a ● b) ● c.

3. Identity axiom: ∃! element e ∈ G : ∀ a ∈ G : a ● e = e ● a = a.

4. Inverse axiom: ∀ a ∈ G : ∃! $a^{-1}$ ∈ G : a ● $a^{-1}$ = $a^{-1}$ ● a = e.

A group is abelian if ∀ a,b ∈ G : a ● b = b ● a. In other words an abelian group is a commutative group.

In the denotation (G, ●) we often omit the operation ● and use G to denote a group. A group is called finite if the number of elements in the set G is finite, otherwise the group is infinite. The number of elements of a finite group is called the cardinality of the group and is denoted by # G.


Remarks

• From the axioms it follows that for a,b ∈ G, c = a ● b is uniquely defined. �

• From the axioms it follows that the inverse has the following properties: ∀ a ∈ G : $(a^{-1})^{-1} = a$ and ∀ a,b ∈ G : $(a \bullet b)^{-1} = a^{-1} \bullet b^{-1}$. �

• In a group only one operation is defined, denoted by the symbol ●. It is possible, but not necessary, to interpret this operation as an addition (additive groups) or a multiplication (multiplicative groups). The operation repeated k times, ∀ k ∈ N, with the same element a ∈ G : (a ● a ● … ● a), is denoted by [k]a ∈ G, ∀ a ∈ G, if the operation is interpreted as an addition, and by $a^k$ ∈ G, ∀ a ∈ G, if the operation is interpreted as a multiplication. This is only a shorthand notation for the repeated group operation and not a new group operation between a and k. The notation -a for the inverse element is mostly used in additive groups; in multiplicative groups the usual notation of the inverse element is $a^{-1}$.

Example

The set of the even numbers with the operation addition represents an (infinite) group. One can say that this is an additive group. The set of the odd numbers with the operation addition does not represent a group, because the sum of two odd numbers is even, so the closure axiom is not fulfilled.

4.2.5 Rings and Fields

A ring is a set of objects with two operations defined between any two objects in the set.

Definition 4-6

A ring R is a set together with two operations + (addition) and · (multiplication), and has the following properties:

1. Under addition R is an Abelian group; denote by 0 the additive identity element.

2. Under multiplication R satisfies the Closure Axiom, Associativity Axiom and Identity Axiom; denote by 1 the multiplicative identity element.

3. Commutativity Axiom: ∀ a,b ∈ R : a · b = b · a.

4. Distributivity Axiom: ∀ a,b,c ∈ R : (a + b) · c = a · c + b · c.


Remarks

The element 0 is called the zero element or the additive neutral element; the element 1 is called the unity element or the multiplicative neutral element. The element –a is called the negative of a, or the additive inverse of a.

Definition 4-7 (Definition of a field)

If the nonzero elements of a ring form a group under multiplication, then the ring is called a field (denoted by F).

Remarks

The primary difference between a ring and a field is that in a field there exists an element $a^{-1}$. This element is called the inverse of a, or the multiplicative inverse of a (see the definition of the group: Definition 4-5). A field is called finite if the number of elements in the set F is finite, otherwise the field is infinite. A finite field is often called a Galois field (see footnote 5). The finite field is denoted by Fp or by GF(p).

Examples

An example of a ring is the infinite set of the integer numbers with the operations addition and multiplication. It is clear that in the set of the integer numbers the multiplicative inverse does not exist. A well-known example of a finite field is the set of the non-negative integer numbers modulo a prime p with addition and multiplication as operations. Let p = 7; then the set of the non-negative integer numbers mod 7 consists of the numbers 0, 1, 2, 3, 4, 5 and 6. The additive neutral element is zero, the multiplicative neutral element is one. The unique negative element is calculated by –a = p - a, and the unique inverse element is calculated by Fermat's little theorem (see footnote 6): $a^{p-1} \equiv 1$ mod p ⇔ $a^{p-2} a \equiv 1$ mod p. Because $a^{-1} a \equiv 1$ mod p, it follows that $a^{-1} \equiv a^{p-2}$ mod p (see the table below).

Elements of F7   Negative Elements   Inverse Elements
0                0                   -
1                6                   1
2                5                   4
3                4                   5
4                3                   2
5                2                   3
6                1                   6

5 Évariste Galois, French mathematician, 1811 - 1832.

6 See the remark to Theorem 4-1 below.


This is easy to check. Consider for example 2 in F7: –2 = 5, because 2 + 5 ≡ 0 mod 7, and $2^{-1} = 4$, because 2 · 4 ≡ 1 mod 7. Subtraction is to be interpreted as addition of the negative element. For example 4 – 2 ≡ 2 mod 7 is to be interpreted as 4 + 5 ≡ 2 mod 7. Division is to be interpreted as multiplication by the inverse element. For example 4 / 2 ≡ 2 mod 7 is to be interpreted as 4 · 4 ≡ 2 mod 7. Raising to a power is to be interpreted as repeated multiplication. The calculation of a logarithm is to be interpreted as the inverse operation of the calculation of the power. For example $2^3 \equiv 1$ mod 7 is to be interpreted as 2 · 2 · 2 ≡ 1 mod 7, or rather as 4 · 2 ≡ 1 mod 7 (which is equivalent to 2 · 4 ≡ 1 mod 7). The calculation of the logarithm (the discrete logarithm problem, or DL problem) is the calculation of the number 3 from the numbers 2 (basis) and 1.

For cryptographic applications it is very important that the calculation of the power is relatively simple while the calculation of the logarithm is complicated (for sufficiently large numbers it is virtually impossible). This allows the basis and the result of the exponentiation (in our example 2 and 1) to be published while the logarithm (in our example 3) is kept secret. The property that a function is relatively simple to calculate while its inverse function is virtually impossible to calculate is called the one-way property, and such a function is called a one-way function.
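The F7 arithmetic and the one-way behaviour described above, as an added Python example that is not part of the report. The function names, the prime 101 and the exponent 77 are constructed for illustration; the code goes beyond F7 to show that exponentiation needs only a handful of multiplications while the exhaustive logarithm search needs as many steps as the exponent is large.

```python
def mod_pow(base, exp, p):
    """Square-and-multiply: return (base**exp mod p, multiplications used)."""
    result, mults = 1, 0
    base %= p
    while exp > 0:
        if exp & 1:                      # current bit set: multiply in
            result = result * base % p
            mults += 1
        exp >>= 1
        if exp:                          # more bits to come: square
            base = base * base % p
            mults += 1
    return result, mults


def negative(a, p):
    """Additive inverse: -a = p - a (and -0 = 0)."""
    return (-a) % p


def inverse(a, p):
    """Multiplicative inverse a**(p-2) mod p (Fermat); p must be prime."""
    if a % p == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    return mod_pow(a, p - 2, p)[0]


def subtract(a, b, p):
    """a - b, computed as addition of the negative element."""
    return (a + negative(b, p)) % p


def divide(a, b, p):
    """a / b, computed as multiplication by the inverse element."""
    return a * inverse(b, p) % p


def field_table(p):
    """Rows (a, -a, a**-1) for all a in F_p; 0 has no inverse (None)."""
    return [(a, negative(a, p), inverse(a, p) if a else None)
            for a in range(p)]


def discrete_log(base, target, p):
    """Smallest k >= 1 with base**k ≡ target (mod p), by exhaustive search.

    Returns None if no such k exists. Needs about k multiplications.
    """
    value, target = base % p, target % p
    for k in range(1, p):
        if value == target:
            return k
        value = value * base % p
    return None


if __name__ == "__main__":
    for row in field_table(7):
        print(row)
    print("4 - 2 =", subtract(4, 2, 7), " 4 / 2 =", divide(4, 2, 7))
    print("log_2(1) in F7 =", discrete_log(2, 1, 7))
    # Constructed example: 2 has order 100 modulo the prime 101.
    secret = 77
    public, cost = mod_pow(2, secret, 101)
    print("2^77 mod 101 =", public, "using", cost, "multiplications")
    print("exhaustive search recovers", discrete_log(2, public, 101))
```
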

4.2.6 Euler-Fermat Theorem

Definition 4-8 The Euler’s phi Function

The function Φ : N → N with Φ(n) = # {k : 1 ≤ k < n, gcd(k,n) = 1} is Euler’s famous phi function.

Example

n = 2, coprime to 2: 1; Φ(2) = 1

n = 3, coprime to 3: 1, 2; Φ(3) = 2

n = 4, coprime to 4: 1, 3; Φ(4) = 2

n = 5, coprime to 5: 1, 2, 3, 4; Φ(5) = 4

n = 6, coprime to 6: 1, 5; Φ(6) = 2

Generally, if n is a prime p, then Φ(p) = p – 1, since all k with 1 ≤ k < p are coprime to p. If n is a composite number, namely the product of two primes p and q, then

Φ(n) = Φ(pq) = Φ(p)Φ(q) = (p - 1)(q – 1) �. See the example for p = 3, q = 7 and n = 21 below.

Theorem 4-1 The Euler-Fermat theorem

Let a ∈ Z/Zn and let Φ(n) denote Euler’s phi function. Then


$a^{\Phi(n)} \equiv 1 \bmod n$ Eq. 4-8

Remark

If n is a prime p then Φ(p) = p – 1, and $a^{p-1} \equiv 1$ mod p. This is called Fermat's little theorem.

Proof

The numbers which are coprime to n, $r_1, r_2, \ldots, r_{\Phi(n)}$, represent a reduced residue system mod n. In this case for all a with gcd(a,n) = 1 the numbers $ar_1, ar_2, \ldots, ar_{\Phi(n)}$ represent a residue class too (see Theorem 4-5). Since $r_i \not\equiv r_j$ mod n it follows that $ar_i \not\equiv ar_j$ mod n. In this case

$(ar_1)(ar_2) \cdots (ar_{\Phi(n)}) \equiv r_1 r_2 \cdots r_{\Phi(n)} \bmod n$ Eq. 4-9

Multiplying all $r_i$ by their own inverse elements $r_i^{-1}$ we get

$a^{\Phi(n)} \equiv 1 \bmod n$ ■ Eq. 4-10

Example

Let p = 3 and q = 7, n = pq = 21 , then Φ(n) = (p - 1)(q - 1) = 12 .

Let a = 4. The 12 elements which are coprime to 21, the residue class mod 21 are:

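residue class of $r_i$ | residue class of $ar_i$ | inverse elements $r_i^{-1}$ | residue class of $ar_i r_i^{-1}$

$r_1 = 1$ | $ar_1 = 4 \cdot 1 \equiv 4$ mod 21 | $r_1^{-1} = 1$ | $ar_1 \cdot r_1^{-1} = 4 \cdot 1 \equiv 4$ mod 21

$r_2 = 2$ | $ar_2 = 4 \cdot 2 \equiv 8$ mod 21 | $r_2^{-1} = 11$ | $ar_2 \cdot r_2^{-1} = 8 \cdot 11 \equiv 4$ mod 21

$r_3 = 4$ | $ar_3 = 4 \cdot 4 \equiv 16$ mod 21 | $r_3^{-1} = 16$ | $ar_3 \cdot r_3^{-1} = 16 \cdot 16 \equiv 4$ mod 21

$r_4 = 5$ | $ar_4 = 4 \cdot 5 \equiv 20$ mod 21 | $r_4^{-1} = 17$ | $ar_4 \cdot r_4^{-1} = 20 \cdot 17 \equiv 4$ mod 21

$r_5 = 8$ | $ar_5 = 4 \cdot 8 \equiv 11$ mod 21 | $r_5^{-1} = 8$ | $ar_5 \cdot r_5^{-1} = 11 \cdot 8 \equiv 4$ mod 21

$r_6 = 10$ | $ar_6 = 4 \cdot 10 \equiv 19$ mod 21 | $r_6^{-1} = 19$ | $ar_6 \cdot r_6^{-1} = 19 \cdot 19 \equiv 4$ mod 21

$r_7 = 11$ | $ar_7 = 4 \cdot 11 \equiv 2$ mod 21 | $r_7^{-1} = 2$ | $ar_7 \cdot r_7^{-1} = 2 \cdot 2 \equiv 4$ mod 21

$r_8 = 13$ | $ar_8 = 4 \cdot 13 \equiv 10$ mod 21 | $r_8^{-1} = 13$ | $ar_8 \cdot r_8^{-1} = 10 \cdot 13 \equiv 4$ mod 21

$r_9 = 16$ | $ar_9 = 4 \cdot 16 \equiv 1$ mod 21 | $r_9^{-1} = 4$ | $ar_9 \cdot r_9^{-1} = 1 \cdot 4 \equiv 4$ mod 21

$r_{10} = 17$ | $ar_{10} = 4 \cdot 17 \equiv 5$ mod 21 | $r_{10}^{-1} = 5$ | $ar_{10} \cdot r_{10}^{-1} = 5 \cdot 5 \equiv 4$ mod 21

$r_{11} = 19$ | $ar_{11} = 4 \cdot 19 \equiv 13$ mod 21 | $r_{11}^{-1} = 10$ | $ar_{11} \cdot r_{11}^{-1} = 13 \cdot 10 \equiv 4$ mod 21

$r_{12} = 20$ | $ar_{12} = 4 \cdot 20 \equiv 17$ mod 21 | $r_{12}^{-1} = 20$ | $ar_{12} \cdot r_{12}^{-1} = 17 \cdot 20 \equiv 4$ mod 21

The product of all elements in the left column is $4^{12} \equiv 1$ mod 21.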
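The steps of the Euler-Fermat proof can be replayed for any modulus, which reproduces the table for n = 21 and a = 4 and shows what breaks when a is not coprime to n. This Python code is an added example, not part of the report; the function names are assumptions, and the modular inverse uses the built-in pow(r, -1, n) of Python 3.8 or later.

```python
from math import gcd


def phi(n):
    """Euler's phi as in Definition 4-8: #{k : 1 <= k < n, gcd(k, n) = 1}."""
    return sum(1 for k in range(1, n) if gcd(k, n) == 1)


def reduced_residues(n):
    """The reduced residue system mod n, in increasing order."""
    return [r for r in range(1, n) if gcd(r, n) == 1]


def euler_fermat_rows(a, n):
    """One row per r_i: (r_i, a*r_i mod n, r_i^-1 mod n, a*r_i*r_i^-1 mod n)."""
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n")
    rows = []
    for r in reduced_residues(n):
        ar = a * r % n
        r_inv = pow(r, -1, n)            # exists because gcd(r, n) = 1
        rows.append((r, ar, r_inv, ar * r_inv % n))
    return rows


def check_proof_steps(a, n):
    """Evaluate each step of the proof for concrete a and n."""
    rows = euler_fermat_rows(a, n)
    residues = [r for r, _, _, _ in rows]
    prod_r = prod_ar = 1
    for r, ar, _, _ in rows:
        prod_r = prod_r * r % n
        prod_ar = prod_ar * ar % n
    return {
        # Theorem 4-5: multiplying by a only permutes the residues.
        "is_permutation": sorted(ar for _, ar, _, _ in rows) == residues,
        # Eq. 4-9: both products agree mod n.
        "eq_4_9": prod_ar == prod_r,
        # Cancelling each r_i leaves a in every row of the last column.
        "last_column_is_a": all(row[3] == a % n for row in rows),
        # Eq. 4-10: a^phi(n) ≡ 1 mod n.
        "eq_4_10": pow(a, len(rows), n) == 1,
    }


def euler_fermat_holds(a, n):
    """True if a^phi(n) ≡ 1 (mod n); fails when gcd(a, n) != 1."""
    return pow(a, phi(n), n) == 1


if __name__ == "__main__":
    print("phi(2..6) =", [phi(n) for n in range(2, 7)])
    for row in euler_fermat_rows(4, 21):
        print(row)
    print(check_proof_steps(4, 21))
    print("a = 3 (not coprime to 21):", euler_fermat_holds(3, 21))
```
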


4.2.7 Elliptic Curves (see footnote 7)

Here is a quick introduction to the theory of elliptic curves. For more details see [Mao2004].

The usual form of an elliptic curve E over a finite field (see footnote 8) Fp in the context of cryptography is

$E : y^2 = x^3 + ax + b$ Eq. 4-11

where a,b ∈ Fp.

This type of equation is called a Weierstrass (see footnote 9) equation.

Eq. 4-11 defines for every x two values of y (a positive and a negative one), if the square root of $y^2$ exists in Fp. The set E(Fp) consists of all points (x,y), x ∈ Fp, y ∈ Fp, which fulfill the defining Eq. 4-11, together with the Gaussian infinity point of the plane, denoted by O and called the point at infinity.

Example

Elliptic curve over F23. Let p = 23 and the elliptic curve

$E : y^2 = x^3 + x + 4$ Eq. 4-12

over F23.

In the notation of Eq. 4-11, a = 1 and b = 4. The points in E(F23) are the point at infinity O and the following twenty-eight (x, y) pairs:

(0, 2) (0, 21) (1, 11) (1, 12) (4, 7) (4, 16) (7, 3)

(7, 20) (8, 8) (8, 15) (9, 11) (9, 12) (10, 5) (10, 18)

(11, 19) (11, 14) (13, 11) (13, 12) (14, 15) (14, 18) (15, 16)

(15, 17) (17, 19) (17, 14) (18, 9) (18, 14) (22, 5) (22, 19)

7 A similar study for ellipses leads one to consider elliptic integrals. These integrals have the form:

$\int \frac{dx}{\sqrt{4x^3 - g_2 x - g_3}}$

The denominator of the argument of the elliptic integral has the same form as Eq. 4-11.

8 “Over a finite field” means that all operations are calculated with the modular arithmetic of a finite field.

9 Karl Weierstrass, German mathematician, 1815 - 1897.

If a point P on the elliptic curve has the coordinates (x, y), then the point with the coordinates (x, -y) is called the point -P.

The positive and negative y values are interpreted modulo 23. For example, (0, 2) and (0, 21) are a positive and negative point pair, with -2 ≡ 21 mod 23, and (1, 11) and (1, 12) are a pair, with -11 ≡ 12 mod 23. Generally, the negative element -a in the algebra mod p is interpreted as p - a.

Therefore the curve is symmetric to the x-axis (see Fig. 4-4): if the point P is a point on the curve, then the point -P is a point on the curve too.

In the example the set of x has 23 elements, and the set of y has 23 elements too. So it is possible to have a maximum of 529 points (x, y pairs). But only 28 points exist “on the curve”.¹⁰ In other words, the cardinality of the curve is 28, with the usual notation: #E = 28.

10 This means that for Eq. 4-12 the square root mod 23 exists in only 28 points. The square root exists if the congruence $a^2 \equiv b \bmod p$ has a solution. In this case a is called a square root of b. If a is a square root of b, then -a is a square root of b too, namely $(p - a)^2 = p^2 - 2pa + a^2 \equiv b \bmod p$.


Although it is calculated over a finite field, the curve defined in Eq. 4-11 can be viewed as an ordinary elementary curve in the plane. It is trivial that the curve is symmetrical to the x axis. There are two possibilities. If the polynomial $x^3 + ax + b$ has three real roots, the curve cuts the x axis in three points (see Fig. 4-1). If the polynomial $x^3 + ax + b$ has one real and two complex roots, the curve cuts the x axis in only one point (see Fig. 4-2). Eq. 4-13 prevents the existence of a double point on the x axis¹¹.

$4a^3 + 27b^2 \not\equiv 0 \bmod p$. Eq. 4-13

Fig. 4-1 The elliptic curve $y^2 = x^3 - 3x + 3$. The polynomial $x^3 - 3x + 3$ has one real and two complex roots.

11 An example of a double point is given by the elliptic curve $E : y^2 = x^3 - 12x + 16$. The polynomial $x^3 - 12x + 16$ has a single zero at -4 and a double zero at +2, and $4a^3 + 27b^2 = 0$ (see Fig. 4-3). This type of elliptic curve is unsuitable for applications in cryptography. In the example with Eq. 4-12, $4a^3 + 27b^2 = 4 + 432 = 436 \not\equiv 0 \bmod 23$.


Fig. 4-2 The elliptic curve $y^2 = x^3 - 4x + 3$. The polynomial $x^3 - 4x + 3$ has three real roots.

Both types of curves are used for applications in cryptography. Curves with a double zero are unsuitable.

Fig. 4-3 An unsuitable elliptic curve $y^2 = x^3 - 12x + 16$. The polynomial $x^3 - 12x + 16$ has a single zero at -4 and a double zero at +2.


Fig. 4-4 P and -P on the curve $E : y^2 = x^3 - 12x + 16$


4.2.8 Group Constructed Using Points on an Elliptic Curve

For a group, an operation and the identity element must be defined, and it must be shown that this operation fulfils the group axioms in Definition 4-5. The group operation of elliptic curves is often called point addition (or point duplication), although it is not the well-known addition of elementary algebra¹².

The definition of the group operation is based on the property of elliptic curves that a straight line which connects two points of the curve cuts the curve in a third point. There is only one exception: the line that is parallel to the x axis cuts the curve in the infinite point. This point is called the point at infinity and denoted by O. This point is the identity element of the group.

Definition 4-9

The sum of three points (P1, P2, P3) on the curve which lie on a straight line is the identity element.

P1 ● P2 ● P3 = O Eq. 4-14

Fig. 4-5 Three points of the curve on a straight line

According to Definition 4-9 there are three possibilities for the point addition:

P1 ● P2 = -P3 (see Fig. 4-6) Eq. 4-15

P1 ● P3 = -P2 (see Fig. 4-7) Eq. 4-16

P2 ● P3 = -P1 (see Fig. 4-8) Eq. 4-17

12 It must be emphasized again that only one operation exists in a group.

Fig. 4-6 Point addition P1 ● P2 = Q3 (figure labels: P1, P2, P3 = -Q3, Q3 = P1 ● P2)

Fig. 4-7 Point addition P1 ● P3 = Q2 (figure labels: P1, P2 = -Q2, P3, Q2 = P1 ● P3)


Fig. 4-8 Point addition P2 ● P3 = Q1 (figure labels: P1 = -Q1, P2, P3, Q1 = P2 ● P3)

If in a point addition

P1 ● P2 = Q3 Eq. 4-18

the two points coincide, P1 = P2 = P, then the point addition is a point duplication:

P ● P = [2]P (see Fig. 4-9) Eq. 4-19


Fig. 4-9 Point duplication: P ● P = [2]P

It goes without saying that the point addition is commutative:

P1 ● P2 = P2 ● P1 Eq. 4-20

The points on the elliptic curve are the elements of a commutative (Abelian) group. In the following, the fulfilment of the axioms in Definition 4-5 (closure axiom, associativity axiom, identity axiom, inverse axiom) is checked. The points on the curve together with the point at infinity (O) fulfil the closure axiom. This follows immediately from Definition 4-9.

The associativity follows immediately from Definition 4-9. From Definition 4-9 it follows that

P ● -P = O Eq. 4-21

and with the commutativity

P ● -P ● P = P ● P ● -P = P ● O = O ● P = P Eq. 4-22


From Eq. 4-22 it follows that the point at infinity is really the identity element (see Definition 4-6), so the identity axiom is fulfilled.

For any point P on the curve the point -P is the inverse element, so the inverse axiom is fulfilled.

The k-times repeated group operation is called point multiplication¹³ and is denoted by

Q = [k] P Eq. 4-23

This is a one-way function. The calculation of Q from k and P is relatively simple, whereas the calculation of k from Q and P, with sufficiently big Q and P, is virtually impossible. This is called the elliptic curve logarithm problem (EC-DL problem)¹⁴.

13 This is only a shorthand notation for the repeated group operation and not a new group operation between k and P. It is more precise to say: scalar multiplication.

14 It must be emphasized again that only one operation exists in a group. The operation of the group is the point addition. This group operation is neither an addition nor a multiplication in the classical sense. This means that the use of the words “point addition”, “point multiplication” and “logarithm” is deceptive. However, we use these words because, unfortunately, they are used in this way in the literature.
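The curve of Eq. 4-12 is small enough to compute with directly. The Python code below is an added example, not part of the report: it checks Eq. 4-13, counts the points, implements the group operation and [k]P, and shows that in a group this small the EC-DL problem falls to trying every k. All function names are assumptions of this example, and the point at infinity O is represented as None.

```python
# Added example: the toy curve of Eq. 4-12, y^2 = x^3 + x + 4 over F_23.
# All names are chosen for this example; the point at infinity O is None.
P_MOD, A, B = 23, 1, 4

def is_nonsingular(a, b, p):
    """Eq. 4-13: reject curves with 4a^3 + 27b^2 = 0 mod p (double point)."""
    return (4 * a**3 + 27 * b**2) % p != 0

def on_curve(pt, a=A, b=B, p=P_MOD):
    """Membership test; validate every received point with it before use."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x**3 + a * x + b)) % p == 0

def points(a=A, b=B, p=P_MOD):
    """All affine points (x, y); feasible only because p is tiny."""
    return [(x, y) for x in range(p) for y in range(p)
            if on_curve((x, y), a, b, p)]

def neg(pt, p=P_MOD):
    """-P = (x, p - y), as in the text."""
    return None if pt is None else (pt[0], -pt[1] % p)

def add(p1, p2, a=A, p=P_MOD):
    """Group operation: chord through P1, P2 (tangent if P1 = P2), mirrored."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                      # P + (-P) = O, Eq. 4-21
    if p1 == p2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, p - 2, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, p - 2, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, pt):
    """[k]P of Eq. 4-23 by double-and-add (O(log k) group operations)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def ecdl_bruteforce(base, target, order):
    """Recover k from Q = [k]P by trying every k (O(order) operations)."""
    acc = None
    for k in range(order):
        if acc == target:
            return k
        acc = add(acc, base)
    return None

if __name__ == "__main__":
    G = (0, 2)
    print(len(points()), "affine points; with O the group has 29 elements")
    print("[2]G =", mul(2, G), " G + (1, 11) =", add(G, (1, 11)))
    print("k recovered from [17]G:", ecdl_bruteforce(G, mul(17, G), 29))
```

The gap between `mul` (logarithmic in k) and `ecdl_bruteforce` (linear in the group order) is the one-way property; it only protects anything once the group order is far beyond exhaustive search.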


4.2.9 Concluding Remarks

The asymmetrical methods are based on the characteristic of one-way functions. A one-way function is a bijective transformation of an independent variable into a dependent variable with the characteristic that computation of the function f : x → y is easy but computation of the inverse function $f^{-1}$ is 'difficult' (i.e. virtually impossible). This property allows the value of y to be published while the value of x is kept secret. One-way functions are the factorisation problem and the discrete logarithm problem. For factorisation, it is simple to multiply two (big) prime numbers, but it is difficult to find the two prime factors. For the discrete logarithm, it is easy to compute the power in a Galois field, but it is difficult to compute the corresponding discrete logarithm (DL problem). The DL problem for the elliptic curve (EC-DL problem) is defined in Eq. 4-23. For different applications see section 2.3.3.3.

For cryptographic applications the one-way property is embedded in a cryptographic protocol. The classical protocols are based on a Galois field, and the protocol is defined over the field (see Fig. 4-10).

Fig. 4-10 Classical protocol definition (see RSA in 2.3.3.3). Layers shown in the figure: protocols and algorithms over the Galois field; Galois field.

EC protocols and algorithms are defined over a group of an elliptic curve and the elliptic curve is defined over the Galois field.


Fig. 4-11 EC protocol definition (see EC-DSA in 2.3.3.3). Layers shown in the figure: protocols and algorithms over the elliptic curve group; group definition with the elliptic curve $y^2 = x^3 + ax + b$ over the Galois field; Galois field.

The group algebra of an elliptic curve is parameterised with the parameters a and b. Properly defined parameters afford more safety and allow the use of smaller keys. To construct the correct elliptic curve see [BSS2002].

In this short annex we discussed only the Galois field $F_p$ with p prime. It is possible to define a Galois field with $p^m$, where p is prime and $m \in \mathbb{N}$. The most used prime is the prime 2. In this case the curve definition (Eq. 4-11) has a modified form, but the degree of the curve is 3, as in Eq. 4-11, and the definition of the group operation is the same too.

The so-called hyperelliptic curves have a higher degree than the curve in Eq. 4-11, and the group operation is defined differently from that in Fig. 4-6, Fig. 4-7 and Fig. 4-8.

4.3 Detailed Description of Attacks to RSA Algorithm

In order to give an impression of the costs of attacks on encryption algorithms, a relatively easy mathematical attack on the RSA algorithm is described below.

The main attacks of the RSA algorithm are:

In step 2 on page 52 : compute p and q ← n (factorisation attack)

In step 3 on page 52 : compute φ(n) ← n (estimation attack of φ(n) from n)

In step 8 on page 52 : compute m ← c (discrete logarithm attack).


For the secure use of RSA it is necessary to control the quality of all numbers and to use relatively long numbers. For the next few years an RSA key of 2048 bit is necessary. However, there are special cases which are not secure. We discuss here only the factorisation attacks. Methods of factorization can be categorized as follows:

• methods to easily find small prime factors, e.g. exhaustive division by suitable prime factors, Pollard’s Rho or Lenstra’s elliptic curves method.

• methods to combine congruencies, like number field sieves, e.g. the quadratic sieve or the continued fraction algorithm.

In the following section, number field sieves are considered in more detail.

Differences of Squares

Dividing a given natural number N by way of trial by each prime less than sqrt(N) quickly gets impractical if N becomes large. Fermat already tried to represent N as a difference of squares, e.g. $N = 1591 = 1600 - 9 = 40^2 - 3^2 = (40+3)(40-3) = 43 \cdot 37$. The general idea is based on a lemma attributed to Fermat.

Lemma

Let $X, Y \in \mathbb{Z}$ and $N \in \mathbb{N}$. If $X^2 = Y^2 \bmod N$ and $X \neq \pm Y \bmod N$, then gcd(N, X+Y) and gcd(N, X-Y) are non-trivial factors of N.


Proof

The first condition $X^2 = Y^2 \bmod N$ is equivalent to $N \mid (X+Y)(X-Y)$. Hence N is a factor of said product. Due to the second condition N is a factor neither of X+Y nor of X-Y. Therefore, both X+Y and X-Y have a factor in common with N. ■

This lemma leads to the following version of a factorizing algorithm:

1. For a given $N \in \mathbb{N}$ find X and Y with $X^2 = Y^2 \bmod N$ and $X \neq \pm Y \bmod N$.

2. Compute gcd(N, X+Y) and gcd(N, X-Y) by way of the Euclidean algorithm.

3. Repeat the first two steps until N is fully factorized.

Remark

If $2 \nmid N$ is a product of two natural numbers p and q, not necessarily prime, i.e. N = p·q, then there exists a pair (X, Y) of numbers with $X^2 = Y^2 \bmod N$, namely X := (p+q)/2 and Y := (p-q)/2 with

1. $X^2 - Y^2 = (p^2 + 2pq + q^2)/4 - (p^2 - 2pq + q^2)/4 = p \cdot q = N$

2. $X - Y = q \neq 0 \bmod N$ and $X + Y = p \neq 0 \bmod N$

The following theorem guarantees the existence of enough $X, Y \in \mathbb{Z}$ with $X^2 = Y^2 \bmod N$ and not too many $X, Y \in \mathbb{Z}$ with additionally $X \neq \pm Y \bmod N$.

Theorem

Let $2 < N \in \mathbb{N}$ be an odd, composite natural number with prime factor representation $N = \prod p_i^{e_i}$.

Then there are $\varphi(N) \cdot 2^k$ ordered pairs (X, Y) of natural numbers which satisfy

$1 \le X, Y \le N$, $\gcd(XY, N) = 1$, and $X^2 = Y^2 \bmod N$.

This set of ordered pairs (X, Y) contains $\varphi(N) \cdot 2$ ordered pairs which in addition satisfy

$X = \pm Y \bmod N$.

Proof

Let $1 \le X_o \le N$ be relatively prime to N, i.e. $\gcd(X_o, N) = 1$. We will show that there are $2^k$ ordered pairs $(X_o, Y)$ satisfying $1 \le X_o, Y \le N$, $\gcd(X_o Y, N) = 1$, and $X_o^2 = Y^2 \bmod N$. The solutions Y are constructed by way of the Chinese Remainder Theorem.

Let $p_i$ be a prime factor of N. Consider $X_o^2 = Y^2 \bmod p_i^{e_i}$, which is equivalent to $p_i^{e_i} \mid (X_o+Y)(X_o-Y)$.

Assume that $p_i^{e_i} \mid (X_o+Y)$ and $p_i^{e_i} \mid (X_o-Y)$. This implies $p_i \mid (X_o+Y)+(X_o-Y)$, i.e. $p_i \mid 2X_o$. Because N is odd we know that $p_i \neq 2$, so that $p_i \mid X_o$ follows, contradicting the precondition $\gcd(X_o, N) = 1$.

Therefore, $p_i^{e_i}$ is a factor of either $X_o+Y$ or $X_o-Y$. Thus, if $Y = \pm X_o \bmod p_i^{e_i}$ then Y is a suitable solution.


Together $p_i \neq 2$ and $\gcd(X_o, p_i^{e_i}) = 1$ imply $\gcd(2X_o, p_i^{e_i}) = 1$, i.e. $X_o$ and $-X_o$ are incongruent modulo $p_i^{e_i}$. Hence there are exactly two solutions Y of $X_o^2 = Y^2 \bmod p_i^{e_i}$ for each $1 \le i \le k$. The Chinese Remainder Theorem then guarantees $2^k$ solutions of $X^2 = Y^2 \bmod N$ as required.

The second statement of the theorem is obvious since by precondition N is odd and $\gcd(X_o, N) = 1$, so that $X_o$ and $-X_o$ are incongruent modulo N, implying that there are exactly two Y which satisfy $X_o = \pm Y \bmod N$ with $1 \le Y \le N$ and $\gcd(Y, N) = 1$. ■

Corollary

The two factors gcd(N, X+Y) and gcd(N, X-Y) are complementary factors (no factor of N is a factor of both X+Y and X-Y). If N is a power of a prime then N cannot be represented as a difference of squares, because according to the theorem all pairs (X, Y) with $X_o^2 = Y^2 \bmod N$ at the same time fulfil $X = \pm Y \bmod N$.

Summarizing, we see that the number of promising pairs (X,Y) is too large to make the guess and check approach feasible. The next section presents a method to generate suitable quadratic congruencies.

Factor Bases

Definition

Congruencies (X, Y) with $X^2 = Y \bmod N$ and $X \neq \pm Y \bmod N$ are called simple quadratic. Congruencies (X, Y) with $X = Y \bmod N$ are called simple.

The idea is to multiply several simple quadratic congruencies in order to get a quadratic congruency.

A natural number Y with known prime factor decomposition $Y = \prod p_i^{e_i}$ is quadratic if all $e_i$ are even. The exponent vector, i.e. the vector $(e_i)_{i=1 \ldots \infty}$, of a quadratic Y has only even coordinates. Hence, in multiplying simple quadratic congruencies $(X, Y_i)$ with $X^2 = Y_i \bmod N$ we have to make sure that the sum of the exponent vectors of the $Y_i$ has only even coordinates. It obviously suffices to check that the sum of exponent vectors modulo 2 has only even coordinates.

In order not to handle exponent vectors of any length, Morrison and Brillhart have limited their lengths.

Definition

A factor basis is defined to be the set of all primes less than a (not too large) threshold B depending on N. A natural number Y is called B-smooth if all prime factors of Y are less than B. Then, the length of exponent vectors is pi(B) = # {$1 \le p \le B$: p is prime}. Let us call $v(Y_i)$ the modulo 2 reduced exponent vector of $Y_i$. Then $v(Y_i)$ is an element of the pi(B)-dimensional vector space $F_2^{pi(B)}$. In this vector space pi(B)+1 vectors are linearly dependent, so that pi(B)+1 simple congruencies $X_i^2 = Y_i \bmod N$ can always be combined to a quadratic congruence by way of the efficient Gauss elimination modulo 2. This all amounts to Dixon’s Random Squares Method [Dix1981].


Step 1

a) Choose 1 < a < N at random. Compute $r_a = a^2 \bmod N$, the smallest non-negative remainder of $a^2$ divided by N.

b) Compute $v(r_a)$. If $v(r_a)$ is the zero vector then check whether or not $a = \prod p_i^{e_i/2}$ holds. If it does then discard this congruency and continue with step c). Otherwise define X = a and $Y = \prod p_i^{e_i/2}$ and stop.

c) Repeat steps a) and b) until pi(B)+1 congruencies have been established.

Step 2

From these pi(B)+1 column vectors $v(r_a)$ build the pi(B) x (pi(B)+1) matrix R and solve the system of linear equations R x = 0 for $x \in F_2^{pi(B)+1}$ by Gauss elimination modulo 2.

Step 3

Compute f(p) = and set $Y = \prod p_i^{f(p)}$ and $X = \prod a_i^{x_i}$….

Then, we have $X^2 = Y^2 \bmod N$ by construction.

An advantage is that the complexity of this algorithm is known; a disadvantage is that there are more efficient factorization methods, namely sieves.
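The lemma and the three steps above can be followed on small numbers. The Python code below is an added example, not part of the report: to keep runs reproducible it scans a = ⌊√N⌋+1, ⌊√N⌋+2, … instead of choosing a at random, and it performs the elimination modulo 2 incrementally as each relation arrives. Taking Y from half of the summed exponents is the standard construction and is assumed here; the function names and the default bound are this example's.

```python
from math import gcd, isqrt

def primes_below(bound):
    """Factor basis: all primes less than the threshold B."""
    return [p for p in range(2, bound)
            if all(p % q for q in range(2, isqrt(p) + 1))]

def exponent_vector(y, base):
    """Exponents of y over the factor basis, or None if y is not B-smooth."""
    if y == 0:
        return None
    exps = []
    for p in base:
        e = 0
        while y % p == 0:
            y //= p
            e += 1
        exps.append(e)
    return exps if y == 1 else None

def dixon_factor(n, bound=20, max_tries=20000):
    """Return a non-trivial factor pair of n, or None if none was found."""
    base = primes_below(bound)
    rels = []    # relations (a, exponent vector of r_a = a^2 mod n)
    basis = {}   # pivot bit -> (parity vector v, bitmask of combined relations)
    start = isqrt(n) + 1
    for a in range(start, start + max_tries):
        exps = exponent_vector(a * a % n, base)
        if exps is None:
            continue                       # r_a is not B-smooth, discard
        rels.append((a, exps))
        vec = sum((e & 1) << i for i, e in enumerate(exps))   # v(r_a)
        combo = 1 << (len(rels) - 1)
        while vec:                         # Gauss elimination modulo 2
            pivot = vec.bit_length() - 1
            if pivot not in basis:
                basis[pivot] = (vec, combo)
                break
            vec ^= basis[pivot][0]
            combo ^= basis[pivot][1]
        else:
            # The parity vectors of the selected relations sum to zero, so the
            # product of their r_a is a square: X^2 = Y^2 mod n.
            x, total = 1, [0] * len(base)
            for j, (aj, ej) in enumerate(rels):
                if combo >> j & 1:
                    x = x * aj % n
                    total = [t + e for t, e in zip(total, ej)]
            y = 1
            for p, t in zip(base, total):
                y = y * pow(p, t // 2, n) % n   # half of each summed exponent
            f = gcd(x - y, n)
            if 1 < f < n:                  # X = +-Y mod n gives f = 1 or f = n
                return f, n // f
    return None

if __name__ == "__main__":
    # 1591 is the number used in the text; 2041 needs four relations combined.
    for n in (1591, 2041):
        print(n, "=", dixon_factor(n))
```

For N = 1591 the first candidate a = 40 already gives the square residue 9, which is Fermat's difference of squares from the text; for N = 2041 the relations for a = 46, 47, 49 and 51 are combined by the elimination.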

Sieve Based Methods

The theoretical foundation of the following description of the factorizing algorithm based on the general number field sieve (NFS) can be found in [BLP1993], [BL1993]. Let $f(x) = f_D x^D + f_{D-1} x^{D-1} + \ldots + f_o \in \mathbb{Z}[x]$ be a polynomial of degree D that is irreducible over Q, and let $m \in \mathbb{N}$ be such that $f(m) = 0 \bmod n$ but $f(m) \neq 0$. Let $\rho \in \mathbb{C}$ be a complex root of f. Then $\mathbb{Q}[x]/f(x) = \mathbb{Q}(\rho)$ is a field. Define the polynomial g(x) by $g(x) := f_D^{D-1} f(x/f_D)$. Then the following lemma holds.

Lemma

1. The polynomial $g(x) \in \mathbb{Z}[x]$ is normalized and irreducible.

2. $\omega = f_D \rho$ is a root of g(x).

3. The two fields Q(ρ) and Q(ω) are isomorphic.

4. The mapping $\psi : \mathbb{Z}[\omega] \to \mathbb{Z}/n\mathbb{Z}$ defined by $\psi(\omega) = f_D m \bmod n$ is a ring isomorphism.

Now, the idea is to define a set $S \subset \mathbb{Z}^2$ of an even number of pairs $(a,b) \in \mathbb{Z}^2$ such that

$\prod_{(a,b) \in S} (a + b m) = x_o^2 \in \mathbb{Z}$ and $\prod_{(a,b) \in S} (a + b\rho) = \delta_o^2$ where $\delta_o \in \mathbb{Q}(\rho)$.

Then

$f_D^{|S|} \prod_{(a,b) \in S} (a + b\rho) = \prod_{(a,b) \in S} (f_D a + b\omega) := \delta^2 \in \mathbb{Z}[\omega]$

is a square in Z[ω].


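Because ψ is a homomorphism we obtain the following quadratic congruency

$y^2 := \psi(\delta)^2 = \psi(\delta^2) \bmod n = \psi\left( \prod_{(a,b) \in S} (f_D a + b\omega) \right) \bmod n$

$= \prod_{(a,b) \in S} \psi(f_D a + b\omega) \bmod n = \prod_{(a,b) \in S} (f_D a + b f_D m) \bmod n$

$= f_D^{|S|} \prod_{(a,b) \in S} (a + b m) \bmod n = f_D^{|S|} x_o^2 =: x^2$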

Summarizing, computing the square root of x² in Z and the square root of δ² in Z[ω] a quadratic congruency is obtained.

Hence, essentially the number field sieve algorithm consists of the following basic steps:

Input: an odd, composite $n \in \mathbb{N}$ which is not a power of a prime.

1. Choose a suitable polynomial f(x), irreducible over Q, with root ρ and some integer $m \in \mathbb{N}$ such that $f(m) = 0 \bmod n$ but $f(m) \neq 0$.

2. Compute a set S of an even number of pairs $(a,b) \in \mathbb{Z}^2$ with

$\prod_{(a,b) \in S} (a + b m) = x_o^2 \in \mathbb{Z}$ and $\prod_{(a,b) \in S} (a + b\rho) = \delta_o^2$ where $\delta_o \in \mathbb{Q}(\rho)$.

3. Compute the square root x of $f_D^{|S|} \prod_{(a,b) \in S} (a + b m)$ in Z and the square root δ of $\prod_{(a,b) \in S} (f_D a + b\omega)$ in Z[ω] and set y = ψ(δ).

4. Compute $n_1 = \gcd(x-y, n)$ and $n_2 = \gcd(x+y, n)$. If $n_1$ (and hence also $n_2$) is a trivial divisor of n then repeat the algorithm starting from step 2 with a new set S.

Output: the two factors $n_1$ and $n_2$ of n, i.e. $1 < n_1, n_2 \in \mathbb{N}$ with $n = n_1 n_2$.

Two remarks are in order:

First, the congruencies constructed by the algorithm might not fulfil $x \neq \pm y \bmod n$. Even if there is no proof that the factors constructed by the algorithm are generated at random, practice seems to corroborate that this is the case. Because there are two favourable out of four possible cases how the factors may be assigned to x-y or x+y, it is sensible to state that the probability of a non-trivial factor is ½. Therefore, a small number of runs of steps 2 to 4 will generate non-trivial factors of n with sufficiently high probability.

Second, in order to reduce the size of the set S it is sensible to restrict the pairs (a,b) of S to be relatively prime: namely, for $(a,b) \in S$ with gcd(a,b) > 1 let $a_o = a/\gcd(a,b)$ and $b_o = b/\gcd(a,b)$. Then we have

$\gcd(a,b)\, f_D (a_o + b_o m) = f_D (a + b m) = \psi(f_D a + b\omega) = \psi(\gcd(a,b)(f_D a_o + b_o \omega)) = \gcd(a,b)\, \psi(f_D a_o + b_o \omega) \bmod n$

Dividing both sides by gcd(a,b) we get the same congruency as generated by the pair $(a_o, b_o)$. Summarizing, pairs (a,b) with gcd(a,b) > 1 do not provide new congruencies.


Construction of S to Sieve Based Methods

The construction consists of two steps: first, a set T of favorable pairs $(a,b) \in \mathbb{Z}^2$ is constructed, and second, from this set T of pairs the set S is extracted which fulfills

$\prod_{(a,b) \in S} (a + b m) = x_o^2 \in \mathbb{Z}$ and $\prod_{(a,b) \in S} (a + b\rho) = \delta_o^2$ where $\delta_o \in \mathbb{Q}(\rho)$.

Construction of T

Again, to generate quadratic congruencies it is sensible to generate pairs of integer numbers with known prime factor decomposition. To do so, the number field sieve uses two factor bases: a so-called rational one, i.e. $FB_R = \{p_1, p_2, \ldots, p_R\}$ of the first R primes, and a so-called algebraic one, i.e. $FB_A = \{(p_1, c_{p_1}), (p_2, c_{p_2}), \ldots, (p_A, c_{p_A})\} \subset R = \{(p, c_p) : f(c_p) = 0 \bmod p,\ p \text{ is prime and no factor of } f_D \text{ and } c_p \in \{0, 1, \ldots, p-1\}\} \cup \{(p, \infty) : p \text{ is a factor of } f_D\}$. The number p in $(p, c_p) \in R$ is called the norm of a factor basis element. Let the function N(a,b) be defined by $N(a,b) := (-b)^D f(-a/b)$.

Definition: A pair $(a,b) \in \mathbb{Z}^2$ is called a (good) relation if and only if a and b are relatively prime and if

$a + b m = \prod_{p \in FB_R} p^{e_p}$ with $e_p \in \mathbb{N}_0$ and $|N(a,b)| = \prod_{(p,c_p) \in FB_A} p^{f_{(p,c_p)}}$ with $f_{(p,c_p)} \in \mathbb{N}_0$

for a given rational factor basis $FB_R$ and a given algebraic factor basis $FB_A$.

Remark:

The second property, that N(a,b) decomposes over $FB_A$, guarantees in the end that $\sum_{(a,b) \in S} f_{(p,c_p)}(a + b\rho)$ is even. A proof of this fact can be found in [BLP1993].

Starting with a grid $AB = \{(a,b) \in \mathbb{Z}^2 : A_{min} \le a \le A_{max} \text{ and } 1 \le b \le B_{max}\}$, firstly pairs which are not relatively prime are deleted from AB (gcd-sieve), secondly pairs which do not decompose over $FB_R$ are deleted from AB (rational sieve), and thirdly pairs for which N(a,b) does not decompose over $FB_A$ are deleted from AB (algebraic sieve). Firstly, the very many divisions in the gcd-sieve are avoided by computing a starting index in each row of AB and identifying the elements to be deleted by incrementation of this index. Secondly, a similar idea can be used to identify pairs which do not decompose over $FB_R$.

Construction of S

From the set T all pairs (a,b) with odd exponents in the prime factor decomposition of a + b m are to be deleted. (The idea is to control the deletion/selection on the parity of the exponents.) This deletion is based on a theorem by [BLP1993] and on the solution of a system of linear equations with a sparse binary coefficient matrix A, namely $S = \{(a,b) \in T : \lambda(a,b) = 1\}$, where λ(a,b) are the binary coefficients of the modulo 2 exponent vectors of a + b m over $FB_R$ and N(a,b) over $FB_A$.


Computing the Square Roots to Sieve Based Methods

In the following, certain quadratic factors involving the polynomial g are omitted. The computation of the square root of $f_D^{|S|} \prod_{(a,b) \in S} (a + b m)$ in Z is relatively simple because |S| and the exponents over the chosen factor basis $FB_n$ are even, so that

$x = f_D^{|S|/2} \prod_{p_i \in FB_n} p_i^{\frac{1}{2} \sum_{(a,b) \in S} e_i(a,b)}$

follows.

In order to compute the square root of $\prod_{(a,b) \in S} (f_D a + b\omega)$ in Z[ω] one can factorize the polynomial $X^2 - \prod_{(a,b) \in S} (f_D a + b\omega) \in \mathbb{Q}(\omega)[X]$ over Q(ω) by methods of [Wan1976] or [WR1976].

However, methods using so called inert primes together with ideas of Couveignes are demonstrated to be more efficient in [Zay2005].


Run-time of the Factorisation

Investigations of [BLP1993] show that the run-time complexity of factorisation by the number field sieve is subexponential as is the run-time complexity of factorisation by the quadratic sieve in [DDL1993].

However, the factorisation by number field sieve is asymptotically more efficient than by the quadratic sieve.

In order to give some impression of the run-time of the number field sieve algorithm to factorise large integer numbers some practical results are presented in [Zay2005]. Obviously, choice of the polynomial f and the number m, choice of the size of the factor bases and, in general, parallelisation is the key to efficient factorisation of large integers.

Decimal digits of n    Run-time of the algorithm on a 21 MIPS machine
10                     27 sec
20                     58 sec
30                     344 sec
40                     35 min
50                     25.72 hours
60                     90.5 hours
65                     253 hours
71                     55.5 days
75                     100 days
80                     176 days
107                    7 years

Table 4-1 Factorization runtime vs. decimal digits


4.4 Overview Cryptographic Methods and Algorithms

There are several methods available upon which security services like confidentiality, authenticity and data integrity are based:

• Key agreement

• Symmetric encryption / decryption: uses the same key for encryption and decryption of the message

• Symmetric authentication (also provides data integrity): uses the same key for signing the message and for verifying its signature

• Asymmetric public-key encryption / decryption: uses different keys that are related by some mathematical principles. Encryption is performed with the publicly known encryption key (public key), decryption with the secret decryption key (private key). Everyone can encrypt a message, but only the intended recipient can decrypt it

• Asymmetric public-key authentication (also provides a data integrity check): uses different keys that are related by some mathematical principles. Signing of the message is performed with the secret signing key (private key), verification of the message's signature with the publicly known verification key (public key). Everyone can verify the signature of a message, but only the intended signer can sign it

The methods above are used to build three basic types of cryptosystems:

• Pure symmetric cryptosystems using only symmetric methods:
  o Used in some special applications
  o Low complexity
  o High data throughput
  o Requires complex and sophisticated key distribution scheme

• Pure asymmetric cryptosystems using only asymmetric methods:
  o Rather unusual
  o More complex than symmetric systems
  o Low data throughput
  o Only practicable for small amounts of data (up to a few kBytes)

• Hybrid cryptosystems using symmetric and asymmetric methods to overcome the disadvantages and limitations of the above types:
  o Most commonly used type of cryptosystem
  o More complex than pure asymmetric systems
  o Allows high data throughput by using symmetric methods
  o Mitigates the key distribution problem by using asymmetric methods (either session key agreement procedure, or asymmetric session key encryption)


Three main scenarios for secure (confidential and authenticated) communication are:

• Bi-directional communication using pre-shared keys (shared secret); unidirectional communication is also possible:
  o Uses symmetric encryption / decryption and authentication methods
  o The session keys (or some kind of secret data used to generate the session keys) are pre-shared between the communication partners, i.e. they are distributed in an appropriate way among the partners ahead of communication, e.g. as code-books
  o Each communication session uses a key pair (dedicated encryption and authentication key) from the pool of available keys. Under some circumstances each direction requires a dedicated key pair, so a total of four keys per session may be needed. In general, each key should be used for at most one session, after which it should be removed from the pool.

• Bi-directional communication using on-demand session keys generated during a preceding key agreement phase:
  o Uses key agreement and asymmetric authentication methods for session key agreement, and symmetric encryption / decryption and authentication methods for subsequent communication
  o In general, key agreement methods only allow common session keys to be established between communication partners; they cannot provide definite evidence that the session keys were established with the desired communication partner (vulnerable to man-in-the-middle attack). Therefore, key agreement methods are often used in conjunction with asymmetric authentication methods. The authentication methods ensure that the data exchanged during the key agreement phase originates from the desired communication partner; the key agreement methods establish session keys that are known by the desired communication partners only.

• Unidirectional communication using on-demand session keys, which are themselves encrypted by means of asymmetric encryption methods, allowing the addressed recipient to recover the session keys:
  o Uses asymmetric encryption / decryption and authentication methods for the session keys, and symmetric encryption / decryption and authentication methods for the message itself
  o Used when key agreement methods cannot be applied because the communication is unidirectional (e.g. E-mail communication)
  o The sender generates session keys, encrypts and signs the message, then encrypts the session keys with the public encryption key of the recipient and signs those encrypted session keys with its own private sign key (footnote 15). The encrypted and signed session keys, followed by the encrypted and signed message, are sent to the recipient. The recipient verifies the signature of the encrypted session keys with the public verification key of the sender and decrypts the session keys with its own private decryption key, then verifies the signature of the message and decrypts the message using the session keys.

15 Whether the session keys are first encrypted and the encrypted session keys are then signed or the session keys are first signed and the signed session keys are then encrypted (together with the signature) depends on the used algorithms since some asymmetric encryption algorithms force limitations on the amount of data to be encrypted


4.4.1 Key Agreement

Key agreement methods are used to mitigate the key distribution problem for symmetric encryption / decryption and authentication methods. Instead of intricate and vulnerable key distribution ahead of communication, key agreement methods allow the session keys to be generated (agreed) on demand in a secure way, resulting in the use of unique (footnote 16) session keys for each communication session. The following attributes of key agreement protocols are desired:

• Known-key security: key agreement protocol should generate unique session keys; the overall security of protocol should not be affected by an adversary learning some session keys

• Forward secrecy: compromising of long-term secret keys of one or more communication parties should not affect the secrecy of previously generated session keys

• Key control resistance: neither communicating party should be able to force the session key to a specific value

• Key-compromise impersonation resistance: disclosure of A's long-term private key should not allow an adversary to impersonate other parties to A (an adversary can impersonate A to other parties since the long-term private key is precisely the value that identifies A)

• Key (entity) authentication: the secret session keys should be agreed between the identified communicating parties only

• Unknown key-share attack resistance: communication party B (e.g. a bank) cannot be coerced to share the session keys with A (e.g. a customer) without B's knowledge. This is an attack on the last point if the key confirmation step is omitted: a dishonest party E (e.g. an adversary) leads B to believe it shares the session keys with E, but in fact B shares the session keys with A. Based on the false assumption that B shares the keys with E, B may act upon data transmitted by A as if the data originated from E, i.e. the identity of A is adopted by E.

There are three classes of key agreement methods, providing:

• Agreed-only session keys: communicating parties A and B have agreed (footnote 17) upon session keys, but neither A nor B has sent authenticated exchange data (compliant with the first three attributes)

• Authenticated session keys (AK): communicating parties A and B have agreed upon session keys, and A and B have sent authenticated (footnote 18) exchange data (compliant with all attributes except the last)

• Authenticated and confirmed session keys (ACK): communicating parties A and B have agreed upon session keys, A and B have sent authenticated exchange data, and they have confirmed that they use the same session keys (compliant with all attributes)

The authentication during key agreement may be performed in an implicit or an explicit way:

16 The probability to hit an already used key is negligible due to the size of key space (e.g. 2^256 ≈ 10^77 different keys for AES-256)

17 A and B believe that they use the same session keys, but they have not confirmed that

18 No additional authentication data is sent for key agreement methods using implicit authentication


• Implicit authentication uses the values of the ephemeral public and private keys (used for generation of the unique session keys) as well as the values of the long-term public and private keys (used for authentication) of both parties to calculate the session keys. A party uses its private ephemeral and long-term keys, the long-term public key of the other party and the ephemeral public keys of both parties to calculate the session keys. Since the long-term private key is also used for the calculation of the session keys, only the desired communication parties are able to calculate the same session keys. Of course, the authenticity of the other party's long-term public key must be verified by some means, e.g. by using certificates. The advantages of implicit authentication are (often) the reduced number of expensive computations and lower bandwidth. On the other hand, an implicit authentication protocol must be designed very carefully to minimize the impact of possible attacks, and many implicit authentication protocols were proven to be vulnerable.

• Explicit authentication uses only the values of the ephemeral public and private keys to calculate the session keys. A party uses its private ephemeral key and the public ephemeral keys of the other party to calculate the session keys. The exchanged key agreement data is explicitly authenticated by using asymmetric authentication methods (i.e. digital signatures), thus requiring long-term private and public keys for authentication. Since the origin of the key agreement data is authenticated, the session keys are established among the desired communication parties. The fact that the session keys are derived from the ephemeral keys only means that an adversary needs to learn only one private ephemeral key (footnote 19) and capture the related exchanged key agreement data (as sent over the public network) to easily impersonate this party to the others in the future. The adversary then possesses the private ephemeral key for key derivation and a properly authenticated public ephemeral key that other parties will silently accept.

19 It is often noted that many implementations do not protect their private ephemeral keys as strongly as the private long-term key
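The difference between agreed-only session keys and authenticated, confirmed session keys (explicit authentication) can be made concrete with a small ephemeral Diffie-Hellman exchange. This is an added example, not part of the original report: the group (modulus 2^127 − 1, base 3), the Schnorr-style signature used for explicit authentication, the message format and all function names are assumptions chosen for illustration, and the parameters are far too small for real use.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1      # Mersenne prime, toy modulus only (assumption)
G = 3               # fixed base (assumption)
ORDER = P - 1       # exponents are reduced mod P-1 (Fermat's little theorem)

def keypair():
    priv = secrets.randbelow(ORDER - 2) + 1
    return priv, pow(G, priv, P)

def _challenge(r, msg):
    return int.from_bytes(hashlib.sha256(b"%d|" % r + msg).digest(), "big") % ORDER

def sign(lt_priv, msg):
    # Schnorr-style signature: s = k + x*e, checked as g^s == r * y^e.
    k, r = keypair()
    return r, (k + lt_priv * _challenge(r, msg)) % ORDER

def verify(lt_pub, msg, sig):
    r, s = sig
    return pow(G, s, P) == (r * pow(lt_pub, _challenge(r, msg), P)) % P

def session_key(own_eph_priv, peer_eph_pub):
    if not 1 < peer_eph_pub < P - 1:          # reject degenerate public values
        raise ValueError("invalid ephemeral public key")
    shared = pow(peer_eph_pub, own_eph_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def unauthenticated_exchange_with_relay():
    """Agreed-only keys: nothing ties an ephemeral value to its sender."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    e_priv, e_pub = keypair()                  # relay swaps in its own value on both legs
    key_a = session_key(a_priv, e_pub)         # A believes this is B's value
    key_b = session_key(b_priv, e_pub)         # B believes this is A's value
    return (key_a == key_b,
            key_a == session_key(e_priv, a_pub),
            key_b == session_key(e_priv, b_pub))

def signed_offer(sender, receiver, lt_priv):
    eph_priv, eph_pub = keypair()
    msg = b"%s>%s:%d" % (sender, receiver, eph_pub)
    return eph_priv, eph_pub, sign(lt_priv, msg)

def accept_offer(sender, receiver, sender_lt_pub, eph_pub, sig, own_eph_priv):
    msg = b"%s>%s:%d" % (sender, receiver, eph_pub)
    if not verify(sender_lt_pub, msg, sig):
        raise ValueError("ephemeral key not authenticated by " + sender.decode())
    return session_key(own_eph_priv, eph_pub)

def authenticated_exchange(tamper=False):
    """Explicit authentication plus key confirmation (the ACK class)."""
    # Long-term public keys are assumed authentic, e.g. verified via certificates.
    a_lt_priv, a_lt_pub = keypair()
    b_lt_priv, b_lt_pub = keypair()
    a_eph, a_pub, a_sig = signed_offer(b"A", b"B", a_lt_priv)
    b_eph, b_pub, b_sig = signed_offer(b"B", b"A", b_lt_priv)
    if tamper:
        _, a_pub = keypair()                   # value replaced in transit
    key_b = accept_offer(b"A", b"B", a_lt_pub, a_pub, a_sig, b_eph)
    key_a = accept_offer(b"B", b"A", b_lt_pub, b_pub, b_sig, a_eph)
    # Key confirmation: A sends a MAC over the transcript, B recomputes it.
    transcript = b"A|%d|%d" % (a_pub, b_pub)
    tag_from_a = hmac.new(key_a, transcript, hashlib.sha256).digest()
    tag_expected = hmac.new(key_b, transcript, hashlib.sha256).digest()
    return key_a == key_b, hmac.compare_digest(tag_from_a, tag_expected)

if __name__ == "__main__":
    print("relay case:", unauthenticated_exchange_with_relay())
    print("authenticated:", authenticated_exchange())
```

In the unauthenticated case both parties complete the exchange without any error, yet they hold different keys, each shared with the relay; with signed ephemeral values the substituted key is rejected before any session key is derived.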


4.4.2 Symmetric Encryption

Only one key is used by the symmetric encryption algorithm for the encryption operation and decryption operation. Often, the decryption key is absolutely equivalent to the encryption key. A somewhat different decryption key is needed by a few encryption algorithms, but mostly the key scheduler of the encryption algorithm generates the decryption key out of the encryption key, so the user only needs to know the encryption key.

4.4.2.1 Classes of Algorithms

A possible classification of symmetric key algorithms, with popular algorithms for each class, is shown in Figure 4-1. Stream ciphers encrypt the bits of the message one at a time, and block ciphers take a number of bits and encrypt them as a single unit. In general, a stream cipher is less efficient than a block cipher algorithm. Each block cipher can be turned into a stream cipher by using the right mode [DSIIDA2]. Therefore, only block cipher algorithms are explored in this document. Modern cipher algorithms belong to the class of product ciphers. Shannon introduced the principles of confusion and diffusion, which are used by product ciphers. The development of good block cipher algorithms is based upon these two principles (refer to [Sch96]).

Confusion is used to obscure the relationship between the plain text, the cipher text and the key. This can be done by substitution: an input of plain text is mapped to an output of cipher text. Such a module is called an S-Box. An S-Box can be an XOR operation or a look-up table.

Diffusion is used to distribute the effects of particular bits of the plain text or the key over as much of the cipher text as possible. The easiest way to achieve diffusion is transposition or permutation. In a simple permutation encryption algorithm the plain text information is only arranged in a different manner. Modern encryption algorithms use more complex types of diffusion in order to ensure that the plain text is scattered over the whole cipher text.

The security of most block ciphers is increased by using several rounds, meaning that relatively weak operations are concatenated in one round and repeated several times. A product cipher that uses substitution and permutation can be called a substitution-permutation network (SP-Network). AES and IDEA are SP-networks, and they are also product and block ciphers.

A Feistel cipher or Feistel network is a product cipher with a particular structure. It was first used by the IBM cryptographer Horst Feistel. The advantage of the Feistel network is that the encryption and decryption operations are very similar, even identical in some cases, requiring only a reversal of the key schedule (refer to [Sch96]). A typical Feistel network is the DES algorithm.


[Figure 4-1: tree diagram of symmetric key algorithms. Stream ciphers: RC4, One-Time-Pad. Block ciphers (product ciphers): Feistel networks (Blowfish, DES, CAST-128) and substitution-permutation networks (AES, IDEA).]

Figure 4-1 Symmetric encryption classes and typical algorithms.


4.4.2.2 Mode of Operation

The modes of operation, their synchronization behavior and their error propagation were already discussed in [DSIDA2]. Nevertheless, a short summary and update is given in this section. A block cipher can be used in an encryption system in different ways. All modes of operation can provide confidentiality and some can provide message integrity.

The most commonly used modes are listed in Table 4-2. This list is not exhaustive. For more information about encryption modes refer to [ISO10116], [Sch96].

The behavior regarding self synchronization, error propagation and known security issues is shown in Table 4-3. The property of a mode to recover from bit errors on the transmission line or on the RF-link is called self synchronization.

| Name | Description |
|---|---|
| Modes providing only confidentiality | |
| ECB | Electronic CodeBook Mode: The simplest encryption mode is the electronic codebook (ECB) mode. A plain text is encrypted to cipher text in blocks of N bits by a block cipher with an N bit wide data input. This is the native usage of a block cipher. The encrypted data blocks do not depend on any previously encrypted data block, and two data blocks with identical plain text have the same values if the same encryption key is used. |
| CBC | Cipher Block Chaining Mode: In CBC mode the current plain text block is XORed with the previous cipher text block. For the first plain text block a value called Initialization Vector (IV) is taken instead of the cipher text block. The IV is used to get a different cipher text although the plain text and encryption key are the same in two separate encryption processes. |
| CFB | Cipher FeedBack Mode: In CFB mode the plain text block is XORed with the result of encrypting the previous cipher text or, the first time, with the result of encrypting the Initialization Vector (IV). The block algorithm is only used in encryption mode. It is possible to use the block algorithm with a block width of m bit as a stream cipher with a block width of 1 ≤ n ≤ m bit. |
| OFB | Output FeedBack Mode: The plain text is XORed with the result of the last encrypted feedback value, starting with the Initialization Vector (IV). Because the feedback does not depend on the plain text or cipher text, it is sometimes called internal feedback. The block algorithm is only used in encryption mode. |
| CTR | Counter Mode: In CTR mode the plain text is XORed with the result of an encrypted counter. The security of the CTR mode is based only on the block algorithm, not on the counter characteristics. It is only necessary that the counter changes its value for each encryption round. It is possible to encrypt less than the m-bit block width of the algorithm. The block algorithm is only used in encryption mode. |
| Modes providing confidentiality and message integrity | |
| GCM | Galois Counter Mode: Encryption and authentication are combined by the GCM mode in the following manner: (1) The plain text is encrypted in CTR mode. (2) The cipher text is used for the message authentication code calculation by a GHASH function. The GHASH function compresses a 128 x n bit message into a 128 bit hash value (refer to [YMK05]). |
| CBC-MAC | Cipher Block Chaining Message Authentication Code: A MAC algorithm based on the CBC mode and defined as an ISO standard in [ISO9797]. CBC-MAC has security deficiencies as mentioned in [BKR2000]. |
| CMAC | A variation of CBC-MAC, proposed by Black and Rogaway. As for CBC-MAC, a message M is encrypted in CBC mode and a MAC is derived from the encrypted message; it has the length 0 < Tlen < b, where b is the block length of the encryption algorithm used. It is recommended that Tlen ≥ 64 bit (refer to [NIST38B]). |

Table 4-2 Modes of operation

| Mode | Self Synchronization | Error Propagation | Known Security Issues |
|---|---|---|---|
| ECB | On block level. | One bit error causes one block error. Bit errors only affect the corresponding block. | Insecure for redundant data or recurrent packet structures (Mickey-Mouse-Effect, see [DSIDA2]). |
| CBC | On block level. | The corresponding plaintext block is decrypted completely incorrectly and the following plaintext block shows the bit error at the same position as it occurred in the ciphertext block, so two blocks are affected by one bit error. | None. |
| CFB | On block level. | A bit error in the ciphertext results in a bit error in the decrypted plaintext and the following m/n+1 blocks will be erroneous (m: block length of the encryption algorithm; n: block length of the stream cipher, 1 < n ≤ m). | None. |
| OFB | No synchronization. | One bit error causes one block error. | None. |
| CTR | No synchronization. | One bit error causes one block error. | None. |
| GCM | Not relevant (MAC is erroneous). | Not relevant (MAC is erroneous). | None. |
| CBC-MAC | Not relevant (MAC is erroneous). | Not relevant (MAC is erroneous). | Security deficiencies, see [BKR2000]. |
| CMAC | Not relevant (MAC is erroneous). | Not relevant (MAC is erroneous). | None. |

Table 4-3 Behavior of Mode of Operation
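The ECB, CBC and CTR rows of Table 4-3, and the Feistel property from section 4.4.2.1 (decryption is the same network with a reversed key schedule), can be checked with a toy cipher. This is an added example, not part of the original report: the SHA-256-based Feistel cipher, the key, IV, nonce and the sample telecommand/telemetry strings are constructed for the demonstration and do not represent a real algorithm.

```python
import hashlib

BLOCK, ROUNDS = 16, 8   # toy parameters: 128-bit block, 8 Feistel rounds

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def key_schedule(key):
    # One round key per round, derived with SHA-256 (constructed for this demo).
    return [hashlib.sha256(key + bytes([r])).digest() for r in range(ROUNDS)]

def feistel(block, round_keys):
    left, right = block[:8], block[8:]
    for rk in round_keys:
        f = hashlib.sha256(rk + right).digest()[:8]   # round function need not be invertible
        left, right = right, xor(left, f)
    return right + left                                # final swap

def encrypt_block(block, key):
    return feistel(block, key_schedule(key))

def decrypt_block(block, key):
    # Same network as encryption; only the key schedule is reversed.
    return feistel(block, key_schedule(key)[::-1])

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(pt, key):
    return b"".join(encrypt_block(b, key) for b in blocks(pt))

def ecb_decrypt(ct, key):
    return b"".join(decrypt_block(b, key) for b in blocks(ct))

def cbc_encrypt(pt, key, iv):
    out, prev = [], iv
    for b in blocks(pt):
        prev = encrypt_block(xor(b, prev), key)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct, key, iv):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)

def ctr_crypt(data, key, nonce):
    # Encrypts and decrypts: the block cipher is only used in encryption direction.
    out = []
    for i, b in enumerate(blocks(data)):
        keystream = encrypt_block(nonce + i.to_bytes(8, "big"), key)
        out.append(xor(b, keystream))
    return b"".join(out)

def bit_error_report(decrypt, ct, pt, bit):
    """Flip one ciphertext bit; return {plaintext block index: wrong bits}."""
    damaged = bytearray(ct)
    damaged[bit // 8] ^= 0x80 >> (bit % 8)
    got = decrypt(bytes(damaged))
    report = {}
    for i, (g, p) in enumerate(zip(blocks(got), blocks(pt))):
        wrong = sum(bin(x ^ y).count("1") for x, y in zip(g, p))
        if wrong:
            report[i] = wrong
    return report

# Constructed sample data: blocks 0, 1 and 3 carry the same 16-byte frame.
KEY = b"demo key, not for real use"
IV = bytes(range(BLOCK))
NONCE = b"\x00" * 7 + b"\x01"
FRAME_A = b"TC SAFE MODE".ljust(BLOCK, b".")
FRAME_B = b"TM BUS 28.1V".ljust(BLOCK, b".")
PT = FRAME_A + FRAME_A + FRAME_B + FRAME_A

def run_demo():
    ecb = ecb_encrypt(PT, KEY)
    cbc = cbc_encrypt(PT, KEY, IV)
    ctr = ctr_crypt(PT, KEY, NONCE)
    bit = BLOCK * 8 + 5   # a bit inside ciphertext block 1
    return {
        "ecb_repeated_blocks": len(blocks(ecb)) - len(set(blocks(ecb))),
        "cbc_repeated_blocks": len(blocks(cbc)) - len(set(blocks(cbc))),
        "ecb_errors": bit_error_report(lambda c: ecb_decrypt(c, KEY), ecb, PT, bit),
        "cbc_errors": bit_error_report(lambda c: cbc_decrypt(c, KEY, IV), cbc, PT, bit),
        "ctr_errors": bit_error_report(lambda c: ctr_crypt(c, KEY, NONCE), ctr, PT, bit),
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The repeated ciphertext blocks under ECB are the recurrent-packet-structure weakness listed in the table; in CTR the damage stays inside the block that carried the flipped bit, which also means a bit flip alters the plaintext predictably unless a MAC is checked.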


4.4.3 Asymmetric Methods

The mathematical basis for asymmetric methods is the characteristic of one way functions. A one way function is a bijective transformation of an independent variable into a dependent variable with the characteristic that computation of the function f : x → y is easy but computation of the inverse function f⁻¹ is 'difficult' (i.e. virtually impossible). This property allows the value of y to be published while keeping x a secret. Well-known one way functions are the factorization problem and the discrete logarithm problem. For factorization, it is simple to multiply two (big) prime numbers, but it is difficult to find the two prime factors from only the end product. For the discrete logarithm problem, it is easy to compute the power in a Galois field, but it is difficult to compute the corresponding discrete logarithm (DL). The safety depends on the mathematical quality of the methods and the cryptographic quality of the applied keys.

There are many forms of asymmetric methods, including:

• asymmetric encryption algorithm or public-key encryption: keeping a message secret from anyone that does not possess a specific private key.

• asymmetric digital signature algorithm or public-key authentication: allowing anyone to verify that a message was created with a specific private key.

• key agreement: generally, allowing two parties that may not initially share a secret key to agree on one.

4.4.4 Cryptographic Keys

There are three basic classes of approved cryptographic algorithms: hash algorithms, symmetric key algorithms and asymmetric key algorithms. The classes are defined by the number of cryptographic keys that must be used in conjunction with the algorithm.

Pure hash algorithms (e.g. RIPEMD-160) require no keys. Hash algorithms generate a small message digest from a large message and are used as components in many cryptographic processes. They are not secured against manipulation. Using a key in conjunction with a hash algorithm results in a message authentication code (MAC). Hash algorithms can be modified into MACs (e.g. RIPEMD-160 can be extended to an HMAC), and it is possible to use symmetric encryption modes of operation as MACs (e.g. CBC-MAC, CMAC, GCM). For further details refer to [ISO10118], [ISO9797] and [Sch96].

Symmetric key algorithms (sometimes known as secret key algorithms) use a single key to transform data. Symmetric keys are often known by more than one entity; however, the key must remain secret between any entities authorized to access data protected by that algorithm and key.

Asymmetric key algorithms, commonly known as public key algorithms, use two related keys to perform their functions: a public key and a private key. The public key may be known by anyone; the private key must be under the sole control of the entity that “owns” the key pair. Even though the public and private keys of a key pair are related, knowledge of the public key does not reveal the private key.


4.4.4.1 Classes of Keys

To evaluate the risk to keys it is useful to know the different classes of keys so that their specific security requirements can be satisfied. Several different classes of keys are defined, grouped according to function and according to their useful life span (life cycle).

• Signing keys: Signing keys are the private keys of a public/private key pair that are used by public key algorithms to generate digital signatures with possible long-term implications. When properly handled, signing keys can be used to assure authentication, integrity and non-repudiation. Signing keys require confidentiality and integrity protection, and correct association with any domain parameters. If multiple signing keys are used (e.g., for different applications), then provision must be made to ensure that each key is only used for the appropriate application or usage.

• Signature verification keys: Signature verification keys are the public keys of a public/private key pair that are used by a public key algorithm to verify digital signatures, either for non-repudiation purposes, to determine the integrity of data, to authenticate a user’s identity, or a combination thereof. The integrity of these keys must be protected, and an association with any domain parameters, the usage or application, the public key owner and with the correct signing key must be assured. The key must be validated to ensure that the purported owner of the key has the private signing key (i.e., proof of possession must be established). The verification key needs to be available while any data signed using the associated private key may need to be verified. There is no requirement for the confidentiality of signature verification keys.

• Secret authentication keys: Secret authentication keys are used with symmetric key algorithms to authenticate users, messages, or communication sessions. These keys must remain confidential, and the integrity must be protected. The association with another entity using that key must be maintained in order to provide entity authentication. If multiple authentication keys are used (e.g., for different applications or different communication associations or different data), then provision must be made to ensure that each key is only used for the appropriate application, communication association or data.

• Private authentication keys: Private authentication keys are used with public key algorithms to authenticate users, messages, or communication sessions. Non-repudiation is not necessary for private keys used only for authentication. However, these keys must remain confidential, and the integrity must be protected. If multiple authentication keys are used (e.g. for different applications), then provision must be made to ensure that each key is only used for the appropriate application.


• Public authentication keys: Public authentication keys are used with public key algorithms to authenticate users, messages, or communication sessions. The integrity, but not the confidentiality, of these keys must be protected. The association with the public key’s owner must be maintained in order to provide entity authentication. If multiple authentication keys are used (e.g. for different applications), provision must be made to ensure that each key is associated with the appropriate application, communication association or data.

• Long term data encryption keys: Secret symmetric keys that are used with symmetric algorithms to protect the confidentiality of data over long periods. Keys used for the encryption of other keys are discussed below. These keys require confidentiality and integrity protection, and must remain available and associated with the encrypted data, communication association or application as long as the data encrypted under these keys is maintained in its encrypted form.

• Short term data encryption keys: Secret symmetric keys that are used with symmetric algorithms to protect the confidentiality of data, such as the messages exchanged during one communication session. For each communication session new keys (session keys) are generated. Once they are no longer needed, they should be securely destroyed. Keys used for the encryption of other keys are discussed below.

• Random Number Generation keys: Secret symmetric keys used with a symmetric algorithm to generate pseudorandom numbers. These keys require confidentiality and integrity protection, should be associated with the RNG application, and should be retained until replaced or no longer needed.

• Key encrypting keys used for key wrapping: Key encrypting keys used for key wrapping are used with symmetric key algorithms. This key encrypting key may encrypt either data encrypting keys or other key encrypting keys. These keys require confidentiality and integrity protection, and may need to remain available (for possible key recovery). These keys may also need to remain associated with the application, the other entity, and the keys they encrypt for the life of any key that is encrypted by the key encrypting key and the data associated with the encrypted keys (because of a possible compromise).

• Master key used for key derivation: A “master key” may be used to derive other keying material. These keys require confidentiality and integrity protection, and may need to remain available (for possible key recovery). These keys may also need to remain associated with the application, the other entity, and the keys that are derived for the life of any derived key and the data associated with the derived keys (because of a possible compromise).

• Keys derived from a master key: The keys should be protected in accordance with their use, and may need to remain associated with the Master Key from which they are derived.

• Key transport private keys: Key transport private keys are used to decrypt keys that have been encrypted by the associated public key using a public key algorithm. They are usually used to establish multiple keys (e.g. data encrypting keys or MAC keys) and, optionally, other keying material (e.g. initialisation vectors). These private keys require confidentiality and integrity protection. They may need to remain available (for possible key recovery), and may need to remain associated with the correct application or usage, and with the keys they decrypt (because of a possible compromise).

• Key transport public keys: Key transport public keys are used to encrypt keys using a public key algorithm. They are used to establish keys (e.g. data encrypting keys or MAC keys) and, optionally, other keying material (e.g. initialisation vectors). These keys require integrity protection (but not confidentiality protection), and must be correctly associated with the key’s owner. These keys should be validated prior to their use, and should be retained until no longer needed (e.g. the public/private key pair is replaced or key transport will no longer be required).

• Static key agreement private keys: Static private keys are used for key agreement to establish keys (e.g. key encrypting keys, data keys or MAC keys) and, optionally, other keying material (e.g. initialisation vectors). These private keys require confidentiality and integrity protection and must remain available and associated with the correct domain parameters. If multiple static private keys are used (e.g. for different applications), then provision must be made to ensure that each key is only used for the appropriate application. These keys should be retained until replaced or no longer needed to determine a key (e.g. key agreement will not be performed).

• Static key agreement public keys: Static public keys used for key agreement are used to establish keys (e.g. key encrypting keys, data keys or MAC keys) and, optionally, other keying material (e.g. initialisation vectors). The keys require integrity protection, and the correct association with the owner of that key and any domain parameters must be assured. If multiple static public keys are used (e.g. for different applications), then provision must be made to ensure that each key is only used for the appropriate application. These keys should be validated prior to their use and should be retained until replaced or no longer needed to determine a key (e.g. key agreement will not be performed).

• Ephemeral key agreement private keys: Ephemeral private keys used for key agreement are used once to establish one or more keys (e.g. key encrypting keys, data keys, or MAC keys) and, optionally, other keying material (e.g. initialisation vectors). These keys require confidentiality and integrity protection during the key agreement process. The ephemeral private keys should be destroyed at the completion of the key agreement process.

• Ephemeral key agreement public keys: Ephemeral public keys used for key agreement are used once to establish one or more keys (e.g. key encrypting keys, data keys, or MAC keys) and, optionally, other keying material (e.g. initialisation vectors). These keys require integrity protection, but not confidentiality protection. These keys should be validated prior to their use and should be destroyed at the completion of the key agreement process.

• Secret authorization key: Secret authorization keys are used to provide access privileges to an entity. The key is known by the access authority and an entity seeking access to resources. The secret authorization key requires confidentiality and integrity protection and should be correctly associated with the application and with the entity seeking access.

• Private authorization key: Private authorization keys are used to provide access privileges to an entity. The key is known only by an entity seeking access to resources. The private authorization key requires confidentiality and integrity protection and should be correctly associated with the application.

• Public authorization key: Public authorization keys are used to verify access privileges by an entity that knows the associated private key. The public key may be known by anyone. The public authorization key requires integrity protection and should be correctly associated with the application and with the entity seeking access.

4.4.4.2 Quality of Cryptographic Keys

The security of cryptographic methods begins with key production. Good keys must not be predictable. For example, sequentially assigned numbers would be unsuitable keys. In addition, statistical characteristics, for example of pseudo-random numbers, can offer potential for attack and/or increase the probability of predicting the key. Ideally, keys should therefore be selected completely at random from the available key set. Furthermore, with some cryptographic algorithms not all keys are equally suitable. In these cases care must be taken not to select "weak" keys with which the procedure offers only reduced security.

The example of a one-time pad encryption demonstrates how a weak key negatively affects the encryption result. Figure 4-2 shows the original data. Figure 4-3 shows the result with a weak key. Figure 4-4 shows the encryption with a better key. The key used for the picture in Figure 4-3 also has a random structure, but its bits are not evenly distributed.

Figure 4-2 Original picture

Figure 4-3 Picture encrypted with a weak key

Figure 4-4 Picture encrypted with a better key
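The effect shown in Figures 4-2 to 4-4 can be reproduced numerically. The following is an added example, not code from the report: the 64 x 64 sample picture, the 10 % share of one-bits in the weak key and all function names are assumptions chosen for illustration. It encrypts the picture with a biased key and with a uniformly random key, measures how much of the plaintext survives in each ciphertext, and applies a frequency (monobit) test that flags the biased key before use.

```python
import math
import random
import secrets

WIDTH = HEIGHT = 64  # constructed sample picture, one bit per pixel


def sample_picture():
    """Constructed plaintext: a filled square on an empty background."""
    return [1 if 16 <= x < 48 and 16 <= y < 48 else 0
            for y in range(HEIGHT) for x in range(WIDTH)]


def biased_key(n_bits, p_one=0.1, seed=2006):
    """Weak key: the bits are random, but only about p_one of them are 1."""
    rng = random.Random(seed)  # seeded only so the demonstration is repeatable
    return [1 if rng.random() < p_one else 0 for _ in range(n_bits)]


def uniform_key(n_bits):
    """Better key: every bit comes from the operating system's CSPRNG."""
    value = secrets.randbits(n_bits)
    return [(value >> i) & 1 for i in range(n_bits)]


def otp_xor(data_bits, key_bits):
    """One-time pad: output bit = data bit XOR key bit (the same call decrypts)."""
    if len(key_bits) < len(data_bits):
        raise ValueError("a one-time pad key must be at least as long as the data")
    return [d ^ k for d, k in zip(data_bits, key_bits)]


def agreement(plain_bits, cipher_bits):
    """Share of ciphertext bits equal to the plaintext bit; 0.5 means no leak."""
    same = sum(p == c for p, c in zip(plain_bits, cipher_bits))
    return same / len(plain_bits)


def monobit_p_value(bits):
    """Frequency test: p-value for the hypothesis that ones and zeros are equally likely."""
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(len(bits)) / math.sqrt(2))


def render(bits, step=8):
    """Coarse ASCII view: '#' where most pixels of a step x step tile are set."""
    rows = []
    for ty in range(0, HEIGHT, step):
        row = ""
        for tx in range(0, WIDTH, step):
            ones = sum(bits[y * WIDTH + x]
                       for y in range(ty, ty + step) for x in range(tx, tx + step))
            row += "#" if ones * 2 > step * step else "."
        rows.append(row)
    return "\n".join(rows)


def compare_keys():
    """Encrypt the sample picture with both keys and report leak and key quality."""
    picture = sample_picture()
    weak, good = biased_key(len(picture)), uniform_key(len(picture))
    c_weak, c_good = otp_xor(picture, weak), otp_xor(picture, good)
    return {
        "weak_agreement": agreement(picture, c_weak),
        "good_agreement": agreement(picture, c_good),
        "weak_monobit_p": monobit_p_value(weak),
        "good_monobit_p": monobit_p_value(good),
        "weak_render": render(c_weak),
        "good_render": render(c_good),
    }


if __name__ == "__main__":
    result = compare_keys()
    print("original picture:\n" + render(sample_picture()))
    print("weak key ciphertext:\n" + result["weak_render"])
    print("better key ciphertext:\n" + result["good_render"])
    for name in ("weak_agreement", "good_agreement", "weak_monobit_p", "good_monobit_p"):
        print(name, result[name])
```

With the biased key roughly nine out of ten ciphertext bits equal the plaintext bit, so the square remains visible in the rendered ciphertext; with the uniform key the agreement is close to 0.5.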

4.4.4.3 Key Length

Apart from the algorithm used, the security of a cryptographic system also depends on the selected key length, especially because the fastest and often the only way of decrypting data with an unknown key is to find the key by trial (brute-force attack). As can be seen in the various tables of key lengths for symmetric encryption, keys that were considered safe a few years ago can be cracked when a sufficiently large amount of computing power is invested.

In summary, depending on the cryptographic system used, the key selection procedure plays a central role in security. The requirements for the respective keys must be specified separately for each cryptographic algorithm.

4.4.5 Cryptographic Parameters

Using correct parameters in cryptographic functions is important for security. All cryptographic algorithms, whether symmetric or asymmetric, are affected by weak cryptographic parameters. For example, randomly selected EC parameters may result in a poor EC and an insecure cryptographic function, and badly chosen S-boxes in a substitution-permutation network can cause security holes. Fortunately, cryptographic parameters are mostly selected by cryptographers and tested over a long period.

4.5 Overview of Security Protocols

This chapter gives an overview of how cryptographic functionality is implemented in space link related protocols and IP-based network protocols.

An overview of the CCSDS protocols and their dependent layers is given in the following figure:

Figure 4-5 Protocol layer model [SCPS05].

4.5.1 IPv6

IPv6 (Internet Protocol version 6) is the “next generation” data-oriented network layer standard, designed to address the concern of IPv4 address exhaustion. Currently, the IPv6 standard is most useful for mobility, quality of service, privacy extension, and so forth.

4.5.1.1 IPv6 Packet

Version Traffic Class Flow Label

Payload Length Next Header Hop Limit

Source Address

Destination Address

Figure 4-6 IPv6 packet header structure

The IPv6 packet consists of two main parts: the header and the payload (see Figure 4-6). The header occupies the first 40 bytes of the packet and contains:

• source and destination addresses (128 bits each),

• the version (4-bit IP version),

• traffic class (8 bits, Packet Priority),

• flow label (20 bits, QoS management),

• payload length (16 bits),

• next header (8 bits), and

• hop limit (8 bits, time to live).

The payload can be up to 64k in size in standard mode, or larger with a "jumbo payload" option. There have been two slightly different versions of IPv6. The now-obsolete initial version, described in RFC 1883, differs from the current proposed standard version, described in RFC 2460, in that 4 bits have been reassigned from flow label to traffic class. All other differences are minor. The routing header would then specify the additional routing information for the packet, and then indicate that, for example, the TCP header comes next. This is analogous to the handling of AH and ESP in IPsec for IPv4 (which applies to IPv6 as well).
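A packet filter or monitor that wants to know what an IPv6 packet carries has to decode the fixed header and then follow the Next Header values through any extension headers until it reaches the upper-layer protocol or ESP. The following is an added example, not code from the report: it uses the field widths listed above, the extension header length rules of RFC 2460 and the AH length rule of RFC 2402, and the sample packet and all function names are constructed for illustration.

```python
import ipaddress
import struct

# Next Header values that introduce a further header which names its successor.
EXTENSION = {0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment",
             51: "AH", 60: "Destination Options"}
# Values at which the walk stops (ESP hides whatever follows it).
TERMINAL = {6: "TCP", 17: "UDP", 50: "ESP", 58: "ICMPv6", 59: "No Next Header"}


def parse_fixed_header(packet):
    """Decode the 40-byte fixed header into the fields of Figure 4-6."""
    if len(packet) < 40:
        raise ValueError("shorter than the 40-byte IPv6 header")
    word, payload_length, next_header, hop_limit = struct.unpack_from("!IHBB", packet)
    if word >> 28 != 6:
        raise ValueError("version field is not 6")
    return {
        "version": word >> 28,                  # 4 bits
        "traffic_class": (word >> 20) & 0xFF,   # 8 bits
        "flow_label": word & 0xFFFFF,           # 20 bits
        "payload_length": payload_length,       # 16 bits
        "next_header": next_header,             # 8 bits
        "hop_limit": hop_limit,                 # 8 bits
        "source": str(ipaddress.IPv6Address(bytes(packet[8:24]))),
        "destination": str(ipaddress.IPv6Address(bytes(packet[24:40]))),
    }


def walk_next_headers(packet):
    """Return (list of header names in order, offset of the last one named)."""
    fixed = parse_fixed_header(packet)
    # Payload Length 0 signals a jumbo payload; its option is not decoded here.
    declared = 40 + fixed["payload_length"] if fixed["payload_length"] else len(packet)
    end = min(declared, len(packet))
    chain, kind, offset = [], fixed["next_header"], 40
    while kind in EXTENSION:
        if offset + 8 > end:
            raise ValueError(f"truncated {EXTENSION[kind]} header")
        following, length_field = packet[offset], packet[offset + 1]
        if kind == 44:
            size = 8                        # Fragment header has a fixed size
        elif kind == 51:
            size = (length_field + 2) * 4   # AH counts 32-bit words minus 2
        else:
            size = (length_field + 1) * 8   # 8-byte units, first unit not counted
        if offset + size > end:
            raise ValueError(f"{EXTENSION[kind]} header overruns the payload")
        chain.append(EXTENSION[kind])
        kind, offset = following, offset + size
    chain.append(TERMINAL.get(kind, f"protocol {kind}"))
    return chain, offset


def build_sample_packet():
    """Constructed packet: fixed header, Routing header, AH, zeroed TCP header."""
    routing = bytes([51, 0, 0, 0, 0, 0, 0, 0])   # next = AH, constructed filler
    ah = struct.pack("!BBHII", 6, 4, 0, 0x1001, 1) + bytes(12)  # next = TCP
    body = routing + ah + bytes(20)
    word = (6 << 28) | (0xB8 << 20) | 0x12345
    fixed = struct.pack("!IHBB", word, len(body), 43, 64)
    fixed += ipaddress.IPv6Address("2001:db8::1").packed
    fixed += ipaddress.IPv6Address("2001:db8::2").packed
    return fixed + body


if __name__ == "__main__":
    sample = build_sample_packet()
    print(parse_fixed_header(sample))
    print(walk_next_headers(sample))
```

Both length checks matter: a parser that trusts the length byte of an extension header without comparing it to the declared payload reads past the end of the packet.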

4.5.1.2 IPsec

IPsec is a set of protocols developed by the IETF to support secure exchange of packets on top of the network layer, thus enabling all services working on top of IP to automatically use its security mechanism. IPsec has been deployed widely to implement Virtual Private Networks (VPNs). IPsec is available for IPv4, too.

Alternatives to IPsec are:

• PPTP (Point-to-Point Tunneling Protocol), originally developed by Microsoft and Ascend. It is widely used through Windows. PPTP is not standardized; the Internet Draft expired in 1997.

• L2F (Layer 2 Forwarding), developed by Cisco, Nortel and Shiva. The category of RFC 2341 is historic.

• L2TP (Layer Two Tunnelling Protocol) is a proposed standard: IETF RFC 2661. RFC 3193 is a proposed standard to combine L2TP and IPsec.

In comparison to IPsec, these alternatives are weak and/or historic. IPsec is a very complex suite of protocols. One cause of the complexity is that IPsec provides mechanisms, not policy: rather than define such-and-such encryption algorithm or a certain authentication function, it provides a framework that allows an implementation to provide “nearly anything” that both ends agree upon.

IPsec uses two different protocols - AH and ESP - to ensure the authentication, integrity and confidentiality of the communication. It can protect either the entire IP datagram or only the upper-layer protocols: the modes are called tunnel mode and transport mode. In tunnel mode the IP datagram is fully encapsulated by a new IP datagram using the IPsec protocol. In transport mode only the payload of the IP datagram is handled by the IPsec protocol inserting the IPsec header between the IP header and the upper-layer protocol header (refer to [RFC2401]).

AH versus ESP

Authentication Header (AH) and Encapsulating Security Payload (ESP) are the two main protocols used by IPsec and they authenticate (AH) and encrypt + authenticate (ESP) the data transmitted over that connection. They are typically used independently, although it is possible (but uncommon) to use them both together. The ESP protocol allows the payload to be encrypted without being authenticated. Encryption without authentication is not useful (refer to [RFC2403], [RFC2404], [RFC2405], [RFC2406], [Sch99]).

Byte 0 (bits 0-7) | Byte 1 (bits 0-7) | Bytes 2-3 (bits 0-7 each)
Next Header | Payload Length | RESERVED
Security Parameters Index (SPI)
Sequence Number
Authentication Data (variable)

Figure 4-7 AH packet diagram

Field description in Figure 4-7:

• Next Header - Identifies the protocol of the transferred data

• Payload Length - Size of AH packet

• RESERVED - Reserved for future use (all zero until then).

• Security Parameters Index (SPI) - Identifies the security parameters in combination with IP address

• Sequence Number - A monotonically increasing number, used to prevent replay attacks

• Authentication Data - Contains the data necessary to authenticate the packet

Byte 0 (bits 0-7) | Byte 1 (bits 0-7) | Byte 2 (bits 0-7) | Byte 3 (bits 0-7)
Security Parameters Index (SPI)
Sequence Number
Payload * (variable)
Padding (0-255 bytes) | Pad Length | Next Header
Authentication Data (variable)

Figure 4-8 ESP Packet Diagram

Field description in Figure 4-8:

• Security Parameters Index (SPI) - Identifies the security parameters in combination with IP address

• Sequence Number - A monotonically increasing number, used to prevent replay attacks

• Payload Data - The data to be transferred

• Padding - Used with some block ciphers to pad the data to the full length of a block

• Pad Length - Size of padding in bits

• Next Header - Identifies the protocol of the transferred data

• Authentication Data - Contains the data used to authenticate the packet
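Both field lists (Figure 4-7 and Figure 4-8) name the Sequence Number as the protection against replay. The following is an added example, not code from the report, of how a receiver can use it: the SPI and Sequence Number are read from an AH or ESP header and checked against a sliding window per security association. The 64-packet window, the SPI values, the constructed sample packets and the `icv_valid` flag (a stand-in for the real Authentication Data check) are assumptions for illustration.

```python
import struct

AH_FIXED = struct.Struct("!BBHII")  # Next Header, Payload Length, RESERVED, SPI, Sequence Number
ESP_FIXED = struct.Struct("!II")    # SPI, Sequence Number


def parse_ah(data):
    """Decode an AH header laid out as in Figure 4-7."""
    if len(data) < AH_FIXED.size:
        raise ValueError("AH header shorter than 12 bytes")
    next_header, payload_len, reserved, spi, seq = AH_FIXED.unpack_from(data)
    total = (payload_len + 2) * 4   # RFC 2402: length in 32-bit words minus 2
    if reserved != 0 or total < AH_FIXED.size or total > len(data):
        raise ValueError("malformed AH header")
    return {"next_header": next_header, "spi": spi, "sequence": seq,
            "auth_data": bytes(data[AH_FIXED.size:total])}


def parse_esp(data):
    """Decode the cleartext start of an ESP packet (Figure 4-8)."""
    if len(data) < ESP_FIXED.size:
        raise ValueError("ESP packet shorter than 8 bytes")
    spi, seq = ESP_FIXED.unpack_from(data)
    return {"spi": spi, "sequence": seq}


class ReplayWindow:
    """Sliding window over the sequence numbers of one security association."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set: sequence number (highest - i) was accepted

    def is_replay(self, seq):
        if seq == 0:
            return True                      # the first valid number is 1
        if seq > self.highest:
            return False                     # newer than anything seen
        offset = self.highest - seq
        return offset >= self.size or bool(self.bitmap & (1 << offset))

    def mark(self, seq):
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def accept(windows, header, icv_valid):
    """Receiver decision; the window only moves after authentication succeeds."""
    window = windows.get(header["spi"])
    if window is None:
        return "drop: unknown SPI"
    if window.is_replay(header["sequence"]):
        return "drop: replayed or too old"
    if not icv_valid:
        return "drop: authentication failed"
    window.mark(header["sequence"])
    return "accept"


def build_ah(spi, seq):
    """Constructed AH header: next header TCP, 12 zero bytes of Authentication Data."""
    return AH_FIXED.pack(6, 4, 0, spi, seq) + bytes(12)


def build_esp(spi, seq):
    """Constructed ESP packet start followed by 16 zero bytes."""
    return ESP_FIXED.pack(spi, seq) + bytes(16)


def demo_trace():
    windows = {0x1001: ReplayWindow(), 0x2002: ReplayWindow()}
    trace = [  # constructed traffic: (decoded header, result of the integrity check)
        (parse_ah(build_ah(0x1001, 1)), True),
        (parse_ah(build_ah(0x1001, 2)), True),
        (parse_ah(build_ah(0x1001, 2)), True),      # captured packet sent again
        (parse_ah(build_ah(0x1001, 1000)), False),  # forged high sequence number
        (parse_ah(build_ah(0x1001, 3)), True),      # still accepted afterwards
        (parse_esp(build_esp(0x2002, 1)), True),
        (parse_esp(build_esp(0x2002, 1)), True),    # replay on the ESP association
        (parse_esp(build_esp(0x3003, 1)), True),    # no association for this SPI
    ]
    return [accept(windows, header, ok) for header, ok in trace]


if __name__ == "__main__":
    for line in demo_trace():
        print(line)
```

The order of the checks in `accept` is the point: if the window were advanced before the integrity check, the forged packet with sequence number 1000 would push genuine packets out of the window.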

Tunnel mode versus transport mode

The transport mode provides a secure connection between two endpoints as it encapsulates IP's payload, while tunnel mode encapsulates the entire IP packet to provide a virtual secure hop between two gateways [RFC2402].

Mode | AH | ESP | ESP + Authentication
Transport Mode | Authenticates IP payload, selections of IP header and IPv6 extensions header | Encrypts IP payload and any IPv6 extensions headers following the ESP header | Encrypts IP payload and any IPv6 extensions headers following the ESP header, authenticates IP payload but not IP header
Tunnel Mode | Authenticates entire inner IP packets, selections of outer IP header and outer IPv6 extensions header | Encrypts entire inner IP packets | -

Table 4-4 Transport/Tunnel mode SA

The latter is used to form a traditional VPN, where the tunnel generally creates a secure tunnel across the un-trusted internet. Eliminating transport mode also eliminates the need to separate the machines on the network into the two categories of hosts and security gateways. [Sch99]

[Figure: packet made up of the blocks IP Header, Encryption Header, TCP Header, Payload and Encryption Trailer. Field labels shown: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source IP Address, Destination IP Address, Security Parameter Index (SPI), Sequence Number, Encryption Parameters (Initialization Vectors), Payload Type (optional), Source Port, Destination Port, Sequence Number, Acknowledgement number, More TCP Header parameters, Padding, Padding Length, Authentication data.]

Figure 4-9 Transport Mode Encryption (dark gray = encrypted data)

[Figure: packet made up of the blocks IP Header, Encryption Header, Inner IP Header, TCP Header, Payload and Encryption Trailer. Field labels shown for the IP Header and the Inner IP Header: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source IP Address, Destination IP Address. Further field labels shown: Security Parameter Index (SPI), Sequence Number, Encryption Parameters (Initialization Vectors), Payload Type (optional), Source Port, Destination Port, Sequence Number, Acknowledgement number, More TCP Header parameters, Padding, Padding Length, Authentication data.]

Figure 4-10 Tunnel Mode Encryption (dark gray = encrypted data)

4.5.1.3 Key Management

IKE (Internet Key Exchange) exists in order to allow two endpoints to properly set up their Security Associations, including the secrets to be used. IKE uses the ISAKMP (Internet Security Association Key Management Protocol) as a framework to support establishment of a security association compatible with both ends.

Multiple key-exchange protocols themselves are supported, with Oakley being the most widely used. IPsec key exchange typically uses port 500/udp. ISAKMP allows great latitude to the participants in the exact messages that are sent and the exact processing that is done. This makes it extremely hard to give any reasonable statement about the security properties achieved by the protocols (refer to [RFC2407], [RFC2408]).

IKE versus manual keys

Since both sides of the conversation need to know the secret values used in hashing or encryption algorithms, there is the question of just how this data is exchanged. Manual keys require manual entry of the secret values on both ends, presumably conveyed by some out-of-band mechanism, and IKE (Internet Key Exchange) is a sophisticated mechanism for doing this online. IKE is the default key-exchange protocol for ISAKMP and, at the moment, the only one. IKE is built on top of ISAKMP and performs the actual establishment of both ISAKMP SAs and IPsec SAs (refer to [RFC2409]).

Main mode versus aggressive mode

These modes control an efficiency-versus-security tradeoff during initial IKE key exchange. "Main mode" requires six packets back and forth, but affords complete security during the establishment of an IPsec connection, while aggressive mode uses half the exchanges, providing a bit less security because some information is transmitted in clear text [RFC2409].

4.5.1.4 Limitations to IPsec

The following limitations exist for the usage of IPsec:

• Firewalls cannot peek inside encrypted packets.

• Traffic engineers want to look inside packets.

• New techniques for handling unusual links - satellite hops, wireless LANs, constant bit rate ATM, etc. - require examining, replaying and tinkering with packets.

• NAT boxes are incompatible with end-to-end IPsec, and dynamic addressing is not well supported.

• No centralised and dynamic management systems for security policies are provided by IPsec.

• No functional and recognised Public Key Infrastructure (PKI) is provided by IPsec.

4.5.1.5 IPv6 Mobility

It was necessary to develop new security mechanisms for mobile IPv6 route optimisation. The new mechanisms rely on the routing infrastructure to provide some level of authorisation of IP addresses. IPsec is still used in mobile IPv6 to protect the signaling between the mobile nodes and their home agents. The current specifications create a hard binding between static IP addresses, security associations, and IKE endpoints. This creates some undesirable complexity and limitations in the protocol. For instance, current protocols do not easily allow dynamic allocation of home addresses, as security policies are tied to the addresses. Any mobility solution must protect itself against misuse of the mobility features and mechanisms. In mobile IPv6, most of the potential threats are concerned with false bindings, usually resulting in Denial-of-Service attacks. Some of the threats also pose potential for Man-in-the-Middle, hijacking, confidentiality and impersonation attacks. The main threats this protocol protects against are the following (refer to [RFC3775]):

• Threats involving binding updates sent to home agents and correspondent nodes

• Threats associated with payload packets: payload packets exchanged with mobile nodes are exposed to similar threats as that of regular IPv6 traffic

• Threats associated with dynamic home agent and mobile prefix discovery

• Threats against the mobile IPv6 security mechanisms themselves: An attacker might, for instance, lure the participants into executing expensive cryptographic operations or allocating memory for the purpose of keeping state. The victim node would have no resources left to handle other tasks

The main security features are the following:

• Reverse tunneling as a mandatory feature

• Protection of binding updates sent to home agents

• Protection of binding updates sent to correspondent nodes

• Protection against reflection attacks that use the home address destination option

• Protection of tunnels between the mobile node and the home agent

• Closing routing header vulnerabilities

• Mitigating Denial-of-Service threats to the Mobile IPv6 security mechanisms themselves

4.5.2 Delay Tolerant Network (DTN)

The Internet, which is based on the OSI layers, is a connected, chatty network with the following dependencies (refer to [War2003]):

• Bi-directional end-to-end path

• Short round trips

• Continuous connectivity

• Low or constant transmission latency

• Low error rate

• Low congestion

• High transmission rate

• Symmetrical data rates

• Common name or address expression syntax or semantics

• Data arrival in transmission order

[Figure: layer stacks labelled Application, Transport (TCP), Network (IP), Link 1 to Link 3 and Phys 1 to Phys 3, spanning Subnet 1, Subnet 2 and Subnet 3.]

Figure 4-11 Internet subnet connections

The Interplanetary Internet (a network of regional internets) is a network of networks in which the networks are not connected all the time. It is thus a store-and-forward network based on a wireless backbone with the following properties:

• intermittent connectivity

• variable delay

• asymmetric data rates

• high error rates

Whole messages (entire blocks of application-program user data), or pieces (fragments) of such messages, are moved (forwarded) from a storage place on one node (switch) to a storage place on another node. The storage places can hold messages indefinitely; they are called persistent storage, as opposed to the very short-term storage provided by memory chips. Internet routers use memory chips to store (queue) incoming packets for a few milliseconds while they are waiting for their next-hop routing-table lookup and an available outgoing router port. DTN routers need persistent storage for their queues for one or more of the following reasons:

• A communication link to the next hop may not be available for a long time.

• One node in a communicating pair may send or receive data much faster or more reliably than the other node.

• A message, once transmitted, may need to be retransmitted if an error occurs at an upstream/downstream node or link, or if an upstream/downstream node declines acceptance of a forwarded message.

The DTN architecture implements store-and-forward message switching by overlaying a new protocol layer - called the bundle layer - on top of heterogeneous region-specific lower layers.

[Figure: layer stacks labelled Application, Bundle, Transport (a) / TCP (a), Transport (b) / TCP (b), Network (a) / IP (a), Network (b) / IP (b), Link 1 to Link 3 and Phys 1 to Phys 3, spanning Subnet 1, Subnet 2 and Subnet 3; one label reads Breakdown.]

Figure 4-12 DTN - subnet connections

The bundle layer ties together the region-specific lower layers so that application programs can communicate across multiple regions. The bundle layer stores and forwards entire bundles or bundle fragments between nodes. A single bundle-layer protocol is used across all networks (regions, i.e. nodes with similar network/transport protocols) that make up a DTN.

4.5.3 Space Communications Protocol Standard (SCPS)

The SCPS protocol suite is described in [SCPS05].

“SCPS is a protocol suite designed to allow communication over challenging environments. Originally developed jointly by NASA and DoD’s USSPACECOM to meet their various needs and requirements. These protocols have been found to be applicable in meeting the needs of the satellite and wireless communities.

[Figure: three columns titled OSI Model, SCPS and TCP/IP. OSI Model column: Layer 7 / Application, Layer 6 / Presentation, Layer 5 / Session, Layer 4 / Transport, Layer 3 / Network, Layer 2 / Data Link, Layer 1 / Physical. Labels shown in the other columns: SCPS-FP or other Application, FTP or other Application, DTN (Optional), SCPS-TP, TCP, SCPS-SP, SCPS-NP, IPsec, IP, CCSDS or other Data Link, Data Link, Physical.]

Figure 4-13 SCPS Protocol Layer

The SCPS protocols include:

• A file handling protocol (the SCPS File Protocol or SCPS-FP), optimised towards the up-loading of spacecraft commands and software and the downloading of collections of telemetry data. The SCPS-FP is based on the well-known Internet File Transfer Protocol (FTP) (refer to [717.0-B-1]).

• An underlying retransmission control protocol (the SCPS Transport Protocol or SCPS-TP), optimised to provide reliable end-to-end delivery of spacecraft command and telemetry messages between computers that are communicating over a network containing one or more potentially unreliable space data transmission paths. The SCPS-TP is based on the well-known Internet Transmission Control Protocol (TCP). Note that the SCPS-TP extensions to TCP solve similar problems in other environments, such as those of the mobile/wireless and tactical communications communities (refer to [714.0-B-1]).

• A data protection mechanism (the SCPS Security Protocol or SCPS-SP) that provides the end-to-end security and integrity for message exchange. The SCPS-SP is derived from the Secure Data Network (SDNS) "SP3" protocol, the ISO Network Layer Security Protocol (NLSP), the Integrated Network Layer Security Protocol (I-NLSP), the Internet Engineering Task Force's (IETF) Internet Protocol Security (IPSEC) Encapsulating Security Payload (ESP) and Authentication Header (AH) protocols (refer to [713.5-B-1]).

• A networking protocol (the SCPS Network Protocol or SCPS-NP) that supports both connectionless and connection-oriented routing of these messages through networks containing space or other wireless data links. The SCPS-NP is based on the well-known Internet Protocol (IP), with modifications to support new space routing needs and increased communications efficiency (refer to [713.0-B-1]).”

4.5.4 SSL/TLS

Secure Sockets Layer (SSL) and Transport Layer Security (TLS), its successor, are cryptographic protocols which provide secure communications on the Internet. The term "SSL" as used here applies to both protocols unless clarified by context.

4.5.4.1 TLS 1.1

TLS 1.1 is the next generation of the TLS protocol. It is currently a draft and is expected to be published as an RFC in 2006. TLS 1.1 clarifies some ambiguities and adds a number of recommendations. The main reason for the new version number is a modified format for the encrypted packets, introduced to protect against a certain form of attack (refer to [RFC 2246], [RFC 2712], [RFC 3268], [RFC 3546]).

4.5.4.2 Attacks on SSL / TLS

The attacks on SSL are listed below:

• Early weak keys: Some early implementations of SSL could use a maximum of only 40-bit symmetric keys because of U.S. government restrictions on the export of cryptographic technology. The U.S. government explicitly imposed a 40-bit key space small enough to be broken by brute-force search by law enforcement agencies wishing to read the encrypted traffic, while still presenting obstacles to less-well-funded attackers. After several years of public controversy, a series of lawsuits, and eventual US government recognition of changes in the market availability of 'better' cryptographic products produced outside the U.S., the authorities relaxed some aspects of the export restrictions. The 40-bit key size limitation has mostly gone away. Modern implementations use 128-bit (or longer) keys for symmetric key ciphers.

• Timing attack: An attacker situated "not too far" from the server performs timing measurements and obtains the distributions that represent the time taken for a padding error message and the time taken for a MAC error message.

• Dictionary and brute force: Two types of attacks can be performed:

• a brute force attack where all characters to be found are in an alphabet Z of size 64 or 256 for example and each element of the alphabet is used to guess bytes of the password.

• a dictionary attack where words of a dictionary are used in order to guess a password. The dictionary is ordered in decreasing probability of the character guessed in the password.
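The timing attack listed above depends on a padding error and a MAC error taking measurably different time on the server. The following Python sketch is an added example, not taken from this report or from any TLS implementation: it uses a constructed record layout (payload, HMAC-SHA256 tag, TLS-style padding, at least 33 bytes long) and hypothetical function names, and sets a check that returns early on bad padding beside one that always computes the MAC and reports a single generic error.

```python
import hashlib
import hmac

MAC_LEN = 32  # HMAC-SHA256 tag; constructed record layout, not real TLS framing


def make_record(key: bytes, payload: bytes, block: int = 16) -> bytes:
    """payload || MAC || padding: what a CBC-protected record looks like once decrypted."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    pad = block - (len(payload) + MAC_LEN) % block      # 1..block bytes in total
    return payload + tag + bytes([pad - 1]) * pad       # TLS style: each byte = pad - 1


def padding_ok(rec: bytes, pad: int) -> bool:
    return pad <= len(rec) - MAC_LEN and rec[-pad:] == bytes([pad - 1]) * pad


def check_leaky(key: bytes, rec: bytes, trace: list) -> bool:
    """Before: bad padding returns early, so no MAC is computed and the reply is faster."""
    pad = rec[-1] + 1
    if not padding_ok(rec, pad):
        trace.append("padding_error")                   # cheap, distinguishable path
        return False
    body, tag = rec[:-pad - MAC_LEN], rec[-pad - MAC_LEN:-pad]
    trace.append("mac_computed")
    if hmac.new(key, body, hashlib.sha256).digest() != tag:
        trace.append("mac_error")
        return False
    return True


def check_uniform(key: bytes, rec: bytes, trace: list) -> bool:
    """After: the MAC is always computed and both failures report one generic error."""
    pad = rec[-1] + 1
    pad_ok = padding_ok(rec, pad)
    if not pad_ok:
        pad = 1                                         # assume minimal padding, keep going
    body, tag = rec[:-pad - MAC_LEN], rec[-pad - MAC_LEN:-pad]
    trace.append("mac_computed")
    mac_ok = hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag)
    if not (pad_ok and mac_ok):
        trace.append("bad_record")
        return False
    return True
```

The `trace` list stands in for what a remote observer could infer from response time and error type. The sketch equalises control flow only; the padding comparison itself is not constant-time here.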

4.5.5 Next Generation Space Internet (NGSI)

A security working group at the CCSDS deals with the difficulty of bringing together secure ground network technologies (IPsec) and secure space technologies to provide efficient, end-to-end, secure communications between terrestrial-based and orbiting hosts. The report [730.0-G-1] describes the Next Generation Space Internet (NGSI) architecture. The standards are in an experimental phase. Blue Book issues, with information on security standards for CCSDS and the CCSDS cross support infrastructure (e.g. authentication, encryption, integrity, key management, key distribution, etc.), are estimated for spring 2006. Further outputs from this security working group are the development of reference implementations, the performance of interoperability testing, and security guidelines for interoperability.

The main aspects of the Next Generation Space Internet are:

• researching and recommending mechanisms to support dynamic utilization of space link communications services;

• integrating end-to-end resource reservation mechanisms, such as the Resource Reservation Protocol (RSVP), with the dynamic link utilization mechanisms;

• researching user-transparency via the Mobile Internet Protocol (IP) for real-time user-to-payload interaction;

• providing efficient end-to-end security and key management mechanisms which take advantage of existing approaches in the terrestrial environment, such as IP Security (IPsec), and providing ‘space link-friendly’ approaches for the space segment.