
Re: Question about AO-40 telemetry

> From: Claudio Martins <ctpm@mega.ist.utl.pt>
> Subject: Re: [amsat-bb] Question about AO-40 telemetry
> Date: Sat, 20 Apr 2002 01:02:48 +0100
> 	[...]
> I suppose that if such a simple matter is to become taboo then maybe there is 
> something wrong. Or maybe my only mistake was to speak about something for 
> which AMSAT builders gave little thought about in their past satellite 
> projects, although I find this hard to believe.
> 	[...]

Sometimes the blunt answers work best.

Based on my incomplete understanding of the techniques employed,
the security mechanisms used in AO-40 are (in a theoretical
sense) weak and should not be used as a model for satellite security.

Having said that, how should one design a strong security system
for small satellite command channels?

As you hinted in your earlier e-mail, good communications
security requires the use of strong cryptographic techniques.
In general, the network security community can provide you much
better answers than can the amateur satellite community.

I believe that a good text on the theoretical basis of network
security would provide a good starting place for your research.
I don't know that the ones I have within reach are necessarily any
better than a number of others.

Next, you could examine the techniques used with communications
protocols, particularly the IP protocols, to authenticate the 
originator of traffic (e.g., to ensure that the command actually
originated from a legitimate command station), to ensure the integrity
of messages (e.g., that the messages weren't tampered with by a third
party), and to prevent replays of previous messages.  Note that
command messages don't need to be encrypted to provide these
protections.  Start with the IPSec protocols, specifically the
Authentication Header.

The Consultative Committee for Space Data Systems (CCSDS) also has
some documents that may be of interest (http://www.ccsds.org).
I would start with "The Application of CCSDS Protocols to Secure
Systems" (http://www.ccsds.org/documents/pdf/CCSDS-350.0-G-1.pdf)
which provides a nice overview of security requirements for satellites
and potential approaches to meeting those requirements.  (You might
also suggest that this be required reading for all AMSAT board members.)
Next, you might want to look at "Space Communications Protocol
Specification (SCPS) - Security Protocol"

Finally, you should probably think about issues unique to small satellites.
A few that come to mind are:

o	Key management.  Do you need more than one key for the
	satellite?  One for each potential control operator?  One
	super-secret key that is used by a very small group to manage
	the rest of the keys?

o	Power requirements, both computational and electrical.
	Traditionally, cryptographic techniques have required a
	fair amount of computational power.  I believe that some
	work has been done on cryptographic techniques for use
	in environments with limited computational power (I haven't
	looked at these, but I am supposed to in the next few

o	Mechanisms of last resort.  Ultimately, a well-designed,
	non-trivial satellite needs some mechanism that permits
	the ground controllers to reset the satellite into
	some known state when the satellite becomes really confused.
	This mechanism must be of the highest reliability, which
	generally means that it must be implemented
	with a very small number of simple hardware components
	(and probably no software components).  This may imply that
	this last-resort mechanism needs to bypass the cryptographic
	security mechanisms.  This is probably a good research topic.

By the way, can anyone provide references to any papers in the amateur
satellite community concerning the use of cryptographic
techniques to protect satellite command traffic?  In the
small satellite community?  None of this is, as they say,
rocket science, so I assume that a number of papers have
already been published on this topic.

Finally, with my usual lack of modesty, I believe that protecting the
command channels of valuable amateur satellites (e.g., perhaps
everything more than simple FM-repeater-in-the-sky satellites)
should be of great interest to AMSAT.  On a bad day, I might even
go so far as to suggest that the AMSAT Board of Directors should adopt a
position requiring that the command channels of all AMSAT-affiliated
satellites be protected with strong cryptographic techniques.

Via the amsat-bb mailing list at AMSAT.ORG courtesy of AMSAT-NA.
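
The post's point that command messages can be authenticated, integrity-protected and replay-protected without being encrypted, shown as an added example that is not part of the original message and not AO-40's or any AMSAT satellite's actual scheme. It uses a keyed MAC plus a sequence number, the same two ingredients as the IPSec Authentication Header; the frame layout, tag length, key and command names are all assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # assumed: HMAC-SHA256 tag truncated to 16 bytes
HDR_LEN = 8   # assumed: 64-bit big-endian sequence number

def build_frame(key: bytes, seq: int, command: bytes) -> bytes:
    """Ground station: the command stays in cleartext, a MAC is appended."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + command, hashlib.sha256).digest()[:TAG_LEN]
    return header + command + tag

class CommandReceiver:
    """Spacecraft side: check origin and integrity first, then freshness."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0  # highest sequence number accepted so far

    def accept(self, frame: bytes):
        if len(frame) < HDR_LEN + TAG_LEN:
            return None  # too short to be a valid frame
        header = frame[:HDR_LEN]
        command = frame[HDR_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + command,
                            hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time compare; a bad MAC never touches the counter, so a
        # forged frame cannot push last_seq forward and lock out the owner.
        if not hmac.compare_digest(tag, expected):
            return None  # wrong key or modified in transit
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:
            return None  # recording of an earlier valid frame
        self.last_seq = seq
        return command

def demo():
    key = bytes(range(32))  # constructed key, for illustration only
    rx = CommandReceiver(key)
    f1 = build_frame(key, 1, b"TX_ON")  # constructed command names
    tampered = f1[:HDR_LEN] + b"TXOFF" + f1[HDR_LEN + 5:]
    return [
        rx.accept(tampered),                               # payload altered
        rx.accept(f1),                                     # genuine
        rx.accept(f1),                                     # replayed
        rx.accept(build_frame(key, 2, b"TX_OFF")),         # next genuine
        rx.accept(build_frame(b"x" * 32, 3, b"RESET")),    # wrong key
    ]
```

The receiver's counter has to survive a reboot or a reset to a known state, otherwise old recorded frames become valid again; that is one place where the post's "mechanisms of last resort" item and the replay protection interact.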