RE: [amsat-bb] Question about AO-40 telemetry

["Timothy J. Salo" <salo@xxxxxxxxxxx>]

> From: "Rick Fletcher" <rfletcher@plumdragon.com>
> Subject: RE: [amsat-bb] Question about AO-40 telemetry
> Date: Sat, 20 Apr 2002 10:17:37 -0700
> 
> Thanks for so emphatically declaring your opinion but that's all it is.
> I've worked with a variety of security mechanisms and a large number of
> security professionals over the past 25 years and they'd wholeheartedly
> disagree with you.	...

The aphorism that one shouldn't disclose the security mechanisms
employed simply doesn't translate from the realm of physical security
to that of modern, strong (i.e., cryptographic) communications security.

(Given your 25-year tenure, and given that modern cryptographic
practice in only about 25 years old (arguably starting with RSA's
1978 paper), I suspect your expertise is in physical, rather than
network security.)

If a satellite command channel is using encryption or cryptographic
signatures, it is probably going to be pretty obvious to outside
observers.  Disclosing which strong technique is being used won't
make any practical difference.  For example, if disclosing the technique
makes brute force attacks ten times easier, then perhaps an
attacker could find the key in an average of a million years rather
than ten million years (or whatever, depending on the key length).
I suppose if that concerns you, you could add a few bits to the key
length to compensate for the fact that you disclosed the algorithm
being used.  I believe that by any reasonable measure, disclosing the
strong, cryptographic techniques employed (assuming a reasonable key
length) won't have any practical adverse effect on the security of
the system.

It appears that today amateur satellites may be using embarrassingly
poor techniques to protect the command channels.  One way to 
rectify this situation is for the AMSAT Board of Directors to
insist that a public security review be conducted (and passed)
before AMSAT funds a satellite project.  In a similar fashion,
the AMSAT BoD might consider adopting a set of "best practices"
for protecting amateur satellite command channels.

-tjs
----
Via the amsat-bb mailing list at AMSAT.ORG courtesy of AMSAT-NA.
To unsubscribe, send "unsubscribe amsat-bb" to Majordomo@amsat.org