An Approach for Recovering Satellites and their Cryptographic Capabilities in the Presence of SEUs and Attacks by Marcio Juliato & Catherine Gebotys
An Approach for Recovering Satellites and their Cryptographic
Capabilities in the Presence of SEUs and Attacks
Marcio Juliato and Catherine Gebotys
Dept. of Electrical and Computer Engineering, University of Waterloo
200 University Avenue West, Waterloo, ON, Canada
fmrjuliat,cgebotysg@uwaterloo.ca
Abstract
The problem of recovering satellites from failures or at-
tacks, and bringing them back to an operational and safe
stateiscrucialforsatellitereliability. However, thereislim-
ited research in this area, despite the recent interest in in-
corporating security in satellites. This research proposes a
trusted hardware module approach for recovering the satel-
lite’scryptographiccapabilitiesafteranSEUhascorrupted
acryptographickeyoranattackhascompromisedthesatel-
lite. The proposed trusted modules are estimated to con-
sume no more than 266mW of total power using an Altera
Cyclone II FPGA. Different security levels are supported
with the trusted module approach in order to meet the re-
quirements of particular designs. Security analysis in terms
of brute force attack for different types of satellite orbits
is also presented. We show that the time spent in a brute
force attack against the proposed system is completely in-
dependent of the computing power of an attacker, resulting
in a very secure system. This research is important for ad-
dressing key recovery which is crucial for present and future
satellites.
1. Introduction
The growing availability of technology around the world
has posed new threats in several areas. Since countries
heavily rely on commercial satellites for communication,
any threat to a satellite could have the potential for putting
a nation’s critical infrastructures at risk [19, 21, 2]. Satel-
litesbeingcompromisedhavealsobeenreported[10,17,7],
clearly demanding incorporation of security into satellites.
Even with the current importance of these spacecrafts, their
security has relied on obscurity and uniqueness of the sys-
tems [5]. Unfortunately making satellites secure is a com-
Date: August 18, 2008.
plex problem given their stringent constraints including low
energy, low power, high reliability, and low cost.
Satellites traditionally communicate with two types of
ground stations: communications stations and control sta-
tions. The latter will be referred to as “ground stations”
for short. Satellite links can be divided into three groups:
1) Telemetry, tracking and control links (TT&C); 2) Data
links; and 3) Cross-links. The TT&C link is important since
it provides mission secrecy and reliable control of the satel-
lite. Hence it requires both conﬁdentiality and authentica-
tion. Thus a symmetric and asymmetric cryptosystem with
cryptographic keys onboard the satellite is a necessity.
The cryptographic modules must satisfy the stringent re-
strictions on the satellites hardware size and weight as well
as the unit’s power consumption and dissipation since the
satellite has a limited power supply. Furthermore, it is im-
portant to design fault tolerant hardware so that the effects
of radiation (solar, cosmic) on circuits do not cause critical
failures which could lead to the loss of the satellite. The
fact that the system will be in orbit means that it will not
be easily accessible, and as such, would have to perform for
long periods of time without physical maintenance.
Oneofthemajorfactorsthatcomplicatetheimplementa-
tion of security in the TT&C link is the presence of fault in-
ducing radiation in space. Particles originating from space
are the best documented causes of a class of errors known
as Single Event Upsets (SEUs) [14] making such errors of
great concern in aerospace applications. SEUs are generally
a form of soft error, i.e., they are errors that occur in the cir-
cuitry of a system that can cause a bit to be ﬂipped into an
erroneous state, but are not damaging to the hardware. Typ-
ically satellites employ FPGAs due to their low volumes.
In this technology a cryptographic key can get damaged by
both the corruption of the FPGA conﬁguration data [9] and
directly in a storage element designed for key storage in the
FPGA. Several Altera FPGAs [6] have built-in cyclic re-
dundancy check (CRC) circuitry, which checks the internal
FPGA’s conﬁguration data, and request the reconﬁguration
of the device if it detects any corrupted bit. Though provid-ing a certain level of SEU resistance, this approach does not
protect the user data stored or being processed within the
device. As a consequence, user data must be protected by
other means as Triple Modular Redundancy (TMR) [22, 3]
and Hamming codes [11]. Hamming codes are especially
interesting in terms of storage area when large registers are
used, which is exactly the case of the cryptographic keys’
registers addressed in this paper.
Although incorporation of security into satellites is com-
plex due to the stringent constraints on power, energy, cost
and reliability, an important emerging new problem to be
addressed is how to recover from compromised keys, SEU
damaged keys, as well as supporting new keys for higher
security levels. Section 2 presents some related work, while
Section 3 focuses on our approach to recover satellites from
faults and attacks. In Section 4 the implementation of the
trusted modules is described, and experimental results are
given in Section 5.
2. Related Work
Traditionally, the proposed methodologies for the miti-
gation of SEUs in aerospace applications have focused on
the protection of entire systems or tasks, thus consuming
a large amount of resources. In [3] it is suggested the use
of full Triple Modular Redundancy (TMR) and read back
and reconﬁgure to fully protect systems from SEUs. Re-
searchers [24] attempt to reduce the costs associated with
fault mitigation techniques by only applying them to the
most critical components of a design.
Some research [12, 23, 1] proposes the use of satellites
for key distribution and authentication in communication
systems. However, the satellites’ security is not addressed.
There is limited research focusing on incorporating secu-
rity in commercial satellites despite the constant growth in
applications using them. This is probably due to the false
assumption that satellites are out of reach of attackers. This
context has led the United States General Accounting Of-
ﬁce to publish a report [19] calling for a higher level of
protection for the country’s critical infrastructure. This re-
port presents various threats, concluding that the security of
commercial satellites should be more fully addressed.
In [26] an on-board security architecture for earth ob-
servation satellites is proposed. It also presents a fault-
tolerant AES based on parity-based fault detection scheme
and Hamming codes to mitigate SEUs or single bit faults
in AES on-board implementations. In [20] a proposal is
presented to generate cryptographic keys from features as-
sociated directly with the actual satellite. However, such a
technique is only valid if we assume that an attacker never
gains control over the satellite. Otherwise, an intruder could
learn the satellite characteristics and then have enough in-
formation to easily derive future cryptographic keys.
Apart from the research outlined above, there is limited
research addressing the recovery of cryptographic capabil-
ities of satellites that have suffered faults due to SEUs or
from attacks leading to compromised keys. This paper pro-
poses an approach based on trusted modules, which can re-
cover a satellite damaged by SEUs or even when an attacker
has broken into it.
3.SatelliteRecoveryfromFailuresandAttacks
Considering the important role of commercial satellites
in modern communication systems, it is crucial to maintain
them functioning all the time. Attackers on the ground can-
not be disregarded, given that they may try to compromise
satellites’ operations or even break into them. An attacker
could for example, send commands to a satellite compro-
mising its correct orbit. In this case, emergency com-
manding should be performed with some sort of authenti-
cation [4]. Furthermore, such an attacker can break into the
satellite and modify, for example, its FPGA conﬁguration
or program memory. Therefore, satellites must quickly re-
cover from these attacks and return to a reliable state. After
that, it must safely renegotiate new cryptographic keys and
re-establish a secured channel with the ground station.
SEUs can affect any key at any moment, therefore it is
possible to get one or more keys corrupted simultaneously.
In addition, hardware failures such as power outage and
chip failure can happen due to a number of reasons (tem-
perature, satellite position, etc). Due to these problems, it
may be necessary to issue a general reset where the FPGA is
reconﬁgured and the program memory re-initialized. Again
in this scenario, a complete set of cryptographic keys can
be lost. Depending on the type of the key that is lost, the
satellite can adopt a speciﬁc recovery technique.
3.1. Simple Methods for Key Recovery
Depending on the type of key that is lost, the satellite
could adopt a speciﬁc recovery technique. For example,
in the case of losing only the public or the private keys, a
point-to-point key transport technique based on symmetric
encryption, as presented in [25, 13], could be used to re-
establish the satellite’s public and private keys. However
in order to use this approach, it is assumed that the satel-
lite always has a secured channel with the ground station.
The ground station creates new private and public keys,
which are sent to the satellite through the secured channel.
This is worth doing since asymmetric key generation is too
expensive in terms of power consumption. Likewise, the
Needham-Schroeder public key protocol [16, 25, 13] could
be used to address the problem of permanent damage of
symmetric keys. When the ground station and the satellite
possess each other’s valid and authentic public keys, they
2would run the Needham-Schroeder protocol to negotiate a
new symmetric key. However again, this method involves
public key cryptographic operations which is not suitable
for the low energy/power requirements of the satellite.
More robust approaches need to be developed for satel-
lite cryptography. For example, assumptions of a secured
channel with the ground station may not hold due to a SEU-
corrupted (or attacker compromised) encryption key. Fur-
thermore low energy techniques are necessary. This pa-
per proposes speciﬁc trusted modules which are suitable for
supporting satellite recovery from corrupt keys. The archi-
tecture of the trusted modules as well as their associated
threat models are outlined next.
3.2. Hash Based Approach
The ﬁrst threat model to consider assumes that an at-
tacker never gains control over the satellite, but listens to all
communication (ground station–satellite, satellite–satellite)
and also sends control signals to the satellite. We assume
that a satellite stores hardwired information k0, which is
built-induringitsconstructionandunknowntoanyattacker.
Hence, it is assumed that the agency which built the satellite
will disclose this information only to the agency that will
control it. In other words, besides the manufacturer, only
the ground station and the satellite know k0. Notice that k0
must not be stored in the FPGA since it could get corrupted
by SEUs or lost in reconﬁguration.
Further, k0 must never be used as a key. Once this value
isdiscoveredor leakedby anymeans, the satellitewill never
be able to re-establish a secured channel with the ground
station. In fact, that is why this threat model assumes that
an attacker never breaks into the satellite. Once k0 is read by
an attacker, he or she has learned the most important piece
of information that is used to create all the future crypto-
graphic keys.
Additionally, the FPGA may be reconﬁgured remotely
and the FPGA’s conﬁguration ﬁle could also be corrupted
by SEUs. Hence, it is necessary to store a minimum
conﬁguration ﬁle in a programmable read-only memory
(PROM). This minimum, permanently stored capabilities
include some mandatory functions for the recovery process,
such as basic arithmetic operations and a hash function. The
PROM should also store a minimum program to be loaded
into the program memory. Even though this threat model
assumes that FPGA reconﬁguration may occur, addressing
the reconﬁguration itself is out of scope of this work.
Considering the implementation of the proposed tech-
nique in current satellites, k0 could be a serial number, an
ID number, or any other data that only the satellite and the
ground station know, and which is readable by the FPGA.
It would be better still if k0 was randomly created during
the satellite construction. Moreover, a bigger k0 could be
formed by concatenating more than one source of informa-
tion. In new satellites, k0 should be randomly created, be
hardwired in the satellite circuitry, and be readable by the
FPGA. This permanent storage of information would then
be immune to SEUs for the whole lifetime of the satellite.
The recovery can be performed as follows: The ground
station sends a nonce n to the satellite, which is deﬁned as
a random number used no more than once. To construct
a new symmetric key k, the satellite concatenates k0 with
n, and computes its hash. More precisely, k := H(k0jjn).
In addition, the ground station performs the same compu-
tation. Observe that the nonce brings freshness to the key
generation, ensuring that every time n changes, so does the
key k. Thus, it is possible for the satellite to frequently
change the cryptographic keys. The generated key k should
be long enough to match the required security level and a
hash function should be chosen accordingly.
Atthispoint, thesatelliteandthegroundstationsharethe
same session key k, and can re-establish a secured channel.
This approach is relatively simple, only requiring the com-
putation of one hash. It is secure, given that it is infeasible
for an attacker to compute k from n and assuming that k0 re-
mains unknown to the attacker. As a consequence, only the
ground station and the satellite can generate the same key k
since they are the only two entities knowing k0. Due to its
simplicity, it can be used either in existing or new satellites,
and also reused as many times as it becomes necessary by
simply changing the nonce n.
3.3. Trusted Modules Approach
The next threat model makes the same assumptions of
the ﬁrst threat model, but with two additional assumptions:
i) an attacker can break into the satellite, can modify the
FPGA conﬁguration and the program memory, and thus
control the entire satellite; ii) Due to the presence of an at-
tacker, the satellite may not always have a hash function
implemented in the FPGA logic to create a new key. When
more harsh and realistic scenarios are taken into account,
this threat model becomes mandatory. The trusted module
approach is the main strategy to protect modern satellites
from failures and attacks, and as such, it is on the focus of
the remaining sections of this paper.
Since an attacker can modify the satellite’s untrusted
computing system, it becomes impossible to recover the
control over the satellite without the help of trusted mod-
ules. Thus, it is mandatory to have the trusted modules
implemented with fault-tolerance and out of reach of at-
tackers, i.e. apart from the general computing platform. In
order to avoid a man-in-the-middle attack in the satellite’s
circuitry, it is mandatory to have a secure information path
between the radio-frequency circuitry and the trusted mod-
ules. The proposed approach uses three trusted modules,
3including a trusted random number generator available only
to the trusted modules.
The trusted hash and conﬁguration module, shown in
Figure 1, is responsible for checking the integrity of some
system components, i.e., the hashes of the program mem-
ory, the current FPGA conﬁguration, and the FPGA conﬁg-
uration ﬁle. For example, by using the scheme presented in
[8], the integrity of the untrusted storage elements can be
veriﬁed. The trusted module also contains some elementary
circuitry to re-initialize the program memory and to conﬁg-
ure the FPGA from the minimal conﬁguration ﬁle. Given
that the efﬁcient hashing technique is well studied in [8],
the remainder of this will focus on the details of the trusted
reset and key recovery modules.
Figure 1. Trusted hash and conﬁguration
module, used to check the integrity of the
satellite’s components.
The trusted key recovery module, is responsible for re-
covering cryptographic keys. This module stores l keys
(k1;k2;:::;kl) in a table, to be referred to as secrets table.
The index of this table is a number n, which is b-bits long,
thus leading to an address space of size 2b. Actually, n is
denoted as an one-time key recovery secret, which is sent
to the satellite in the clear (i.e. no encryption is needed)
by the ground station following the recovery protocol to be
described in Section 3.4. If n points to a position holding
a key, such a key is output. Observe that the one-time key
recovery secret is never used as a key itself. Otherwise, any
entity listening to the communication could use n to decrypt
future encrypted messages.
The strength of this module relies on two fundamental
features: i) the l keys are randomly distributed throughout
the 2b positions of the table, and ii) b is made big enough to
become infeasible for an attacker using brute force to ﬁnd
a position containing a key. It is feasible to implement the
proposed scheme by using a selection circuitry, as shown in
Figure 2. With that, only l storage elements are required for
the keys, even maintaining a huge address space. This way,
up to l key recoveries can be performed by the ground sta-
tion. Therefore, the greater l, the longer the satellite’s pro-
tection against key losses. However, the smaller l, the less
storage is needed in the satellite. For example, one could
use 128-bit keys, l = 64;128; or 256, and b = 64;128; or
256 bits.
Another important feature of the trusted key recovery
module is that, once a given key is read, it is removed from
the secrets table and never used again. This also means that
a given one-time key recovery secret is used only once. If
reused, attackers could perform replay attacks and easily
break the proposed scheme.
Figure 2. Table and selection circuitry used
for recovering k from one-time secret n.
The trusted reset module, is related to the system restart.
Its function is the issue of a general reset signal to bring the
satellite to a reliable state from which the rest of the system
can be recovered. This module can also be thought as a ta-
ble, but instead of outputting a key when it receives a valid
one-time reset secret s, it issues a general reset. The reset
signal causes the FPGA to be reconﬁgured (with minimum
capabilities) and the program memory to be restored. Fur-
thermore, once a reset position is used, it is destroyed and
can never be accessed again. This prevents an attacker from
resetting the satellite through a replay attack using an old
reset secret s.
When these three trusted modules are implemented in
a satellite, it becomes possible to detect when one of its
crucial components gets corrupted, bring the satellite to a
reliable state, and restore its cryptographic capabilities. For
that, a recovery protocol is used, whose details are shown in
the next section.
3.4. Recovery Protocol
From time to time, during the normal operation of the
satellite, the trusted hash module checks the integrity of the
programmemory, theFPGA’scurrentconﬁguration, andthe
FPGA’s conﬁguration ﬁle. The computed hashes are then
sent to the ground station. Since the trusted hash module is
out of reach of attackers, it can detect any data corruption
on those components due to intentional and unintentional
causes, e.g. SEUs and attacks. Given that the ground sta-
tion knows the hashes of the FPGA conﬁguration and pro-
gram memory, a simple comparison determines whether the
satellitehassomecrucialcomponentcorrupted. Ifthatisthe
case, the ground station broadcasts a message to the com-
municating parties stating that the faulty satellite is not reli-
able, and imposes that all parties stop communicating with
4it. It is up to the ground station to decide what to do next
with the satellite. In some cases only a cryptographic key
recovery may be necessary, whereas in more severe cases,
a reset followed by a key recovery may be performed. The
latter case is more complex and is exempliﬁed below.
In order to proceed with the recovery as the entity con-
trolling the satellite, the ground station uses the one-time
secrets n for key recovery and s for the reset. As shown in
Figure 3, a challenge-response protocol is used. The ground
station ﬁrst requests the initiation of the trusted reset proto-
col. Then the satellite generates a random number r and
sends it to the ground station. After that, the ground sta-
tion performs an exclusive-or (©) of s and r, and responds
(s © r) to the satellite. Finally, the satellite knows r and
(s © r), performs r © (s © r), and thus recovers s. For the
key recovery procedure, the protocol is exactly the same,
but n is used instead of s.
Figure 3. Recovery protocol based on
challenge-response.
When the trusted reset module receives s, it indexes its
secrets table. If s corresponds to a valid address, a general
reset signal is issued. Next, the accessed address in the se-
crets table is destroyed. This means that an attacker could
listen to s but could never reuse it in a replay attack to issue
a new system reset. Therefore, this action is performed only
once and uniquely by the holder of the one-time reset secret
s. As a result of the reset signal, the FPGA and the pro-
gram memory are reconﬁgured. After that, the satellite will
send a status message to the ground station, which contains
information on the success of the reset operation and also
the new hashes of the FPGA conﬁguration ﬁle and program
memory.
After these steps, the satellite is in a safe state, but still
does not have a secured channel with the ground station. At
this point the key recovery protocol takes place. Again, the
ground station requests the initiation of the protocol. The
satellite generates a new random number r0, and sends it to
the ground station. The ground station computes (n © r0)
and sends it back to the satellite. Next, by knowing r0 and
(n © r0), the satellite recovers n. Finally, the trusted key
recovery module uses n to index its secrets table and out-
puts a cryptographic key, which is then used to establish a
secured and authenticated channel with the ground station.
Additionally, the ground station can use the new secured
channel to send new program and FPGA conﬁguration ﬁles
to the satellite. This may be an important step, since at-
tacks or failures may have occurred due to bugs or security
holes in the previous system’s embedded hardware or soft-
ware. Later on, the ground station broadcasts a message
allowing other parties to resume their communications with
the satellite. Although a worst case scenario has been de-
scribed, the recovery can be simpler depending on the type
of the failure. For example, it may be necessary only to re-
cover a cryptographic key, and the satellite reset may not be
needed.
One may argue that it would be much faster and cheaper
not to use the challenge-response protocol, and instead of
that, send s and n directly to the satellite. We consider that
a valid argument, however the challenge-response protocol
is used to increase the security of the system by taking into
account the time t spent in the communications between the
groundstationandthesatellite. Moreprecisely, thecommu-
nicationtimet(inseconds)isdeterminedbyt = d=c, where
disthedistance(inKm)betweenEarthandthesatellite, and
c is the speed of light in vacuum (299,792.458 Km/s).
This point becomes much clearer when observed from
the perspective of an attacker. Without the challenge-
response protocol, an attacker could perform a concurrent
attack by sending an (invalid) one-time secret after the
other. In fact, the delay between two trials would be the
time spent by the satellite to process the one-time secret,
which is performed quite quickly. Now, considering the
challenge-response protocol, an attacker cannot perform a
concurrent attack and is imposed to exchange 3 messages
with the satellite, thus spending 3t seconds in communica-
tion time between two trials. The status message can be
temporarily discarded by the attacker.
Table 1. Protocol delay
Satellite Distance d from Protocol Delay
Type Earth (Km) (3 messages) (s)
LEO 80 (minimum) 2.40x10
¡3
MEO 1,700 (minimum) 5.10x10
¡2
GEO 35,700 (minimum) 1.07
Mars 78,338,750 (average) 2.35x10
3
Table 1 shows the protocol delay, considering the ex-
change of 3 messages, for different kinds of satellites [18],
e.g. Low Earth Orbit (LEO), Medium Earth Orbit (MEO),
and Geosynchronous Orbit (GEO) satellites. An estimate
of the average communication time with a satellite orbit-
ing Mars [15] is also included given the interests of many
space agencies on that planet. A ground station that knows
the one-time secrets would spend 2.4ms on the challenge-
response protocol while recovering a LEO satellite. If the
satellite was orbiting Mars, it would spend 2350s (about 39
minutes). We are assuming that these communication de-
lays are acceptable for ground stations in most cases, and
is worth doing because of the extra security that it brings to
the system. Consequently, one-time secrets can use fewer
bits, thus saving valuable implementation area.
54. Trusted Modules Implementation
The implementation of the trusted modules consists of
four components: control unit, address counter, secrets and
keys table, and compare secret unit. The internal archi-
tecture of the trusted modules is shown in Figure 4. The
control unit is responsible for receiving the one-time secret
and for managing its evaluation. The whole process takes
four clock cycles to: access the keys/secrets table, compare
the stored secret with the received one, destroy the used se-
cret, and increment the address counter. Even though the
trusted reset and key recovery modules have different func-
tions, their internal architectures are very similar. The only
difference, represented by the dashed lines in Figure 4, is
the additional circuitry for managing the cryptographic keys
within the trusted key recovery module.
Figure 4. Trusted modules architecture.
The secrets table stores l secrets, each of them b bits
wide, which are protected against errors by the use of ham-
ming codes. Actually, all secrets are stored in an encoded
form, by adding p parity bits to each storage element. When
thememoryisread, aninternalHammingdecodercorrectsa
potential bit ﬂip caused by SEUs, and sends the secret to the
secret compare unit. The implementation of the trusted re-
set module considers secrets of 64, 128 and 256 bits, which
requiretheadditionof7, 8, and9paritybits, respectively. In
the case of the trusted key recovery module, the secrets and
keys are stored together in the same storage element. This
saves some parity bits in its Hamming encoded form, thus
requiring only 8, 8, and 9 parity bits, respectively to encode
the 64, 128 and 256-bit secrets along with the 128-bit keys.
Hence, the total memory bits required to store the secrets is
given by l¤(b+p), and l¤(128+b+p) to store the secrets
along with the keys.
Further, if an unrecoverable error is found in the stored
secret or key, e.g. two bit ﬂips, the control unit is informed.
Consequently, the address counter is incremented and the
ground station instructed to use the next one-time secret.
One-time secrets are indexed sequentially through a pointer
generated by the address counter unit. This unit consists of
a fault-tolerant (log2l)-bit counter, allowing for l resets/key
recoveries. It accounts with a Hamming encoder/decoder
pair to keep the counter in an encoded form, so that it can
correct one bit ﬂip and detect two bit ﬂips.
Once the stored secret is read from the secrets table, it is
sent to the compare secret unit. Then, the compare secret
unit performs a bit-wise comparison between the stored se-
cret and the one-time secret under test. From the compar-
ison results, the control unit determines whether or not to
issue a reset signal (a key, in the case of the key recovery
module). If the one-time secret was ”guessed” correctly,
the stored secret is zeroed in the secrets table (along with its
corresponding key, in the case of the key recovery module).
Finally, thecontrolunitincrementstheaddresscounter, thus
preparing the trusted module for the next recovery process.
In case of an error in the address counter, its value can
be reset by the control unit. In the sequence, the control
unit executes a series of counter increments, until it detects
that the secret coming from the secrets table is different of
zero. At this point, it knows that the address pointer has
been recovered to its correct position. Likewise, the control
unit follows this procedure to recover the address counter
after FPGA reconﬁgurations. Despite this work shows the
implementation of the secrets table using the FPGA’s RAM
blocks, an actual implementation in a satellite should use
ﬂash memory, so that its contents are not lost in an eventual
FPGA reconﬁguration.
5. Experimental Results and Discussion
Our experimental results are based on the several im-
plementations using an Altera CycloneII EP2C35F672C6
FPGA. The synthesis of the trusted modules are presented
along with an analysis of brute force attacks. All the syn-
thesis were performed using QuartusII version 7.2.
Table 2. Trusted Reset Module:
Implementation Results
Secret # of Area Mem. Freq. Dynamic/Total
(bits) Resets (LEs) (bits) (MHz) Power (mW)
64 502 4608 62.24 10.78 / 137.95
64 128 507 9216 63.50 11.03 / 137.83
256 512 18432 63.03 12.25 / 139.36
64 887 8768 59.01 14.83 / 151.01
128 128 892 17536 58.97 16.17 / 153.44
256 901 35072 58.83 16.80 / 153.48
64 1642 17024 57.14 17.37 / 173.95
256 128 1647 34048 56.06 19.28 / 177.18
256 1654 68096 54.18 20.56 / 177.19
As shown in Table 2, the simplest implementation of the
trusted reset module uses 64-bit secrets and can issue up
to 64 reset signals. In this conﬁguration, the module oc-
cupies 502 logic elements (LEs), operates at 62.24MHz,
and uses 4608 memory bits for the secrets table. Besides,
it consumes 10.78mW of dynamic power and 137.95mW
of total power. The total power consumption includes I/O
6power dissipation and the static power dissipation (about
81mW for the trusted reset modules). In its most secure
version, using 256-bit secrets and being able to issue up to
256 reset signals, the module occupies 1654 LEs, runs at
54.18MHz, and uses 68096 memory bits. Further, it con-
sumes 20.56mW of dynamic power and 177.19mW of to-
tal power. Furthermore, compared to the simplest version,
themoresecureversionconsumes1.91 timesmoredynamic
power and occupies 3.3 times more area.
Table 3. Trusted Key Recovery Module:
Implementation Results (128-bit keys)
Secret # of Area Mem. Freq. Dynamic/Total
(bits) Keys (LEs) (bits) (MHz) Power (mW)
64 1213 12864 56.73 21.34 / 209.36
64 128 1219 25728 55.34 20.92 / 208.35
256 1224 51456 58.33 23.33 / 209.81
64 1674 17024 55.78 29.81 / 231.25
128 128 1686 34048 55.19 29.97 / 230.14
256 1691 68096 57.57 31.96 / 231.49
64 2356 25216 52.97 38.05 / 264.60
256 128 2356 50432 51.75 39.23 / 265.30
256 2372 100864 50.73 40.65 / 266.02
The results shown in Table 3, refer to the trusted key re-
covery modules working with 128-bit keys. In its simplest
version, the module uses 64-bit secrets and can issue up to
64keys. Forthat, itoccupies1213LEs, 12864memorybits,
and operates at 56.73MHz. It has dynamic power consump-
tion of 21.34mW, whereas its total power consumption is
209.36mW. Again, the static power dissipation of all trusted
key recovery modules is about 81mW.
On the other hand, its most secure version uses 256-bit
secrets and allows for 256 key recoveries. This mod-
ule utilizes 2372 LEs, 100864 memory bits, and runs at
50.73MHz. Further, it has dynamic and total power con-
sumption of 40.65mW and 266.02mW, respectively. More-
over, this module occupies 1.95 times more area, and con-
sumes 1.9 more dynamic power than its simplest version.
Table 4. Trusted Reset and Key Recovery:
Processing Times
Secret # of Reset Key Recovery
(bits) Keys/Resets Proc. Time (ns) Proc. Time (ns)
64 64.27 70.51
64 128 62.99 72.28
256 63.46 68.58
64 67.79 71.71
128 128 67.83 72.48
256 67.99 69.48
64 70.00 75.51
256 128 71.35 77.29
256 73.83 78.85
Movingtotheprocessingtimeanalysis, onemayobserve
through Table 4 that all modules are quite efﬁcient. The
slowest and the fastest trusted reset module have process-
ing times of, respectively, 73.83ns and 64.27ns. Similarly,
the slowest trusted key recovery module executes a key re-
covery in 78.85ns, while the fastest one performs the same
operation in 70.51ns.
In order to determine the strength of the modules against
brute force attacks, we must also to take into account the
communication protocol delay. Because of the trusted mod-
ules’ processing times are quite small in face of the protocol
delay, the former can be disregarded in the determination of
the total time spent in a brute force attack. Additionally,
the total number of trials that an attacker must perform in
a brute force attack is 2b, where b is the number of bits of
the one-time secret. Moreover, an attacker can perform no
better than wait for the end of each protocol run to launch
another trial. Thus, the total time (in seconds) spent in a
brute force attack is 2b ¤ 3t, where 3t is the time spent ex-
changing 3 protocol messages as given by Table 1. The
total time (in years) spent in a brute force attack against the
trusted modules are presented in Table 5. Since these times
are completely independent of the computational power of
the attacker, it can be concluded that the proposed schemes
are very secure.
Table 5. Brute Force Attack
Secret Brute Force Attack (years)
(bits) LEO MEO GEO Mars
64 1.40x10
9 2.99x10
10 6.27x10
11 1.38x10
15
128 2.59x10
28 5.51x10
29 1.16x10
31 2.54x10
34
256 8.82x10
66 1.87x10
68 3.94x10
69 8.64x10
72
The less secure system is obtained when 64-bit secrets
are used in conjunction with LEO satellites. In this case, a
brute force attack would take 1.40x109 years. However, the
farther the satellite is, the more secure the scheme becomes
for the same secret size. For instance, a satellite implement-
ing the same modules, but orbiting Mars, would raise the
total time of a brute force attack to 1.38x1015 years. On
the other hand, if the construction constraints of a satellite
allows for the use of more hardware area, 256-bit secrets
could be used. As a result, a brute force attack would be-
come in the order of 1057 harder. For example, it would
take 8.82x1066 for an attacker to break such a system im-
plemented in LEO satellites, where as this number would
increase to 8.64x1072 years for satellites orbiting Mars.
As can be computed from Table 2, this increased secu-
rity level of using 256-bit secrets does not lead to a big in-
crease in the implementation area, memory bits, and dy-
namic power consumption, when compared to 64-bit se-
crets. Actually, the trusted reset modules would occupy
3.23 times more LEs, 3.69 times more memory bits, and
consume 1.67 times more dynamic power. Similarly, from
Table 3, the trusted key recovery modules would occupy
1.94 times more LEs, 1.96 times more memory bits, and
consume 1.74 times more dynamic power. Although larger
secret sizes leads to higher levels of security without in-
creasing too much area and power consumption, the secu-
rity level achieved with 64-bit secrets may be enough for
most applications.
76. Conclusions
This paper provides a set of techniques to recover satel-
lites that suffer attacks or severe failures caused by SEUs.
Several implementations of the trusted modules using var-
ious levels of security and number of recoveries are pre-
sented using an Altera Cyclone II FPGA. For instance,
a trusted reset module working with 256-bit one-time se-
crets and allowing for 256 satellite resets, utilizes 1654 LEs
and 68096 memory bits. It issues a reset signal in only
73.83ns when operating at 54.18MHz, while its dynamic
and total power consumption is, respectively, 20.56mW and
177.19mW.
In contrast, a trusted key recovery module allowing for
256 key recoveries and using 256-bit one-time secrets, oc-
cupies 2372 LEs and 100864 memory bits. This module
can recover a key in 78.85ns when operating at 50.73MHz,
with dynamic and total power consumption of 40.65mW
and 266.02mW, respectively.
A brute force attack against these modules would take
8.82x1066 years, when they are applied to LEO satellites.
Since the time spent in a brute force attack is completely
independent of the computing power of the attackers, the
proposed scheme can be considered very secure. In sum-
mary, this research addresses the problem of bringing satel-
lites to a safe state after key losses, major failures or attacks,
and also securely restoring their cryptographic capabilities.
This research is important for support the incorporation of
security into satellites.
References
[1] M. Arslan and F. Alagoz. Security issues and performance
study of key management techniques over satellite links. In
11th Intenational Workshop on Computer-Aided Modeling,
AnalysisandDesignofCommunicationLinksandNetworks,
pages 122–128, 2006.
[2] S. Bain. The increasing threat to satellite communica-
tions. Online Journal of Space Communication, 6, Novem-
ber 2003.
[3] P. Blain, C. Carmichael, E. Fuller, and M. Caffrey. Seu mit-
igation techniques for Virtex FPGAs in space applications.
In MAPLD Proceedings, 1999.
[4] CCSDS. The application of CCSDS protocols to secure
systems. Informational Report 350.0-G-2, CCSDS, January
2006.
[5] CCSDS. Security threats against space missions. Informa-
tional Report 350.1-G-1, CCSDS, October 2006.
[6] A. Corporation. Error Detection and Recovery Using CRC
in Altera FPGA Devices. Altera Corporation, January 2007.
AN 357.
[7] S. Fleming. Hacker inﬁltrates military satel-
lite. Online: The Register, March 1999.
http://www.theregister.com/1999/03/01/
hacker inﬁltrates military satellite/.
[8] B. Gassend, G. Suh, D. Clarke, M. van Dijk, and S. De-
vadas. Caches and hash trees for efﬁcient memory integrity
veriﬁcation. In Ninth International Symposium on High-
Performance Computer Architecture (HPCA 2003), pages
295–306, 2003.
[9] P. Graham, M. Caffrey, J. Zimmerman, P. Sundararajan,
E. Johnson, and C. Patterson. Consequences and categories
of SRAM FPGA conﬁguration SEUs. In MAPLD Proceed-
ings, 2003.
[10] T. L. Group. Hackers seize UK military satellite. On-
line, March 1999. http://www.landﬁeld.com/isn/mail-
archive/1999/Mar/0001.html.
[11] R. W. Hamming. Error detecting and error correcting codes.
Bell System Technical Journal, 26(2):147–160, April 1950.
[12] I. Ingemarsson and C. Wong. Encryption and authentica-
tion in on-board processing satellite communication sys-
tems. IEEETransactionsonCommunications, 29(11):1684–
1687, November 1981.
[13] A. Menezes, P. Oorschot, and S. Vanstone. Handbook of
Applied Cryptography. CRC Press, 1996.
[14] G. Messenger and M. Ash. Single Event Phenomena.
Springer, 2006.
[15] NASA. Solar system exploration webpage. Online, Febru-
ary 2008. http://solarsystem.nasa.gov/planets.
[16] R. Needham and M. Schroeder. Using encryption for au-
thentication in large networks of computers. Communica-
tions of the ACM, 21(12):993–999, 1978.
[17] T. Newspaper. British hackers attack MoD satellite, March
1999. http://www.telegraph.co.uk/connected/main.jhtml?
xml=/connected/1999/03/04/ecnhack04.xml.
[18] U. of Concerned Scientists (UCS). UCS
satellite database. Online, February 2008.
http://www.ucsusa.org/global security/space weapons.
[19] U. S. G. A. Ofﬁce. Critical infrastructure protection: Com-
mercial satellite security should be more fully addressed.
Technical Report GAO-02-781, United States General Ac-
counting Ofﬁce, 2002.
[20] E. Papoutsis, G. Howells, A. Hopkins, and K. McDonald-
Maier. Key generation for secure inter-satellite communica-
tion. In Second NASA/ESA Conference on Adaptive Hard-
ware and Systems (AHS 2007), pages 671–681. IEEE Com-
puter Society, 2007.
[21] K. Poulsen. Satellites at risk of hacks.
Online: SecurityFocus, October 2002.
http://www.securityfocus.com/news/942.
[22] D. Pradhan. Fault-Tolerant Computer System Design.
Prentice-Hall, 1996.
[23] A. Roy-Chowdhury, J. Baras, M. Hadjitheodosiou, and
S. Papademetriou. Security issues in hybrid networks with
a satellite component. IEEE Wireless Communications,
12(6):50–61, 2005.
[24] P. Samudrala, J. Ramos, and S. Katkoori. Selective
triple modular redundancy (STMR) based single-event up-
set (SEU) tolerant synthesis for FPGAs. IEEE Transactions
on Nuclear Science, 51:2957–2969, 2004.
[25] D. Stinson. Cryptography Theory and Practice. CRC Press,
3rd edition, 2005.
[26] T. Vladimirova, R. Banu, and M. Sweeting. On-board se-
curity services in small satellites. In MAPLD Proceedings,
2005.
8