A Novel Approach to Transport-Layer Security for Spacecraft Constellations

Spacecraft constellations seek to provide transformational services from increased environmental awareness to reduced-latency international finance. This connected future requires trusted communications. Transport-layer security models presume link characteristics and encapsulation techniques that may not be sustainable in a networked constellation. Emerging transport layer protocols for space communications enable new transport security protocols that may provide a pragmatic alternative to deploying Internet security mechanisms in space. The Bundle Protocol (BP) and Bundle Protocol Security (BPSec) protocol have been designed to provide such an alternative. BP is a store-and-forward alternative to IP that carries session information as secondary headers. BPSec uses BP’s featureful secondary header mechanism to hold security information and security results. In doing so, BPSec provides an in-packet augmentation alternative to security by encapsulation. BPSec enables features such as security-at-rest, separate encryption/signing of individual protocol headers, and the ability to add secondary headers and secure them at waypoints in the network. These features provided by BPSec change the system trades associated with networked constellations. They enable security at rest, secure content caching, and deeper inspection at gateways otherwise obscured by tunneling

Analysis of the DoIP Protocol for Security Vulnerabilities

DoIP, which is defined in ISO 13400, is a transport protocol stack for diagnostic data. Diagnostic data is a potential attack vector at vehicles, so secure transmission must be guaranteed to protect sensitive data and the vehicle. Previous work analyzed a draft version and earlier versions of the DoIP protocol without Transport Layer Security (TLS). No formal analysis exists for the DoIP protocol. The goal of this work is to investigate the DoIP protocol for design flaws that may lead to security vulnerabilities and possible attacks to exploit them. For this purpose, we deductively analyze the DoIP protocol in a first step and subsequently confirm our conclusions formally. For the formal analysis, we use the prover Tamarin. Based on the results, we propose countermeasures to improve the DoIP's security.We showthat the DoIP protocol cannot be considered secure mainly because the security mechanisms TLS and client authentication in the DoIP protocol are not mandatory. We propose measures to mitigate the vulnerabilities thatwe confirm to remain after activating TLS. These require only a minor redesign of the protocol

Implementation of Event-Based Dynamic Authentication on MQTT Protocol

This paper proposes an authentication mechanism on the MQ Telemetry Transport (MQTT) protocol. The exchange of data in the IoT system became an important activity. The MQTT protocol is a fast and lightweight communication protocol for IoT. One of the problems with the MQTT protocol is that there is no security mechanism in the initial setup. One security attack may occur during the client registration phase. The client registration phase has a vulnerability to accept false clients due to the absence of an authentication mechanism. An authentication mechanism has been previously made using Transport Layer Security (TLS). However, the TLS mechanism consumes more than 100 KB of data memory and is not suitable for devices that have limitations. Therefore, a suitable authentication mechanism for constraint devices is required. This paper proposes a protocol for authentication mechanisms using dynamic and event-based authentication for the MQTT protocol. The eventbased is used to reduce the computing burden of constraint devices. Dynamic usage is intended to provide different authentication properties for each session so that it can improve authentication security. As results, the applied of the event-based dynamic authentication protocol was successful in the constraint devices of  microcontrollers and broker. The microcontroller, as a client, is able to process the proposed protocol. The client uses 52% of the memory for the proposed protocol and only consumes 2% higher than the protocol without security. The broker can find authentic clients and constraint devices capable of computing to carry out mutual authentication processes to clients. The broker uses a maximum of 4.3 MB of real memory and a maximum CPU usage of 3.7%

Improving efficiency and security of IIoT communications using in-network validation of server certificate

The use of advanced communications and smart mechanisms in industry is growing rapidly, making cybersecurity a critical aspect. Currently, most industrial communication protocols rely on the Transport Layer Security (TLS) protocol to build their secure version, providing confidentiality, integrity and authentication. In the case of UDP-based communications, frequently used in Industrial Internet of Things (IIoT) scenarios, the counterpart of TLS is Datagram Transport Layer Security (DTLS), which includes some mechanisms to deal with the high unreliability of the transport layer. However, the (D)TLS handshake is a heavy process, specially for resource-deprived IIoT devices and frequently, security is sacrificed in favour of performance. More specifically, the validation of digital certificates is an expensive process from the time and resource consumption point of view. For this reason, digital certificates are not always properly validated by IIoT devices, including the verification of their revocation status; and when it is done, it introduces an important delay in the communications. In this context, this paper presents the design and implementation of an in-network server certificate validation system that offloads this task from the constrained IIoT devices to a resource-richer network element, leveraging data plane programming (DPP). This approach enhances security as it guarantees that a comprehensive server certificate verification is always performed. Additionally, it increases performance as resource-expensive tasks are moved from IIoT devices to a resource-richer network element. Results show that the proposed solution reduces DTLS handshake times by 50–60 %. Furthermore, CPU use in IIoT devices is also reduced, resulting in an energy saving of about 40 % in such devices.This work was financially supported by the Spanish Ministry of Science and Innovation through the TRUE-5G project PID2019-108713RB-C54/AEI/10.13039/501100011033. It was also partially supported by the Ayudas Cervera para Centros Tecnológicos grant of the Spanish Centre for the Development of Industrial Technology (CDTI) under the project EGIDA (CER-20191012), and by the Basque Country Government under the ELKARTEK Program, project REMEDY - Real tiME control and embeddeD securitY (KK-2021/00091)

SIGMA: A mobility architecture for terrestrial and space networks.

Internet Protocol (IP) mobility can be handled at different layers of the protocol stack. Mobile IP has been developed to handle mobility of Internet hosts at the network layer. Mobile IP suffers from a number of drawbacks such as the requirement for infrastructure change, high handover latency, high packet loss rate, and conflict with network security solutions. As an alternative solution, a few transport layer mobility protocols have been proposed in the context of Transmission Control Protocol (TCP), for example, MSOCKS and TCP connection migration. In this dissertation, a S&barbelow; eamless I&barbelow; P-diversity-based G&barbelow; eneralized M&barbelow; obility Architecture (SIGMA) is described. SIGMA works at the transport layer and utilizes IP diversity to achieve seamless handover, and is designed to solve many of the drawbacks of Mobile IP. It can also cooperate with normal IPv4 or IPv6 infrastructure without the support of Mobile IP. The handover performance, signaling cost, and survivability issues of SIGMA are evaluated and compared with those of Mobile IP. A hierarchical location management scheme for SIGMA is developed to reduce the signaling cost of SIGMA, which is also useful to other transport layer mobility solutions. SIGMA is shown to be also applicable to managing satellite handovers in space. Finally, the interoperability between SIGMA and existing Internet security mechanisms is discussed

Unicast UDP Usage Guidelines for Application Designers

Publisher PD

Options for Securing RTP Sessions

The Real-time Transport Protocol (RTP) is used in a large number of different application domains and environments. This heterogeneity implies that different security mechanisms are needed to provide services such as confidentiality, integrity, and source authentication of RTP and RTP Control Protocol (RTCP) packets suitable for the various environments. The range of solutions makes it difficult for RTP-based application developers to pick the most suitable mechanism. This document provides an overview of a number of security solutions for RTP and gives guidance for developers on how to choose the appropriate security mechanism

Automatic Intent-Based Secure Service Creation Through a Multilayer SDN Network Orchestration

Growing traffic demands and increasing security awareness are driving the need for secure services. Current solutions require manual configuration and deployment based on the customer's requirements. In this work, we present an architecture for an automatic intent-based provisioning of a secure service in a multilayer - IP, Ethernet, and optical - network while choosing the appropriate encryption layer using an open-source software-defined networking (SDN) orchestrator. The approach is experimentally evaluated in a testbed with commercial equipment. Results indicate that the processing impact of secure channel creation on a controller is negligible. As the time for setting up services over WDM varies between technologies, it needs to be taken into account in the decision-making process.Comment: Parts of the presented work has received funding from the European Commission within the H2020 Research and Innovation Programme, under grant agreeement n.645127, project ACIN