I wish I could have been there, but Labor Day vacation plans took
precedence. From the notes, if we care more about authentication
than secrecy, we can just sign messages rather than encrypt them.
We only need a nonce if we're concerned about resistance to replay
attacks. If replay attacks are part of the threat model, then we
have an active attacker. What about availability? The cube sat has a
small power and thermal budget, and a hypothetical attacker could
deny access by exhausting the power/thermal resource with repeated
authentication failures. Thwarting an active attacker might need to
involve security into the physical communications layer, such as
frequency-hopping or key-based multiple-access. That constrains
communications controller choices.
The command structure suggests authentication, then payload. That
implies we'd be authenticating sessions rather than just messages.
Why are we taking a session-based approach rather than a
message-based approach? What parts of the control protocol need to
be stateful? It'd make things easier and more error-resilient if we
could keep it stateless. (Or keep minimal state, such as a simple
monotonic counter to address the replay concern.)
> If you want to talk satellite communications systems, join us!
psas-avionics mailing list