Preparation of enabling space technologies and building blocks: Boosting MO security with end2end encryption and space HSMaaS with SDLS

Objectives: The contract combines two companies. Both had their own objectives, that are demonstrated in an OPS-SAT experiment: •CGI: PKI-based MO application end-to-end encryption in MAL. •Skudo: IoD/IoV of HSM providing standard encryption functions implemented on an FPGA chip exposed by a PKCS#11 compliant interface.

Background and justification: This activity creates a Public Key Infrastructure (PKI) based security solution in ground-to-space communication, demonstrated in an OPS-SAT experiment, where the onboard cryptography is optionally supported by an HSM. There are three interconnected themes in this work: •The target protocol is Message Abstraction Layer (MAL) of Mission Operations (MO) framework. The activity implements handshake, mutual authentication using X.509 Public Key (PK) certificates, symmetric encryption following simplified TLS 1.3. •In MO infrastructure the data security is limited to select transport implementations. The MAL encryption shall make MO applications secure end-to-end regardless of transport choice or protocol bridging. •The onboard cryptographic functions are carried out by an HSM implemented in Verilog on a single FPGA chip.   Achievements and status: •End-to-end MO application security demonstrated in OPS-SAT experiment 146. The MO framework proved to be extensible for the security addition. The OPS-SAT ground and space MO infrastructure was repackaged with a reusable "Secure MAL" component (developed in this work). The system was configured to use Curve25519 keys and 256bit AES/GCM encryption. •Skudo HSM (AES-GCM, Ed25519, X25519, SHA512, X.509, tRNG) implemented on the FlatSAT and on the mitySOM Cyclone-V FPGA chip. IoV not achieved. Benefits: •The MAL security improvement is applicable to existing and new MO applications. •Hardware-based cryptographic support provided via the HSM/FPGA developed for the Cyclone-V FPGA.