E-Laun: OTAR resistant to evil launchers
Authors: Alexandre Duc, Grégoire Guyot and Pascal Perrenoud
Consultative Committee for Space Data Systems (CCSDS) link security depends on long-lived symmetric keys. Although the Space Data Link Security (SDLS) protocol does support in-orbit rekeying, it does so only with symmetric techniques, i.e., by encrypting new keys under a pre-shared master key or deriving them from it, leaving missions exposed should that master key be compromised. We propose two protocols called Double and Triple Diffie–Hellman (2DH/3DH) to extend SDLS with asymmetric rekeying without altering its frame format. In 2DH, the ground station sends a single ephemeral public key and derives fresh symmetric keys with the satellite’s static key, staying within minimal on-board resources. The 3DH variant lets both ends contribute ephemeral secrets, providing perfect forward secrecy at the cost of one extra communication, an extra scalar multiplication and the need for a good entropy source on the spacecraft. Both protocols result in replay-safe, over-the-air rekeying mechanisms that fit the bandwidth and storage limits of small satellites, thereby eliminating dependence on any long-term symmetric secret. We also analyzed the implications of our protocols with respect to threats from potentially malicious launch operators, referred to as evil launchers, who might gain unauthorized access to spacecraft cryptographic key material before deployment. We show how our protocols stay secure against such threats. Moreover, given the future risks posed by quantum computing, we conducted a preliminary state-of-the-art review of post-quantum cryptographic (PQC) algorithms. Our analysis identified PQC algorithms suitable for this use case. Future work will focus on integrating these PQC algorithms within the proposed rekeying framework, preparing space communication for long-term resilience.