FR2506101A1 - Transmission format for protecting privacy of satellite telecontrol - uses information in preamble to access satellite memory for decoding and authenticating message - Google Patents

Abstract

The identifying preamble to a transmitted word contains a secret key number which permits selection in the satellite memory of the secret key to be used for the decoding process. The preamble also contains the message number which changes for each message and also the length of the message. The authentification sequence is calculated from the secret key and message number and will change for each message. The octets containing a command such as for steering or switching equipment are accompanied by a cryptogram containing the same command configured with an algorithm dependent on the secret key, message number and the order of the command. On reception this data determines the decoding algorithm and after decoding, the cryptogram phrase is compared with the control phrase. If there is any difference the message is rejected.

Description

PROTECTION METHOD FOR REMOTE CONTROLS
SATELLITES AGAINST INTRUSIONS
The present invention relates to a method of protecting satellite remote controls against intrusion.

 The operation of satellites of all kinds (telecommunications, observation, etc.) is controlled from the ground, by remote control, both with regard to the payload and with regard to navigation and control devices.

 It is extremely easy, in the current state of remote control processes, to replace the control center of a satellite, to remote control it and put it in a situation which seriously disrupts the service or even which leads to the loss of the satellite. This type of attack is called intrusion. On the other hand it can be harmful for a third party to know the activities of a satellite, by intercepting remote control messages sent in clear.

Currently satellite remote control messages are transmitted in clear in a standardized format according to the ESA standard or the standard
COMSAT, in particular. There are no special provisions to deal with intrusions and interceptions.

 The method according to the invention prevents intrusions and interceptions by means of protection.

According to the invention a method of protecting satellite remote controls against intrusion, where the remote control message is composed of an identification preamble, followed by words or sentences containing commands is characterized in that the preamble comprises
- a number designating a secret key stored on board the satellite,
- a message number, different for each message,
- the length of the message,
- an authentication sequence, calculated according to the secret key and the message number, and the number of bits of which is large enough for the systematic test of all the possible combinations to be longer than the duration of use of the satellite, in that the bytes containing a command are accompanied by a cryptogram containing the same command encrypted with an algorithm depending unpredictably, on the value of the secret key, on the number of the message, and on the rank of the command in the message ; and in that, on reception, a command is executed if and only if the following conditions are satisfied: the information number is valid, the authentication sequence is exact, the bytes containing the command can be identified by the cryptogram which accompanied, the rank of the command is not greater than the length of the message announced in the preamble.

 The invention will be better understood and other characteristics will appear with the aid of the description which follows and of the figures relating thereto.

 - Figure 1 shows schematically the format of a remote control sentence according to the ESA standard.

 - Figure 2 shows schematically the format of a message composed of a series of n sentences, according to the ESA standard.

 FIG. 3 represents an example of a remote control message protected against intrusion and respecting the format of the ESA standards.

FIG. 4 represents an example of a remote control message protected against intrusion and having a format derived from that of the standards
ESA.

 FIG. 5 represents an example of a flowchart for generating a protected remote control message, implementing the method according to the invention.

 FIG. 6 represents an example of an authentication flowchart, upon reception, of a remote control message protected by the method which is the subject of the invention.

The signals considered are binary signals. According to the ESA standard, remote control messages are made up of sentences that follow one another without interruption (FIC.2). Each sentence (FIG.l) includes:
a preamble 1 for identifying the satellite and the remote control module concerned in the satellite. It has sixteen bits;
- mode 2 information, relating to the nature of the remote control conveyed by the phrase (piloting remote control, loading of data into a computer, switching of emergency equipment, etc.). It comprises four bits repeated once , or eight bits in total;
a first control word 3 which comprises a byte plus four bits of error detecting code 4; the whole being repeated once, there are twenty four bits in total;
- a second control word 5, of the same format as the first;
- a third control word 6, in the same format as the first.

 Each sentence has a total of ninety-six bits. The command contained in a sentence is executed as soon as its transmission is complete, except, of course, in the event of detection of errors.

 The method according to the invention is described in an example where the format of the remote control messages obeys the ESA standards, then in an example where the ESA standards are modified to shorten the length of the message.

In addition, protection against intrusion and protection against interception will be described successively.

Intrusion into a remote control can take the following forms:
- the repetition of an authentic remote control message, recorded then retransmitted later;
- sending numerous random sequences, in the hope that one of them will be considered authentic by the satellite;
- modification of a remote control message. A third party can prevent a message from being received by scrambling while recording.

Then it can retransmit it, immediately after, by replacing certain sentences with sentences ordering operations harmful to the satellite. It can, on the other hand, extend an authentic message by adding sentences, recorded during previous remote controls.

 These various attacks are countered by the combined use of a preamble, composed of K sentences authenticating the sender, and a cryptogram sentence associated with each command sentence. FIG. 3 represents a remote control message thus composed. The sentences are, in this example, in ESA format. The identification preamble 7 is followed by a command phrase nO 1, then by a cryptogram phrase nO 1, then by a command phrase n 2 followed by a cryptogram phrase n "2, etc., until to the command phrase nO n followed by the cryptogram phrase nO n.

Each sentence of the preamble being in ESA format, contains three authentication bytes, or twenty four useful bits. The entire preamble contains the following information:
- a secret key number, which allows selection in the
memory of the device on board the satellite, the secret key to use for decryption. When a secret key is compromised, that is to say is supposed to be known to the enemy, a new key is used and its use irreparably inhibits the previous key;
- a message number, which changes with each message, thus preventing a third party from sending an authentic message already received once by the satellite;
- the length of the message. In the example of figure 3 it is the number n. It prevents a third party from extending an authentic message by adding sentences to it;
- an authentication sequence, calculated according to the secret key and the message number, which therefore changes with each message. On the other hand, its number of useful bits is large enough for the systematic test by a third of all the possible combinations to be longer than the duration of use of the satellite; for example, this number of bits can be forty eight, which occupies two sentences in ESA format. This prevents intrusion by random sequences tried in large numbers.

 The cryptogram phrase, associated with a command phrase, is calculated according to the three command bytes that this phrase contains (in the ESA standard). The algorithm used depends on the secret key, the message number, and the rank of the sentence in the message. On reception, this data determines the decryption algorithm. After decryption the cryptogram sentence is compared with the command sentence. If the result of the decryption does not comply, the order is rejected. The pair command phrase-cryptogram phrase is attached to a well-defined preamble, by the key number and the message number. The preamble and the cryptogram phrase work together to prevent an intrusion by substitution of a useful phrase-cryptogram phrase pair. If a third party substitutes for this couple a couple records in another authentic message, the message number being wrong, the cryptogram phrase does not will not be deciphered correctly, it will not be identical to the useful sentence, so the command will not be accepted.

 If a third party records an authentic message while scrambling its reception, then retransmits it by having changed the order of the useful sentences, to change the sequence of the remote controls, the decryption is incorrect, because the decryption algorithm also depends on the rank of the phrase in the message.

 A variant consists in encrypting, on reception, the command phrase with the algorithm which was used for the transmission to obtain the cryptogram phrase, then in making the comparison with it.

 Another variant relates to satellites liable to be endangered by an intrusion consisting in scrambling the reception of a message, then in re-transmitting it, without modification, but with a certain delay. This mainly concerns scrolling satellites. To avoid this type of intrusion, the message number is made up of the actual time. The time of reception of the message is compared with the time of transmission contained in the preamble.

This process would require a clock on transmission and a clock on reception which are strictly synchronous, for which two high-precision clocks would be necessary. A high-precision clock on board the satellite would unnecessarily weigh it down. In the method according to the invention, only one clock is used. It is located on board the satellite and can be of poor accuracy because it also serves as a reference for the earth station by transmitting time signals via the satellite-ground telemetry link.

A variant of the method according to the invention uses a sentence format derived from the ESA format. In this there is a double redundancy of the transmitted information, since the command phrase and the cryptogram phrase convey the same command; on the other hand, each byte of useful information is doubled, which again constitutes redundancy. The proposed variant consists in removing the first redundancy in order to halve the length of the message. Figure 4 shows a remote control phrase in modified ESA format, which successively includes:
a preamble 12 for identifying the satellite and the remote control module concerned by the message, ie sixteen bits;
- mode information 13, relating to the nature of the remote control contained in the sentence, it is doubled; either four bits;
a first control word 14, composed of a control byte and four bits of error detecting code, that is to say twelve bits;
a cryptogram 15, composed of the first eight bits of a cryptogram of the three control bytes contained in the sentence, and four bits of error detecting code, ie twelve bits;
- a second control word 16, composed of a control byte and four bits of error detecting code, ie twelve bits;
- a cryptogram 17, composed of eight other bits of the cryptogram of the three control bytes contained in the sentence, and four bits of error detecting code, ie twelve bits;
a third control word 18, composed of a control byte and four bits of error detecting code, ie twelve bits;
a cryptogram 18, composed of eight other bits of the cryptogram of the three control bytes contained in the sentence, and four bits of error-detecting code, ie twelve bits.

 The total number of bits is ninety six in a sentence to ESA standards. There is no need to transmit a cryptogram phrase following this command phrase. The reduction in the duration of the message makes it possible in particular to reduce the operating time of the decoder on board the satellite, and therefore to reduce its energy consumption.

 In the previous description, only protection against intrusion has been considered, but it is desirable to also protect messages against interception, by not sending sentences or plain words. In the method according to the invention, the sentences or the control words are encrypted with an algorithm different from that used for the cryptogram associated with the sentence or the control word, at least by one of the initialization data, such as a rank parameter. The comparison is then made after deciphering each of the two pieces of information.

The invention is not limited to the embodiment described and shown. It is within the reach of those skilled in the art to apply it to remote control messages transmitted according to other standards, in particular the COMSAT standard. In this standard, the remote control comprises three phases:
- sending the command to the satellite;
- the return to the ground of this order, in order to verify its accuracy;
- sending an execution order.

 The method according to the invention applies to the message conveying the command. Its execution can be protected by limiting the period of validity of the order and by authorizing only one execution per order.

 FIG. 5 represents an example of a flowchart for generating a remote control message protected against intrusion and interception and having the format, derived from the ESA standards, described previously.

 These logic operations can be carried out by conventional circuits with wired logic or programmed logic, the realization of which is within the reach of those skilled in the art.

 The operator who wishes to execute a remote control supplies the device with a secret key number. If the key used previously risks being known to the enemy, the operator can choose a new one, which will, by convention, have a higher number. The key number is entered in a memory, called message memory, where, as the sequence proceeds, all the information making up the message is written. In order to use the ESA format, this information is stored in the form of 3 bytes preceded by 2 mode bits.

 The key number is used to read the value of the key in the key memory.

 The operator provides a message number N2. The number N1 of the previous message is read from a memory known as the previous message number memory. If, following an operator error, N2 is less than or equal to N1, the number N2 is rejected and the operator is invited to choose another one. He can choose N2 = N1 + 1, but it is not compulsory. When the number N2 is recognized as valid it is written to the message memory.

With the message number N2 and the secret key as data, the device calculates an authentication sequence composed of K x 24 bits, so that it fills an integer number K of sentences in format
Modified ESA, which is taken as an example here. A conventional cryptological algorithm is used, for example the Data Encryption Standard, standardized in the USA by publication F1135 nO 46 of the NBS, of January 15, 1977. This sequence is recorded in the message memory, in the form of K groups of three bytes , with two mode bits preceding each group.

 The operator chooses the remote control he wants to run. It corresponds to one or more ESA sentences. Each sentence contains 3 command bytes and 2 mode bits.

 These data are contained, in clear, in a memory called memory of the remote controls. For each remote control, the memory also indicates the number n of sentences constituting the remote control. This number n is read, then stored in the message memory.

 A counter, called a phrase counter, is reset to zero. It is used to detect the end of the processing of the n sentences of the remote control. Let i be the value of its content.

 This counter is incremented by one. The data of the first sentence of the remote control is read from the memory of the remote controls.

They are encrypted according to two different algorithms depending on the key, the message number and the rank i of the sentence. In the case of the first sentence rank i is equal to one. The three bytes of the sentence give three bytes encrypted by the first algorithm and three bytes encrypted by the second algorithm. Conventional cryptological block transformation algorithms can be used. It is possible to use the same algorithm by changing one of the initialization data to differentiate the two ciphers. The encrypted bytes are written to the message memory, with the two mode bits (unchanged). The content of the counter is tested. If it is different from n, the preceding operations are repeated from the incrementation of the counter.

 When the content of the counter is equal to n, all the data necessary for the message are ready. The message is put into modified ESA format, then transmitted: the message memory is read in blocks, each block containing two mode bits and six bytes. The sentence consists of a header of sixteen bits, always the same, designating the satellite. Then are sent: the two mode bits, repeated once, the first command byte (encrypted), followed by four bits of detector code '', a cryptogram byte, followed by four bits of error detecting code, the second command byte (encrypted), followed by four bits of error detecting code, a cryptogram byte, followed by four bits of error detecting code 'errors, the third command byte (encrypted) followed by four bits of error detecting code, one byte cryptogram, followed by four bits of error detecting code.

 FIG. 6 represents an example of a flowchart for authenticating, on reception, a remote control message protected by the method which is the subject of the invention, and having the modified ESA format.

 At the start, the decoder system is waiting to receive a message. When a message is received the error detection bits are tested to check that there is no transmission error. If there is one, the system waits for a new message. If there is no error, the message is stored in a memory called message memory.

 The number N2 of the received message is extracted from this memory. The number N1, of the message which has been received and authenticated previously, is read in a memory called memory of the previous message number. These two numbers are compared. If N2 \ N1: the message is not valid the system waits for another.

 If N2 i N1: the processing continues. The secret key number is taken from the memory and is used to address the secret key memory. The value of the secret key is read from this memory.

 The same algorithm as for Resignation, initialized by the secret key and the N2 number of the message, calculates the expected authentication sequence.

The received one is extracted from the message memory and compared to the sequence calculated by the decoder system. If they differ the system waits for a new message. If they are identical, the message is authentic, its number N2 is written to the memory of the previous message number.

 Keys with a number lower than that of the key of the received message are inhibited. There is no point in testing whether the key used is new because, by convention, the keys are used in ascending order.

 The number n, of the sentences composing the message, is extracted from the message memory. On the other hand, a counter, called a phrase counter, is initialized to zero.

 The content i of this counter is incremented by one. The sentence containing the rank command i (here i = 1) is read from the message memory. Each of the bytes of this sentence is decrypted by the inverse algorithm from the algorithm that was used on remission. These are initialized by the secret key, the number N2 of the message, and the rank i. The two groups of three bytes thus deciphered are compared. If they are identical, the command they contain is immediately executed. Otherwise the treatment continues.

 In both cases the content of the phrase counter is tested. If i: n, the last sentence of the message has been processed, the system waits for a new message. If i i (n, the processing of the other sentences takes place by repeating the operations starting from the incrementation of the sentence counter.

 This processing can be carried out by conventional circuits with wired logic or programmed logic, the realization of which is within the reach of those skilled in the art.

Claims (7)

 1. Method for protecting satellite remote controls against intrusion, in which the remote control message is composed of an identification preamble, followed by words or sentences containing commands, characterized in that the preamble comprises:  - a number designating a secret key stored on board the satellite,  - a message number, different for each message,  - the length of the message,  - an authentication sequence, calculated according to the secret key and the message number, and the number of bits of which is large enough for the systematic test of all the possible combinations to be longer than the duration of use of the satellite; in that the bytes containing a command are accompanied by a cryptogram containing the same command encrypted with an algorithm which depends in an unpredictable manner, on the value of the secret key, on the number of the message, and on the rank of the command in the message; and in that, on reception, a command is executed if and only if the following conditions are satisfied: the message number is valid, the authentication sequence is exact, the bytes containing the command can be identified by the cryptogram which accompanied, the rank of the command is not greater than the length of the message announced in the preamble.  2. Method according to claim 1, characterized in that the number of a message is always greater than the number of the immediately preceding message.  3. Method according to claim 2, characterized in that the message number is constituted by the time of issue of the message.  4. Method according to claim 3, characterized in that the time of transmission of the message is obtained from a time signal transmitted by the satellite to the earth station.  5. Method according to any one of claims 1 to 4 wherein the bytes containing a command are protected against interception by encryption, characterized in that the algorithm used to encrypt these bytes is distinct from that used to obtain the Paccompa cryptogram - gaining, at least by part of its initialization data.  6. Method according to any one of claims 1 to 5 wherein the messages are in the format of the ESA standard, characterized in that the message has a preamble consisting of a series of sentences in ESA format, and in that each sentence of command is accompanied by a cryptogram phrase, also in ESA format, the three useful bytes of which are a cryptogram of the three useful bytes of the command phrase.  7. Method according to any one of claims I to 5, characterized in that the message consists of sentences where the ESA standard is respected with the exception of the fact that the three useful bytes, and their bits of detector code errors, contained in each sentence are not each accompanied by their double but by a binary word composed of eight bits of a cryptogram of the three useful bytes, obtained by an algorithm depending unpredictably on the secret key, on the message number , and the rank of the sentence in the message; and in that this binary word is followed by four bits of error-detecting code.