Power Consumption Obfuscation

Design hardware circuits or perform obfuscation in general that mask the changes in power consumption to increase the cost/difficulty of a power analysis attack. This will increase the cost of manufacturing sensor nodes.

Sources

  • Y. Ishai, M. Prabhakaran, A. Sahai, and D. Wagner. Private circuits 2: Keeping secrets in tamperable circuits. In Proceedings of Eurocrypt, pages 308– 327, May 2006.
  • Y. Ishai, A. Sahai, and D. Wagner. Private circuits: Securing hardware against probing attacks. In Proceedings of CRYPTO, pages 463–481, 2003.
  • P. C. Kocher, J. Jaffe, and B. Jun. Differential power analysis. In CRYPTO, pages 388–397, 1999

Best Segment for Countermeasure Deployment

  • Space Segment

NIST Rev5 Controls

D3FEND

ISO 27001

ID: CM0059
D3FEND Artifacts:  N | o | n | e
Created: 2022/10/19
Last Modified: 2022/12/08

Techniques Addressed by Countermeasure

here here here here here here here here here
ID Name Description
EXF-0002 Side-Channel Attack Threat actors may use a side-channel attack attempts to gather information by measuring or exploiting indirect effects of the spacecraft. Information within the spacecraft can be extracted through these side-channels in which sensor data is analyzed in non-trivial ways to recover subtle, hidden or unexpected information. A series of measurements of a side-channel constitute an identifiable signature which can then be matched against a signature database to identify target information, without having to explicitly decode the side-channel.
.01 Power Analysis Attacks Threat actors can analyze power consumption on-board the spacecraft to exfiltrate information. In power analysis attacks, the threat actor studies the power consumption of devices, especially cryptographic modules. Power analysis attacks require close proximity to a sensor node, such that a threat actor can measure the power consumption of the sensor node. There are two types of power analysis, namely simple power analysis (SPA) and differential power analysis (DPA). In differential power analysis, the threat actor studies the power analysis and is able to apply mathematical and statistical principles to determine the intermediate values.

Space Threats Addressed by Countermeasure

ID Description
SV-CF-2 Eavesdropping (RF and proximity)  
SV-AC-5 Proximity operations (i.e., grappling satellite)  

Low-Level Requirements

Requirement Rationale/Additional Guidance/Notes
The [spacecraft] shall not employ a mode of operations where cryptography on the TT&C link can be disabled (i.e., crypto-bypass mode).{SV-AC-1,SV-CF-1,SV-CF-2}{AC-3(10),SA-8(18),SA-8(19),SC-16(2),SC-16(3),SC-40(4)}
The [spacecraft] shall fail securely to a secondary device in the event of an operational failure of a primary boundary protection device (i.e., crypto solution).{SV-AC-1,SV-AC-2,SV-CF-1,SV-CF-2}{CP-13,SA-8(19),SA-8(24),SC-7(18),SI-13,SI-13(4)}
The [spacecraft] shall implement cryptography for the indicated uses using the indicated protocols, algorithms, and mechanisms, in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards: [NSA- certified or approved cryptography for protection of classified information, FIPS-validated cryptography for the provision of hashing].{SV-AC-1,SV-AC-2,SV-CF-1,SV-CF-2,SV-AC-3}{IA-7,SC-13}
The [spacecraft] shall protect system components, associated data communications, and communication buses in accordance with: (i) national emissions and TEMPEST policies and procedures, and (ii) the security category or sensitivity of the transmitted information.{SV-CF-2,SV-MA-2}{PE-14,PE-19,PE-19(1),RA-5(4),SA-8(18),SA-8(19),SC-8(1)} The measures taken to protect against compromising emanations must be in accordance with DODD S-5200.19, or superseding requirements. The concerns addressed by this control during operation are emanations leakage between multiple payloads within a single space platform, and between payloads and the bus.
The [organization] shall describe (a) the separation between RED and BLACK cables, (b) the filtering on RED power lines, (c) the grounding criteria for the RED safety grounds, (d) and the approach for dielectric separators on any potential fortuitous conductors.{SV-CF-2,SV-MA-2}{PE-19,PE-19(1)}
The [spacecraft] shall be designed such that it protects itself from information leakage due to electromagnetic signals emanations.{SV-CF-2,SV-MA-2}{PE-19,PE-19(1),RA-5(4),SA-8(19)} This requirement applies if system components are being designed to address EMSEC and the measures taken to protect against compromising emanations must be in accordance with DODD S-5200.19, or superseding requirements.
The [spacecraft] shall provide the capability for data connection ports or input/output devices to be disabled or removed prior to spacecraft operations.{SV-AC-5}{SA-9(2),SC-7(14),SC-41,SC-51} Intent is for external physical data ports to be disabled (logical or physical) while in operational orbit. Port disablement does not necessarily need to be irreversible.
The [spacecraft] shall protect the confidentiality and integrity of the [all information] using cryptography while it is at rest.{SV-IT-2,SV-CF-2}{SC-28,SC-28(1),SI-7(6)} * Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. This is often referred to as data-at-rest encryption.