Many systems require a master station to issue commands for critical control functions to a remotely located slave station. One context in which this occurs is in controlling an orbiting satellite, wherein a ground-based master control station issues commands, such as orbit correction commands, to a slave satellite station. However, critical control functions are also remotely issued in connection with financial and other industrial and governmental endeavors.
The commands are considered critical due to severe harmful consequences which might result from a slave station improperly acting upon such commands. In a satellite, improper action may cause the satellite to leave its orbit or to suffer other consequences which would greatly decrease the life-span or usefulness of the satellite. Due to the great costs involved in constructing and placing a satellite in orbit, potential losses are enormous. In financial situations, money may be credited to improper accounts, again potentially leading to great financial losses. And, in other situations improper action by a slave station may pose severe risks of harm to human life and health or to the environment.
Accordingly, steps are often taken to prevent such severely undesirable results from occurring in systems where critical commands are remotely issued. Such steps are typically directed to at least two different issues. The first issue deals with insuring that a slave station will respond only to commands issued by its assigned master station. In other words, authentication processes are employed so that the slave station may have a high degree of confidence that a command it has received actually came from its assigned master station and not from some other controller. The second issue deals with insuring that a slave station which receives a command from its assigned master station has in fact received the intended command and not some other command. In other words, confirmation processes are employed to insure that no error has occurred in communicating a command.
Numerous efficient, effective, and otherwise satisfactory confirmation processes are known to those skilled in the art. On the other hand, conventional authentication processes fail to provide satisfactory solutions to authentication needs of systems such as those described above. Conventional authentication processes are complicated to implement and to operate. Such conventional processes often include dedicated "secure" hardware for implementing encryption and decryption processes. While such conventional processes do achieve effective levels of authentication security, the secure hardware's weight, cost, and limited reliability, when compared to a process using no additional hardware, are undesirable features of the conventional processes.
In addition, many conventional processes utilize a symmetric encryption process. Symmetric encryption processes use a single key for encryption and decryption. This key is kept secret so that only the master and slave stations know it. However, the system must employ a re-keying scheme in case a breach of security causes the secret key to become known or some failure keeps authorized messages from being authenticated. Such re-keying schemes become extremely complicated and costly in order to maintain a high level of authentication security.
While the above problems plague all conventional authentication processes, the problems become especially troublesome in connection with the control of satellites. In a satellite control system, physical access to a satellite after the satellite is in orbit is extremely impractical. In addition, the penalties paid for increased weight needed for secure hardware and for reduced overall reliability from using secure hardware are amplified.