System configuration within a low earth orbiting satellite may be remotely controlled from an earth station using a command link. While it is usually not necessary to protect this command link against information disclosure, it is vital that the satellite accept only those commands generated from its own earth station, and no other. Thus, some method of confirming the source of each command message must be implemented.
One message confirmation method involves appending to each command message a codeword which is a particular cryptographic function of the message data and a secret operating key. The satellite will then execute the command only if the appended codeword agrees with a second codeword generated within the satellite, the second codeword being based on the received message data and an identical secret operating key resident in the satellite.
The ability to generate a new secret operating key at both stations from a master key avoids several potential problems that may exist in systems that cannot rekey. First, the master key does not have to be resident at the site of command generation. This allows a much higher level of security for the master key and a lower required level of security for the command site, except when the master key is present during the rekeying operation. Second, concern over the security of a single secret operating key for an entire mission, which may typically span seven to ten years, is relieved.
Some security requirements are imposed on such a rekeying system to ensure maximum protection for both the secret operating key and the master key. First, a transmitted message commanding a key change operation to a new secret operating key may not include a message authentication codeword encrypted under the current secret operating key. If it were, and the current operating key had been compromised, then the new secret operating key would be determinable. Second, for maximum protection of the master key, no information encrypted or decrypted under the master key is transmitted on the command link or transmitted from the satellite on its telemetry link.
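The codeword check and the key change constraints described above, sketched as an added example that is not part of the original text. HMAC-SHA256 as the codeword function, the index-based key derivation, the message layout, the stale-index check and all names are assumptions made for illustration.

```python
import hashlib
import hmac

def codeword(key: bytes, message: bytes) -> bytes:
    """Codeword = keyed function of the message data (HMAC-SHA256 assumed)."""
    return hmac.new(key, message, hashlib.sha256).digest()

def derive_operating_key(master_key: bytes, index: int) -> bytes:
    """Assumed derivation: operating key = HMAC(master key, public key index)."""
    label = b"opkey" + index.to_bytes(4, "big")
    return hmac.new(master_key, label, hashlib.sha256).digest()

def rekey_message(index: int) -> bytes:
    """Hypothetical key change message: carries only the public index."""
    return b"REKEY" + index.to_bytes(4, "big")

class Satellite:
    def __init__(self, master_key: bytes, index: int = 0):
        self._master = master_key  # resident copy, never transmitted
        self.index = index
        self._op_key = derive_operating_key(master_key, index)

    def receive(self, message: bytes, tag: bytes) -> bool:
        """Accept an ordinary command only if the codewords agree."""
        expected = codeword(self._op_key, message)
        return hmac.compare_digest(expected, tag)  # constant-time compare

    def receive_rekey(self, new_index: int, tag: bytes) -> bool:
        """Key change is checked under the NEW key, never the current one."""
        if new_index <= self.index:  # reject stale or replayed key changes
            return False
        candidate = derive_operating_key(self._master, new_index)
        expected = codeword(candidate, rekey_message(new_index))
        if not hmac.compare_digest(expected, tag):
            return False
        self.index, self._op_key = new_index, candidate
        return True

def ground_rekey_command(master_key: bytes, new_index: int):
    """Earth station side; the master key is present only for this step."""
    new_key = derive_operating_key(master_key, new_index)
    # Only the index and a codeword under the new key go on the link.
    return new_index, codeword(new_key, rekey_message(new_index)), new_key
```

In this sketch a key change tagged under the current operating key is rejected, and the only values placed on the command link are the public index and a codeword computed under the derived key.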