Next-Generation Public Key Infrastructure for Space

In a significant achievement for space cybersecurity, SANCTUARY has been awarded a highly competitive tender by the European Space Agency (ESA) to develop a “Scalable Public Key Infrastructure for Large Constellation Secure Communications.” This project addresses the critical need for secure communication among spacecraft, a requirement that becomes increasingly complex as more satellites and spacecraft populate Earth’s orbit and beyond.

The focus of this ground-breaking project lies in the distribution of cryptographic certificates and their revocation status (to check if a certificate still valid), similar to what is done on the Internet to secure communications. These certificates are essential for verifying the identity of communication partners and ensuring that data remains private and unaltered during transmission. However, applying the learnings from the Internet to the space environment introduces significant challenges, particularly in the validation of these certificates.

On Earth, maintaining an up-to-date list of expired certificates is a straightforward task, supported by reliable and continuous high-bandwidth Internet connections. In space, however, the situation is markedly different. Spacecraft may experience network disruptions for various reasons, such as being temporarily hidden behind a planet, leading to potential delays or failures in certificate validation. These disruptions complicate the process of keeping communication secure and raise the stakes for developing a solution that is both reliable and resilient to the unique conditions of space.

Public Key Infrastructures (PKIs) are a fundamental technology for establishing secure networks. They enable secure communications between entities operated by different actors, even in the absence of prior secret exchanges. PKIs also lay the groundwork for mutual authentication, allowing entities, such as satellites, to verify each other’s identities directly. This is crucial in scenarios like satellite-to-satellite or ground-to-satellite communications, where trust must be established quickly and reliably. Despite its importance, there currently exists no PKI system tailored specifically to the challenges of space. SANCTUARY’s project aims to fill this critical gap by developing a PKI specifically for large constellations of spacecraft.

One of the primary challenges SANCTUARY must overcome is the need for the PKI to tolerate the delayed and disrupted connectivity typical of space operations. Spacecraft often operate with varying levels of computational power, from advanced systems to those with minimal processing capabilities. The PKI solution must be flexible and robust enough to support this wide range of computational environments, ensuring that even spacecraft with limited computing power can securely participate in the network.

Another essential aspect of the project is the efficient management of multiple independent certificate authorities. In space, different spacecraft and satellites may be operated by various entities, each with its own certificate authority. Managing these diverse authorities efficiently while maintaining the overall integrity and trustworthiness of the network is a complex but necessary task.

Picture of a satellite in space, embedded into a Public Key Infrastructure

Furthermore, as advancements in quantum computing continue to emerge, the PKI must integrate both traditional and post-quantum cryptography. This integration is vital to ensure that the infrastructure remains secure against both current and future cryptographic threats, providing a long-term solution for secure space communications.

Finally, the design of the PKI must incorporate redundancy to eliminate single points of failure. In a space network, the failure of a single node should not compromise the entire system’s security or functionality. By building redundancy into the PKI design, SANCTUARY aims to create a resilient and trustworthy infrastructure that can withstand the rigors of space while maintaining robust security guarantees.

SANCTUARY Systems GmbH is the exclusive contractor for this activity, which started in March 2024 and is expected to end in April 2025.

Contact us to learn more about how we can support your embedded projects!

Any Questions?

Contact us to learn more about how we can support your embedded projects!