European Space Agency

Cryptographic processor for control of telecom processing payloads


  • To analyse the security needs of the data on telecommunications satellite payload commanding and monitoring links and to develop a system security concept covering these needs.
  • To specify the requirements for a generic (potentially reusable in multiple missions) cryptographic processor for implementing the devised security concept in the space segment
  • To design, manufacture and test a Breadboard Model of the on-board cryptographic processor to secure the ground-space channel used to control and reconfigure advanced telecommunication payloads.
  • To design and manufacture test equipment to support the verification and validation of the cryptographic processor performance and functionality.
  • To define the security assurance process used to aid in fulfilling the security requirements related to the development lifecycle and functionality of such a cryptographic processor.




 On-board cryptographic processors (CP) are usually custom-developed with a full development life cycle for each mission. The main benefits of the developed CP are:

  • Dedicated hardware implementations of CCSDS transfer frame and cryptographic processing engines – with exchangeable FPGA IP cores enabling trade-off of throughput vs. chip area
  • Always-secure channel for operators to configure  and monitor the CP independently of the payload operations
  • Modular design enabling the exchange and customisation of cryptographic primitives and interfaces promoting much-reduced development lifecycle for a wide range of future space platforms
  • Versatile/reusable symmetric key management concept compatible with standard approaches of today
  • Robust operation, autonomous fault detection


  • Concurrent data encryption and authentication with connection integrity control on independent CCSDS-standard TM and TC channels
  • Additional control interface with its own cryptographic functions for independent protection of the CP commands and TM; provision of periodic HK TM for complete monitoring capability
  • Dedicated keys for each channel; standby and active key sets
  • Built-in self-tests for autonomous fault detection, built-in key tests to avoid common key management organisation errors
  • Separate FPGAs providing encapsulated cryptographic processing and control-and-data-processing, respectively
  • PROM-cartridge-based master key storage allowing the customer to take the system security into their own hands

System Architecture

The CP consists of: 

  • Crypto Processor Board (CPB) - Providing all processing functions/interfaces;
  • Mechanical Frame - Comprising the mechanical structure of the CP
  • Cryptographic FPGA and Control-and-data-processing FPGA
  • Dedicated TM, TC, CP control/monitoring interfaces and corresponding processing engines and pipelines in hardware
  • EEPROM and master key PROM cartridge interface for control functionality to provide keys to the cryptographic engines
  • Internal bus for control & monitoring the status of all processing stages
  • Two-command-selected cryptographic bypass path for emergency or debugging operations 

Click for larger image


The activities were divided into 6 Tasks:
  • Task 1: analysis of the security risks of generic telecom satellite configuration and monitoring links and devising of a corresponding security concept and on-board cryptographic processor (CP) requirements specification
  • Task 2: preliminary design of the CP including architecture, state machine and external interfaces
  • Task 3: detailed design and implementation of the CP and corresponding test equipment.
  • Task 4: manufacturing of CP breadboard model hardware and programming of FPGAs, plus manufacturing of the test equipment
  • Task 5: testing of the CP bread board model
  • Task 6: parallel task to define and implement a security assurance process based on a selected security standard (FIPS-140-3) for the CP

Current status

The study has successfully devised a generically applicable security concept for telecom satellite payload configuration and control links and defined requirements for a cryptographic processor (CP) to implement the space segment of this concept. A breadboard model of the CP has been designed, implemented, manufactured and tested/demonstrated using dedicated test equipment also developed in this project. The CP is a highly modular generic and reusable hardware cryptographic unit, ready for manufacture (after possible mission-specific minor modifications), qualification and deployment for TM/TC security in future missions.

Status date

Wednesday, September 24, 2014 - 09:46