KeySpace: Enhancing Public Key Infrastructure for Interplanetary Networks

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

As the use of satellites continues to grow, new networking paradigms are emerging to support the scale and long distance communication inherent to these networks. In particular, interplanetary communication relays connect distant network segments together, but result in a sparsely connected network with long-distance links that are frequently interrupted. In this new context, traditional Public Key Infrastructure (PKI) becomes difficult to implement, due to the impossibility of low-latency queries to a central authority. This paper addresses the challenge of implementing PKI in these complex networks, identifying the essential goals and requirements. Using these requirements, we develop the KeySpace framework, comprising a set of standardized experiments and metrics for comparing PKI systems across various network topologies, evaluating their performance and security. This enables the testing of different protocols and configurations in a standard, repeatable manner, so that improvements can be more fairly tested and clearly demonstrated. We use KeySpace to test two standard PKI protocols in use in terrestrial networks (OCSP and CRLs), demonstrating for the first time that both can be effectively utilized even in interplanetary networks with high latency and frequent interruptions, provided authority is properly distributed throughout the network. Finally, we propose and evaluate a number of novel techniques extending standard OCSP to improve the overhead of connection establishment, reduce link congestion, and limit the reach of an attacker with a compromised key. Using KeySpace we validate these claims, demonstrating their improved performance over the state of the art.


💡 Research Summary

The paper tackles the problem of deploying Public Key Infrastructure (PKI) in interplanetary satellite networks, where links suffer from minutes‑long latency and intermittent availability. Traditional PKI mechanisms such as Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) rely on low‑latency, always‑available central authorities, making them seemingly unsuitable for deep‑space communications. The authors first articulate a set of goals and requirements for a space‑compatible PKI: low‑latency certificate status queries, delay‑tolerant revocation propagation, distributed trust without a single point of failure, and minimal bandwidth consumption.

To evaluate solutions against these goals, they introduce KeySpace, a standardized experimental framework built on the DSNS (Delay‑Tolerant Network Simulator). KeySpace defines fixed network topologies (chain, grid, hybrid), link‑availability patterns (high, intermittent, extreme blackout), and four quantitative metrics: connection‑setup latency, revocation dissemination time, link‑traffic overhead, and attacker‑reach (the number of nodes that can be compromised when a private key is stolen). The framework also provides reference implementations of CRL and OCSP within DSNS, allowing reproducible comparisons.
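The revocation dissemination time metric can be made concrete with an earliest-arrival search over a schedule of link windows. This is an added example, not code from the paper or from KeySpace; the node names, contact windows and delays are constructed for illustration.

```python
import heapq

# Constructed contact plan (assumption, not from the paper):
# (sender, receiver, window_start_s, window_end_s, one_way_delay_s).
# A link can only be used while its window is open.
CONTACTS = [
    ("earth_ca", "earth_relay", 0, 10_000, 1),
    ("earth_relay", "mars_relay", 600, 1_800, 750),
    ("earth_relay", "mars_relay", 5_000, 6_000, 750),
    ("mars_relay", "mars_ca", 0, 10_000, 1),
    ("mars_ca", "mars_rover", 2_000, 2_300, 1),
    ("mars_ca", "mars_rover", 7_000, 7_300, 1),
]

def earliest_arrival(contacts, source, t0):
    """Earliest time a notice issued at `source` at t0 can reach each node."""
    best = {source: t0}
    queue = [(t0, source)]
    while queue:
        t, node = heapq.heappop(queue)
        if t > best.get(node, float("inf")):
            continue  # stale queue entry
        for src, dst, start, end, delay in contacts:
            if src != node or t > end:
                continue  # wrong sender, or the window has already closed
            depart = max(t, start)  # store the notice until the window opens
            arrive = depart + delay
            if arrive < best.get(dst, float("inf")):
                best[dst] = arrive
                heapq.heappush(queue, (arrive, dst))
    return best

def dissemination_time(contacts, source, t0):
    """Seconds until the last reachable node has the revocation notice."""
    return max(earliest_arrival(contacts, source, t0).values()) - t0

if __name__ == "__main__":
    for t0 in (100, 2_000):
        print(t0, dissemination_time(CONTACTS, "earth_ca", t0))
```

Each node's arrival time minus `t0` is the window during which that node would still accept a certificate for the compromised key, so a revocation issued just after a link window closes is exposed for much longer.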

The central technical contribution is the distribution of Certificate Authorities (CAs) across network segments (e.g., Earth‑orbit, lunar‑orbit, Martian‑orbit). By placing “regional CAs” inside each segment, any node can query a nearby authority with latency comparable to terrestrial LANs, eliminating the need for long‑haul queries to a single root CA. Building on this, the authors propose three OCSP extensions tailored for interplanetary use:

  1. OCSP Stapling with Pre‑Caching – servers fetch OCSP responses in advance and attach them to TLS handshakes, cutting the round‑trip time roughly in half.
  2. Hierarchical OCSP Routing – revocation information is first reported to the local CA, which then forwards a concise summary to higher‑level CAs; optimal routing based on pre‑computed contact graphs ensures rapid network‑wide propagation.
  3. Revocation Delta Broadcast – instead of transmitting full CRLs, only incremental updates (deltas) are broadcast, drastically reducing bandwidth consumption.
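Delta broadcasts over interrupted links can arrive out of order or not at all, so a receiving node has to track gaps before it treats its revocation view as current. The following is an added sketch, not code from the paper or KeySpace; the sequence-numbered delta format is an assumption, and signature verification of each delta is assumed to happen before `receive()` is called.

```python
class RevocationState:
    """Per-node revocation view built from a full list plus numbered deltas."""

    def __init__(self, base_seq, revoked):
        self.seq = base_seq          # last delta applied in order
        self.revoked = set(revoked)  # serial numbers known to be revoked
        self.pending = {}            # out-of-order deltas held until the gap closes

    def receive(self, seq, added):
        """Accept one (already authenticated) delta; duplicates and replays are ignored."""
        if seq <= self.seq or seq in self.pending:
            return
        self.pending[seq] = set(added)
        while self.seq + 1 in self.pending:  # apply every delta that is now contiguous
            self.seq += 1
            self.revoked |= self.pending.pop(self.seq)

    def has_gap(self):
        return bool(self.pending)

    def status(self, serial):
        # A serial listed in a buffered delta is already known to be revoked.
        if serial in self.revoked or any(serial in d for d in self.pending.values()):
            return "revoked"
        # With a delta missing, absence from the set proves nothing: fail closed.
        return "unknown" if self.has_gap() else "good"

def demo():
    """Constructed scenario: delta 11 is delayed by a blackout, delta 12 arrives first."""
    node = RevocationState(base_seq=10, revoked={0x1A})
    node.receive(12, {0x2C})
    before = (node.status(0x2C), node.status(0x3D), node.seq)
    node.receive(11, {0x2B})
    after = (node.status(0x2B), node.status(0x3D), node.seq)
    return before, after

if __name__ == "__main__":
    print(demo())
```

A node that stays in the "unknown" state longer than its policy allows should request a full list from its nearest authority rather than keep waiting for the missing delta.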

Simulation results across all defined scenarios show substantial improvements. With regional CAs and OCSP stapling, average TLS handshake latency drops by 40‑55 %. Hierarchical routing shortens revocation dissemination time by about 60 % compared to naïve full‑CRL propagation. Delta broadcasts cut revocation‑related traffic by 55‑70 %. Moreover, the distributed CA layout limits the impact of a compromised key: the number of affected nodes falls below 30 % of the total network, demonstrating a clear containment effect.

The paper situates its work within a broad body of related research. Prior DTN key‑management proposals rely on gossip protocols, hierarchical identity‑based cryptography, or Merkle‑tree based gossip, each incurring higher computational costs or lacking compatibility with existing X.509 PKI. By contrast, KeySpace retains full compatibility with terrestrial PKI standards while exploiting the deterministic nature of satellite contact schedules to achieve optimal routing and low overhead.

Limitations are acknowledged. The evaluation is simulation‑based; real‑world satellite platforms may impose stricter CPU, memory, and power constraints that could affect the feasibility of frequent OCSP queries or delta processing. Operational aspects of deploying and managing regional CAs (key rollover, physical security, policy synchronization) are not detailed and will require further study. The authors propose future work involving on‑orbit experiments, automated CA lifecycle management, and integration with emerging CCSDS standards such as the Intergovernmental Certification Authority (IGCA).

In conclusion, the authors demonstrate that, contrary to prevailing belief, conventional PKI can be effectively employed in interplanetary networks provided that trust anchors are sufficiently distributed. The KeySpace framework offers a repeatable, metrics‑driven methodology for assessing PKI designs in deep‑space environments, and the proposed OCSP extensions deliver measurable gains in latency, bandwidth efficiency, and security resilience. This work lays a solid foundation for secure, scalable communication as humanity’s space infrastructure continues to expand.

