[ronsor]

> So the remaining protection is a form of security by obscurity: "we invented this command protocol, so nobody knows how it works".

ChaCha20-Poly1305 authenticated encryption is cheap for low-resource systems and trivial to implement. There's no reason not to use some form of encryption, if at least to prevent forged commands. (Preventing replay attacks is left as an exercise to the reader.)

[jdiez17]

There are some reasons. As a satellite operator, the worst thing that can happen is getting locked out of the satellite for any reason. So the risk of implementing a “new” technology that has a high risk of locking you out if you lose the keys for some reason sometimes outweighs the benefit of increased security. So I think there’s some work to do in building generally applicable key management practices and backup ways of reestablishing a command link.

[numpad0]

Embedded guys don't like command authentications, I think because it's an SPoF with probability attached that are repeatedly tried. They know bits flip and program counter skips, and so they even avoid use of "or equals to" conditions for loops. But they're using signature enforcement in cars nowadays, so that particular fear should be slowly subsidizing.

[leoedin]

I would imagine the overriding reason people resist encryption is that it’s a pain in the ass.

You have to worry about long term key storage and security. You introduce a whole new class of failure mechanisms. It’s always going to lurk at the bottom of the todo list.