Data certification, satellite-based

admin
28/03/2025
A new approach to data certification that addresses current critical issues and provides an efficient, secure and automated solution.

Stardome is a digital certification system composed of certification modules integrated within satellites and data signature modules that digitally sign the data at the source. The main functions that Stardome performs are:

  • creation, allocation and validation of digital certificates using satellite CAs;
  • certification of data at the source, through signing modules integrated with the satellite’s payloads and within the telemetry devices on the ground;
  • recording of the certification data through Stardome services on a DLT, that is, the Stardome Chain of Custody.

The Stardome solution

Stardome solves the problem of trust and CA centralization and eliminates the need for the intermediary role of subordinate CAs by using two different resources: the satellite and the DLT. To solve security issues, Stardome uses the inherent characteristics of satellites, such as:

  • physical inaccessibility;
  • reliability in contexts of political, social and commercial instability, security and conflict;
  • controlled and secure communication;

and combines them with an algorithm that generates security certificates unique to the satellite, considered as an orbiting celestial body, which cannot be reproduced on the ground or on another satellite with different space-time characteristics. Each satellite equipped with a Stardome device constitutes an autonomous certification authority.

The certificates thus generated are associated with unique digital entities registered on the DLT, such as NFTs (non-fungible tokens), which are uniquely identifiable and whose ownership is transferable between digital wallets registered on the DLT itself, with each transfer of ownership immutably tracked.

The combination of these two resources establishes the Stardome system as a viable alternative to current PKI-based solutions for applications in the aerospace industry and, thus, in all applications that may benefit from it. Specifically, Stardome exploits key features of these components, such as:

  • the fact that satellite CAs are more secure than ground-based CAs, not only because they are placed on satellites but also because they consist of computing processes autonomous from the satellite itself and only reachable for limited periods via secure radio frequency links;
  • digital certificates and their attribution to users are recorded on the DLT. Encryption systems can be used according to current standards, using the DLT as an immutable and secure reference register: the attribution and verification of certificates is publicly verifiable and without intermediaries. The functions of the Registration Authority (RA) systems, which attest to the registration and authentication of users requesting the certificate, and those of the Validation Authority (VA), which attest to the certificate-user/entity correspondence on behalf of the CA, are therefore performed at the DLT level, through the use of automated processes known as ‘smart contracts’, without validation and revocation systems managed by third parties, and in full transparency and security;
  • the identities of Stardome devices and users, along with the certificates themselves, are represented by digital identities registered immutably on the blockchain;
  • the need to maintain logs of certificate creation, allocation and revocation is automatically fulfilled by the use of the blockchain.

In this sense, the need to use intermediate certificates is also eliminated, achieving greater simplicity and transparency of the system.

How does it work

The creation and registration of Stardome digital certificates takes place through special services that enable the Stardome system to operate on the various DLT technologies implemented, including public blockchains, according to the following process:

  1. collection of validation requests and creation of certificates and forwarding to the satellite equipped with the SNS module.
    A Stardome Edge server collects the list of requests, qualified by means of data according to the enforced certification standards and corresponding to digital identity certificates assigned to SSP and SGE modules, their users, or other stakeholders.
  2. receiving and processing requests on the SNS module on board the satellite.
    A satellite equipped with the SNS module creates a digital certificate according to the enforced standard, e.g. X.509 v3, consisting of an asymmetric key corresponding to the applicant’s digital identity, and adds its own digital signature to the certificate;
  3. sending digital certificates to the ground and recording them on the DLT.
    The SNS module sends the validated and/or created certificates to the Edge server. The Edge server registers them on the DLT as unique digital entities, such as NFTs, corresponding to the validated certificate, and confirms that they have been written by receiving and verifying the transaction ID. After successful registration, it transmits the certificate to the designated certificate holders, i.e. SSP (satellite), SGE (ground) modules, their users, or other stakeholders.
  4. use of Stardome certificates for digital signatures
    • the SSP and SGE devices use the Stardome digital certificate for the attribution of the signature identity, and proceed to create the digital signatures based on the data to be certified received from the connected third-party device;
    • the digital signatures thus created are then recorded on the DLT by sending them from the SSP/SGE device to the Stardome Edge node.

The Stardome digital signature is created according to an enforced standard, such as X.509 v3, and comprises:

  • SHA-256 hash of the data to be certified;
  • digital signature of the data to be certified (digest), produced with the private key corresponding to the digital certificate of the Stardome SSP or SGE module;
  • the public key of the digital certificate of the Stardome SSP or SGE module;
  • ancillary data established according to implementation agreements (e.g. timestamps).
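
The four fields listed above, and the check a relying party would run on them, as an added example that is not Stardome's own code. The field names, the use of Ed25519, signing the digest together with the timestamp, and the in-memory fingerprint set standing in for the DLT lookup are all assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrKey, ErrDigest, ErrSig = errors.New("key not registered"), errors.New("digest mismatch"), errors.New("bad signature")
// Record holds the four listed fields; the field names and Ed25519 are assumptions.
type Record struct {
	Digest    [32]byte          // SHA-256 of the data to be certified
	Signature []byte            // signature over digest and timestamp
	PublicKey ed25519.PublicKey // public key of the signing SSP/SGE module
	Timestamp int64             // ancillary data, Unix seconds
}

// signedBytes binds the timestamp to the digest so neither can be replaced alone.
func signedBytes(d [32]byte, ts int64) []byte { return []byte(fmt.Sprintf("%x|%d", d, ts)) }
// Fingerprint is the value assumed to be registered on the ledger for each key.
func Fingerprint(pub ed25519.PublicKey) [32]byte { return sha256.Sum256(pub) }
// SampleKey derives a deterministic demo key (constructed, not a real module key).
func SampleKey(b byte) ed25519.PrivateKey { return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, 32)) }

func Sign(priv ed25519.PrivateKey, data []byte, ts int64) Record {
	d := sha256.Sum256(data)
	return Record{d, ed25519.Sign(priv, signedBytes(d, ts)), priv.Public().(ed25519.PublicKey), ts}
}

// Verify checks the embedded key against registered (ledger stand-in) before anything else.
func Verify(r Record, data []byte, registered map[[32]byte]bool) error {
	switch {
	case !registered[Fingerprint(r.PublicKey)]:
		return ErrKey
	case sha256.Sum256(data) != r.Digest:
		return ErrDigest
	case !ed25519.Verify(r.PublicKey, signedBytes(r.Digest, r.Timestamp), r.Signature):
		return ErrSig
	}
	return nil
}

func main() {
	data := []byte("telemetry frame 0001") // constructed sample payload
	rec := Sign(SampleKey(1), data, 1743120000)
	reg := map[[32]byte]bool{Fingerprint(rec.PublicKey): true}
	fmt.Println(Verify(rec, data, reg), Verify(Sign(SampleKey(2), data, 1743120000), data, reg))
}
```

A record signed with an unregistered key is internally consistent, because it carries its own public key; only the registry lookup distinguishes it from a record produced by a certified module.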
