Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
© istockphoto.com/franckreporter
Signals
• the level of trust in the range estima- Alice and Bob own the secret key to gen- protection from replay attacks, while
tion erate the MAC. others may not.
• the level of trust in satellite position In GNSS non-repudiation could be Finally, interoperability refers to the
and system time information a requirement worth considering. For capability of the authentication scheme
• the level of trust in the component example, as illustrated in Figure 1, a to be used by a number of different
equipment that calculates position, ship might be navigating in water from applications in various environmen-
time, and velocity from the forego- Country B, and Country A might chal- tal contexts, and to be transparent to
ing factors. lenge its position as being within Coun- legacy equipment. For example, pro-
Various branches of science and try A’s territorial boundary. The ship’s viding support to L1 frequency without
engineering help us address these three crew might reply that the ship position compromising other navigation service
problems, particularly, signal estimation only appears to be in Country A because performance represents an important
theory, information source authentica- of a spoofed signal, but it actually did not interoperability requirement.
tion and non-repudiation, and physical cross the borderline. Country C would
and software security. be the impartial third party that has the Authentication Domains
As physical and software security capability to verify if Country B used To date, GNSS authentication protocols
pertains to receiver design requirements, authentic signals. have been proposed in three domains:
we will focus on range estimation and We can summarize the requirements data level, signal level, and hybrid level
data authentication and trust for the for GNSS authentication in terms of the (data + signal).
system-level aspects. One complexity following factors: Data-level authentication schemes
in GNSS signal authentication design • navigation data integrity, source refer to the implementation of crypto-
is that the use of data-level authentica- authentication, non-repudiation graphic protocols in the navigation data.
tion does not necessarily fulfill the trust and/or position/velocity/time (PVT) In simple words, such approaches can be
requirement for range estimation, and authentication seen as “digitally signing” the navigation
trust in range estimation does not satisfy • performance, such as time to authen- data in order to authenticate the source
the trust requirement for the authentic- tication (TTA) and accuracy of of the data generator and ensure the
ity of satellite data. authentic position integrity of the received message.
Another crucial point to discuss in • probability of failure In a 2005 paper by C. Wullems et
requirements analysis is the need for • robustness alia (listed in the Additional Resources
source authentication or non-repudia- • interoperability. section near the end of this article), we
tion, the ability to ensure that a party Time to authentication refers to the introduced the concept of data-only
to a communication cannot deny its time required by the system to detect authentication, calling the technique
authenticity. For example, in cryptog- an anomaly and respond to it. In signal “navigation message authentication”
raphy source authentication can be authentication, TTA is an important (NMA). NMA has the advantage
achieved with a message authentication requirement, as the receiver time and of having a low system impact, as it
code (MAC). “Alice” sends information dynamics will be compromised from the requires only upgrades of the GNSS
with an attached MAC to “Bob,” and beginning of a spoofing attack until its satellites’ navigation data generation
Bob can verify the source authentica- detection. Therefore, these effects need subsystem along with a low-cost imple-
tion. However, MAC does not achieve to be minimized quickly and appropri- mentation on the receiver side. NMA
satisfy the need for non-repudiation, as ately, based on application requirements. can be implemented through various
an impartial third party cannot verify Probability of failure refers to the schemes that we will discuss later in
the origin of the message because both trust that one can give to the authentica- this article.
tion scheme. This includes the probabili- Disadvantages of NMA include TTA
ties of missed detection and false alarm, performance, which is limited to the
and is fundamental for the determina- specific implementation (e.g., digital
tion of the integrity risk in safety-critical signatures, block hashing, hash chain-
applications. For example, if we want to ing, etc.), as well as the required band-
use an authenticated signal in a safety- width to implement NMA. The prob-
of-life (SoL) application with an integrity ability of failure for an NMA scheme
risk requirement of 3.5 x 10 –7 over 150 depends on the number of bits included
seconds, these requirement constraints in the authentication function and on
are expected to represent the lower the size of the authentication payload.
FIGURE 1 Hypothetical GNSS application bound for the probability of failure of For instance, if 30 seconds of data are
scenario where non-repudiation may the authentication protocol. authenticated, a single bit error not
be required: a ship sailing in country B’s
territorial waters wants to prove, via an Robustness refers to the capability to detected by the channel-coding scheme
impartial third party C, that its position mitigate a number of known attacks. For would result in a false alarm. On the
claim is authentic. example, some application may require other hand, a missed detection in
10-3
common and effective code concatenation: the inner convo-
10-4 lutional code (already available in Galileo) is coupled with an
outer Reed-Solomon (RS) block code. These two codes respec-
10-5 tively combine good performance in the presence of random
and bursty errors. The second solution is based on the nested
10-6
use of convolutional encoding and interleaving, achieving a
30 32 34 36 38 40 42 44 double time diversity of the data broadcasting, while keeping
C/N0 [dBHz] the same end-to-end delay of a block interleaver.
Figure 3 shows the performance of the proposed schemes
FIGURE 3 Comparison of the bit error rate as a function of carrier-to-
noise density ratio (C/N0) between the Galileo Open Service (E1) and with various parameters in terms of bit error rate (BER) and
the Commercial Service (E6). carrier-to-noise density ratio (C/N0) when a second layer of
FEC is applied. The top panel (a) shows convolutional code and
against errors burst. Finally, the piggybacking scheme deals interleaving (CC) for various lengths of the input data stream,
with the case where data carried by different packet has more e.g., two seconds for a single E1 page. The bottom panel (b)
or less importance from the point of view of the application illustrates the performance of Reed-Solomon codes with rates
level. 1/2, 2/3, and 0.82 Note that the length of the input data stream
Various levels of priorities could be assigned to data packets, has little effect on the E6 BER.
so that the higher the priority of a packet, the more redun- Even though these schemes are proposed in order to com-
dant will be the hash chaining of packets belonging to that pensate the gap between the Galileo Open Service and the
class. This approach allows tailoring the robustness of packets Galileo Commercial Service in terms of bit error rate, their
against bursty losses as a function of their priority. In the con- use could be extended to an arbitrary data-level authentication
text of GNSS such a technique could be used for maximizing scenario. (Due to the E6 SIS design, however, the BER on the
the robustness of the authentication scheme for some selected CS navigation messages is considerably higher than the one
data (e.g., time of week (TOW), ephemerides, and so on) as measured on the E1 Open Service for the same signal-to-noise
compared with less critical types (e.g., the almanacs). ratio.)
MAC-based source authentication schemes are hybrid solu-
tions that jointly use MACs and digital signatures in order GNSS Signal-Level Authentication
to provide broadcast authentication. More precisely, these A known technique to provide signal authentication as well
schemes are based on four main ingredients: one-way hash as access control is the full encryption of the spreading code.
chains, (loose) time synchronization, MACs, and digital sig- This approach, however, lacks the interoperability property and
natures for the source verification of hash chain commitments. requires time knowledge (time fix) for the acquisition of the
A remarkable example of MAC-based source authentica- signal.
the signal carrying the secure code has the same chipping rate
as the open code.
The first step of the supersonic authentication scheme con- where is an authenticated encryption scheme indexed
sists of the generation of a fundamental crypto-code c0 that with a secret key k2, IV2(i) is a initialization vector, and d(i) is
is used as a baseline for a subsequent CSK modulation. This the input data bit to be modulated over the i-th CSK symbol.
secret code c0 is valid for a crypto-period Tcrypto >> Ts, and is then Given this offset, the shifted code is obtained by circu-
renewed; the time slots associated with each crypto-period are larly shifting c0 by chips. Then, the CSK-modulated wave-
denoted by j, so that the fundamental code for the j-th slot is form corresponding to can be written as
denoted by c0(j).
More precisely, the fundamental code is generated for each
crypto-period as follows:
45 100
10-1
10-2
40
C/N0 [dBHz]
BER
10-3
10-4
35
10-5
10-6
30 30 32 34 36 38 40 42 44
0 5 10 15 20 25 C/N0 [dBHz]
Ts [ms]
FIGURE 8 CSK symbol rate and symbol error rate with for code
FIGURE 7 Optimal (Ts, C/N0) curve duration Ts = 4 ms and Ts = 8 ms
graphic function that depends on a data ponent minimizing the multiplexing the spoofer is misaligned by a substan-
stream d(i) representing a data service to losses, and the intervoting method. The tial number of chips.
be broadcasted through the supersonic latter approach is considered the most The detector searches for peaks in the
code signal component. interesting as it outperforms the others absolute value of the ACF, i.e., applying
In Figure 8 the CSK symbol rate in terms of backward compatibility. a non-coherent detection. The first peak
for Ts = 4 milliseconds and Ts = 8 mil- can be associated with the presence of a
liseconds is shown as a function of C/ Robustness Against signal, while the presence of a second-
N0. Note that, with the proposed signal Known Attacks ary peak is an index indication of pos-
configuration, CSK modulation can To conclude our theoretical and signal sible misalignment caused by a spoofing
achieve a symbol rate between 1.5 kbps analysis, we performed a preliminary attack. The code cross-correlation terms
and 3 kbps, which is higher than any assessment of the robustness of the have also been considered as they have a
other GNSS signal data rate. supersonic authentication scheme in significant influence, especially for high
The symbol error rate is approximat- the presence of three types of known C/N0.
ed, using a union bound, with the fol- GNSS attacks: meaconing of the open A closed form analytical derivation of
lowing equation [20, 21]as discussed in and supersonic signal, spoofing of the the detection threshold is not trivial; so,
the papers by H. Sun et alia and A. Gar- open signal only, and replay of open we derived it by simulation, imposing a
cia-Peña et alia (Additional Resources): and supersonic signal with CSK chips low probability of false alarm, Pfa = 10-8.
The following discussion presents a estimation. After deriving the detection threshold,
hypothetical scenario on how to mul- In the meaconing case, the superson- the probability of detecting a secondary
tiplex the supersonic code signal with ic authentication scheme has the same peak is estimated. Figure 9 reports the
the other signals already transmitted by limitations as the other authentication results of a simulation obtained using a
Galileo in the E1 band. approaches, both at the data and signal Ts of four milliseconds for various C/N0
Galileo E1 employs an interplex levels: the attack cannot be mitigated levels. Clearly, only C/N0 levels above 45
scheme to multiplex the E1-A, E1-B, and unless the receiver embeds a trusted dBHz allow the detection of a second-
E1-C components within a composite clock with high accuracy. ary peak, when the displacement caused
constant-envelope signal. The task of In the second case, however, when by the spoofer is roughly of 2,000 chips.
adding a fourth component is not trivial the receiver is tracking a spoofed open Using higher C/N0 allows the detection
in terms of efficiency, especially consid- signal, the channels with the embedded scheme to shorten this delay, but Stage 1
ering the particular nature of the com- supersonic codes can detect the attack at alone has limitations for synchronized
posite binary offset carrier (CBOC) sig- Stage 1 and block signals from entering attacks if low Pfa is required.
nal. However, under the assumption that into the correlator. One limitation of the However, as previously discussed, the
the supersonic code signal can be trans- Stage 1 authentication verification is that detection protocol also includes a second
mitted with a sharing loss three decibels sophisticated spoofers (aligned in power stage that improves the robustness of
lower than the open service, at least two and frequency) can be detected only if at authentication and enables verification
multiplexing schemes could be adopted: least two peaks appear in the autocor- of the authenticity of the open signal.
the interplex itself, which would allow relation function (ACF). These peaks are Given the chip period Tc, in fact, the
the integration of the additional com- detectable if the error τ imposed due to spoofing is detected as soon as it induces
38
10-1
34
10-3
32
10-4 30
200 400 600 800 1000 1200 1400 1600 1800 0 0.1 0.2 0.3 0.4 0.5
Offset [chip] Delay [μs]
FIGURE 9 Probability of Stage 1 spoofing detection on various spoofer FIGURE 10 Antenna gain and delay introduced in a replay attack for a
code-phase and with low probability of false alarm Pfa. fixed chip error rate
a wrong code phase offset (i.e., pseudo- can be exploited for providing efficient discussions on signal design, Ignacio
range offset) higher than TcM/2Lc. This navigation data authentication. Fernándex Hernández from the Euro-
condition produces an incorrect esti- In particular, we presented a novel pean Commission for the important
mation of the CSK shift, triggering the scheme for open signal authentication considerations on data schemes, and
detector of the Stage 2. using supersonic codes. This scheme Prof. Vincent Rijmen from KU Leuven
The third type of attack that we ana- achieves a very fast time-to-authentica- University for his insightful support on
lyzed is the replay attack of both the tion and provides additional bandwidth cryptographic features.
open and the supersonic signals. In for GNSS services (such as navigation
this case, the attacker attempts to esti- data authentication) at a high data rate. Additional Resources
mate the unknown code and to replay Being at an early stage of design, and [1] Bellare, M., and R. Canetti, and H. Krawczyk,
it with the smallest delay. This process given their innovative approach, super- “Keying Hash Functions for Message Authenti-
introduces errors in the chip estimation sonic codes present interesting oppor- cation,” Advances in Cryptology, CRYPTO ’96 (Vol.
and a time drift that can be detected by tunities for future development for 1109), Springer-Verlag, 1996
the receiver as explained in the article this purpose. Enhancements to Stage 1 [2] Canale, M., and S. Fantinato, and O. Pozzobon,
by T. Humphreys listed in Additional authentication, which is still limited in Qascom S.r.l, “Performance Comparison of Differ-
Resources. fine code-phase tuning attacks, should ent Data Authentication Solutions for the Galileo
Figure 10 shows, for different target be investigated. CS”, in NAVITEC 2014 Conference Proceedings,
Noordwijk, Netherlands
chip estimation error rate (10-6 , 10-5 and A more detailed cryptographic design
10-4), the antenna gain that the attacker (key distribution and renewal) and a [3] Dworkin, M. J., Recommendation for Block
needs and the delay that it introduces thorough security analysis (including Cipher Modes of Operation: the CMAC Mode for
Authentication, Special Publication 800-38B,
in replaying the signal. For example, side-channel attacks) in the data channel
National Institute of Standards and Technology,
an attack performed with a three-meter would consolidate the solution presented 2005
dish antenna that can achieve 30 deci- here in order to allow its implementa-
[4] Fernández-Hernández, I., “GNSS Authentica-
bels of gain would introduce at least tion in real-world applications. Finally,
tion: Design Parameters and Service Concepts,”
0.3μs of delay, which could be detected further performance assessments with Proceedings of European Navigation Conference
by a receiver with a high-quality clock. various channel propagation models, as GNSS 2014
well as the analysis of the impact of noise
[5] Garcia-Peña, A., “Analysis of Different CSK
Conclusions and interference on the failure probabil- Configurations in a Urban Environment When
This article has reviewed the problem ity, could further strengthen (and pos- Using Non-coherent Demodulation,” Proceed-
of GNSS signal authentication, begin- sibly demonstrate) their applicability to ings of Navitec 2014
ning with the definition and classifica- multiple realistic scenarios. [6] Garcia-Pena, A., and D. Salos, O. Julien, L.
tion of requirements and leading to the Ries, and T. Grelier, “Analysis of the Use of CSK for
categorization of applicable schemes. Acknowledgments Future GNSS Signals, 26th International Technical
It provided an extensive summary on The authors wish to thank Dr. José Angel Meeting of the Institute of Navigation Satellite
state-of-the-art, data-level authentica- Ávila Rodriguez, Dr. Massimo Crisci, Division, (ION GNSS+ 2013), Nashville, Tennes-
tion schemes, based on well-established and Dr. Rigas T. Ioannides from the see USA
broadcast authentication protocols that European Space Agency for the fruitful
[7] Gennaro, R., and P. Rohatgi (1997), “How to Satellite Division of the Institute of Navigation and mitigation algorithms for different GNSS proj-
Sign Digital Streams,” Advances in Cryptology, (ION GNSS+ 2014), Tampa, Florida USA ects and products.
CRYPTO’97, 1997 [21] Scott, L., “Anti-Spoofing and Authenti- Matteo Canale is a cryptogra-
[8] Gennaro, R., and P. Rohatgi (2001), “How to cated Signal Architectures for Civil Navigation phy and cyber-security
Sign Digital Streams,” Information and Computa- Systems,” Proceeding of ION GPS/GNSS 2003, engineer at Qascom. He
tion, 165(1):100–116, February 2001 Institute of Navigation, Portland, Oregon, 2003, obtained an M.Sc. degree in
[9] Golle, P., and N. Modadugu, “Authenticating pp. 1542–1552 communications engineer-
Streamed Data in the Presence of Random Packet [22] Sun, and G. Bi, Y. Guan, and Y. Shi, “Perfor- ing and a Ph.D. in informa-
Loss,” NDSS’01: The Network and Distributed Sys- mance analysis of M-ary CSK Based Transform tion engineering from the University of Padova.
tem Security Symposium, 2001 Domain Communication System,” Proceedings His main interests include network security, cryp-
of the 2nd International Conference on Circuits, tography, and GNSS security. He is currently work-
[10] Humphreys, T., “Detection Strategy for Cryp-
Systems, Control, Signals (CSCS 2011) ing on the definition, specification, and imple-
tographic GNSS Anti-Spoofing,” IEEE Transactions
mentation of authentication services for the
on Aerospace and Electronics Systems, vol. 49, [23] Wullems, C., and O.Pozzobon, and K.Kubik,
Commercial Service Demonstrator in the frame-
no. 2, pp. 1073–1090, April 2013 “Signal Authentication and Integrity Schemes for
work of the AALECS project.
[11] Kuhn, M. G., “An Asymmetric Security Mecha- Next Generation Global Navigation Satellite Sys-
tems,” Proceedings of the European Navigation Samuele Fantinato is a radio-
nism for Navigation Signals”, in 6th Information
Conference GNSS 2005, Munich, Germany navigation system engineer
Hiding Workshop. LNCS 3200, Springer-Verlag, pp.
at Qascom, Italy. He received
239-252, 2004
a master’s degree in tele-
[12] Merkle, R. C. “Advances in Cryptology —
Authors communication engineering
CRYPTO ‘87,” Lecture Notes in Computer Science Oscar Pozzobon is the found- from the University of Pado-
293, p. 369, 1988 er and technical director of va and is currently involved in ESA and European
Qascom. He received a Commission projects related to development of
[13] Miner, S., and J. Staddon, “Graph-Based
degree in information tech- GNSS test beds for interference and spoofing
Authentication of Digital Streams,” IEEE Sympo-
nology engineering from the mitigation and for implementation of authentica-
sium on Security and Privacy, 2001
University of Padova, Italy, tion schemes in the Galileo Commercial Service.
[14] Paonni, M., and M. Bavaro, M. Anghileri, and and a master degree from the University of Fantinato previously worked for Thales Alenia
B. Eissfeller, “On the Design of a GNSS Acquisition Queensland, Australia, in telecommunication Space in the navigation technologies and products
Aiding Signal, Proceedings of ION GNSS+ 2013,” engineering. He has coordinated various projects department with a focus on signal processing and
Nashville, Tennessee USA addressing interference and signal authentication performance assessment of Galileo and EGNOS
[15] Park, J-M., and E. KP. Chong, and H. Siegel, with the European Space Agency (ESA), the Euro- ground reference station receivers. In 2008 he was
“Efficient Multicast Packet Authentication Using pean GNSS Agency (GSA), and the European Com- a Young Graduate Trainee at the European Space
Signature Amortization,” Proceedings of the 2002 mission. Currently, Pozzobon is involved in the Agency.
IEEE Symposium on Security and Privacy design of the ESA advanced multi-constellation Prof.-Dr. Günter Hein serves
[16] Perrig, A., and R. Canetti, J. D. Tygar, and D. simulator and in the design of the Galileo Com- as the editor of the Working
Song “The TESLA broadcast authentication pro- mercial Service (CS) demonstrator authentication Papers column. Until the end
tocol,” CryptoBytes” Volume 5, No. 2 (Summer/ schemes. He has worked for Thales Alenia Space of 2014, he was the head of
Fall 2002), RSA Laboratories, EMC Corporation, on Galileo in-orbit validation and full operational the EGNOS and GNSS Evolu-
Hopkinton Massachusetts USA capability (FOC) validation and verification. He tion Program Department of
has been involved in the area of GNSS authentica- the European Space Agency. He continues to sup-
[17] Perrig, A., and R. Canetti, D. Song, and J. D.
tion since 2001 and has been one of pioneers of port all scientific aspects of the ESA Navigation
Tygar, “Efficient and secure source authentication
the concepts of trusted GNSS receivers, maviga- Directorate as well as now serving as a member the
for multicast.” Network and Distributed System
tion message authentication (NMA), signal ESA Overall High Level Science Advisory Board
Security Symposium, NDSS. Vol. 1. 2001.
authentication sequences (SAS), remote process- Previously, he was a full professor and director of
[18] Perrig, A., “The BiBa One-Time Signature and ing authentication (RPA) and supersonic GNSS the Institute of Geodesy and Navigation at the
Broadcast Authentication Protocol,” Proceedings authentication codes. His main interests are GNSS Universität der Bundeswehr München. In 2002, he
of the 8th ACM conference on Computer and Com- and cryptography, where he has published more received the Johannes Kepler Award from the U.S.
munications Security, 2001 than 30 publications and holds 3 patents. Institute of Navigation (ION) for “sustained and
[19] Pozzobon, O. (2010), and L. Canzian, M. Dan- Giovanni Gamba received his significant contributions” to satellite navigation.
ieletto, and A. D. Chiara, “Anti-spoofing and open Ph.D. degree in information He is one of the inventors of the CBOC signal.
GNSS signal authentication with signal authenti- engineering from the Uni-
cation sequences,” 5th ESA Workshop on Satellite versity of Padova, Italy. He
Navigation Technologies and European Workshop worked for the Italian
on GNSS Signals and Signal Processing (NAVITEC), National Research Council
Noordwijk, Netherlands, 2010 (IEIIT-CNR) on interference detection and mitiga-
[20] Pozzobon, O. (2014), and G. Gamba, M. tion for industrial applications operating in the
Canale, and S. Fantinato, Qascom S.r.l., “Super- 2.4-GHz band. Since 2010, he has been an R&D
sonic GNSS Authentication Codes, Proceedings of engineer at Qascom, and is involved in theoretical
the 27th International Technical Meeting of The design and development of interference detection