
Post on 23-Mar-2020


Civilian GPS Signal In Space Enhancements for AntiSpoofing

Logan Scott

My Papers on the Subject

1. “Anti-Spoofing & Authenticated Signal Architectures for Civil Navigation Systems” ION GNSS 2003

2. “L1C Should Incorporate Cryptographic Authentication Features” May 2006 Comments on ICD-GPS-800

3. “Expert Advice - Location Assurance” GPS World 2007

Applicable to Galileo and Other GNSS Signals

9/22/2010 LS Consulting / loganscott53@gmail.com 1

The Threat


Unless GPS is hardened, it is likely to be targeted by sophisticated GPS signal spoofers. There are three primary driving forces behind this:

1. GPS is being proposed for road tax collection systems, cargo monitoring systems, location-based computer security systems, fisheries monitoring, Digital Rights Management (DRM) etc. An ability to spoof the GPS receiver as to its actual location and time can lead to substantial financial gains using a variety of exploits. In many exploits, the “victim” will be the spoofer and so gaining “close in” or “on vehicle” access to the victim receiver will not be a problem. Terrorists are not the most likely first wave threat; criminals are.

2. The sophisticated signal generation capabilities needed to spoof GPS receivers can be performed in an all-software implementation. This opens the process up to relatively unsophisticated “script kiddies” who would need to purchase or build only a front-end transmitter/antenna combination to complete the spoofer. The low associated cost & complexity would encourage development for relatively minor exploits such as “beating the road congestion tax”. This in turn would accelerate the ready availability of spoofers.

3. The plethora of navigation system types and signals makes constructing Relative Position (RP) spoofers much easier. The objective of an RP spoofer is to convince the victim receiver that it is at some specified (and controllable) offset relative to the true position. This opens up numerous exploits but requires knowledge of the victim’s true position. Someone looking to spoof an L1 set might use L5 or L2C signals to obtain true position. Or they might use Galileo. Or they might use WiFi access point mapping. This is much easier than constructing a limpet spoofer using look-through modes.


Why Is Location Assurance Important?

1. Software Code Spoofing: Download fraudulent software into victim receiver

2. Differential Corrections Spoofing: Provide Substitute Corrections to Create Small but Important Errors
• Vulnerability Is Link Dependent
• Non-Authenticated, Non-Ranging Links Highly Vulnerable: Coast Guard Beacon, LAAS, RTCM-SC-104
• Can Only Create Small Errors

3. GPS Signal Constellation Spoofing: Requires Generating Navigationally Consistent Signal Set
• Relative & Absolute Position Variants


Three Approaches To Civil Spoofing

Accurately Spoofing Time (< 10 msec) Is Harder Requires More Advanced GPS Receiver with Timing Outputs or Integrated PVT

Reference Approach

On Vessel Constellation Spoofer Capable of Absolute or Relative Spoofing Modes. Buildable Using Off the Shelf Subsystems for ~$20,000 NRE + $1,000 Unit Cost

(figure: block diagram of the on-vessel spoofer. Real GPS Signals feed a GPS Receiver whose outputs, Position, Velocity, 50 bps data and Time, drive a Software Defined Signal Generator with Operator Defined Offsets and a Frequency Reference; a D/A & L-Band Upconverter radiates a Navigationally Consistent Signal Set as a Very Low Power Spoofing Signal, ~1 foot from the Victim GPS Receiver, which in turn feeds the Secure Ship’s Log / Reporting System; the drawing also marks the Physical Security Perimeter)

1 November, 2006 GeoCodex LLC / LS Consulting 6

If Fishing Vessel Can Cover Activity for 30 Minutes, Might Land an Additional $60,000 of Fish

Many Highly Regulated, High Value Fisheries: Chilean Seabass, Cod Fishing, Scalloping, Shrimping, King Crabs, Rockfish, Whaling

Cover Can Include:
• Hiding Stops to Pick Up Crab Cages
• Hiding Additional Time In Restricted Area
• Hiding Trawl Pattern

(figure: Restricted Area)

Creating Authenticatable Signals


Encryption Hides The Message Content

Authentication Validates The Message, Often By Appending Cryptographic Fields to:
• Identify the Source of the Message
• Timestamp The Message
• Detect Message Alterations

Message Itself Can Be Sent In the Clear


Authentication Is Not The Same As Encryption

15 February, 2003 LSC Inc. All Rights Reserved 9

Comparing “Internal Watch Time” to “External Signal’s Time” Can Provide A Very Powerful AntiSpoofing Mechanism

If “Signal’s Time” Is Not Within “X” Seconds of “Internal Time”, Do Not Accept Signals As Valid.

Keeps Spoofer From Using Unsynchronized “Canned Scenarios”: Spoofer Must Synchronize with GPS Time. Off the Shelf Equipment Generally Does Not Sync to GPS Time; Spirent Does Offer at Least One Model that Does

Core Objectives of Proposal:
• Make It Hard for A Spoofer to Generate Valid Signals Synchronized With GPS Time
• Prevent Replay Attacks

Four Levels of Authentication Available To Users

0: No Enhancement, Receivers Can Ignore Signal Authentication Features

1: Data Message Authentication

2: Public Spreading Code Authentication. Requires Precorrelation Sample Storage. Does NOT Require User Segment to Hold Secret Keys

3: Private Spreading Code Authentication. Requires Tamper Resistant Hardware and Secure Key Distribution

Specific Proposals for L2C, L5, L1C, L1 WAAS. L1 WAAS Requires Only Ground Based Modifications

DoD Retains Ability To Spoof Since They Hold Private Keys


Proposed Civil Signal Authentication Architecture

TMBOC(6,1,4/33) Format: Time Multiplex BOC (TMBOC) Selected for GPS; Composite BOC (CBOC) Selected for Galileo

Pilot & Data Channel Transmitted in Phase Quadrature or with Same Phase

Pilot, -158.25 dBW, L1CP: 10,230 chip PRN / 10 msec period, XORed with length 1800 L1CO for effective code period of 18 seconds

Data, -163 dBW, L1CD: 10,230 chip PRN / 10 msec period, Nominal 50 bps, Rate ½ FEC with Interleaving

Multiplex BOC (MBOC) Format on Pilot Channel for Improved Anti-Multipath. Pilot Channel only: 29/33 of the time transmits BOC(1,1), 4/33 of the time transmits BOC(6,1)


L1C Features in IS-GPS-800A

Level 1

Data Message Authentication


Key Pair Encrypting Key ≠ Decrypting Key

Examples: RSA (Large Primes) NTRU (Ring Polynomials)

Orders of Magnitude Slower Than Symmetric Algorithms (≈1,000 times slower)


Asymmetric Encryption & Decryption

(figure: Plaintext → Encrypt with Key_E → Ciphertext → Decrypt with Key_D → Plaintext)


Message Authentication Using an Asymmetric Encryption Algorithm (Private Key ≠ Public Key)

At the Satellite: Message → Secure Hash Algorithm → Message Digest (~160 bits) → Encrypt Message Digest with Private Key → Digital Signature. The hash is a One Way Function; the signature is Hard to Forge without the Private Key.

At the Receiver: Message → Secure Hash Algorithm → Message Digest. Digital Signature → Decrypt Message Digest with Public Key → Decrypted Message Digest. Compare & Authenticate If Equal.


L1C CNAV-2 Message Structure

Currently defined Subframe 3 page types include:
• Page 1: UTC & IONO (12 reserved bits)
• Page 2: GGTO & EOP (GPS/GNSS Time Offset & Earth Orientation Parameters) (30 reserved bits)
• Page 3: Reduced Almanac (17 reserved bits)
• Page 4: Midi Almanac (85 reserved bits)
• Page 5: Differential Correction (87 reserved bits)
• Page 6: Text (232 bit message)
• Page 7: Reserved

New Subframe 3, Page 8: Data Authentication Message. Page 8 Authentication Sent Once Every 6 minutes (1 in 20 of Subframe 3 Pages)

Alternatively, Use Reserved Bits to Convey Authentication


Level 1 Adds New Authentication Message Type to Current CNAV-2 Data Structure


Level 1: Data Stream Authentication Using A Public Key Digital Signature Algorithm

(figure: over Time, the Space Segment signs the data stream, Frame 1, Frame 2, ... Frame N, using a Private Algorithm (Could also be Public) and a Private Key (Known Only to CS & SS); the Digital Signature is carried in Frame N (Signature in Subframe 3, Page 8 or Spares). The User Segment checks it with the Public Algorithm and the Public Key (Known to Everyone) and sets an Authentication Flag)

Spoofer Doesn’t Have Private Key to Sign Data Stream. Spoofer Has to Use Off the Air Data Streams In a Replay Attack; Difficult for Spoofer to Synchronize with GPS Time

If Victim Has An Accurate Knowledge of Time, Can Detect Spoofing. ±2 ppm XO Can Hold Time to:
• ±8 msec Over a 1 Hour Outage
• ±173 msec Over a 1 Day Outage
• ±63 sec Over a 1 Year Outage

Spoofer Has to Have Replay Turnaround Time Shorter Than Acceptance Window

Does not protect “intermittent track” receivers (e.g. A-GPS, Snapshot and RD Map Reporters): They Don’t Read Data; Most Likely Victims
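An added Python illustration (not code from the slides) of the Level 1 flow on slides 15 and 18: hash the CNAV-2 frames, “encrypt” the digest with the satellite’s private key, “decrypt” it with the public key at the receiver, and only accept the signal when the signature verifies and the signal’s time falls inside the window a ±2 ppm XO can hold. Unpadded textbook RSA with a 512-bit modulus and SHA-1 are stand-ins chosen to mirror the diagram, not the proposal’s parameters, and the frame bytes are constructed.

```python
import hashlib
import random

# Unpadded textbook RSA at a 512-bit modulus is an assumed stand-in that
# mirrors the slide's "encrypt the message digest with the private key".

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def make_keypair(bits=512):
    """Return ((e, n) public, (d, n) private); the slides want one pair per SV."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

def digest(frames: bytes) -> int:
    """~160-bit secure hash of the CNAV-2 frames the signature covers."""
    return int.from_bytes(hashlib.sha1(frames).digest(), "big")

def sign(frames: bytes, priv) -> int:
    """At the satellite: 'encrypt' the digest with the private key."""
    return pow(digest(frames), priv[0], priv[1])

def verify(frames: bytes, signature: int, pub) -> bool:
    """At the receiver: 'decrypt' with the public key, compare digests."""
    return pow(signature, pub[0], pub[1]) == digest(frames)

def time_window_s(outage_s, xo_ppm=2.0):
    """Worst-case drift of a +/-xo_ppm crystal over an outage (slide 18)."""
    return xo_ppm * 1e-6 * outage_s

def accept_signal(frames, sig, pub, signal_t, internal_t, outage_s):
    """Level 1 rule: signature must verify AND signal time must sit inside the window."""
    return verify(frames, sig, pub) and abs(signal_t - internal_t) <= time_window_s(outage_s)
```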


Why Level 1 Makes Spoofing Harder

Spoofer Must Sync To Real Time to This Accuracy


Comments on Level 1

Should have Unique Key Pair for Each Satellite

Public Key Used By User Segment Should Be Signed by Certificate Authority (CA): Gives User Segment A Mechanism to Validate Public Key à la PKI. Have Expiration Date. Probably Want Certificate Revocation Mechanism Too

Receiver Software & All Patches Should Be Signed by CA. Malicious Software: “Add 100’ to Altitude After March 15, 2004”. Integrate with Level 1 Infrastructure

Signal Authentication Delay Is An Issue: Can’t Authenticate Until Signature Is Received (Up to 6 minutes)

Level 2

Public Spreading Code Authentication


Battery Life Considerations Paramount. GPS Is Often Just a Range/Doppler Measurement Device; Does Not Read Data. Net-centric A-GPS

Satcom Links Usually Don’t Have Ranging Capability: MSV (L-Band Transponder), Inmarsat, Orbcomm, Iridium

Often Tied In with Tamper Monitoring Systems: Electronic Seals, Light Sensors, Radiation Detectors


Vessel Monitoring Systems, Asset Tracking Systems & A-GPS Use Similar Approaches

Easy To Spoof & With High Payoff: Most Likely Victims

Figure from: SkyBitz website

Federal Motor Carrier Safety Administration (FMCSA) investigating methods to improve carrier security, particularly in the area of hazardous materials security

Lost Signal Will Raise Alarm

Geofencing Used to Raise Alarms

GPS Used to Monitor Location History of In-Bond (1) Cargo

For Example Containerized Cargo Landed in Vancouver but Destined for USA

Asset Tracking & Monitoring Is Rapidly Moving Towards A Security Paradigm


US DoT Asset Monitoring/Security Initiatives Using GPS

Figure from: The Freight Technology Story, Intelligent Freight Technologies and Their Benefits, U.S. Department of Transportation Federal Highway Administration Office of Freight Management and Operations

(1) IN BOND - A term applied to the status of merchandise admitted provisionally to a country without payment of duties -- either for storage in a bonded warehouse or for trans-shipment to another point, where duties will eventually be imposed.

Space Segment Knows Level 1 Signature Several Minutes In Advance
SSSC Transmitted on L1CD Data Channel At 1.023 Mchip/second PN Code Rate
Pilot Channel Is Not Modified


At the Satellite: Generate Spread Spectrum Security Code (SSSC) Using The As Yet Un-Transmitted Level 1 Digital Signature as A Seed

(figure: As Yet Un-Transmitted Level 1 Digital Signature → Seed Value → Cipher Stream Generator → Spread Spectrum Security Code (SSSC). Below, the Normal L1CDi Signal Flow per ICD-800 is drawn with SSSC bursts inserted, in two variants, SSSC Ba and SSSC Bb, on time scales of 0.5 second and 1 msec (1/10 symbol))


User Segment Doesn’t Know How to Demodulate SSSC Until Digital Signature Is Received

(figure: receiver channel block diagram. A/D Convert → mix with sin(θn) / cos(θn) from the Carrier NCO and Sin/Cos ROM → multiply by the Reference Code from the Code Generator, clocked by the Code NCO / Code Clock → ∑N accumulators produce In and Qn; Perform at Each Code Phase Offset, with outputs To Later Code Phase Offsets and To Other Channels. The precorrelation A/D samples are also written to SSSC Memory under Start/Stop Triggers and passed To SSSC Checking)

To Authenticate The Signal:

1. Collect Precorrelation A/D Samples

2. Receive Digital Signature (up to 6 minutes later)

3. Generate Security Spreading Code Reference Signal and Despread Previously Collected A/D Samples

4. If Don’t Detect Security Spreading Code at Correct Power Level, Don’t Validate Signal

How Does This Make Spoofing Harder?

SSSC Segments are Spread Spectrum: Hard to Read, Buried Below Thermal Noise

Spoofer Needs Multiple High Gain Antennas or Digital Beamformer to Successfully Receive & Repeat SSSC Prior to Receipt of Digital Signature

Receiver Doesn’t Have to Know Time to a few milliseconds, Minutes of Error OK

User Segment Receiver Can Look Back In Time Several Minutes Looking For Valid SSSC

A-GPS Systems can be Authenticated By forwarding raw SSSC A/D samples to Network (Large) or By Sending Cipher Seed for SSSC to Receiver (Small)


Comments On Level 2

Spoofer Antenna Requirements for Various Hardened GPS Signal Types

Signal     Minimum Spoofer Antenna Gain†   Associated Antenna Diameter   Associated 2-sided 3 dB Beamwidth
L1CD       21 dBiC                         26"                           18 degrees
L2CM       21 dBiC                         34"                           18 degrees
L5I        26 dBiC                         63"                           10 degrees
L1 WAAS    26 dBiC                         47"                           10 degrees

† Gain Required for Spoofer to Generate False SSSC Bursts With Correlation within 1 dB of True SSSC Bursts

L1CD SSSC Storage Requirements are Modest (Assumes BOC to PSK Conversion)

Coherent Receiver
Number of Bits/Sample (I+Q):          4       4       4       4
Sample Rate (MHz):                    2.00    2.00    2.00    2.00
SSSC Collection Interval (sec):       36.0    36.0    36.0    36.0
SSSC Duty Factor:                     0.2%    2%      10%     100%
Total Memory Requirements (Mbytes):   0.072   0.720   3.600   36.000

Non Coherent Receiver
Number of Bits/Sample (I+Q):          2       2       2       2
Sample Rate (MHz):                    2.00    2.00    2.00    2.00
SSSC Collection Interval (sec):       36.0    36.0    36.0    36.0
SSSC Duty Factor:                     0.2%    2%      10%     100%
Total Memory Requirements (Mbytes):   0.036   0.360   1.800   18.000

It Is Important: PVT Systems Are A Critical Element of Civil Infrastructure; Threat Is Growing & User Community is Largely Unaware; GPS will be Locked out of European Markets

It Is Doable: Minor Impact On Receivers; Create National Authentication Infrastructure; Strong Signal In Space Authentication for L5I, L2CM, L1CD, L1 WAAS

Benefit Is Immediate: Do Not Need Full Constellation, Even One SV Can Provide Significant Anti-Spoofing Gain; WAAS/EGNOS Is A Good Short Term Candidate


Civil Spoofing Resistance Can and Should Be Improved

Backup

• SSSC Duty Factor Considerations
• Spoofer Antenna Gain Requirements


SSSC Duty Factor Considerations


• Coherent vs. Non Coherent Receivers
• Authentication C/No Thresholds


SSSC C/No Estimation Accuracy with Coherent Processing (Requires Phase Lock)

(figure; Nominal L1CD C/No with 0 dBiC Gain Towards SV is ~40 dB-Hz)


SSSC C/No Estimation Accuracy with NonCoherent Processing (Does Not Require Phase Lock)

(figure; Nominal L1CD C/No with 0 dBiC Gain Towards SV is ~40 dB-Hz)

Higher Duty Factor:

Better Supports Low C/No A-GPS Through Improved SSSC C/No Estimation Accuracy

Improves Ability to Guarantee SSSC Collection with Poor Absolute Time Accuracy Receivers

Impacts Data Stream BUT: 10% Duty Factor Causes Only 0.45 dB Degradation


SSSC Duty Factor Tradeoffs


SSSC C/No Estimation Accuracy with NonCoherent Processing and 0.2% Duty Factor (Does Not Require Phase Lock)

(figure; Nominal L1CD C/No with 0 dBiC Gain Towards SV is ~40 dB-Hz)


SSSC C/No Estimation Accuracy with NonCoherent Processing and 2% Duty Factor (Does Not Require Phase Lock)

(figure; Nominal L1CD C/No with 0 dBiC Gain Towards SV is ~40 dB-Hz)


SSSC C/No Estimation Accuracy with NonCoherent Processing and 10% Duty Factor (Does Not Require Phase Lock)

(figure; Nominal L1CD C/No with 0 dBiC Gain Towards SV is ~40 dB-Hz)

Erasure of 1 msec per 10 msec symbol yields Data Channel Loss of 0.45 dB

This Variation Is Also Good Because SSSC Bursts Occur Frequently So Receiver May Not Have to Turn On for Long

L1CD Spoofer Analysis


Spoofer’s Probability of Reading an L1CDi SSSC Chip in Error as a Function of Receive Antenna Gain

High Gain Antenna Is Needed to Read L1CDi SSSC Directly

(figure: Probability of Reading A Chip In Error, 1.E-06 to 1.E+00, versus Antenna Gain Towards SV (dBiC), 10 to 40; S = -163.0 dBW / NF = 2.0 dB / Loss = 1.0 dB, 1.02 Mch/sec)

Spoofing Is Detectable By Looking at SSSC Correlation Power

(figure: Spoofer Median SSSC Correlation Power (dB wrt True), -10.0 to 0.0 dB, versus Spoofer Receive Antenna Gain Towards SV (dBiC), 10 to 30; S = -163.0 dBW / NF = 2.0 dB / Loss = 1.0 dB, 1.02 Mch/sec)

SSSC Median Power (dB) $= 20\log_{10}(P_c - P_e) = 20\log_{10}(1 - 2P_e)$, where $P_e$ is the spoofer’s probability of reading a chip in error and $P_c = 1 - P_e$.


Spoofing Is Detectable By Low L1CDiSSSC Correlation Power
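An added example (not the author’s code) that simulates the Level 2 procedure of slides 24 through 26 together with the median-power relation of this slide: bursts are generated from the not-yet-released Level 1 signature, a receiver stores them, regenerates the code once the signature arrives, and rejects the signal when the median correlation power is too low. SHA-256 in counter mode stands in for the cipher stream generator, the signature bytes, noise level and burst samples are constructed, and the spoofer is modeled as a repeater that mis-read each chip with probability Pe; all of these are assumptions.

```python
import hashlib
import math
import random

CHIP_RATE = 1_023_000             # L1CD PN chip rate (slide 23)
BURST_CHIPS = CHIP_RATE // 1000   # one 1 msec SSSC burst = 1,023 chips

def sssc_chips(seed: bytes, burst_index: int) -> list:
    """Cipher stream generator keyed by the not-yet-transmitted Level 1
    signature. SHA-256 in counter mode is an assumed stand-in; +/-1 chips."""
    chips, counter = [], 0
    while len(chips) < BURST_CHIPS:
        msg = seed + burst_index.to_bytes(4, "big") + counter.to_bytes(4, "big")
        for byte in hashlib.sha256(msg).digest():
            chips.extend(1 if (byte >> bit) & 1 else -1 for bit in range(8))
        counter += 1
    return chips[:BURST_CHIPS]

def received_burst(true_chips, chip_error_prob, noise_sigma, rng):
    """Constructed precorrelation samples: the transmitter read each chip with
    error probability Pe (0 for the real SV, >0 for a repeat-back spoofer),
    plus Gaussian thermal noise."""
    return [(-c if rng.random() < chip_error_prob else c) + rng.gauss(0.0, noise_sigma)
            for c in true_chips]

def correlation_power_db(samples, reference) -> float:
    """Despread stored samples with the regenerated SSSC; 0 dB = ideal true burst."""
    acc = sum(s * r for s, r in zip(samples, reference)) / len(reference)
    return 20 * math.log10(max(acc, 1e-12))

def validate(samples_by_burst, signature: bytes, threshold_db=-2.0):
    """Steps 3-4 of slide 25: regenerate the code from the received signature,
    despread each stored burst, and reject if median power is too low."""
    powers = sorted(correlation_power_db(s, sssc_chips(signature, i))
                    for i, s in enumerate(samples_by_burst))
    median = powers[len(powers) // 2]
    return median >= threshold_db, median

def expected_spoofer_power_db(pe: float) -> float:
    """Slide 40: spoofer median SSSC power (dB wrt true) = 20 log10(1 - 2 Pe)."""
    return 20 * math.log10(1 - 2 * pe)

def demo(pe_spoofer=0.2, bursts=9, noise_sigma=1.0):
    """Authentic SV vs. a spoofer that mis-read 20% of chips (all constructed)."""
    rng = random.Random(7)
    signature = b"constructed Level 1 digital signature"   # seed, released later
    authentic = [received_burst(sssc_chips(signature, i), 0.0, noise_sigma, rng)
                 for i in range(bursts)]
    spoofed = [received_burst(sssc_chips(signature, i), pe_spoofer, noise_sigma, rng)
               for i in range(bursts)]
    return validate(authentic, signature), validate(spoofed, signature)
```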


High Gain Antennas Are Big and Impractical for Spoofers

(figure: L1 Antenna Characteristics (80% Aperture Efficiency): Circular Aperture Diameter (inches) and Two Sided 3 dB Beamwidth (degrees) plotted against Peak Gain (dBiC), 10 to 30)

Windows Operating Systems Didn’t Foresee the Threat of Widespread Internet Use in 1985. “It's very difficult to renovate your house when the structure is on fire! In Microsoft's case, the house was built without any regard for fire safety.” from “Three Reasons Why Microsoft Can't Ship (and Apple can)”

Cellular Telephony (AMPS): “Security Not Needed Since System Is So Complicated”. Annual Losses to Over The Air Cloning in US were greater than $1 billion

Supervisory Control And Data Acquisition (SCADA): “SCADA Systems Will Operate In Isolation”. Stuxnet has infected between 90,000 and 100,000 systems, according to Symantec. Allows a hacker to control industrial systems and it hides using a number of rootkits. It spreads via USB sticks using a vulnerability in Microsoft Windows.

GPS Community Largely Doesn’t Understand Role of Location Assurance In Security Paradigms


A Few Systems That Didn’t Pay Adequate Attention to Security Early On