Civilian GPS Signal In Space Enhancements for AntiSpoofing
Logan Scott
My Papers on the Subject
1. “Anti-Spoofing & Authenticated Signal Architectures for Civil Navigation Systems” ION GNSS 2003
2. “L1C Should Incorporate Cryptographic Authentication Features” May 2006 Comments on ICD-GPS-800
3. “Expert Advice - Location Assurance” GPS World 2007
Applicable to Galileo and Other GNSS Signals
9/22/2010 LS Consulting / [email protected]
Unless GPS is hardened, it is likely to be targeted by sophisticated GPS signal spoofers. There are three primary driving forces behind this:
1. GPS is being proposed for road tax collection systems, cargo monitoring systems, location based computer security systems, fisheries monitoring, Digital Rights Management (DRM) etc. An ability to spoof the GPS receiver as to its actual location and time can lead to substantial financial gains using a variety of exploits. In many exploits, the “victim” will be the spoofer and so gaining “close in” or “on vehicle” access to the victim receiver will not be a problem. Terrorists are not the most likely first wave threat; criminals are.
2. The sophisticated signal generation capabilities needed to spoof GPS receivers can be performed in an all software implementation. This opens the process up to relatively unsophisticated “script kiddies” who would need to purchase or build only a front-end transmitter/antenna combination to complete the spoofer. The low associated cost & complexity would encourage development for relatively minor exploits such as “beating the road congestion tax”. This in turn would accelerate the ready availability of spoofers.
3. The plethora of navigation system types and signals makes constructing Relative Position (RP) spoofers much easier. The objective of an RP spoofer is to convince the victim receiver that it is at some specified (and controllable) offset relative to the true position. This opens up numerous exploits but requires knowledge of the victim’s true position. Someone looking to spoof an L1 set might use L5 or L2C signals to obtain true position. Or they might use Galileo. Or they might use WiFi access point mapping. This is much easier than constructing a limpet spoofer using look-through modes.
Why Is Location Assurance Important?
1. Software Code Spoofing: Download Fraudulent Software into Victim Receiver
2. Differential Corrections Spoofing: Provide Substitute Corrections to Create Small but Important Errors. Vulnerability Is Link Dependent: Non-Authenticated, Non-Ranging Links (Coast Guard Beacon, LAAS, RTCM-SC-104) Are Highly Vulnerable. Can Only Create Small Errors.
3. GPS Signal Constellation Spoofing: Requires Generating a Navigationally Consistent Signal Set. Relative & Absolute Position Variants.
Three Approaches To Civil Spoofing
Accurately Spoofing Time (< 10 msec) Is Harder: Requires a More Advanced GPS Receiver with Timing Outputs or Integrated PVT
Reference Approach
On Vessel Constellation Spoofer: Capable of Absolute or Relative Spoofing Modes. Buildable Using Off the Shelf Subsystems for ~$20,000 NRE + $1,000 Unit Cost
[Block diagram: Real GPS Signals → GPS Receiver (Position, Velocity, 50 bps data, Time) and Frequency Reference → Software Defined Signal Generator (Operator Defined Offsets) → D/A & L-Band Upconverter → Very Low Power Spoofing Signal, a Navigationally Consistent Signal Set, ~1 foot from the Victim GPS Receiver → Secure Ship’s Log / Reporting System, inside the Physical Security Perimeter]
1 November, 2006 GeoCodex LLC / LS Consulting
If Fishing Vessel Can Cover Activity for 30 Minutes, Might Land an Additional $60,000 of Fish
Many Highly Regulated, High Value Fisheries
Chilean Seabass, Cod Fishing, Scalloping, Shrimping, King Crabs, Rockfish, Whaling
Cover Can Include: Hiding Stops to Pick Up Crab Cages; Hiding Additional Time In a Restricted Area; Hiding Trawl Pattern
Encryption Hides The Message Content
Authentication Validates The Message, Often By Appending Cryptographic Fields to: Identify the Source of the Message; Timestamp The Message; Detect Message Alterations
Message Itself Can Be Sent In the Clear
Authentication Is Not The Same As Encryption
15 February, 2003 LSC Inc. All Rights Reserved
Comparing “Internal Watch Time” to “External Signal’s Time” Can Provide A Very Powerful AntiSpoofing Mechanism
If “Signal’s Time” Is Not Within “X” Seconds of “Internal Time” Do Not Accept Signals As Valid.
Keeps Spoofer From Using Unsynchronized “Canned Scenarios”: Spoofer Must Synchronize with GPS Time; Off the Shelf Equipment Generally Does Not Sync to GPS Time
Spirent Does Offer at Least One Model that Does
Core Objectives of Proposal: Make It Hard for A Spoofer to Generate Valid Signals Synchronized With GPS Time; Prevent Replay Attacks
Four Levels of Authentication Available To Users
0: No Enhancement, Receivers Can Ignore Signal Authentication Features
1: Data Message Authentication
2: Public Spreading Code Authentication: Requires Precorrelation Sample Storage; Does NOT Require User Segment to Hold Secret Keys
3: Private Spreading Code Authentication: Requires Tamper Resistant Hardware and Secure Key Distribution
Specific Proposals for L2C, L5, L1C, L1 WAAS; L1 WAAS Requires Only Ground Based Modifications
DoD Retains Ability To Spoof Since They Hold Private Keys
Proposed Civil Signal Authentication Architecture
TMBOC(6,1,4/33) Format: Time Multiplexed BOC (TMBOC) Selected for GPS; Composite BOC (CBOC) Selected for Galileo
Pilot & Data Channels Transmitted in Phase Quadrature or with the Same Phase
Pilot, -158.25 dBW: L1CP, 10,230 chip PRN / 10 msec period, XORed with the length 1800 L1CO overlay code for an effective code period of 18 seconds
Data, -163 dBW: L1CD, 10,230 chip PRN / 10 msec period; Nominal 50 bps, Rate ½ FEC with Interleaving
Multiplexed BOC (MBOC) Format on Pilot Channel for Improved Anti-Multipath: Pilot Channel Transmits BOC(1,1) 29/33 of the Time and BOC(6,1) 4/33 of the Time
L1C Features in IS-GPS-800A
Key Pair: Encrypting Key ≠ Decrypting Key
Examples: RSA (Large Primes), NTRU (Ring Polynomials)
Orders of Magnitude Slower Than Symmetric Algorithms (≈1,000 times slower)
Asymmetric Encryption & Decryption
[Diagram: Plaintext → Encrypt (Key_E) → Ciphertext → Decrypt (Key_D) → Plaintext]
Message Authentication Using an Asymmetric Encryption Algorithm: Private Key ≠ Public Key
[Diagram. At the Satellite: Message → Secure Hash Algorithm → Message Digest (~160 bits) → Encrypt Message Digest with Private Key → Digital Signature (a One Way Function, Hard to Forge without the Private Key). At the Receiver: Message → Secure Hash Algorithm → Message Digest; Digital Signature → Decrypt Message Digest with Public Key → Decrypted Message Digest; Compare & Authenticate If Equal]
Currently defined Subframe 3 page types include:
Page 1: UTC & IONO (12 reserved bits)
Page 2: GGTO & EOP (GPS/GNSS Time Offset & Earth Orientation Parameters) (30 reserved bits)
Page 3: Reduced Almanac (17 reserved bits)
Page 4: Midi Almanac (85 reserved bits)
Page 5: Differential Correction (87 reserved bits)
Page 6: Text (232 bit message)
Page 7: Reserved
New Subframe 3, Page 8: Data Authentication Message, Sent Once Every 6 minutes (1 in 20 of Subframe 3 Pages)
Alternatively, Use Reserved Bits to Convey Authentication
Level 1 Adds New Authentication Message Type to Current CNAV-2 Data Structure
Level 1: Data Stream Authentication Using A Public Key Digital Signature Algorithm
[Diagram. Space Segment: Frames 1 … N are signed with a Private Algorithm (Could also be Public) and a Private Key (Known Only to CS & SS); the Digital Signature is carried in Subframe 3, Page 8 or Spares. User Segment: verifies with the Public Algorithm and the Public Key (Known to Everyone) and sets an Authentication Flag]
Spoofer Doesn’t Have Private Key to Sign Data Stream; Spoofer Has to Use Off the Air Data Streams In a Replay Attack; Difficult for Spoofer to Synchronize with GPS Time
If Victim Has An Accurate Knowledge of Time, Can Detect Spoofing. ±2 ppm XO Can Hold Time to: ±8 msec Over a 1 Hour Outage; ±173 msec Over a 1 Day Outage; ±63 sec Over a 1 Year Outage
Spoofer Has to Have Replay Turnaround Time Shorter Than Acceptance Window
Does Not Protect “Intermittent Track” Receivers (e.g. A-GPS, Snapshot and RD Map Reporters): They Don’t Read Data; Most Likely Victims
Why Level 1 Makes Spoofing Harder
Spoofer Must Sync To Real Time to This Accuracy
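Added example (not from the paper or any GPS program): the Level 1 check described on this slide and on the earlier “internal watch time” slide, in Python. A per-satellite key pair signs a ~160-bit digest of the data frames; the receiver verifies with the public key and additionally rejects a stream whose time falls outside the window its XO can hold. Textbook RSA with Miller-Rabin primes, the frame bytes, the time values and the 2 ppm XO model are assumptions chosen so the example runs on the standard library alone.

```python
import hashlib
import math
import random

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin probable-prime test, enough for a demonstration key pair."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:  # odd candidate with the top bit set
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def keypair(bits=512, e=65537):
    """One key pair per satellite (the page recommends a unique pair per SV).
    Textbook RSA without padding: a stdlib-only stand-in for the real algorithm."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def digest(frames: bytes) -> int:
    """~160-bit message digest of the frames being signed (SHA-1, as in the diagram)."""
    return int.from_bytes(hashlib.sha1(frames).digest(), "big")

def sign(private_key, frames):  # control/space segment: "encrypt" digest, private key
    n, d = private_key
    return pow(digest(frames), d, n)

def verify(public_key, frames, signature):  # user segment: "decrypt", compare digests
    n, e = public_key
    return pow(signature, e, n) == digest(frames)

def xo_window_s(outage_s, ppm=2.0):
    """Watch drift with a +/-ppm XO: 2 ppm gives 0.1728 s per day (page: 173 msec), 7.2 ms per hour."""
    return outage_s * ppm * 1e-6

def accept(public_key, frames, signature, signal_time_s, watch_time_s, window_s):
    """Signature must verify AND signal time must sit inside the watch window (assumed replay check)."""
    return verify(public_key, frames, signature) and abs(signal_time_s - watch_time_s) <= window_s
```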
Comments on Level 1
Should have Unique Key Pair for Each Satellite
Public Key Used By User Segment Should Be Signed by a Certificate Authority (CA): Gives User Segment A Mechanism to Validate the Public Key, à la PKI; Keys Should Have an Expiration Date; Probably Want a Certificate Revocation Mechanism Too
Receiver Software & All Patches Should Be Signed by the CA. Malicious Software Example: “Add 100’ to Altitude After March 15, 2004”. Integrate with Level 1 Infrastructure
Signal Authentication Delay Is An Issue: Can’t Authenticate Until Signature Is Received (Up to 6 minutes)
Battery Life Considerations Paramount: GPS Is Often Just a Range/Doppler Measurement Device and Does Not Read Data (Net-centric A-GPS)
Satcom Links Usually Don’t Have Ranging Capability: MSV (L-Band Transponder), Inmarsat, Orbcomm, Iridium
Often Tied In with Tamper Monitoring Systems: Electronic Seals, Light Sensors, Radiation Detectors
Vessel Monitoring Systems, Asset Tracking Systems & A-GPS Use Similar Approaches
Easy To Spoof & With High Payoff: Most Likely Victims
Figure from: SkyBitz website
Federal Motor Carrier Safety Administration (FMCSA) investigating methods to improve carrier security, particularly in the area of hazardous materials security
Lost Signal Will Raise Alarm
Geofencing Used to Raise Alarms
GPS Used to Monitor Location History of In-Bond¹ Cargo
For Example Containerized Cargo Landed in Vancouver but Destined for USA
Asset Tracking & Monitoring Is Rapidly Moving Towards A Security Paradigm
US DoT Asset Monitoring/Security Initiatives Using GPS
Figure from: The Freight Technology Story, Intelligent Freight Technologies and Their Benefits, U.S. Department of Transportation Federal Highway Administration Office of Freight Management and Operations
¹ IN BOND: A term applied to the status of merchandise admitted provisionally to a country without payment of duties, either for storage in a bonded warehouse or for trans-shipment to another point, where duties will eventually be imposed.
Space Segment Knows Level 1 Signature Several Minutes In Advance; SSSC Transmitted on L1CD Data Channel At the 1.023 Mchip/second PN Code Rate; Pilot Channel Is Not Modified
At the Satellite: Generate Spread Spectrum Security Code (SSSC) Using The As Yet Un-Transmitted Level 1 Digital Signature as A Seed
[Diagram: As Yet Un-Transmitted Level 1 Digital Signature → Seed Value → Cipher Stream Generator → Spread Spectrum Security Code (SSSC). Timeline: Normal L1CDi Signal Flow per ICD-800 with SSSC bursts (SSSCBa, SSSCBb) of 1 msec (1/10 symbol) inserted, shown over successive 0.5 second intervals]
User Segment Doesn’t Know How to Demodulate SSSC Until Digital Signature Is Received
[Receiver block diagram: A/D Convert; Carrier NCO with Sin/Cos ROM supplies sin(θn) and cos(θn); Code NCO, Code Clock and Code Generator supply the Reference Code; ΣN accumulators form In and Qn, performed at each code phase offset (and passed to later code phase offsets and to other channels); precorrelation samples are written to SSSC Memory under Start/Stop Triggers and passed to SSSC Checking]
1. Collect Precorrelation A/D Samples
2. Receive Digital Signature (up to 6 minutes later)
3. Generate Security Spreading Code Reference Signal and Despread Previously Collected A/D Samples
4. If the Security Spreading Code Is Not Detected at the Correct Power Level, Don’t Validate the Signal
To Authenticate The Signal
How Does This Make Spoofing Harder? SSSC Segments are Spread Spectrum: Hard to Read, Buried Below Thermal Noise
Spoofer Needs Multiple High Gain Antennas or a Digital Beamformer to Successfully Receive & Repeat the SSSC Prior to Receipt of the Digital Signature
Receiver Doesn’t Have to Know Time to a Few Milliseconds; Minutes of Error OK
User Segment Receiver Can Look Back In Time Several Minutes Looking For a Valid SSSC
A-GPS Systems Can Be Authenticated By Forwarding Raw SSSC A/D Samples to the Network (Large) or By Sending the Cipher Seed for the SSSC to the Receiver (Small)
Comments On Level 2
Signal    Minimum Spoofer Antenna Gain†   Associated Antenna Diameter   Associated 2-sided 3 dB Beamwidth
L1CD      21 dBiC                         26”                           18 degrees
L2CM      21 dBiC                         34”                           18 degrees
L5I       26 dBiC                         63”                           10 degrees
L1 WAAS   26 dBiC                         47”                           10 degrees
Spoofer Antenna Requirements for Various Hardened GPS Signal Types
† Gain Required for Spoofer to Generate False SSSC Bursts With Correlation within 1 dB of True SSSC Bursts
Number of Bits/Sample (I+Q):          4      4      4      4
Sample Rate (MHz):                    2.00   2.00   2.00   2.00
SSSC Collection Interval (sec):       36.0   36.0   36.0   36.0
SSSC Duty Factor:                     0.2%   2%     10%    100%
Total Memory Requirements (Mbytes):   0.072  0.720  3.600  36.000
L1CD SSSC Storage Requirements are Modest (Assumes BOC to PSK Conversion)
Number of Bits/Sample (I+Q):          2      2      2      2
Sample Rate (MHz):                    2.00   2.00   2.00   2.00
SSSC Collection Interval (sec):       36.0   36.0   36.0   36.0
SSSC Duty Factor:                     0.2%   2%     10%    100%
Total Memory Requirements (Mbytes):   0.036  0.360  1.800  18.000
Coherent Receiver
Non Coherent Receiver
It Is Important: PVT Systems Are A Critical Element of Civil Infrastructure; Threat Is Growing & User Community is Largely Unaware; GPS will be Locked out of European Markets
It Is Doable: Minor Impact On Receivers; Create National Authentication Infrastructure; Strong Signal In Space Authentication for L5I, L2CM, L1CD, L1 WAAS
Benefit Is Immediate: Do Not Need Full Constellation, Even One SV Can Provide Significant Anti Spoofing Gain; WAAS/EGNOS Is A Good Short Term Candidate
Civil Spoofing Resistance Can and Should Be Improved
Backup
• SSSC Duty Factor Considerations
• Spoofer Antenna Gain Requirements
SSSC Duty Factor Considerations
• Coherent vs. Non Coherent Receivers
• Authentication C/No Thresholds
SSSC C/No Estimation Accuracy with Coherent Processing (Requires Phase Lock). Nominal L1CD C/No with 0 dBiC Gain Towards SV is ~40 dB-Hz
SSSC C/No Estimation Accuracy with Non-Coherent Processing (Does Not Require Phase Lock). Nominal L1CD C/No with 0 dBiC Gain Towards SV is ~40 dB-Hz
Higher Duty Factor:
• Better Supports Low C/No A-GPS Through Improved SSSC C/No Estimation Accuracy
• Improves Ability to Guarantee SSSC Collection with Poor Absolute Time Accuracy Receivers
• Impacts Data Stream BUT: 10% Duty Factor Causes Only 0.45 dB Degradation
SSSC Duty Factor Tradeoffs
SSSC C/No Estimation Accuracy with Non-Coherent Processing and 0.2% Duty Factor (Does Not Require Phase Lock). Nominal L1CD C/No with 0 dBiC Gain Towards SV is ~40 dB-Hz
SSSC C/No Estimation Accuracy with Non-Coherent Processing and 2% Duty Factor (Does Not Require Phase Lock). Nominal L1CD C/No with 0 dBiC Gain Towards SV is ~40 dB-Hz
SSSC C/No Estimation Accuracy with Non-Coherent Processing and 10% Duty Factor (Does Not Require Phase Lock). Nominal L1CD C/No with 0 dBiC Gain Towards SV is ~40 dB-Hz
Erasure of 1 msec per 10 msec symbol yields Data Channel Loss of 0.45 dB
This Variation Is Also Good Because SSSC Bursts Occur Frequently, So Receiver May Not Have to Turn On for Long
Spoofer’s Probability of Reading an L1CDi SSSC Chip in Error as a Function of Receive Antenna Gain
High Gain Antenna Is Needed to Read L1CDi SSSC Directly
[Chart: Probability of Reading A Chip In Error (1E-06 to 1E+00, log scale) vs Antenna Gain Towards SV (10 to 40 dBiC); S = -163.0 dBW / NF = 2.0 dB / Loss = 1.0 dB, 1.02 Mch/sec]
Spoofing Is Detectable By Looking at SSSC Correlation Power
[Chart: Spoofer Median SSSC Correlation Power (dB wrt True, -10 to 0 dB) vs Spoofer Receive Antenna Gain Towards SV (10 to 30 dBiC); S = -163.0 dBW / NF = 2.0 dB / Loss = 1.0 dB, 1.02 Mch/sec]
SSSC Median Power (dB) $= 20\log_{10}(P_c - P_e) = 20\log_{10}(1 - 2P_e)$, where $P_c$ and $P_e$ are the probabilities that the spoofer reads an SSSC chip correctly and in error ($P_c = 1 - P_e$).
Spoofing Is Detectable By Low L1CDi SSSC Correlation Power
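Added example (not the paper’s code): the Level 2 procedure from the “To Authenticate The Signal” steps together with this slide’s correlation-power curve, in Python. Precorrelation samples are stored, the SSSC is regenerated from the later-received signature, the stored samples are despread, and a replayed signal whose chips were read with error rate P_e lands near 20 log10(1 − 2P_e) dB below the true code. The SHA-256 counter-mode keystream, the 8-burst collection, the −5 dB chip SNR, the 30% chip error rate and the −3 dB acceptance threshold are constructed assumptions.

```python
import hashlib
import math
import random

CHIPS_PER_BURST = 1023  # one 1 msec SSSC burst at the 1.023 Mchip/s L1CD code rate
BURSTS = 8              # constructed: bursts collected and despread together

def sssc_chips(seed: bytes, n_chips: int) -> list:
    """Cipher stream generator: expand the seed (the Level 1 signature that has not
    been transmitted yet) into +/-1 chips. SHA-256 in counter mode stands in for the
    page's unspecified stream cipher (assumption)."""
    chips, counter = [], 0
    while len(chips) < n_chips:
        block = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        chips.extend(1 if (b >> i) & 1 else -1 for b in block for i in range(8))
        counter += 1
    return chips[:n_chips]

def precorrelation_samples(chips, chip_snr_db, rng):
    """Constructed A/D record: one sample per chip, chips buried in Gaussian noise."""
    sigma = math.sqrt(10 ** (-chip_snr_db / 10))
    return [c + rng.gauss(0.0, sigma) for c in chips]

def correlation_power_db(samples, reference):
    """Despread stored samples with the regenerated SSSC; normalised correlation
    power in dB relative to a perfect match with the true code."""
    corr = sum(s * r for s, r in zip(samples, reference)) / len(reference)
    return 20 * math.log10(max(abs(corr), 1e-12))

def predicted_power_db(p_e):
    """Page's curve: spoofer median SSSC power (dB wrt true) = 20 log10(1 - 2 P_e)."""
    return 20 * math.log10(1 - 2 * p_e)

def spoofer_replay(chips, p_e, rng):
    """Chips a repeater would re-radiate after reading each one with error rate p_e."""
    return [-c if rng.random() < p_e else c for c in chips]

def authenticate(samples, signature, threshold_db=-3.0):
    """Steps 3-4 of the page's procedure: regenerate the SSSC from the now-received
    signature, despread the stored samples, accept only at the expected power
    (threshold is an assumption)."""
    power = correlation_power_db(samples, sssc_chips(signature, len(samples)))
    return power >= threshold_db, power

def demo(p_e=0.3, chip_snr_db=-5.0, rng_seed=1):
    """Genuine SSSC vs a replayed one with 30% chip errors, both at -5 dB chip SNR."""
    rng = random.Random(rng_seed)
    signature = b"constructed Level 1 digital signature"  # seed value
    chips = sssc_chips(signature, CHIPS_PER_BURST * BURSTS)
    genuine = precorrelation_samples(chips, chip_snr_db, rng)
    replayed = precorrelation_samples(spoofer_replay(chips, p_e, rng), chip_snr_db, rng)
    return authenticate(genuine, signature), authenticate(replayed, signature)
```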
High Gain Antennas Are Big and Impractical for Spoofers
[Chart: L1 Antenna Characteristics (80% Aperture Efficiency): Circular Aperture Diameter (inches, 0 to 50) and Two Sided 3 dB Beamwidth (degrees, 0 to 60) vs Peak Gain (dBiC, 10 to 30)]
Windows Operating Systems Didn’t Foresee the Threat of Widespread Internet Use in 1985: “It's very difficult to renovate your house when the structure is on fire! In Microsoft's case, the house was built without any regard for fire safety.” from “Three Reasons Why Microsoft Can't Ship (and Apple can)”
Cellular Telephony (AMPS): “Security Not Needed Since System Is So Complicated”. Annual Losses to Over The Air Cloning in the US were greater than $1 billion
Supervisory Control And Data Acquisition (SCADA): “SCADA Systems Will Operate In Isolation”. Stuxnet has infected between 90,000 and 100,000 systems, according to Symantec. It allows a hacker to control industrial systems and hides using a number of rootkits. It spreads via USB sticks using a vulnerability in Microsoft Windows.
GPS Community Largely Doesn’t Understand Role of Location Assurance In Security Paradigms
A Few Systems That Didn’t Pay Adequate Attention to Security Early On