
Improving Security of GNSS Receivers

Felix Kneissl University FAF Munich

ION GNSS 2011, September 23rd, Portland, Oregon

Means of User and Signal Authentication

• User Authentication (restrictive)
  • Spreading code encryption
  • Navigation data encryption
  • Send time randomization
• Signal Authentication
  • Non-cryptographic: sensor integration, multiple signal instances test, signal strength test, RAIM, group antenna processing, …
  • Cryptographic: navigation message authentication, private- and public spreading code authentication
• Transitive Signal authentication
  • Non-cryptographic techniques with fully secured hardware
  • Cryptographic techniques with partially secured hardware

Transitive Signal Authentication

• Definition of “Transitive Signal Authentication”
  • A third party is interested in reading authentic position and time information from a person using GNSS for positioning
• Applications for “Transitive Signal Authentication”
  • Ankle monitor / electronic tagging, road tolling, pay-as-you-drive insurance, …
• Influence on Threat Models
  • Receiver chain must not be seen as a trustworthy entity
    • Implementation of hardware security of the entire equipment or of sub-components, aided by cryptographic security at its interfaces
  • Assumptions on the (complicit) spoofer's capabilities
    • E.g. security code estimation or sample stream variation techniques

[Figure: receiver chain: AGC, A/D, DSP, NDP]

Signal Authentication

• Definition of “Signal Authentication”
  • The GNSS user itself is interested in receiving authentic signals to gain security on the derived time and position information
• Applications for “Signal Authentication”
  • Aviation applications, personal navigation, precise farming (additional detection possibilities given by differential techniques), …
• Influence on Threat Models
  • Receiver chain is considered a trustworthy entity
    • User access to AGC and multilevel ADC must be available for the defender
  • Assumptions on the spoofer's capabilities for cryptographic spoofing detection
    • E.g. security code estimation or sample stream variation techniques

[Figure: receiver chain: AGC, A/D, DSP, NDP]

Non-Cryptographic Spoofer Detection

• Both the counterfeit and the authentic signal will be received by the defender’s antenna / receiver
  • Complicit spoofing does not have to be considered, and thus the counterfeit signal has to be transmitted via radio link
  • Signal cancellation is assumed to be very unlikely (although possible)
    • Antenna phase center position uncertainty
    • Oscillator frequency error prediction (spoofer & satellite)
    • Orbit error and ionospheric error prediction
  • Test for multiple signal instances (MSIs, Vestigial Signal Defense)
• Masking of the authentic signal will be detectable by the defender
  • Monitoring both the signal power and the noise power either gives proof of an insecure environment or guarantees a minimum C/N0 of the authentic signal within the user’s IF-stream

Monitoring of Signal- and Noise Power

• Signal power for spoofing detection
  • Calibration process elevation dependent for the expected C/N0
    • Account for AGC-factor
    • Independent estimation of the IF-Sample’s signal and noise power
  • Distinctness to elemental variations of the signal power is not canonical / impractical
• Monitoring signal power to assess efficiency of spoofing detection via multiple signal instances test
  • Coarse bounds provide thresholds for the main detection routines
    • Low false alarm rate
  • If certain remaining authentic signal power can not be guaranteed spoofing has to be assumed

[Figure: C/N0, AGC]

Acquisition Techniques detecting MSIs

• Parameter estimation for code delay and Doppler offset

R

  

L

 1    0

s

D

c

t

f c

 

i

t

• Block acquisition techniques using FFT

R

  

F

 1

F

 

conj

F

c

  exp

i

    

• Sensitivity and granularity tunable by different sample rates and integration times
• False alarm probability can be reduced by handing detected signals to a tracking channel verifying the detection
• Weaker detection capabilities in the vicinity of the momentarily tracked signal
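An added example (not from the slides) of an FFT block-acquisition test for multiple signal instances: it correlates one sample block against the local code over a small Doppler grid and reports every delay/Doppler cell above a power threshold other than the tracked one. The random ±1 code, the delays, Doppler bins, amplitudes, noise level and the 0.1 threshold are assumptions chosen for illustration, and all function names are hypothetical.

```python
import cmath
import random

def fft(x, inverse=False):
    """Recursive radix-2 FFT (unnormalised); len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return list(x)
    even, odd = fft(x[0::2], inverse), fft(x[1::2], inverse)
    sign = 1 if inverse else -1
    out = [0j] * n
    for k in range(n // 2):
        w = cmath.exp(sign * 2j * cmath.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + w, even[k] - w
    return out

def acquire(samples, code, doppler_bins, threshold):
    """Return all (delay, doppler_bin, power) cells above threshold, strongest first."""
    n = len(code)
    code_f = [v.conjugate() for v in fft(code)]
    hits = []
    for m in doppler_bins:
        # Carrier wipe-off for bin m (m cycles per block), then FFT circular correlation.
        wiped = [s * cmath.exp(-2j * cmath.pi * m * k / n) for k, s in enumerate(samples)]
        corr = fft([a * b for a, b in zip(fft(wiped), code_f)], inverse=True)
        for delay, r in enumerate(corr):
            power = (abs(r) / n ** 2) ** 2  # 1.0 == full-amplitude code replica
            if power > threshold:
                hits.append((delay, m, power))
    return sorted(hits, key=lambda h: -h[2])

def extra_instances(hits, tracked):
    """Cells other than the tracked (delay, doppler_bin): candidate multiple signal instances."""
    return [(d, m) for d, m, _ in hits if (d, m) != tracked]

def replica(code, delay, doppler_bin, amp):
    """Code replica with a circular delay and a carrier of doppler_bin cycles per block."""
    n = len(code)
    return [amp * code[(k - delay) % n] * cmath.exp(2j * cmath.pi * doppler_bin * k / n)
            for k in range(n)]

def demo(counterfeit_amp=0.6):
    rng = random.Random(2011)  # fixed seed: constructed, reproducible sample block
    code = [rng.choice((-1.0, 1.0)) for _ in range(1024)]  # random code, not a real PRN
    noise = [complex(rng.gauss(0, 0.5), rng.gauss(0, 0.5)) for _ in code]
    auth, fake = replica(code, 200, 1, 1.0), replica(code, 615, -2, counterfeit_amp)
    samples = [a + f + w for a, f, w in zip(auth, fake, noise)]
    return acquire(samples, code, range(-2, 3), threshold=0.1)

if __name__ == "__main__":
    hits = demo()
    print("all detections:", [(d, m, round(p, 2)) for d, m, p in hits])
    print("MSI candidates:", extra_instances(hits, tracked=(200, 1)))
```

A second instance that falls in the same delay/Doppler cell as the tracked signal is not separated by this search, which is the weakness near the tracking point that the slide notes.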

Multicorrelator Techniques detecting MSIs

C sig

• Direct computation of the correlation power in the vicinity of the tracking point for several code delays

n coh

   1

ac

t

    

rec t

   0  exp 

i

 

t

      0

t

   0   Frequency analysis on subsequent I&D values approximates 2-D correlator

C m

  1

N

n

 0

C sig

 Re   ,

n

 exp  

i

2 

nm N

• Elimination of the tracked signal’s correlation peak
• Small monitoring domain for reasonable computational effort
• Excellent detection capabilities in the vicinity of the momentarily tracked signal

Cryptographic Spoofer Detection

• Testing for MSIs of encrypted ranging code signals barely practical
  • Parameter space for acquisition test only bounded by receiver clock uncertainty
  • 2-D multicorrelators not obtainable by simple frequency analysis
• Regenerated secured signals with low / zero / negative latency are detectable via statistical hypothesis testing
  • Humphreys, T.E., “Detection Strategy for Cryptographic GNSS Anti Spoofing”, IEEE Transactions on Aerospace and Electronic Systems, 2011, submitted for review
• Regenerated secured signals with higher latency induce detectable receiver clock errors or, respectively, are not able to displace an SCE type signal in track
  • Additional proper acquisition strategies (search earliest signals first) guarantee authentic signals

Spoofing Detection vs. Spoofing Mitigation

• Non-cryptographic signal based spoofing detection just detects spoofed environments but not spoofing signals
  • Spoofing – when monitored – acts as a denial of service attack
  • Spoofing influences availability and continuity of service budget
• Cryptographic spoofing detection allows for detecting spoofing signals
  • Spoofing can securely be mitigated, but
    • Any spoofing device can easily act as jamming device and
    • Navigation message authentication schemes suffer a certain authentication delay
• Sensor integration could provide signal source distinction even for unsecured signals

Acknowledgments

Parts of the work have been elaborated within the UniTaS IV project funded by the Bundesministerium für Wirtschaft und Technologie, administered by the Deutsches Zentrum für Luft- und Raumfahrt (FKZ 50 NA 0734).

Travel grant provided by the Satellite Navigation University Network Project in cooperation with the G-TRAIN consortium.