Presentation is loading. Please wait.

Presentation is loading. Please wait.

Todd Humphreys | Aerospace Engineering

Published byอารง เคนเนะดิ Modified over 5 years ago

Similar presentations

Presentation on theme: "Todd Humphreys | Aerospace Engineering"— Presentation transcript:

1 Toughening Techniques for GPS Receivers: Navigation Message Authentication
Todd Humphreys | Aerospace Engineering The University of Texas at Austin PNT Advisory Board 15th Meeting | June 11, 2015

2 TechDemoSat-1, launched July, 2014 (SSTL, University of Surrey)

3 Delay-Doppler map used to measure sea state, detect ice edge, possibly measure soil moisture

4 From Martin Unwin (SSTL)
Autumn 2014: DDMs over eastern Europe exhibit striping corruption. Cause: structured interference in GPS L1 band with structure similar to C/A code. Similar patterns manifest elsewhere around globe.

5 Civil GPS spoofing has been demonstrated in the laboratory and in controlled field tests; deliberate hostile spoofing has been detected in the wild. At present, civil GPS spoofing is a rare, minor nuisance. But experiments demonstrate that spoofing effects can be serious, especially for critical infrastructure.

6 Is the threat of civil GPS spoofing serious enough to warrant a change to the GPS signal-in-space?

7 Q1: How effective are receiver-side spoofing defenses?
Q2: How effective are SIS-side spoofing defenses? Q3: By how much would such defenses increase receiver cost?

8

9 Increasing cost of attack
Increasing receiver-side cost of defense

10 requires SIS modification
requires platform motion

11 requires SIS modification
Inexpensive (< $5k) COTS signal simulator/record-and-replay devices enable low-cost unsynchronized spoofing and meaconing requires platform motion

12 requires SIS modification
Synchronized (d < 100 ns) meaconing possible with a simple setup: rx antenna  amplifier  tx antenna Variable delay requires: downconversion  A2D  FPGA  D2A  upconversion requires platform motion

13 requires SIS modification
Synchronized (d < 100 ns) meaconing possible with a simple setup: rx antenna  amplifier  tx antenna Variable delay requires: downconversion  A2D  FPGA  D2A  upconversion requires platform motion

14 requires SIS modification
<10 ns code phase alignment data bit prediction carrier frequency locking 31 dB output power range C/N0 matching requires platform motion

15 requires SIS modification
on-the-fly estimation of an unpredictable security code requires platform motion

16 requires SIS modification
Each antenna’s RF signal is independently digitized. The resulting complex digital streams are weighted and summed to achieve simultaneous beam steering toward any number of SVs. The SV-specific signals are time-shifted and summed to create the false signal ensemble. requires platform motion

17 requires SIS modification
A nulling attack annihilates the authentic signal with an antipodal spoofing signal. Thereafter, no vestige of the authentic signal remains to interact with further spoofing. The attack can begin instantaneously at a data bit boundary or emerge gradually as shown by the phasor interaction in the video. requires platform motion

18 requires SIS modification
Standard GNSS pseudorange, Doppler, carrier phase, and signal strength observables can be analyzed to detect a spoofing attack. Detection is more powerful for static receivers. requires platform motion

19 requires SIS modification
Signatures interleaved within navigation data stream. Authenticates origin of data. No need for secret keys to be stored in the receiver. requires platform motion

20 requires SIS modification
Received power monitoring: continuous measurement of the total in-band received power. Requires access to automatic gain control instantaneous setpoint. requires platform motion

21 requires SIS modification
requires platform motion The Pincer defense: Exploit the attacker’s difficulty in preventing distortion when spoofing signals are approximately power-matched to authentic signals; amounts to trapping the spoofer between (1) a received power monitor, and (2) a distortion monitor.

22 requires SIS modification
NMA + SCER detection exploits the attacker’s inability to accurately estimate the security code chip values during the first few microseconds after an unpredictable transition. requires platform motion

23 requires SIS modification
nominal nominal spoofed requires platform motion Power spectrum analysis is valuable diagnostic for all types of RFI

24 requires SIS modification
Psiaki et al., 2014 requires platform motion Spoofing signal arriving from a single spatial direction are easily distinguished from spatially diverse authentic GNSS signals.

25 requires SIS modification
requires platform motion

26 NMA + SCER detection offers substantial PNT security at low cost
NMA has been advocated for over a decade: Scott (2003) [10] Internal MITRE memoranda Wesson (2012) [5] Kerns (2014) [6] No surprise that Europe is moving forward with NMA on Galileo [7]

27 NMA on Galileo Basic Design To be included on E1B open service High rate: 20 security bits per second avg. Based on TESLA (keys successively revealed after use period) Status Draft blueprint complete Over-the-air testing took place in summer 2014 Journal paper forthcoming

28 Targeted to CNAV on L2C and L5
NMA on GPS May 2015: The University of Texas completed a 2-year contract with the GPSD to develop a blueprint for NMA on GPS. Basic Design Targeted to CNAV on L2C and L5 Low rate: <1 security bit per second avg. Hybrid of TESLA and digital signature scheme (e.g., ECDSA, BLS) Status Draft blueprint complete Optimized scheduling across constellation Receiver demonstrates NMA + SCER det. Journal paper forthcoming

29 NMA on GPS L2C and L5 Case For Low cost to user (software update) Substantial improvement in PNT security for GPS users worldwide; patches a serious vulnerability in civil GPS Case Against Narrow uplink pipe leads to long time between authentication (9 minutes; compare Galileo at seconds) Response from industry: “If it’s not on L1, it’s not much use.” Bad time to be adding requirements to OCX

30 Recommendations Implement NMA on WAAS quadrature channel; provide example for other SBAS. Much higher SBAS data rate (250 bps) will support short time between authentication. Digitally sign GPS LNAV data, then broadcast signatures over WAAS quadrature channel: cross authentication. Encourage GNSS mfrs. to adopt simple receiver-autonomous defenses such as Pincer. Plan for NMA on L1C.

31

32 radionavlab.ae.utexas.edu

Download ppt "Todd Humphreys | Aerospace Engineering"

Similar presentations

GSC: Standardization Advancing Global Communications Evolution of TD-SCDMA China Communications Standards Association (CCSA) Chicago, May 29th to 2nd June,

GSC: Standardization Advancing Global Communications Evolution of TD-SCDMA China Communications Standards Association (CCSA) Chicago, May 29th to 2nd June,
Probabilistic Secure Time Transfer: Challenges and Opportunities for a Sub-Millisecond World Kyle D. Wesson, Prof. Todd E. Humphreys, Prof. Brian L. Evans.

Probabilistic Secure Time Transfer: Challenges and Opportunities for a Sub-Millisecond World Kyle D. Wesson, Prof. Todd E. Humphreys, Prof. Brian L. Evans.
Spread Spectrum Chapter 7.

Spread Spectrum Chapter 7.
Spread Spectrum Chapter 7. Spread Spectrum Input is fed into a channel encoder Produces analog signal with narrow bandwidth Signal is further modulated.

Spread Spectrum Chapter 7. Spread Spectrum Input is fed into a channel encoder Produces analog signal with narrow bandwidth Signal is further modulated.
Challenges of Practical Civil GNSS Security Todd Humphreys, UT Austin Civil Navigation and Timing Security Splinter Meeting |Portland, Oregon | September.

Challenges of Practical Civil GNSS Security Todd Humphreys, UT Austin Civil Navigation and Timing Security Splinter Meeting |Portland, Oregon | September.
Protecting Civil GPS Receivers

Protecting Civil GPS Receivers
GNSS Security Todd Humphreys | Aerospace Engineering The University of Texas at Austin GPS World Webinar | September 18, 2014.

GNSS Security Todd Humphreys | Aerospace Engineering The University of Texas at Austin GPS World Webinar | September 18, 2014.
Secure Navigation and Timing Todd Humphreys | Aerospace Engineering The University of Texas at Austin LAAFB GPS Directorate | December 5, 2012.

Secure Navigation and Timing Todd Humphreys | Aerospace Engineering The University of Texas at Austin LAAFB GPS Directorate | December 5, 2012.
Thursday, 3:55pm, room 24 This session will discuss techniques for enhancing the ability of receivers to detect, disregard, and operate through intentional.

Thursday, 3:55pm, room 24 This session will discuss techniques for enhancing the ability of receivers to detect, disregard, and operate through intentional.
Workshop EGNOS KRAKÓW 2004 1 GNSS RECEIVER TESTING TECHNIQUES IN A LABORATORY ENVIRONMENT Institute of Radar Technology Military University of Technology.

Workshop EGNOS KRAKÓW GNSS RECEIVER TESTING TECHNIQUES IN A LABORATORY ENVIRONMENT Institute of Radar Technology Military University of Technology.
14/03/2005 CGSIC Meeting, Prague, Czech Republic Oscar Pozzobon Chris Wullems Prof. Kurt Kubik Security issues in next generation satellite systems.

14/03/2005 CGSIC Meeting, Prague, Czech Republic Oscar Pozzobon Chris Wullems Prof. Kurt Kubik Security issues in next generation satellite systems.
APPLICATION OF SPACE-TIME CODING TECHNIQUES IN THIRD GENERATION SYSTEMS - A. G. BURR ADAPTIVE SPACE-TIME SIGNAL PROCESSING AND CODING – A. G. BURR.

APPLICATION OF SPACE-TIME CODING TECHNIQUES IN THIRD GENERATION SYSTEMS - A. G. BURR ADAPTIVE SPACE-TIME SIGNAL PROCESSING AND CODING – A. G. BURR.
GPS and other GNSS signals GPS signals and receiver technology MM10 Darius Plausinaitis

GPS and other GNSS signals GPS signals and receiver technology MM10 Darius Plausinaitis
CDMA 2000 1X RTT Overview. Global 3G Evolution.

CDMA X RTT Overview. Global 3G Evolution.
Distance-decreasing attack in GPS Final Presentation Horacio Arze Prof. Jean-Pierre Hubaux Assistant: Marcin Poturalski January 2009 Security and Cooperation.

Distance-decreasing attack in GPS Final Presentation Horacio Arze Prof. Jean-Pierre Hubaux Assistant: Marcin Poturalski January 2009 Security and Cooperation.
1 Lecture 9: Diversity Chapter 7 – Equalization, Diversity, and Coding.

1 Lecture 9: Diversity Chapter 7 – Equalization, Diversity, and Coding.
Thoughts on GPS Security and Integrity Todd Humphreys, UT Austin Aerospace Dept. DHS Visit to UT Radionavigation Lab | March 10, 2011.

Thoughts on GPS Security and Integrity Todd Humphreys, UT Austin Aerospace Dept. DHS Visit to UT Radionavigation Lab | March 10, 2011.
Why to Apply Digital Transmission?

Why to Apply Digital Transmission?
Kyle Wesson, Mark Rothlisberger, and Todd Humphreys

Kyle Wesson, Mark Rothlisberger, and Todd Humphreys
For 3-G Systems Tara Larzelere EE 497A Semester Project.

For 3-G Systems Tara Larzelere EE 497A Semester Project.

Similar presentations

Ads by Google