Luca Canzian, Luciano Tosato, Andrea Dalla Chiara, Oscar Pozzobon, Qascom, Italy; Mikael Mabilleau, GSA


Abstract:

The Satellite Based Augmentation System (SBAS) service is used to improve navigation reliability and accuracy when the GNSS (Global Navigation Satellite Systems) service does not comply with stringent requirements, such as during the aircraft approach phase, the management of on-road vehicles, or precision farming. As for GNSS, the SBAS signals are received on the ground with low power and therefore they are prone to interference, potential malicious alteration, or forging. In particular, the broadcast of non-authentic SBAS data messages can have a detrimental impact on receiver operations, because the navigation solution could be affected even if the tracked GNSS signals are authentic. The European Commission is exploring the possibility of improving the security of the SBAS service in order to allow a trusted and verified augmentation. With this objective, the EC is financing the SPARC (Simulation Platform for Authentication Reliable Concept) project to identify a viable solution for the authentication of SBAS data.

The security of an authentication technique, independently of the technique considered, strongly depends on the security of the mechanism used to generate, distribute, renew and revoke the keys exploited by the authentication technique. Such a mechanism is known as Key Management (KM). This paper presents the KM schemes considered and assessed within the SPARC project. In this paper asymmetric authentication techniques are considered, exploiting a key that is referred to as the level 1 public key. The objective of the KM scheme is to disseminate and authenticate these level 1 public keys. The following two schemes have been considered:

• KM scheme with signed KM messages: this is a standard KM scheme in which the level 1 public key is transmitted in clear in a KM message, along with its key activation timestamp, the validity time interval, and the signature used to authenticate the content of the KM message.
  The signature must be generated with a higher-level private key, providing more security and lasting longer than the level 1 private key. On the other hand, the signature must be authenticated with a higher-level public key (providing more security and lasting longer than the level 1 public key). A two-layer KM structure is considered, in which the KM message is signed with a Certificate Authority (CA) private key and authenticated with the associated CA public key. The CA public key is pre-installed in the receiver memory and lasts for the whole lifetime of the receiver, so that no additional KM message type is required to update higher-level keys.

• KM scheme with pre-installed encrypted information: this scheme is still based on a two-layer structure, but it exploits the concept proposed in [1] to reduce the length of the KM message, hence reducing the required bandwidth and/or improving the time to retrieve the KM message. In the solution described in [1] a certain number of level 1 public keys are pre-installed in the memory of the receiver in an encrypted format, using a symmetric encryption scheme whose encryption key K_enc is transmitted within the KM message, in place of the longer level 1 public key. However, to further reduce the required KM message bandwidth, the current paper proposes to pre-install in the receiver memory also the key activation timestamp, the validity time interval (this could be fixed for all the level 1 public keys), and the CA signature. This significantly reduces the length of the KM message, at the cost of increased receiver memory requirements and less KM flexibility (the level 1 keys and the associated activation times must be pre-computed). It is remarked that the short KM message, containing only K_enc, can support only nominal/planned operations; in case of unplanned operations, such as the revocation of a compromised level 1 key, the same KM message type as in the previous KM scheme can be used.
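As an added illustration of the two-layer structure described above (example code written for this page, not the SPARC project's or the paper's own implementation), the following Python sketch builds and verifies both KM message types: the signed KM message carrying key, timing and CA signature on air, and the short message carrying only K_enc for a pre-installed encrypted record. Several stand-ins are assumptions, not the paper's choices: a Lamport one-time hash-based signature replaces the CA signature algorithm, an HMAC-SHA256 keystream replaces the symmetric cipher protecting the pre-installed level 1 keys, the level 1 public key is fixed at 33 bytes, and the activation timestamp and validity interval are 32-bit fields. All key material is constructed inside the example.

```python
"""Two-layer SBAS key-management (KM) messages: signed KM message vs. short
K_enc-only message with pre-installed encrypted records.

Added example, not the paper's or the SPARC project's code. Stand-ins (assumptions):
  * CA signature  -> Lamport one-time signature over SHA-256 (a real deployment
    would use a conventional CA signature; a Lamport key must sign only once).
  * symmetric cipher protecting pre-installed level 1 keys -> HMAC-SHA256 keystream.
  * payload layout: 33-byte level 1 public key | uint32 activation | uint32 validity (s).
"""
import hashlib
import hmac
import os
import struct


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- CA signature stand-in (Lamport one-time signature) ----------------------
def ca_keygen():
    """CA private key: 256 pairs of random 32-byte secrets; public key: their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]


def ca_sign(sk, msg: bytes) -> bytes:
    """Reveal, for each digest bit, the secret matching that bit (one-time use)."""
    return b"".join(sk[i][bit] for i, bit in enumerate(_bits(msg)))


def ca_verify(pk, msg: bytes, sig: bytes) -> bool:
    if len(sig) != 256 * 32:
        return False
    return all(H(sig[32 * i:32 * i + 32]) == pk[i][bit] for i, bit in enumerate(_bits(msg)))


# --- content covered by the CA signature ---------------------------------------
KEY_LEN = 33               # assumed level 1 public key length
PAYLOAD_LEN = KEY_LEN + 8  # key + activation + validity


def km_payload(level1_pk: bytes, activation: int, validity_s: int) -> bytes:
    assert len(level1_pk) == KEY_LEN
    return level1_pk + struct.pack(">II", activation, validity_s)


def _accept(level1_pk, activation, validity_s, now):
    """The key is usable only inside its window [activation, activation + validity)."""
    return level1_pk if activation <= now < activation + validity_s else None


# --- Scheme 1: signed KM message (key, timing and signature all on air) ---------
def build_signed_km_message(ca_sk, level1_pk, activation, validity_s) -> bytes:
    payload = km_payload(level1_pk, activation, validity_s)
    return payload + ca_sign(ca_sk, payload)


def receive_signed_km_message(ca_pk, msg: bytes, now: int):
    """Receiver side: verify with the pre-installed CA public key, then check timing."""
    payload, sig = msg[:PAYLOAD_LEN], msg[PAYLOAD_LEN:]
    if len(payload) != PAYLOAD_LEN or not ca_verify(ca_pk, payload, sig):
        return None
    activation, validity_s = struct.unpack(">II", payload[KEY_LEN:])
    return _accept(payload[:KEY_LEN], activation, validity_s, now)


# --- Scheme 2: pre-installed encrypted record + short KM message carrying K_enc -
def keystream_xor(k_enc: bytes, data: bytes, label: bytes) -> bytes:
    """XOR `data` with HMAC-SHA256(k_enc, label || counter) blocks (stand-in cipher)."""
    out = bytearray()
    for blk in range((len(data) + 31) // 32):
        ks = hmac.new(k_enc, label + blk.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[32 * blk:32 * blk + 32], ks))
    return bytes(out)


def preinstall_record(ca_sk, k_enc, level1_pk, activation, validity_s) -> dict:
    """Computed before deployment and stored in receiver memory; K_enc is withheld."""
    sig = ca_sign(ca_sk, km_payload(level1_pk, activation, validity_s))
    return {"activation": activation, "validity_s": validity_s,
            "enc_key": keystream_xor(k_enc, level1_pk, b"key"),
            "enc_sig": keystream_xor(k_enc, sig, b"sig")}


def receive_short_km_message(ca_pk, record: dict, k_enc: bytes, now: int):
    """Receiver side: the air message is only K_enc; the CA signature is still checked."""
    level1_pk = keystream_xor(k_enc, record["enc_key"], b"key")
    sig = keystream_xor(k_enc, record["enc_sig"], b"sig")
    payload = km_payload(level1_pk, record["activation"], record["validity_s"])
    if not ca_verify(ca_pk, payload, sig):
        return None
    return _accept(level1_pk, record["activation"], record["validity_s"], now)
```

The point the sketch makes is that in the short-message scheme the receiver still ends up with a CA-authenticated level 1 key: a wrong or forged K_enc decrypts the stored key and signature to garbage, and the CA signature check over the reconstructed payload fails, so the only thing the air message has to carry is the symmetric key. The memory cost shows up as the encrypted record, which here is inflated by the 8 KB Lamport signature; with a conventional CA signature it would be far smaller but still, as the abstract states, several records deep.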
Figure 1 illustrates the concept behind the proposed scheme. For both schemes, the KM message is longer than a single SBAS message, hence it must be partitioned into several blocks that are sent within different SBAS messages. Four different dissemination options are explored in the current work:

• Transmission of KM blocks in the I-channel, using the spare bits at the end of an authentication frame;
• Transmission of KM blocks in the Q-channel (new component), using the spare bits at the end of an authentication frame;
• Transmission of KM blocks in the I-channel, using dedicated SBAS messages;
• Transmission of KM blocks in the Q-channel (new component), using dedicated SBAS messages.

The paper investigates the performance using an analytical formulation for the computation of the time to retrieve the whole KM message. The formulation models the reception of SBAS messages as an independent and identically distributed process with probability 1-WER, where WER denotes the Word Error Rate (i.e., the probability that an SBAS message is not correctly received). The following considerations are derived from the achieved results:

• KM schemes with signed KM messages
  o Pros
    - Flexibility: the level 1 public keys and their activation and validity time intervals do not need to be pre-defined.
    - Memory requirements: only the CA public key and the current level 1 public key need to be kept in memory.
  o Cons
    - Long KM message, which leads to a long time required to retrieve the level 1 public key, ranging from 28 s to 1430 s, depending on the dissemination mode and the WER value.
• KM schemes with pre-installed encrypted information
  o Pros
    - Short KM message, which leads to a short time required to retrieve the level 1 public key, ranging from 8 s to 264 s, depending on the dissemination mode and the WER value.
  o Cons
    - Memory requirements: several encrypted level 1 public keys with their key activation timestamp, key validity time interval, and encrypted CA signature must be stored. This results in tens of kbit of memory requirements.
• Dissemination in the I-channel, KM bits after the signature
  o Pros
    - No additional signal component must be introduced.
    - No impact on the bandwidth of the underlying authentication scheme, since spare bits are used.
  o Cons
    - Long time required to retrieve the level 1 public key: for the best channel scenario (low WER) it is equal to 286 s and 66 s for the first and second KM schemes, respectively.
• Dissemination in the Q-channel, KM bits after the signature
  o Pros
    - Short time required to retrieve the level 1 public key: for the best channel scenario (low WER) it is equal to 36 s and 9 s for the first and second KM schemes, respectively.
    - No impact on the bandwidth of the underlying authentication scheme, since spare bits are used.
  o Cons
    - An additional signal component must be introduced.
• Dissemination in the I-channel, dedicated KM messages
  o Pros
    - No additional signal component must be introduced.
  o Cons
    - Long time required to retrieve the level 1 public key: for the best channel scenario (low WER) it is equal to 210 s and 60 s for the first and second KM schemes, respectively.
    - Impact on the bandwidth of the underlying authentication scheme.
• Dissemination in the Q-channel, dedicated KM messages
  o Pros
    - Short time required to retrieve the level 1 public key: for the best channel scenario (low WER) it is equal to 28 s and 8 s for the first and second KM schemes, respectively.
  o Cons
    - An additional signal component must be introduced.
    - Impact on the bandwidth of the underlying authentication scheme.

In conclusion, the paper investigates the performance achievable for each dissemination option, in terms of memory requirements, bandwidth impact, and time to retrieve the whole KM message.
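To make the time-to-retrieve formulation concrete (i.i.d. reception with probability 1-WER of a KM message partitioned into several blocks), here is an added Python model written for this page; it is not the paper's analytical formulation, and its block counts and WER values are constructed. It assumes that blocks are broadcast cyclically, one block per SBAS message slot of one second (the L1 SBAS message rate), and that when several visible satellites share the key they transmit the same block in the same slot, so a block is lost only if every copy is lost. The expected retrieval time is computed exactly from the tail sum E[T] = sum over t of P(T > t), without simulation.

```python
"""Time to retrieve a KM message partitioned into N blocks over a lossy SBAS link.

Added example (not the paper's formulation). Model assumptions:
  * one block per SBAS message slot of PERIOD_S seconds, blocks broadcast
    cyclically: block i occupies slots i, i+N, i+2N, ...
  * each SBAS message is received independently with probability 1-WER;
  * with n_sats satellites broadcasting the same block in the same slot, the
    block is lost only if all copies are lost (loss probability WER**n_sats).
"""
PERIOD_S = 1.0  # assumption: L1 SBAS rate of one 250-bit message per second


def block_appearances(block_index: int, n_blocks: int, n_slots: int) -> int:
    """How many times block `block_index` was broadcast in the first n_slots slots."""
    if n_slots - 1 < block_index:
        return 0
    return (n_slots - 1 - block_index) // n_blocks + 1


def prob_complete_within(n_blocks: int, wer: float, n_slots: int, n_sats: int = 1) -> float:
    """P(every block received at least once within the first n_slots slots)."""
    q = wer ** n_sats  # per-slot loss probability of a block
    p = 1.0
    for i in range(n_blocks):
        # block i was received iff not all of its appearances were lost
        p *= 1.0 - q ** block_appearances(i, n_blocks, n_slots)
    return p


def expected_retrieval_time(n_blocks: int, wer: float, n_sats: int = 1,
                            tol: float = 1e-12) -> float:
    """E[T] in seconds, from E[T] = sum_{t>=0} P(T > t), T counted in slots."""
    if not 0.0 <= wer < 1.0:
        raise ValueError("WER must be in [0, 1)")
    total, t = 0.0, 0
    while True:
        tail = 1.0 - prob_complete_within(n_blocks, wer, t, n_sats)
        total += tail
        t += 1
        if t >= n_blocks and tail < tol:
            break
    return total * PERIOD_S


def retrieval_time_at_confidence(n_blocks: int, wer: float, conf: float = 0.95,
                                 n_sats: int = 1) -> float:
    """Smallest time (s) by which the whole KM message is retrieved with probability >= conf."""
    if not 0.0 <= wer < 1.0:
        raise ValueError("WER must be in [0, 1)")
    t = 0
    while prob_complete_within(n_blocks, wer, t, n_sats) < conf:
        t += 1
    return t * PERIOD_S


def compare_schemes(wer_values=(0.0, 0.01, 0.1, 0.3), long_blocks=20,
                    short_blocks=4, n_sats=1):
    """Constructed comparison: a long signed KM message vs. a short K_enc-only message.
    Block counts are illustrative, not the paper's message sizes."""
    rows = []
    for wer in wer_values:
        rows.append({
            "wer": wer,
            "long_mean_s": expected_retrieval_time(long_blocks, wer, n_sats),
            "short_mean_s": expected_retrieval_time(short_blocks, wer, n_sats),
            "long_p95_s": retrieval_time_at_confidence(long_blocks, wer, 0.95, n_sats),
            "short_p95_s": retrieval_time_at_confidence(short_blocks, wer, 0.95, n_sats),
        })
    return rows


if __name__ == "__main__":
    for row in compare_schemes():
        print(row)
    # same link, two satellites sharing the key and the KM message
    print(expected_retrieval_time(20, 0.3), expected_retrieval_time(20, 0.3, n_sats=2))
```

Two things the model makes visible that the summary numbers do not: the retrieval time grows with the number of blocks faster than linearly once WER is non-negligible, because the receiver waits for the slowest of N independent retries, and a second satellite transmitting the same KM message squares the effective loss probability, which is why the multi-satellite scenario matters more at high WER than at low WER.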
An analytical formulation is used for the computation of the time to retrieve the whole KM message, modeling the reception of SBAS messages as an independent and identically distributed process with probability 1-WER. The performance is evaluated both for a single satellite scenario and for a scenario in which multiple visible satellites share the key and transmit the same KM message. The detailed results will be reported in the final paper.

REFERENCES

[1] G. Caparra, S. Ceccato, S. Sturaro and N. Laurenti, "A key management architecture for GNSS open service Navigation Message Authentication," 2017 European Navigation Conference (ENC), Lausanne, 2017, pp. 287-297.