| Abstract: | Most discussion on GPS antispoofing has focused on how to keep a GPS receiver from buying into spoofing signals and reporting a false position and/or time. Less discussed is the question of how to prove a first party’s location to remotely located second parties. If a device reports that it is at such and such coordinates, how can you be assured that this is true? Such proofs are important in air traffic reporting & control, Industrial Control System/SCADA command authentication, anti-spear-phishing, and in numerous other security-sensitive applications where validating the origin of a command, report or e-mail is important. As an example, spear phishing is often part of the initial penetration attack used to introduce Advanced Persistent Threats (APT) into sensitive critical infrastructure. In other applications, users may be denied access to sensitive information such as design documents and business plans, military base maps, and intelligence feeds unless they are at an appropriate location. The entire communications chain must be considered in a vulnerability assessment. Man-in-the-middle attacks can overcome even highly sophisticated receiver antispoofing techniques, often using trivially simple approaches. As an example, mobile apps are currently available for a nominal cost to spoof a cell phone or tablet’s location either in an absolute position mode or a relative position offset mode. The approach used is simple—become the device’s position object and lie. After discussion of the use case, this paper explores how cryptographic GPS signal-in-space antispoofing methods can be used to create hard-to-forge and ephemeral cryptographic location signatures. Specifically, at the satellite, low duty cycle, time-hopped, spread spectrum security code bursts are substituted into the normal code sequence of the modernized signal data channel to create hidden watermark features that are used to establish the signal’s provenance. Because only the data channel is affected, pilot channel tracking and thus navigation performance is not impacted. With the described method, a compromised receiver has no easy way of generating valid watermarked signals as it does not possess real-time generating keys. Authenticating keys are published to the user segment with a nominal 5-minute delay and user equipments are not required to provide secure key storage, thus overcoming a major use case limitation of symmetric keyed systems. The only way a spoofer/forger can gain access to the security codes, a priori, is to listen for them off the air, a daunting task requiring multiple high-gain directional antennas. This paper examines specific requirements to do this and describes further anti-forging techniques based on secure time stamping techniques. The need for cryptographic signal authentication in antispoofing will also be noted in the context of civil equipments. Finally, this paper explores how civil signal authentication can be structured to generate significant revenue by charging for keys needed to authenticate signals. The proposed key distribution method would employ commercial distribution channels such as iTunes, Google Play and Amazon. Users not wanting to authenticate signals would not be required to do so and can continue to operate as they currently do. |
| Published in: |
Proceedings of the 26th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS+ 2013), September 16 - 20, 2013, Nashville Convention Center, Nashville, Tennessee |
| Pages: | 2880 - 2892 |
| Cite this article: | Scott, L., "Proving Location Using GPS Location Signatures: Why it is Needed and A Way to Do It," Proceedings of the 26th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS+ 2013), Nashville, TN, September 2013, pp. 2880-2892. |