SECURITY IN NAVIGATION SYSTEM GALILEO

Presented By : MAZLOUM Taghrid BADRA Imane Presented For: Dr BAKHACH Bacem

Navigation Message Authentication. i. Public Key Infrastructure . ii. Security protection afforded by NMA iii. Security Limitation iv. NMA schemes.............. i. NMA using EC-DSA Signature Scheme...... a. Security of the Scheme.......... b. An adversary can forge signatures??........................... 2. NMA using TESLA Protocol.......... a. TESLA. b. Advantages of MAC.......... c. Scheme Setup and Broadcast d. Scheme Setup.. e. Authentication and Integrity Verification Process f. Security of the scheme 3. Conclusion.. II. Public Spreading Code Authentication. i. Spoofing pubSCA III. Private Spreading Code Authentication... i. Update Kpsca IV. Navigation Message Encryption V. Spreading Code Encryption.
2

I.

Navigation Message Authentication

Navigation Message Authentication (NMA)

4

 A mechanism designed to overcome spoofing and to provide increased safety and service guarantees

 Based on a digital signature or a message authentication code (MAC) to authenticate the source and verify the integrity of the navigation data

Ks

Kv

Ks

Kv

 For each satellite, valid signing/validation key pairs (Ks,Kv)  Secret Ks  Public Kv
5

How to publish the validation key ???

6

on the Internet merged in a certificate signed by a trustworthy entity

packed in a certificate and transferred via the modulated data on the ranging signal itself

SigA(Ks)

CertA

CertOP

Message Type 61

Authentication And Integrity

7

Public Key Infrastructure

Public Key Infrastructure

9

 A framework for distribution of public keys in a trusted way

How it works ???

Asymmetric encryption technique with a PKI

10

verification of the public key certificate of the Galileo operator subordinate CA

11

The public key certificate for each satellite is issued by the Galileo operator CA, certifying the satellites public key.
12

A certified receiver vs. a simple receiver

13

 A simple receiver : Any guarantee of service Full accuracy  A certified receiver: Full service guarantee Authentication of messages Integrity

PKI Architecture

14

PKI Architecture

Periodic re-keying Revocation Issue of new operator CA certificates

15

X.509 binary certificates

Binary satellite certificate

Binary operator CA certificate

16

Security protection afforded by NMA

17

 Data-level anti-spoofing functionality, which provide origin

authentication and cryptographic integrity of the navigation message stream.

 Increasing the complexity of spoofing signals through simulation

Security Limitation
18

 The messages could theoretically be acquired by a receiver and modulated over a simulated signal in order to spoof the Galileo signal. Requirements: a. Functionality that is not commonly found in commercial signal simulators

b. The operation to be performed within a very small time window c. Significant cost in terms of engineering skills and equipment

Delayed authentication with NMA

19

No immediate authentication

NMA schemes

20

NMA schemes
21

1. NMA using EC-DSA Signature Scheme 2. NMA using TESLA Protocol

NMA using EC-DSA Signature Scheme

22

NMA using EC-DSA Signature Scheme

23

 Broadcast of digital signatures  EC-DSA was chosen due to the small key and digital signature sizes.
Symmetric Key Size (bits) RSA and DiffieHellman Key Size (bits) Elliptic Curve Key Size (bits)

80 112 128 192 256

1024 2048 3072 7680 15360

160 224 256 384 521

NMA using EC-DSA Signature Scheme

24

MSEQ

MSEQ

M11

M12 M30

M61

M11

M12

M31

M60

EC-DSA Block

SigA(MSEQ)

NMA using EC-DSA Signature Scheme

25

 The signature, SigA(MSEQ), and public key certificates of A and

the operator, are broadcast in type 60 and 61 messages.

 These messages are broadcast alternately in each message

sequence, such that in a given timeslot, both message types 60 and 61 are received.

 The receiver must only accept SigA(MSEQ) if it is able to verify

the public key of A and SigA (MSEQ) is successfully verified.

Security of the Scheme

26

 Requirements: Selection of key sizes Selection of elliptic curve domain parameters

 Curves considered safe by the National Institute for Standards and Technology (NIST)

An adversary can forge signatures??

27

Given enough messages and corresponding signatures

Possibility to deduce a pattern

Possibility to forge a signature of choice

Solutions
28

 The shortness of the validity of the operators public key certificate  Periodic generation of new keys for each satellite  Recertification of the satellites public keys by the operator CA

NMA using TESLA Protocol

29

TESLA
30

Timed Efficient Stream Loss-Tolerant Authentication

Uses symmetric key cryptography Asymmetric key cryptography via time Based on initial loose time synchronization A MAC for each packet Delayed-disclosure of keys

Advantages of MAC
31

 The reduction in computation and communications overhead  The scalability to a large number of receivers

Sender Setup and Broadcast

32

Break time in intervals(timeslots) of same duration(96s)

Setup a hash chain, such that there is a hash value Kn for every 96 seconds for 300 timeslots.

Sender Setup
33

A: a satellite PRN ID n B : a GPS receiver Step 1 : A computes K300 = F(s)

s is a random secret number chosen by A F(x): a SHA-1 secure hash function

Sender Setup
Step 2 : A computes K0 by hashing K300 300 times, such that K299=F(K300) K298=F(K299) . . . Kn = F(Kn+1) . . K0=F(K1) The values K299K0 are kept secret.
Kn F Kn+1 F Kn+2 Kn+3 F
34

Sender Setup
35

Use F' to derive the key to compute MAC Ki= F(Ki) F (x) : a secure key generation function

Key generation

Ki-1
F

Ki
F

Ki+1
F F

KN

Ki-1
interval i -1

Ki
interval i

Ki+1
interval i +1

KN
interval N

time

Key disclosure

Sender Broadcast
36

Step 3 : A

B: SigA(K0),K0,CertA

Receiver setup
37

 The receiver must only accept K0 if it is able to verify the public key of A and SigA(K0) is successfully verified.

Message Generator

38

Receiver Authentication

39

Msg type 61 Msg type 60

Timeslot i
40

Authentication and Integrity Verification Process

41

TIMESLOT i+2 Received Messages: {M11,M12,M30,M60,M11,M12,M33,M61} 1. Obtain Kn+1 from M60 2. Receiver calculates Kvn = F(Kn+1). If receiver does not have Kn, must verify chain back to K0 such that Kv0 = F(F(..(F(Kn+1))) 3. Kn+1 is authenticated if Kvn= Kn 4. No verification as key Kn+2 has not yet been released MAC(K n+2){M11,M12,M30,M11, M12,M33 } cannot be calculated.

Authentication and Integrity Verification Process

42

TIMESLOT i+3 Received Messages: {M11,M12,M35,M60,M11,M12,M32,M61} 1. Obtain Kn+2 from M60 2. Receiver calculates Kvn+1 = F(Kn+2) 3. Kn+2 is authenticated if Kvn+1= Kn+1

Authentication and Integrity Verification Process

43

TIMESLOT i+3 4. Receiver generates key K n+2 from Kn+2 using key generation algorithm F (x) such that K = F ( Kn+2) 5. Obtain MAC(K n+2) from M60 6. Receiver calculates MACv(K n+2){M11,M12,M30,M11,M12,M33 } 7.Integrity of messages in TIMESLOT i+2 is verified if MACv(K n+2) = MAC(K n+2)

TESLA Advantages
44

 Reduction of the message overhead

 Reduction of the computation on the GNSS receiver

Security of the scheme

45

MAC : a SHA-1 HMAC, a MAC based on a keyed hash function

 The EC-DSA public key algorithm can be used for distribution and certification of K0.

 A truncated version of the MAC is transmitted, in which the 78 MSBs of the SHA-1 HMAC computation are transmitted in authentication message type 60.

MAC truncation
46

Advantage

Disadvantage

Less information available to an attacker

Fewer bits for an attacker to predict

MAC truncation
47

It is recommended that a truncated value be at least half the number of bits of the MAC result , as this is the bound of the birthday attack, and it is a suitably high lower bound for the number of bits an attacker must predict.

MAC truncation
48

The truncated value used in the authentication message is 78 bits which is sufficient given that a new hash value is used to key the MAC of a given sequence of messages every timeslot (48/96 seconds). In addition, the validity of the MAC is only one timeslot due to the key being released in the subsequent timeslot, making it computationally infeasible to forge a MAC within this short period.

Conclusion
49

The more advantageous : TESLA protocol Efficiency Flexibility Security Time-to-alert

Signal Authentication through Spread Spectrum Security Code

50

Whats a SSSC???
51

 Synchronous cipher streams seeded by a digital signature from an NAM, interleaved with normal spreading sequences

Advantage & Disadvantage

52

Advantage The authentication in an open signal without the difficulties of key distribution

Disadvantage The proportionality of the spoofing detection to the antenna gain

Types
53

1) Public Spreading Code Authentication

2) Private Spreading Code Authentication

Public Spreading Code Authentication

54

Satellite Setup
55

 Besides the digital signature of the navigation data, SSSCs are inserted into the ranging code in fixed time windows.

 SSSCs are generated as an enlargement of the digital signature of the present navigation message in the form of pseudorandom bit sequences.

Receiver Reception
56

1) Store the SSSCs in a data storage device 2) After the reception of the complete navigation message and the complete digital signature , the SSSCs are generated using the received digital signature as initialization seed of the pseudorandom bit generator . 3) The correlation power of the replicated and the received SSSC provides a measure for the authenticity of the received signal.

Spoofing pubSCA
57

 The Not capability to read out the SSSCs, which are buried under the noise floor.  The Not capability to add or induce user-defined spreading codes in real time.

 A spoofer cannot feasibly send a cryptographically correct signal until the reception of the digital signature.

Spoofing pubSCA
58

 The induced time delay of the forged, but cryptographically correct signal is about as large as the transmission time for a complete navigation message including the digital signature.  Consequently, the receiver clock jump arising from this delay should be recognized even by receivers that have not been tracking GNSS signals for as long as two days.

Spoofing pubSCA
59

With the right equipment, the possibility of spoofing without creating a substantial and detectable time delay Ex. Using a directional antennas Using a beam-forming phased array antennas

Private Spreading Code Authentication

60

Sender Setup
61

 The digital signature of the last navigation message, encrypted with a symmetrical encryption system, is used as the seed for the spreading code sequence generation.

Digital signature SSSCs E

kpsca

Spreading code

Advantages
62

 The knowing of SSSCs by the receiver after the reception of a complete NM

 Immediate authenticity (in every time window)

Private Spreading Code Authentication

63

Under the assumption that the secret key kpsca is indeed confidential and secure, the previously described measures for breaking PubSCA would also have to be implemented to break private spreading code authentication.

Requirements
64

The availability of the key Kpsca to the receiver

The non availability of the key Kpsca to the outside world

How to fulfill the requirements???

65

 Encapsulating , in a tamper-resistant hardware, the key and the last received signature

 In the tamper-resistant hardware : The seed of the SC is recaptured using the encryption key The correlation of the replicated and the received SSSC takes place

 Emitting the output of the correlation process to the receiver to provide the indicator of signal authenticity

Update Kpsca
66

1) Assign to each receiver unit an additional symmetric key kidR, according to a unit number idR. 2) The key updates are distributed by a trusted entity, which sends to each receiver EkidR(Kpsca). 3) The receiver decrypts this information within the security module and gains the new key Kpsca= DkidR(EkidR(Kpsca)).

Navigation Message Encryption

67

Navigation Message Encryption

68

 A navigation data access control mechanism

 Restriction of access to parts or all of a navigation data stream modulated over a given signal

Navigation Message Encryption (NME)

69

 Encrypting, using symmetric systems, the data modulated on satellite ranging signals  Providing user authentication, if either the user community is trustworthy (that is, the secret key used for encryption/decryption of the navigation data is not relayed by the entities) or the use of the transmitted data demands the publishing of the data. In the latter case, an unauthorized person could not use the information, even if he is able to decrypt it, because the unauthorized use could then be detected. In this context, NME does not restrict users from the service itself, but from the benefit of the service.

Navigation Message Encryption (NME)

70

A further possibility for using NME as a method of user authentication is to encapsulate the symmetric encryption/decryption key in tamper-resistant hardware. The receiver inputs the encrypted data to the additional module, where the cipher text is decrypted. The plaintext message is returned to the receiver.

Spreading Code Encryption

71

Spreading Code Encryption

72

 Providing user and signal authentication

 Encrypting the spreading code by modulo 2 addition of a pseudorandom bit sequence

 The pseudorandom bit sequence is an application of stream ciphers.

A keyed symmetric block cipher such as DES or AES

Receiver

73

Spreading Code Encryption

74

 If the chip rate of the encryption stream is identical to that of the unencrypted spreading code, the modulo 2 addition results in true (pseudo-) random sequences.

 If the chip rate of the encryption stream is considerably slower than the chip rate of the spreading code, more or less long code sequences result that are known except for the sign.

<

Spreading Code Encryption

75

Protect the PRBG key

Tamper-resistant hardware

Necessity of re-keying

Spreading Code Encryption

76

 More complicated than navigation message encryption modules

and PrivSCA modules.

 With NME: Decryption only a few bits  With PrivSCA: Decryption and correlation only short code

sequences  For SCE: Need to embed and secure the whole digital signal processing unit.

Spreading Code Encryption

77

Key distribution : Similar means as PrivSCA and NME

Requirements to break SCE : As the discussion of PubSCA

THE END

78