Presentation is loading. Please wait.

Presentation is loading. Please wait.

GNSS Security Todd Humphreys | Aerospace Engineering The University of Texas at Austin GPS World Webinar | September 18, 2014.

Published byStacy Bissell Modified over 9 years ago

Similar presentations

Presentation on theme: "GNSS Security Todd Humphreys | Aerospace Engineering The University of Texas at Austin GPS World Webinar | September 18, 2014."— Presentation transcript:

1 GNSS Security Todd Humphreys | Aerospace Engineering The University of Texas at Austin GPS World Webinar | September 18, 2014

2 University of Texas Radionavigation Lab graduate students Jahshan Bhatti, Kyle Wesson, Ken Pesyna, Zak Kassas, Daniel Shepard, Andrew Kerns, and Nathan Green Acknowledgements

3 Interest: There were about 25 presentations on GNSS security, principally from two panel sessions and two regular sessions devoted to the topic—all well attended. Galileo Authentication: F. Diani (European GNSS Agency) reported on a trade study conducted for the EGA that revealed substantial interest in signal-side open-service Galileo authentication via NMA, especially for transport regulation and mobile payments. I. Fernandez-Hernandez (European Commission DG ENTR) presented the current Galileo blueprint for NMA-based signal-side authentication and revealed that they have already conducted initial SIS tests. Security Highlights from ION GNSS+ 2014 (1/2)

4 GPS Authentication: GPSD, Aerospace Corp., BAH, and University of Texas engaged in a feasibility study for NMA on GPS L2 and L5. No SIS testing yet. Antennas: Stanford, DLR, and Cornell introduced clever antenna-based signal authentication techniques. One Stanford/DLR technique switches polarization in a single element to detect spoofing from below. Others: L. Scott considered “social” approaches to interference deterrence. O. Pozzobon proposed a far- term spreading code authentication for Galileo. G. Gao: Distribute risk of authentication across unreliable peers. J. Curran agreed that NMA on Galileo open service is worthwhile and feasible. Security Highlights from ION GNSS+ 2014 (2/2)

5 GNSS Security Scenarios Full trust and physical security

6 GNSS Security Scenarios Public communication channel (with uncontrolled latency) 2

7 GNSS Security Scenarios Tamper-proof receiver 3a

8 GNSS Security Scenarios Tamper-proof receiver with an internal antenna array 3b

9 GNSS Security Scenarios Tamper-proof private key storage 4

10 GNSS Security Scenarios Untrusted receiver 5

11 A Rough View of the Secure GNSS Market mobile payment regulated transport

12 A Rough View of the Secure GNSS Market mobile payment regulated transport The largest market segments are the hardest to secure

13 Perspective: Don't expect cryptographic GNSS signal authentication to be anywhere near as secure as, say, message authentication across the Internet. It's not even close. The problem is that we're trying to secure not only data content but also signal arrival time. Replay: All crypto schemes remain vulnerable to replay attacks, no matter how long their keys or how short their security chips. Dependency: One still needs a good clock and a received power monitor to properly exploit crypto-enhanced GNSS signals; PPDs are a nuisance for security. Signal-side GNSS crypto authentication is a good start, but is not sufficient for secure GNSS (1/2)

14 Overlap: PPDs are also a nuisance for authentication. Proof of location: Where are you? Convince me.

15 Cryptographic Non-Cryptographic Stand-Alone Networked J/N Sensing (Scott, Ward, UC Boulder, Calgary) SSSC or NMA on WAAS (Scott, UT) Single-Antenna Spatial Correlation (Cornell, Calgary) Correlation Anomaly Defense (UT, TENCAP, Ledvina, Torino) Sensor Diversity Defense (DLR, Stanford, MITRE, DARPA, BAE, UT) NMA on L2C, L5, or L1C (UT, MITRE, Scott, GPSD) P(Y) Cross-Correlation (Stanford, Cornell) Multi-Element Antenna Defense (DLR, MITRE, Cornell, Stanford) Mobility Trace Analysis (UT) SSSC on L1C (Scott) GNSS Authentication Without Local Storage of Secret Keys

16 Cryptographic Non-Cryptographic Stand-Alone Networked J/N Sensing (Scott, Ward, UC Boulder, Calgary) SSSC or NMA on WAAS (Scott, UT) Single-Antenna Spatial Correlation (Cornell, Calgary) Correlation Anomaly Defense (UT, TENCAP, Ledvina, Torino) Sensor Diversity Defense (DLR, Stanford, MITRE, DARPA, BAE, UT) NMA on L2C, L5, or L1C (UT, MITRE, Scott, GPSD) P(Y) Cross-Correlation (Stanford, Cornell) Multi-Element Antenna Defense (DLR, MITRE, Cornell, Stanford) Mobility Trace Analysis (UT) SSSC on L1C (Scott) GNSS Authentication Without Local Storage of Secret Keys GNSS signal authentication is fundamentally a problem of statistical decision theory

17 Starting Point: An Informed Perspective on the Relative Strength of GNSS Security Cost of Successful Attack (Million-Dollar Years) Security Protocol One-Time Pad NIST-approved symmetric-key data encryption NIST-approved public-key data encryption Symmetric-key GNSS security Public-key GNSS security Non-cryptographic GNSS security

18 “[The received power defense] has low computational complexity and is an extremely powerful means to detect spoofing, making spoofing no more of a threat than the much less sophisticated radio frequency interference/jamming.” Received Power Defense Akos, D, “Who’s afraid of the spoofer? GPS/GNSS Spoofing Detection via Automatic Gain Control (AGC),” NAVIGATION, 2012.

19 The Received Power Defense: Two Weaknesses The received power defense is not sufficient for GNSS signal authentication because the variations in received power due to non-spoofing phenomena are not small compared to the increase in power due to spoofing -- PPDs and SRBs can cause false alarms. Solar Radio Bursts Personal Privacy Devices (Jammers)

20 The Pincer Defense Wesson, Humphreys, and Evans, “Receiver-Autonomous GPS Signal Authentication based on Joint Detection of Correlation Profile Distortion and Anomalous Received Power,” in preparation. Observation 1: Autocorrelation distortion a function of spoofer power advantage. Observation 2: A low-power attack (~ 0 dB advantage) can be effective. Strategy: Leave spoofer no place to hide by trapping it between a received power monitor and an autocorrelation distortion monitor.

21 The Pincer Defense received power decision regions symmetric distortion statistic empirical distributions spoofing jamming multipath

22 The Pincer Defense received power decision regions symmetric distortion statistic empirical distributions spoofing jamming multipath GNSS Security is fundamentally a problem of statistical decision theory

23 Code Origin Authentication Code Timing Authentication Cryptographic GNSS Signal Authentication (The Crypto Defense)

24 Inside the Spoofer: Security Code Chip Estimation Cryptographic PNT signal authentication should be viewed from Bayesian perspective: The attacker need not crack the code, only estimate it Security Code Estimation and Replay (SCER) Attack unpredictable security code

25 Generation of detection statistic is readily implementable as a specialized correlation SCER Attack Defense: Inside the Defender

26 SCER Attack Defense: Demonstration via Testbed The SCER attack defense is promising but has weaknesses: 1.Struggles during initial stage of attack 2.Fails in the face of a full signal replay attack

27 A looming challenge in PNT security will be providing proof of location or time to a skeptical second party. This problem scales differently than attacks against non- complicit PNT sensing: A single rogue actor with an inexpensive receiver network (“Dr. No”) could sell forged GNSS-based proofs of location and time to thousands of subscribers.

28 radionavlab.ae.utexas.edu

Download ppt "GNSS Security Todd Humphreys | Aerospace Engineering The University of Texas at Austin GPS World Webinar | September 18, 2014."

Similar presentations

Probabilistic Secure Time Transfer: Challenges and Opportunities for a Sub-Millisecond World Kyle D. Wesson, Prof. Todd E. Humphreys, Prof. Brian L. Evans.

Probabilistic Secure Time Transfer: Challenges and Opportunities for a Sub-Millisecond World Kyle D. Wesson, Prof. Todd E. Humphreys, Prof. Brian L. Evans.
 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.

 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.
Internet of Things Security Architecture

Internet of Things Security Architecture
Challenges of Practical Civil GNSS Security Todd Humphreys, UT Austin Civil Navigation and Timing Security Splinter Meeting |Portland, Oregon | September.

Challenges of Practical Civil GNSS Security Todd Humphreys, UT Austin Civil Navigation and Timing Security Splinter Meeting |Portland, Oregon | September.
Protecting Civil GPS Receivers

Protecting Civil GPS Receivers
GPS Spoofing & Implications for Telecom Kyle Wesson The University of Texas at Austin Sprint Synchronization Conference | September 18, 2013.

GPS Spoofing & Implications for Telecom Kyle Wesson The University of Texas at Austin Sprint Synchronization Conference | September 18, 2013.
ION GNSS 2011, September 23 rd, Portland, Oregon Improving Security of GNSS Receivers Felix Kneissl University FAF Munich.

ION GNSS 2011, September 23 rd, Portland, Oregon Improving Security of GNSS Receivers Felix Kneissl University FAF Munich.
Secure Navigation and Timing Todd Humphreys | Aerospace Engineering The University of Texas at Austin LAAFB GPS Directorate | December 5, 2012.

Secure Navigation and Timing Todd Humphreys | Aerospace Engineering The University of Texas at Austin LAAFB GPS Directorate | December 5, 2012.
Thursday, 3:55pm, room 24 This session will discuss techniques for enhancing the ability of receivers to detect, disregard, and operate through intentional.

Thursday, 3:55pm, room 24 This session will discuss techniques for enhancing the ability of receivers to detect, disregard, and operate through intentional.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
14/03/2005 CGSIC Meeting, Prague, Czech Republic Oscar Pozzobon Chris Wullems Prof. Kurt Kubik Security issues in next generation satellite systems.

14/03/2005 CGSIC Meeting, Prague, Czech Republic Oscar Pozzobon Chris Wullems Prof. Kurt Kubik Security issues in next generation satellite systems.
CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
Information Security of Embedded Systems 3.2.2010: Algorithms and Measures Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.

Information Security of Embedded Systems : Algorithms and Measures Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.
Distance-decreasing attack in GPS Final Presentation Horacio Arze Prof. Jean-Pierre Hubaux Assistant: Marcin Poturalski January 2009 Security and Cooperation.

Distance-decreasing attack in GPS Final Presentation Horacio Arze Prof. Jean-Pierre Hubaux Assistant: Marcin Poturalski January 2009 Security and Cooperation.
Cryptography1 CPSC 3730 Cryptography Chapter 7 Confidentiality Using Symmetric Encryption.

Cryptography1 CPSC 3730 Cryptography Chapter 7 Confidentiality Using Symmetric Encryption.
Wireless Sensor Network Security Anuj Nagar CS 590.

Wireless Sensor Network Security Anuj Nagar CS 590.
Xiaohua (Edward) Li1 and E. Paul Ratazzi2

Xiaohua (Edward) Li1 and E. Paul Ratazzi2

Similar presentations

Ads by Google