Anti-Spoofing & Authenticated Signal Architectures for Civil Navigation Systems

While jamming has been covered extensively in the technical literature, spoofing, a potentially much more damaging type of interference has received scant coverage. The much greater complexity associated with constructing such an attack has led many analysts to believe such an attack is unlikely. This situation is rapidly evolving as advances in computing power are altering the threat landscape to the point where soon, such an attack may be carried out by script kiddies' using software downloaded from the Internet. Such software, when combined with a relatively simple front-end design, can be used to launch highly effective attacks against civil components of satellite based navigation systems such as GPS & Galileo. Early on, military planners recognized the spoofing threat and sought to obtain protection against such attacks through the use of encrypted spreading codes. The technique is effective but current (L1 C/A) and planned (L2C & L5) GPS civil signal architectures offer no such protections. There are no explicit authentication mechanisms contained within the signal structure and instead, the civil community is left to rely on various consistency checks; for example Receiver Autonomous Integrity Monitoring (RAIM). While quite good at detecting a failed satellite, these techniques may fall short in detecting a spoofer. In this paper, we first examine the nature of spoofing vs. jamming and discuss how a spoofer might be constructed, at a very abstracted level. We also discuss who might carry out such an attack and conclude that terrorists are not the only ones; criminal enterprises stand to gain as well. Then, we discuss some of the antispoofing mechanisms available to the civil user segment within the context of current civil signal architectures. Both signals based and navigation based spoofing detection approaches are described. Although quite powerful, these techniques can fall short for a variety of reasons; either they are not implemented at all, the associated hardware requirements are too costly, or else a clever spoofer can get by them. We then go on to describe modified GPS signal structures incorporating explicit authentication features that maintain backwards compatibility with current signals. At its most basic level, these modifications force the spoofer to rely on live, over the air satellite signals to generate spoofing signals that will pass authentication tests. The attendant self-jamming issues make spoofing more difficult as it requires transmitting and receiving simultaneously on the victim signal's frequency. Introducing Public Key Infrastructure (PKI) authentication elements into the low rate (25 bps or 50 bps) data streams, we describe a mechanism whereby users can verify whether the data actually originated from a satellite. Extending the concept, we show how spread spectrum authentication components can be introduced into the WAAS L1 C/A, L5I & L2CM signals while maintaining backwards compatibility. These authenticating components, buried below thermal noise, are highly resistant to playback attacks and force the adversary to employ multiple, high gain receive antennas with upwards of 20-dBiC gain if he is to be successful. This is not easy. Finally, we describe how, with an extension to these signal modifications, an independent, civil version of SAASM might be supported to provide spoofing detection capabilities on order with those obtained by military users.