Galileo
I. Navigation Message Authentication
  i. Public Key Infrastructure
  ii. Security protection afforded by NMA
  iii. Security Limitation
  iv. NMA schemes
    1. NMA using EC-DSA Signature Scheme
      a. Security of the Scheme
      b. An adversary can forge signatures??
    2. NMA using TESLA Protocol
      a. TESLA
      b. Advantages of MAC
      c. Scheme Setup and Broadcast
      d. Scheme Setup
      e. Authentication and Integrity Verification Process
      f. Security of the scheme
    3. Conclusion
II. Public Spreading Code Authentication
  i. Spoofing pubSCA
III. Private Spreading Code Authentication
  i. Update Kpsca
IV. Navigation Message Encryption
V. Spreading Code Encryption
I. Navigation Message Authentication
A mechanism designed to overcome spoofing and to provide increased safety and service guarantees
Based on a digital signature or a message authentication code (MAC) to authenticate the source and verify the integrity of the navigation data
For each satellite, a valid signing/validation key pair (Ks, Kv):
  Secret Ks
  Public Kv
packed in a certificate and transferred via the modulated data on the ranging signal itself
[Figure labels: SigA(Ks), CertA, CertOP, Message Type 61]
The public key certificate for each satellite is issued by the Galileo operator CA, certifying the satellite's public key.
A simple receiver:
  Any guarantee of service
  Full accuracy
A certified receiver:
  Full service guarantee
  Authentication of messages
  Integrity
PKI Architecture
Security Limitation
The messages could theoretically be acquired by a receiver and modulated over a simulated signal in order to spoof the Galileo signal.
Requirements:
a. Functionality that is not commonly found in commercial signal simulators
b. The operation to be performed within a very small time window
c. Significant cost in terms of engineering skills and equipment
No immediate authentication
NMA schemes
Broadcast of digital signatures
EC-DSA was chosen due to the small key and digital signature sizes.
[Table columns: Symmetric Key Size (bits) | RSA and Diffie-Hellman Key Size (bits) | Elliptic Curve Key Size (bits)]
[Figure labels: MSEQ; M11, M12, M30, M61, M11, M12, M31, M60; EC-DSA Block; SigA(MSEQ)]
sequence, such that in a given timeslot, both message types 60 and 61 are received.
Curves considered safe by the National Institute for Standards and Technology (NIST)
Solutions
The shortness of the validity of the operator's public key certificate
Periodic generation of new keys for each satellite
Recertification of the satellites' public keys by the operator CA
TESLA
Uses symmetric key cryptography
Asymmetric key cryptography via time
Based on initial loose time synchronization
A MAC for each packet
Delayed-disclosure of keys
Advantages of MAC
The reduction in computation and communications overhead
The scalability to a large number of receivers
Sender Setup
Step 2: A computes K_0 by hashing K_300 300 times, such that
K_299 = F(K_300)
K_298 = F(K_299)
...
K_n = F(K_{n+1})
...
K_0 = F(K_1)
The values K_299 ... K_0 are kept secret.
[Figure: hash chain K_n <- F <- K_{n+1} <- F <- K_{n+2} <- F <- K_{n+3}]
Use F' to derive the key to compute the MAC: K'_i = F'(K_i)
F'(x): a secure key generation function
[Figure: Key generation and key disclosure. Chain K_{i-1} <- F <- K_i <- F <- K_{i+1} <- ... <- K_N, with keys K_{i-1}, K_i, K_{i+1}, ..., K_N aligned with intervals i-1, i, i+1, ..., N on the time axis.]
Sender Broadcast
Step 3: A -> B: SigA(K_0), K_0, CertA
Receiver setup
The receiver must only accept K0 if it is able to verify the public key of A and SigA(K0) is successfully verified.
Message Generator
Receiver Authentication
Timeslot i
TIMESLOT i+2
Received Messages: {M11, M12, M30, M60, M11, M12, M33, M61}
1. Obtain K_{n+1} from M60
2. Receiver calculates Kv_n = F(K_{n+1}). If the receiver does not have K_n, it must verify the chain back to K_0 such that Kv_0 = F(F(..(F(K_{n+1}))))
3. K_{n+1} is authenticated if Kv_n = K_n
4. No verification, as key K_{n+2} has not yet been released: MAC(K'_{n+2}){M11, M12, M30, M11, M12, M33} cannot be calculated.

TIMESLOT i+3
Received Messages: {M11, M12, M35, M60, M11, M12, M32, M61}
1. Obtain K_{n+2} from M60
2. Receiver calculates Kv_{n+1} = F(K_{n+2})
3. K_{n+2} is authenticated if Kv_{n+1} = K_{n+1}
4. Receiver generates key K'_{n+2} from K_{n+2} using key generation algorithm F'(x) such that K'_{n+2} = F'(K_{n+2})
5. Obtain MAC(K'_{n+2}) from M60
6. Receiver calculates MACv(K'_{n+2}){M11, M12, M30, M11, M12, M33}
7. Integrity of messages in TIMESLOT i+2 is verified if MACv(K'_{n+2}) = MAC(K'_{n+2})
TESLA Advantages
The EC-DSA public key algorithm can be used for distribution and certification of K0.
A truncated version of the MAC is transmitted, in which the 78 MSBs of the SHA-1 HMAC computation are transmitted in authentication message type 60.
MAC truncation
Advantage
Disadvantage
It is recommended that a truncated value be at least half the number of bits of the MAC result, as this is the bound of the birthday attack, and it is a suitably high lower bound for the number of bits an attacker must predict.
The truncated value used in the authentication message is 78 bits which is sufficient given that a new hash value is used to key the MAC of a given sequence of messages every timeslot (48/96 seconds). In addition, the validity of the MAC is only one timeslot due to the key being released in the subsequent timeslot, making it computationally infeasible to forge a MAC within this short period.
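The sender setup, the receiver's key and MAC checks, and the 78-bit truncation described above, put together as an added example (not code from the original slides or from the Galileo project). The concrete choices for F and F' (tagged SHA-1), the byte encoding of the messages, and the slot numbers taken from the receiver's own clock are assumptions; K_0 or an earlier key is assumed to be already trusted via SigA(K_0) and CertA.

```python
import hashlib
import hmac

CHAIN_LEN = 300  # from the page: K_0 is K_300 hashed 300 times
MAC_BITS = 78    # from the page: 78 MSBs of the SHA-1 HMAC are sent

def F(key):
    # One-way chain function F (assumed here: tagged SHA-1).
    return hashlib.sha1(b"chain" + key).digest()

def F_prime(key):
    # MAC-key derivation F' (assumed here: SHA-1 with a different tag).
    return hashlib.sha1(b"mac" + key).digest()

def make_chain(seed, n=CHAIN_LEN):
    # Returns [K_0 .. K_n] with K_n = seed and K_i = F(K_{i+1}).
    chain = [seed]
    for _ in range(n):
        chain.append(F(chain[-1]))
    return chain[::-1]

def truncated_mac(chain_key, messages):
    # HMAC-SHA1 under K'_i = F'(K_i), cut to its 78 most significant bits.
    tag = hmac.new(F_prime(chain_key), b"".join(messages), hashlib.sha1).digest()
    return (int.from_bytes(tag, "big") >> (160 - MAC_BITS)).to_bytes(10, "big")

def authenticate_key(disclosed, trusted, max_steps=CHAIN_LEN):
    # Hash the disclosed key back until it reaches an already trusted key.
    k = disclosed
    for _ in range(max_steps):
        k = F(k)
        if hmac.compare_digest(k, trusted):
            return True
    return False

def verify_timeslot(messages, mac, mac_slot, disclosed, key_slot, trusted):
    # The MAC must have been buffered before its key was disclosed.
    if mac_slot >= key_slot or not authenticate_key(disclosed, trusted):
        return False
    return hmac.compare_digest(truncated_mac(disclosed, messages), mac)

# Constructed demo values, not real Galileo keys or messages.
chain = make_chain(b"constructed seed for K_300")
msgs = [b"M11", b"M12", b"M30", b"M11", b"M12", b"M33"]
mac = truncated_mac(chain[7], msgs)  # broadcast while K_7 is still secret
print(verify_timeslot(msgs, mac, 2, chain[7], 3, chain[6]))  # key one slot later
```

A replayed, already disclosed key fails `authenticate_key` because hashing it only moves further back along the chain and never reaches the newer trusted key.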
Conclusion
What's an SSSC???
Synchronous cipher streams seeded by a digital signature from an NMA, interleaved with normal spreading sequences
Advantage: authentication in an open signal without the difficulties of key distribution
Types
Satellite Setup
Besides the digital signature of the navigation data, SSSCs are inserted into the ranging code in fixed time windows.
SSSCs are generated as an enlargement of the digital signature of the present navigation message in the form of pseudorandom bit sequences.
Receiver Reception
1) Store the SSSCs in a data storage device.
2) After the reception of the complete navigation message and the complete digital signature, the SSSCs are generated using the received digital signature as initialization seed of the pseudorandom bit generator.
3) The correlation power of the replicated and the received SSSC provides a measure for the authenticity of the received signal.
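The three receiver steps above as an added, receiver-side example (not code from the original slides). The window length, the use of SHAKE-256 as the pseudorandom bit generator, the noise level and the decision threshold are all assumptions chosen for illustration.

```python
import hashlib
import random

N_CHIPS = 4096  # assumed SSSC window length for this illustration

def sssc_from_signature(signature, n=N_CHIPS):
    # Expand the signature into n pseudorandom +/-1 chips.
    # Assumption: SHAKE-256 stands in for the pseudorandom bit generator.
    stream = hashlib.shake_256(signature).digest((n + 7) // 8)
    bits = ((stream[i // 8] >> (7 - (i % 8))) & 1 for i in range(n))
    return [1 if b else -1 for b in bits]

def correlation(stored, replica):
    # Normalised correlation of the stored samples with the replica.
    return sum(s * c for s, c in zip(stored, replica)) / len(replica)

def is_authentic(stored, signature, threshold=0.5):
    # Step 2: regenerate the SSSC from the verified signature.
    # Step 3: use the correlation power as the authenticity indicator.
    replica = sssc_from_signature(signature, len(stored))
    return correlation(stored, replica) > threshold

def simulate_reception(signature, noise_sigma=3.0, seed=1):
    # Constructed channel: chips buried under Gaussian noise (step 1 input).
    rng = random.Random(seed)
    return [c + rng.gauss(0.0, noise_sigma)
            for c in sssc_from_signature(signature)]

# Constructed signatures, not real navigation-message signatures.
genuine = b"constructed genuine signature"
stored = simulate_reception(genuine)                 # step 1: store samples
print(is_authentic(stored, genuine))                 # replica matches
print(is_authentic(stored, b"constructed other signature"))  # it does not
```

Individual samples are dominated by noise, yet averaging over the whole window separates a matching replica (correlation near 1) from a non-matching one (correlation near 0).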
Spoofing pubSCA
The inability to read out the SSSCs, which are buried under the noise floor.
The inability to add or induce user-defined spreading codes in real time.
A spoofer cannot feasibly send a cryptographically correct signal until the reception of the digital signature.
The induced time delay of the forged, but cryptographically correct signal is about as large as the transmission time for a complete navigation message including the digital signature. Consequently, the receiver clock jump arising from this delay should be recognized even by receivers that have not been tracking GNSS signals for as long as two days.
With the right equipment, there is the possibility of spoofing without creating a substantial and detectable time delay.
Ex.:
  Using directional antennas
  Using beam-forming phased array antennas
Sender Setup
The digital signature of the last navigation message, encrypted with a symmetrical encryption system, is used as the seed for the spreading code sequence generation.
[Figure labels: kpsca, Spreading code]
Advantages
Under the assumption that the secret key kpsca is indeed confidential and secure, the previously described measures for breaking PubSCA would also have to be implemented to break private spreading code authentication.
Requirements
Encapsulating, in tamper-resistant hardware, the key and the last received signature
In the tamper-resistant hardware:
  The seed of the SC is recaptured using the encryption key
  The correlation of the replicated and the received SSSC takes place
Emitting the output of the correlation process to the receiver to provide the indicator of signal authenticity
Update Kpsca
1) Assign to each receiver unit an additional symmetric key k_idR, according to a unit number idR.
2) The key updates are distributed by a trusted entity, which sends to each receiver E_{k_idR}(K_psca).
3) The receiver decrypts this information within the security module and gains the new key K_psca = D_{k_idR}(E_{k_idR}(K_psca)).
Restriction of access to parts or all of a navigation data stream modulated over a given signal
Encrypting, using symmetric systems, the data modulated on satellite ranging signals
Providing user authentication, if either the user community is trustworthy (that is, the secret key used for encryption/decryption of the navigation data is not relayed by the entities) or the use of the transmitted data demands the publishing of the data. In the latter case, an unauthorized person could not use the information, even if he is able to decrypt it, because the unauthorized use could then be detected.
In this context, NME does not restrict users from the service itself, but from the benefit of the service.
A further possibility for using NME as a method of user authentication is to encapsulate the symmetric encryption/decryption key in tamper-resistant hardware. The receiver inputs the encrypted data to the additional module, where the cipher text is decrypted. The plaintext message is returned to the receiver.
Receiver
If the chip rate of the encryption stream is identical to that of the unencrypted spreading code, the modulo 2 addition results in true (pseudo-) random sequences.
If the chip rate of the encryption stream is considerably slower than the chip rate of the spreading code, more or less long code sequences result that are known except for the sign.
Tamper-resistant hardware
Necessity of re-keying
sequences For SCE: Need to embed and secure the whole digital signal processing unit.
THE END