Authenticating Aviation Augmentation System Broadcasts

Transcription

1 Autheticatig Aviatio Augmetatio System Broadcasts Sherma C. Lo, Staford Uiversity Per K. Ege, Staford Uiversity BIOGRAPHY Sherma C. Lo is curretly a seior research egieer at the Staford Uiversity Global Positioig System (GPS) Laboratory. He is the Associate Ivestigator for the Staford Uiversity efforts o the Departmet of Trasportatios techical evaluatio of alterate avigatio. Per Ege is a professor i the Departmet of Aeroautics ad Astroautics at Staford Uiversity. He is the director of the Staford GPS Laboratory ad the Ceter for Positio, Navigatio ad Time. INTRODUCTION A importat fuctio of augmetatio systems for Global Navigatio Satellite Systems (GNSS) is providig iformatio eed to guaratee the itegrity of GNSS derived positio, avigatio ad time (PNT) outputs. This missio is the primary purpose of spaced based ad groud based augmetatio system - SBAS ad GBAS, respectively. These systems are desiged to serve aviatio avigatio ad ladig by providig iformatio eeded to assure safe use of GNSS. Thus, iformatio itegrity is fudametal to these augmetatio systems. Oe compoet of iformatio itegrity is the ability to autheticate the source of the data. While this assurace is curretly ot built ito these systems, it may be possible to overlay autheticatio capability. Traditioal data autheticatio techiques ca be used to provide source assurace. However, augmetatio systems have requiremets that differ from the chaels for which these techiques were desiged. I particular, the data is more time sesitive ad the badwidth is much more limited. Additioally, user ad system equipmet are desiged for decades of service with little to o upgrades. As a result, aviatio seeks data autheticatio that is 1) fast, 2) robust to message loss, 3) ot resource itesive 4) self cotaied ad 5) robust to future attacks. Traditioal data autheticatio techiques must be adapted to achieve these targets with limited badwidth ad limited two way commuicatios. Meetig these desired qualities may be difficult give desig costraits imposed by low badwidth, avioics, ad airspace ifrastructure. However, the characteristics of augmetatio systems ad its operatios may also aid the desig. These attributes limit the types of attacks that are feasible agaist the system as well as provide meas to cross check iformatio. The paper starts by examiig the reasos for ad desirable features of autheticatio o aviatio augmetatio systems. Next, it cosiders basic cryptography ad traditioal data autheticatio techiques suitable for the aviatio broadcast eviromet. Protocols based o asymmetric ad symmetric key are discussed. Additioally, key stregth ad related issues are looked at. It the examies the importat cosideratio of key distributio as this may be a major hurdle to adoptio. This paper presets a key distributio protocol that utilizes the operatio of the aircraft ad air traffic to aid i key verificatio. The last sectio of the paper presets some case study desigs for SBAS ad GBAS. These desigs are ot meat to be proposal but rather to give some idea about feasibility ad data requiremet. MOTIVATION & GOALS Commuicatio avigatio ad surveillace (CNS) i civil aviatio is movig towards predomiatly digital data cetric architectures. Aviatio augmetatio systems such as SBAS ad GBAS are tasked with providig avigatio itegrity. It follows that data itegrity, perhaps i the form of autheticatio, is a useful ad logical developmet for these systems. I fact, data or source autheticatio was proposed whe the SBAS cocept was beig developed. Data autheticatio of augmetatio systems is a useful first case study for developig ad implemetig ehaced iformatio security for the atioal airspace (NAS). Assessig ad developig security for these

2 systems ca provide useful isights, uderstadig ad familiarity. At the same time, it is a closed system with a limited scope i terms of problems ad possible attacks. With augmetatio systems, the goal is solely data autheticatio rather tha more complicated tasks such as locatio autheticatio. Security i other systems may rely o multiple systems or systems beyod the cotrol of aviatio. Additioally, the characteristics ad operatios of augmetatio system limit the scope of possible attacks. The purpose of this paper is to re-examie these areas ad determie how to ameliorate these objectios. SBAS does esure data accuracy agaist errors (ot spoofig) through parity check ad error correctio. Additioally, SBAS has a redudacy of sources with a goal of coverage by at least two geostatioary satellites over its service volume. AUTHENTICATION ON AUGMENTATION SYSTEMS Providig data autheticatio for augmetatio system is a timely cocept. A form of autheticatio is beig cosidered i the GBAS VHF data broadcast (VDB) proposal for Category II/III approach ad ladig [1]. The idea, show i Figure 1 uses huma i the loop verificatio to esure that the VDB data time slot used for receivig GBAS iformatio correspods with that listed o the approach plate. The VDB uses oe of eight available time slots i a frame as see i Figure 2, leavig the rest potetially uused. A spoofer could broadcast o a uused slot. As broadcast iforms the avioics which slot to receive, a receivig a spoofed broadcast will cause the avioics lock o to a icorrect slot ad cotiue usig its trasmissios. The proposal thus prevets this deliberate deceptio of the GBAS avioics. While the proposal addresses a specific data spoofig vulerability, it does ot prevet other meas of data spoofig such as overpowerig or disablig ad replacig the legitimate VDB broadcast. Cryptographic data autheticatio provides a more geeral method that ca prevet this form of attack. Figure 2. LAAS Frame ad Data Structure [2] DESIRABLE QUALITIES We start by developig a uderstadig of features that are desirable for autheticatio o aviatio augmetatio systems. These features are drive by the characteristics of the systems. First, data o these systems is very time critical ad eeds to be used o the order of secods. Furthermore, the data chael is geerally very badwidth costraied. Secod, equipmet is also limited. User avioics is ot etworked ad, oce istalled, is expected to operate for may years with few major chages. Additioally, icreased complexity ca greatly icrease certificatio costs. Service provider equipmet is also very slow to chage. Give the life cycle of aviatio systems ad equipmet, ay system chages typically eeds to be backwards compatible. Aviatio augmetatio systems thus seeks data autheticatio that is 1) fast, 2) message loss tolerat, 3) ot resource itesive 4) self cotaied ad 5) robust to attacks 20 or more years i the future. Traditioal data autheticatio techiques must be adapted to perform to these specificatios uder limited badwidth coditios. Figure 1. Proposed Autheticatio for CAT II/III GBAS [1] Source or data autheticatio o SBAS was studied as the system was beig coceptualized. Oe objectio is it takes a sigificat amout of data that it would require. Aother is the ifrastructure eeds for autheticatio. DATA AUTHENTICATION TECHNIQUES This paper examies basic, traditioal cryptographic techiques for data autheticatio. Detailed descriptios are foud i security books such as [3][4]. More recetly developed techiques may also prove useful ad ehace performace. However, this is beyod the scope of the paper.

3 BASIC CRYPTOGRAPHIC KEY DESIGNS Cryptographic autheticatio ca be achieved usig either public (asymmetric) or symmetric key. I public key cryptography, a public ad private key pair is used. The private key is kept by the seder ad ca be used to digitally sig a message hash for the purpose of autheticatio. The public key is freely available ad ca be used to verify the sigature ad derive the hash. Oly a holder of the private key ca produce a valid sigature. The hash the verifies that the message has ot bee tampered with. Hece public key ca verify the message ad its seder. With symmetric key, the same key is used by both the seder ad the receiver. With specific protocol desigs such as timed efficiet stream losstolerat autheticatio (TESLA), properties similar to asymmetric autheticatio ca be achieved though with additioal requiremets. The advatage i usig symmetric keys is that they are much more data efficiet (at least 2 times but ca be much more) ad computatioally faster (100 or more times) tha asymmetric protocols. These beefits are particularly relevat for aviatio. Aviatio typically has low badwidth chaels (100s of bps) while its data is highly time sesitive. A compariso of the required key sizes for differet security levels for symmetric ad some forms of asymmetric keys is give i Table 1. Symmetric Key size (bits) Asymmetric (RSA & Diffie Hellma) Key Size (bits) Asymmetic (Elliptic Curve) Key Size (bits) Table 1. NIST Recommeded Key Sizes (Each row has roughly the same security level) [5] hash usig the public key. As oly the holder of the private key ca geerate the hash, the message cotet caot be repudiated. Use of public key ecryptio typically requires a trusted third party or certificate authority (CA) to provide a certificate attestig to the autheticity of the public key. Typically, this certificate cotais iformatio to determie autheticity icludig the key origiator ad the sigature of the authority. As a result, it ca require tes or hudreds of bytes of data. Additioally, there should be a meas of revokig a key that has expired or bee compromised. The CA ofte plays a major part i key revocatio. Figure 3. Autheticatio usig Public Key Cryptography TRADITIONAL DATA AUTHENTICATION Digital sigatures ad digitally siged hash are public key based methods for verifyig for data autheticatio. A geeralized cocept is show i Figure 3. The basic idea is for the seder to use a cryptographic hash fuctio to take covert the message bits ito a fixed legth value. The hash fuctio should have certai properties such as ease of calculatio, oe-wayess, ad beig collisio resistat. Oe-wayess meas that the hash ca be calculated from the message but ot vice versa. Collisio resistat meas two messages are very ulikely to result i the same hash. The seder uses their private key to sig or ecrypt the hash. The receiver uses the public key to recover the hash ad compares it to the hash geerated usig the received message. If the two hashes match, the the message itegrity ad source is verified. This is because oly the holder of the private key ca geerate a siged hash that is decodable ito the message Figure 4. Autheticatio usig Symmetric Key Cryptography A stadard for public key autheticatio is digital sigature algorithm (DSA) ad its extesio kow as elliptic curve DSA (ECDSA). ECDSA improves upo DSA performace by usig elliptic curve cryptography (ECC). ECDSA reduces the data requiremet ad improves computatioal efficiecy for a give security level. The improvemet ca be see i Table 1. Oe cocer with the adoptio of elliptic curve based cryptography is patet issues. However, the use of ECC for applicatios such as safety ad security of the NAS,

4 may be covered by the Natioal Security Agecy itellectual property licese. The traditioal meas of autheticatio usig symmetric ecryptio is with message autheticatio code (MAC) or keyed hash fuctio. The MAC is a set of data derived from a message for the purpose of autheticatig that message. Figure 4 shows the basic idea where the source trasmits the message with a MAC geerated usig a MAC algorithm, the message ad a symmetric key. The MAC algorithm may be hash based or otherwise. The recipiet verifies the message by performig the same algorithm with the same key o the received message. The recipiet the compares the resultat MAC with the received oe. Agai, this provides simultaeous verificatio of the data itegrity ad source autheticity to holders to the symmetric key at the time of trasmissio. However, this techique suffers from usig the same key for seder ad recipiet (ad thus potetial spoofers). So, ulike a public key, the symmetric key must remai secret. This is ot very suitable i a broadcast eviromet whe ay oe ca have access to the key. TESLA So to use symmetric ecryptio for autheticatig augmetatio systems, oe must create asymmetry so that spoofers caot geerate messages that may be accepted as valid. TESLA developed for packetized data [6], is oe protocol that has bee suggested by umerous parties for avigatio autheticatio [7][8][9]. Figure 5 illustrates the cocept of TESLA. Basically, it works o the priciple of delayed release of the autheticatio key. TESLA is set up by havig the seder geerate a secret key K N ad creatig a chai of keys from it usig oe way hashes (F) as follows, where K N- is a itermediate TESLA key: K F K N N with F () is the operatio of the fuctio F, cosecutive times. The last key i the chai is K o which we will term the base TESLA key. This key is distributed via a trusted ad preferably secure meas to the user some time prior to usig autheticatio. The autheticity of K o eeds to be assured, perhaps with by a CA. Oe ca thik of trasmissios are beig segmeted i multiple itervals. I each iterval, the message or messages, M, a message autheticatio code (MAC), MAC, ad a key i K (valid for a prior iterval) are trasmitted. I TESLA, the MAC is geerated from the message(s) ad a secret key. Oe meas is to use a keyed hash MAC (HMAC) where a key ad a hash fuctio are used to geerate the MAC. I the figure, the MAC geeratio key for iterval is deoted by K. The MAC geeratio key K is geerated from a oe way hash (F, a differet hash fuctio tha F) of the curret itermediate TESLA key K. Note that prior to broadcast of K, the both K ad K are oly kow to the seder. Thus, oly the seder ca geerate the MAC. K is later broadcast at time t i a later iterval +i. I the figure, i =1. Verificatio comes i two steps. After receivig K, the receiver ca derive the MAC geeratio key, K F K, ad verify that the MAC was geerated from the message ad the derived MAC geeratio key. Assume that the user is loosely sychroized with maximum error, e ad kows the key trasmissio schedule. The messages ad MACs (based o key K ) received prior time t-e (as measured by the user) ca oly be geerated by the authetic seder. Ay message with MAC based o K received afterwards is cosidered suspect. The seder will have already started usig the ext keys i the chai K +j, j > 0 ad eablig the verificatio cotiues uiterrupted Figure 5. TESLA with key released delayed by 1 iterval The step above provides verificatio that the message was ualtered ad derived from the holder of K. The ext step is to validate that the key is from the legitimate source. I TESLA, the validatio is doe usig the base TESLA key from our legitimate source, K o. It ca be verified that both K o ad K are derived from K N provide the followig are the same: 0 F K K Sice we kow K o is from the trusted source, it follows that K is from the legitimate source. K o thus is used to tie our the key used for geeratig the MACs to the trusted source. Give it creatio, it caot be used to geerate those keys but ca be used to verify them. As log as the proveace of K o is good, the whole chai ca be verified. The secure distributio requiremet is more reasoable

5 because, ulike the previous keys, base TESLA key does ot eed to be updated as frequetly. However, the stadard implemetatio of TESLA may ot be for a low badwidth chael such as SBAS. First, we eed to solve the key distributio issue for the base key. Secod, we eed to be badwidth efficiet. KEY DISTRIBUTION Cryptography based data autheticatio will require key distributio. For siged hash, the public key eeds to be provided ad its source guarateed. This typically requires some sort of certificatio or public key ifrastructure (PKI). For the avioics, the key may be loaded ad validated prior to istallatio via a etwork coectio or preloaded whe built. This is ecessary as the receiver may ever be etworked oce it has bee istalled i a aircraft. However, this does ot accommodate key revocatio or the eed to chage public/private keys. For TESLA, a ew base TESLA key eeds to be provided o a regular basis as a result ad its proveace too eeds to be assured. Key maagemet issues such distributio ad revocatio will be discussed a later sectio. MODIFYING TESLA KEY USE Icorporatig TESLA ito a costraied data chael such as SBAS may ecessitate modifyig the algorithm to reduce its badwidth requiremets. We propose modifyig the TESLA algorithm whereby hashed keys are set less frequetly the MAC. That is, we hash multiple messages with the same key, extedig the use of the key. This is usually ot recommeded as icreases vulerability. However, give the short amout of time ad limited umber of messages that the key will be used, the choice seems acceptable. The SBAS case study will illustrate a implemetatio of this cocept. REASONABLE THREATS & ATTACKS I addressig data security for aviatio augmetatio system, it is importat to uderstad what the vulerabilities are ad which we are addressig. I this paper, the primary threat of cocer is o-air spoofig from remote spoofers. Other threats ca ad should be maaged by other meas. Data security issues related to the upload ad broadcast of message withi the augmetatio system are matters of physical security ad beyod our scope. Similarly, security agaist oboard local spoofig ad ijectio spoofig/simulatio should also be solved through physical security. The former, termed a limpet spoofer by Scott, is a device is placed aboard the vehicle of iterest to broadcast sigals that oly affect that vehicle. The later is the itroductio of a ijected sigal ito the RF iput of a receiver, thus bypassig the atea. The cryptographic stregth of the autheticatio depeds o the type of attack that ca be made o it. Data autheticatio systems i cryptography have to be robust agaist a variety of differet attacks. A basic attack is the brute force attack whereby the attacker tries to determie the autheticatio key by tryig all possibilities. More sophisticated attacks are possible. I uderstadig the autheticatio stregth eeded, we eed to be able to determie both the attacks that ca be made ad how log it would take a attacker to defeat the autheticatio such that they ca geerate messages that will be accepted by the user. Start by examiig the possible attacks. This is where the simplicity of the augmetatio system works i our favor. First, these are broadcast systems whose iputs are ot iflueced by forces outside the system (besides GNSS measuremets). This meas a attacker, uless there is a isider, caot perform a chose message attack where they get to ask the system to sed some umber of selected messages to be autheticated. Secod, the collisio attacks where the attacker oly has to fid differet messages with the same hash are ot useful. This is because the attacker does ot have the key used to geerate the hash ad thus caot create their ow messages. Istead, they must liste to the broadcast for messages. For a 80 bit hash, oe eeds to get 2 40 messages (due to the birthday problem [4]) to expect fid a repeated hash. This is reasoably trivial if the attacker ca geerate the message but if the attacker has to liste to SBAS or GBAS, assumig oe message hash a secod, they would have to liste for years. Aother factor i our favor is that ot all possible messages are valid or useful for spoofig. A limited umber of messages are valid because the iteral data eed to be cosistet with possible message types, cyclic redudacy code (CRC), etc. Time to break depeds o the algorithm used ad several other factors. As a illustrative example, we examie HMAC as they are employed for TESLA. I HMAC, a key (K), the desired message (M) ad a cryptographic hash fuctio (F) are used to geerate the MAC [10]. MAC F M, K The stregth of the MAC depeds o both the hash fuctio ad the key size. Commo MAC fuctios used ad their output hash legths are see i Table 2. Some of these hash fuctios have kow vulerabilities which weake them to certai attacks. However, these vulerabilities are ot ecessarily applicable whe usig them for HMAC. Bellare, et. al. states that key used

6 should be at about the legth of the hash output with loger keys ot beig sigificatly more secure ad shorter keys beig less secure [10]. Additioally, the full output may ot be ecessary though it is suggested that oe should ot use less tha half of the output bits. The attacker will fid it useful to attack oe of two mechaisms. First, it ca try to determie K before it is revealed so that fraudulet messages ca be made. To do this, it kows the previous K -i, (i <= ), the hash fuctios F, F, ad messages with MAC geerated from K F K. Beig able to determie K allows the spoofer to trasmit false messages util the true K is revealed. As it is expected that a ew K is used every 20 to 60 secods, this oly provides a short widow of time to break the key ad spoof. The secod, more valuable attack is to try to determie K N give same kowledge above. As K N is used to geerate the etire chai of keys, it is more valuable ad has a loger utility (N times that of each key i the sequece). Hece, the key legth is drive by the security requiremets ad life time of K N. Hash Fuctio Output Legth (bits) MD4 128 MD5 128 SHA1 160 SHA2 (SHA-256/224) 256/224 Table 2. Commo cryptographic hash fuctios ad bits required Give a attack, we ca estimate how log it will take a attacker with to discover the key. The results are see i Table 3 assumig brute force attack. The time to break values ad equipmet assumptios are based o [3]. [3] gives the time to break for $1 M ad $1 B of hardware (i 1995). Assumig the Moore s Law rule of thumb whereby trasistors o a average itegrated circuit (the iverse of computatio cost) doubles every 18 moths, this is roughly equivalet to $1000 ad $1 M of 2010 hardware, respectively. Symmetric key legth Time to break ($1 Time to break ($1 (bits) K i 2010) M i 2010) years 7 years years years 160 4x10 27 years 4x10 24 years 192 2x years 2x10 34 years 256 3x10 56 years 3x10 53 years Table 3. Hash Effective Stregth i bits ad time to break for Brute Force Attacks usig o $1 K ad $1 M Hardware i 2010 [3] Give the log life cycle of avioics ad aviatio systems, uderstadig how time to break will be affected i the future is a critical elemet. I desigig the autheticatio scheme, we must choose oe that has adequate stregth towards the ed of life which may be years i the future. Oe ca estimate the effect of gradual icreases i computatioal capability. Agai, we ca use Moore s Law to approximate the effect. Table 4 shows the result for a doublig every 18 moths. Without other vulerabilities, somewhere betwee 80 to 128 bits is adequate. However, vulerabilities which ca sigificatly reduce the stregth of the hash algorithms have bee foud. Though some of these vulerabilities may ot be applicable to HMAC, oe should be midful of the possibility of future discoveries ad pla accordigly. Hece, havig the equivalet of a symmetric key of at least 160 bits seems prudet. Years from 80 bit 128 bit 160 bit years years 4x10 24 years days 4x10 12 years 1.6x10 22 years 24 1 hour 1.6x10 10 years 6.3x10 19 years secods 6.3x10 7 years 2.5x10 17 years Table 4. Table of symmetric key stregth vs. time to break with $1 M equipmet & Moore s Law KEY DISTRIBUTION Key distributio is a sigificat issue for augmetatio systems because of several costraits. Oe costrait is the limited badwidth. Public keys require more badwidth to distribute. While shorter keys may be used, these eed to be updated more frequetly as they ca be cracked i less time. Badwidth costraits affect symmetric key based algorithms such as TESLA as well. I TESLA, the time to autheticate depeds o the time betwee the broadcast a message ad the curret TESLA key (i.e., K ) eeded to validate the MAC of the message. The more frequet broadcast of the itermediate TESLA key requires more badwidth. The badwidth thus costrais our ability to distribute key of the desired stregth i a acceptable time frame. Aother costrait is that there is o aircraft to groud etwork that allows for verificatio the distributed key. This costrais the ability of the aircraft to securely verify received keys with a trusted certificate authority. We offer a couple of key update strategies address these limitatios that leverage some of the characteristics of aviatio Oe way is to use FAA chart update schedule (56 days) ad distribute keys alog with these publicatios. For commercial aviatio, this may be reasoable as these electroic updates of charts are routie. It overcomes badwidth issues ad some trust issues sice you have to trust the source of your aviatio charts. However, it is vulerable to social egieerig ad isider attacks. Aother drawback is that there is o high itegrity mechaism to directly iput such iformatio to the avigatio system.

7 Aother idea is to use the otio that most flights traverse a large geographic distace which will be discussed i greater detail ext. This cocept to coduct key distributio ad revocatio builds trust by gettig the same key from multiple geographic locatios. GEOGRAPHY AIDED KEY DISTRIBUTION & VALIDATION Aircraft operatios ca be used to aid i robust key distributio. Aircraft, by ature of their operatios, traverse over large distaces. As such it ca gather keys from geographically distributed sources ad these keys from these various sources ca be used to verify autheticity. The cross check ca just verifyig that all keys received are the same. For example, the aircraft gathers ad stores a key from its iitial airport ad perhaps ay receivable source e route. As it approaches its destiatio airport or ay locatio where it may eed to autheticated, it gathers the key at that locatio. It the checks the curretly received key agaist its stored keys. If the key is the same, the it is likely to be valid ad ca be used. Figure 6 sketches how the techique operates. This method ca be applied to both GBAS ad SBAS. It helps build trust i the received key ad it ca also be used to distribute ew keys (thus revokig older oes). However, it does ot solve the badwidth issue. Figure 6. Aidig Key Distributio ad Validatio with Geographically Distributed Sources. The proposed method has a couple of beefits. First, a spoofig ay give user, requires spoofig the multiple geographically distributed locatios that the user will gather keys from. This icreases the cost ad difficulty for the spoofer. A additioal challege for the spoofer is the fact that there will likely be other aircraft that have the true key sice they come from locatios that were ot spoofed. These aircraft will be able to detect the presece of the spoofed key. This verificatio is applicable eve if the spoofig target is at its iitial airport. As a result, a spoofig must cover the etire coverage area of the augmetatio system to have udetected spoofig. For a SBAS system, such a techique makes sese as oly a geostatioary satellite ca match its geographic rage. However, as SBAS is used for almost all phases of aircraft operatio, the method may ot provide adequate cofidece to keys for taxig ad take off operatios. This is because the aircraft will oly have received keys i oe regio. This depeds o the level of autheticatio security desired for such these operatios as there are other factors (such as other aircraft which do have keys from multiple regios which ca war of local spoofig). For GBAS, the stregth or cofidece that we ca have icreases as more airports adopt GBAS ad the protocol. The more geographically separated locatios that the key ca be received, the more difficult it will be to spoof. However, there are two cocers. The first is a problem with iitial implemetatio whe there are oly a few istalled GBAS. Cross verificatio is ot very effective if there are a few geographically distributed sources. The secod is how to securely sed the same keys to all GBAS statios which will be addressed ext. KEY DISTRIBUTION WITHIN AUGMENTATION SYSTEM Aother facet is distributig the proper keys to augmetatio system segmet resposible for broadcast. If the broadcast is distributed ad ot etworked as may be the case with GBAS, oe way would be to store the key ad the mechaism to geerate future keys withi each groud statio. Each GBAS statio eeds kows the curret key as well as how to geerate future keys ad whe they are to be applied for the lifetime of the istalled statio. Physical security such as havig a tamper proof compoet or secure facility would be eeded to prevet theft of the key. Key chages ad revocatio may be achieved with maual updates. For SBAS, the keys ca resided withi the master statio as it is already resposible for geeratig ad queuig messages. CASE STUDIES I the case studies, we examie how oe may feasibly overlay a autheticatio capability o each augmetatio system. As metioed previously, key cosideratios to the desig are badwidth use, time to autheticate, key distributio/revocatio ad key legth. The first two are related. Sice the overhead eeded to support autheticatio is the same regardless of the message size, more badwidth available allows for more frequet autheticatio. I the studies, we will costrai the amout of badwidth available as the desigs should ot sigificatly impact the distributio of itegrity data. Give time to first fix for SBAS of two miutes, the time to autheticate should be o more tha roughly 60 secods. Eve lower values is desirable as the typical

8 time to alerts these SBAS ad GBAS are eve lower (2-10 secods). The last two cosideratios revolve aroud the key. The cosideratio is the eed for key distributio ad revocatio. I these desig studies, we will presume key distributio ad verificatio ca be achieved with miimal to o commuicatios to a certificate authority. This may be achieved usig meas such as the proposed meas to distributio usig geographically diverse source to verify distributed keys. A mechaism also may also be eeded for the revocatio of broadcast keys. Oe meas may be to provide keys (updated ifrequetly ad perhaps offlie) solely for the purpose of revokig a broadcast key. The secod issue is key legth. A key stregths equivalet to a symmetric key of 160 bits or more is likely ecessary to support the system for roughly the ext 20 years. Agai these desigs are ot meat to be suggestio but rather a first cut at seeig the reasoableess ad cost of addig a autheticatio capability. The autheticatio is meat to be legacy compatible i the sese that curret users ca igore the additio iformatio. SBAS The additio of autheticatio o SBAS is challegig due to the badwidth issues. First, much of its badwidth is already used. While it may be possible to utilize the uused bits i some commo messages, this amout of data is iadequate give the limited overall badwidth. Likely, a desig will have to be allocated some dedicated messages ad badwidth. The SBAS message format is see i Figure 7. A maximum of 212 bits per message (with oe message per secod) is available. I the SBAS case studies, we limit the available badwidth for autheticatio to roughly 10% of the total (6 messages per miute). Also, a key update (public key or base symmetric key) is performed at least every five miutes. These assumptios will help us quatify the trade offs i addig autheticatio. Figure 7. SBAS Message structure [11] For a case study usig public key, we examie implemetig DSA or ECDSA. For either algorithm, domai parameters eed to be shared betwee the user ad the seder. These parameters ca form part of the public key. These parameters require o the order of kilobits of data but they should ot eed to be chaged. So ideally, they ca be shared with the user a priori or through some other chael (i.e. regular update of electroic charts). This distributio eeds be assured of validity. However, a public key still eeds to be distributed securely to the user. As see i Table 5, the legth of the public key for DSA is recommeded to be 2048 (use up to 2030) or 3072 bits (use beyod 2030). For ECDSA, the key legth is 224 ad 256 bits for the two time frames, respectively. Give this, ECDSA is preferred. It will allow SBAS to sed the public keys every few miutes usig two messages ad sigatures usig three messages. Give the badwidth assumptios, this allows for a sigature every 30 secods with the public key broadcast every 5 miutes (10.7% or 32 out of 300 messages). If oe miute time to autheticatio is acceptable, oly 5.7% (17 out of 300 messages) of the SBAS badwidth is required. Time DSA public ECDSA public Sigature legth frame key legth key legth (bits) (mi, bits) (mi, bits) To (2 at 224 bits) Beyod (2 at 256 bits) Table 5. Recommeded Key ad Sigature Legth for DSA ad ECDSA [12] For the case study usig symmetric key based autheticatio, we use the TESLA protocol. There are three thigs that eed to be distributed to support TESLA: 1) Curret base TESLA key, 2) MAC, 3) curret TESLA key. The key legth should be sized such that the time to break the TESLA private key is less its exposure time. From Table 3, a key legth of 160 bits or more seems acceptable. As a result, the key ca fit i oe message. The MAC itself ca be the same legth as the key though it ca be trucated to half the key legth. Trucatig MACs to 106 bits, allows two MACs to be trasmitted i oe WAAS message. This helps maximize badwidth usage. It ca also mitigate the impact of message loss as each MAC is geerated from a distict subset of the messages. Figure 8 shows a implemetatio where a message ca cotai oe or two MACs which are geerated from the same MAC geeratio key, K si. If the message cotais two MACs, oe MAC is derived from the messages from the half of the time period ad the other is derived from the messages from the later half. A implemetatio may be achieved as follows. Sed MAC message every m messages (for example, m = 6) with each message cotaiig two MACs. This allows for better tolerace to lost messages. For m = 6, the user oly eeds 3 cosecutive to autheticate rather tha 6. The MAC update rate drives the badwidth ad the umber of cosecutive messages required for autheticatio. The curret TESLA key every k MAC so

9 that it is used to geerate MACs for several message sets. This results i a time to autheticatio of (m+1)*k+1 secods, provided the curret TESLA key is set immediately after the last MAC usig the key. I Figure 8, the time to autheticatio is 2*(m+1)*k+1 as the key release is delayed by oe util after the MACs geerated usig the ext key are trasmitted. If the goal is roughly 20 secod autheticatio, the k = 3 for m = 6. For 60 secods, k = 9. Te percet badwidth usage is achievable with approximately 30 secod time to autheticatio. This is doe if MACs are set every 15 messages ad the curret TESLA key is set every two MAC message. It also meas that time should be idepedetly sychroized withi 1 secod sice the key is set i the message immediately after the MAC message. So there is oly a oe secod gap betwee the release of the key ad the fial MAC geerated usig the key. Note that additioal badwidth is eeded to sed the base key. The autheticatio may be stregtheed by usig old but active data (OBAD) or other previously verified iformatio to aid i verificatio. Figure 8. Example sequece for proposed scheme From the study, it seems both ECDSA ad TESLA offer viable with similar data rates as log as a certificate is ot eeded or requires miimal data. Some meas of verifyig the autheticity of the public key i ECDSA or the base TESLA key i TESLA is eeded. The certificate is a importat cosideratio if validatig keys usig geographically diverse sources is ot adequate. GBAS Implemetatio of the autheticatio ideas o GBAS is simpler as it is less data costraied. The basic data compoets of the GBAS message are see i Table 6. Two optios are possible. First, uused bits from existig messages ca be used. For example, GBAS Message Type 1 which provides correctios for up to 18 correctios (11 bytes each) has 7 byte uused. Roughly seve bytes every half secod is ot a lot of iformatio but it is more tha available i the SBAS case study (10% badwidth equals 21.2 bits/secod). As such the implemetatios discussed i SBAS ca be used i GBAS provided the message structure is defied The secod optio is to dedicate oe message type ad oe message every secods for autheticatio. For ECDSA, a message ca cotai the sigature, the public key ad perhaps the certificate. Sedig the message every five secods uses te percet of the badwidth ad allows for five secod time to autheticatio. For TESLA, a message ca easily cotai multiple MACs as well as the base ad a ear curret TESLA keys. Sedig a message every five secods will allow for a te secod time to autheticatio. The icreased delay is because the key geeratig the MAC should be set i a later message. Message Block Segmet Bits Bytes Message Block Header 48 6 Message Up to 1696 Up to 212 Message CRC 32 4 Total 1776 (max) 222 (max) Table 6. Format of GBAS Message Block [2] CONCLUSIONS This paper studies the feasibility ad meas by which autheticatio ca be overlaid upo the existig SBAS ad GBAS desigs. It cosiders how to achieve the autheticatio that is compatible with the curret augmetatio system ad its users. It also cosiders how to perform the security ecessary to support autheticatio withi the curret NAS framework. Oe importat issue is secure key distributio ad the paper presets some optios desiged to be reasoable for aviatio ifrastructure ad operatios. Oe meas is a key distributio protocol that utilizes the operatio of the aircraft ad air traffic to aid i key verificatio. This provides to distribute keys ad provide some ability to validate them without sigificat additios to the NAS. Aother issue is badwidth. The paper presets ways of modifyig protocols such as TESLA to reduce badwidth use while maitaiig a acceptable level of security. The paper uses the curret L1 SBAS ad GBAS as case studies. The paper presets reasoable method to provide autheticatio o the curret SBAS usig about te percet of badwidth. The method is compatible to curret SBAS user equipmet i that they will ot be adversely affected. GBAS ca employ similar meas. As it has greater data badwidth, a more critical issue for GBAS is key distributio to the groud statios. DISCLAIMERS The views expressed herei are those of the primary author ad are ot to be costrued as official or reflectig the views of the U.S. Coast Guard, Federal Aviatio Admiistratio, Departmet of Trasportatio or Departmet of Homelad Security. ACKNOWLEDGMENTS

10 The authors would like to thak Leo Eldredge ad Mitch Naris of the FAA Navigatio Services Directorate for supportig this work. REFERENCES [1] Murphy, T., Harris, M., Burs, J., Modificatios to GBAS for VDB Autheticatio, Navigatio Systems Pael, CAT III Subgroup Meetig, July 8-10, [12] Natioal Istitute of Stadards ad Techology, Recommedatio for Key Maagemet Part 1L Geeral (Revised), Special Publicatio , March [2] RTCA SC-159, GNSS Based Precisio Approach Local Area Augmetatio System (LAAS) Sigal-i- Space Iterface Cotrol Documet (ICD) DO-246D December [3] Scheier, Bruce, Applied cryptography: protocols, algorithms, ad source code i C, 2d ed., Wiley, New York, [4] Katz, Joatha, "Itroductio to Moder Cryptography: Priciples ad Protocols, Chapma & Hall/CRC, Boca Rato, FL, [5] Natioal Security Agecy, Cetral Security Service, The Case for Elliptic Curve Cryptography ml, Jauary 2009 [6] Perrig, A. Caetti, R., Tygar, J.D., ad Sog, D., The TESLA Broadcast Autheticatio Protocol, CryptoBytes, 5:2, Summer/Fall 2002, pp [7] Wullems, C., Pozzobo, O., Kubik, K., Sigal Autheticatio ad Itegrity Schemes for Next Geeratio Global Navigatio Satellite Systems, Proceedigs of the Europea Navigatio Coferece GNSS, Muich, July 2005 [8] Kuh, Markus G., A Asymmetric Security Mechaism for Navigatio Sigals, 6th Iformatio Hidig Workshop, May 2004, Toroto, Caada, Proceedigs, LNCS 3200, pp , Spriger-Verlag. [9] Qiu, Di, Lo, Sherma, Ege, Per, Geoecryptio usig Lora, Proceedigs of the Istitute of Navigatio Natioal Techical Meetig, Sa Diego, CA, Jauary 2007 [10] Bellare, M., Caetti, R., ad Krawczyk, H. Keyig Hash Fuctios for Message Autheticatio, Crypto 96 Proceedigs, Lecture Notes i Computer Sciece, Vol. 1109, Sprig Verlag, 1996 citatio [11] RTCA SC-159, Miimum Operatioal Performace Stadard for Global Positioig System/Wide Area Augmetatio System Airbore Equipmet, RTCA/DO- 229D, December 2006.