User authentication schemes for GNSS selective broadcasting
In this paper three different solutions are proposed for the problem of location-based selective broadcasting of traffic messages
Although at present its implementation within the full operational capability is under discussion and called into doubt due to recent changed circumstances in the overall system management, one of the initially planned features of GALILEO satellite positioning services was signal authentication ( and ). Authentication consists in confirming that a transmitted signal corresponds to the true source. In navigation systems the transmission of signals, that takes place over a radio link, is subject to eventual spoofing attacks (, ).
With authentication, a certified GALILEO receiver can use the signal and is guaranteed that no forged signal occurs (), while an uncertified receiver cannot gain any assurance about this. Hence, authentication provides a security service that can be used both to accomplish a certain level of anti-spoofing capability and is a key element in a scenario where traceability is needed. For this reason the idea of signal authentication in GALILEO services has aroused in the user-segment community a lot of possible scenarios in tracking related applications.
An authenticated signal can avail future road toll payments, GNSS based insurance policy, new flight management computer and location based access control. Within these wide applications areas, secure tracking has become a new application field that is steady growing ( and ).
It is worth noting that the ideas the techniques proposed in this paper are based on, still continue to keep working even in absence of the authentication service: however, in this case the robustness of the non anti tamper solutions against unauthorized access results weakened.
Problem: position-based service
The main purpose of this work consists in to investigate some suitable functional and processing schemes in order to allow a GNSS user equipped with a radioreceiver and processing card for gaining access to restricted information.
The availability of such information is considered restricted in the sense that they are supposed to be subject to a couple of constraints:
1. the user has to be an authorized user
2. each authorized user must have access only to a subset of the complete set of data, a subset that is strictly related to the user actual position.
Moreover, an important additional constrain is required to be fulfilled:
3. the information are broadcast to all the users by a Local Element (LE), that is, no selective transmission is performed among authorized users by point to point data links or directional communications.
In particular, possible information that fall within the definition given above could be traffic information or marine/ land vehicle positions relative to a certain geographical area. These information could be broadcast from a service provider, sited in a base station and equipped with suitable data acquisition devices (such as radars, transponders or other kinds of sensors), and digital link broadcasting facilities. A user in that area could be interested to know the vehicular traffic situation around him, that is in its immediate vicinity, in order to take decisions about where is better to go or how to behave. It is not interested to know the traffic situation of the whole region and, more important, the traffic situation data related to the whole area could be considered sensitive information by the service provider or by competent authorities that would deny whole data avail ability to every single user for security reasons. Hence, selective delivering of information based on the user local position is necessary.
The proposed idea is that data, transmitted by way of digital data-links, are not broadcast or received by directional antennas in order to perform selective delivering depending on the local user position. Differently, software processing schemes based on both well known encryption techniques and GNSS-de rived authenticated pseudoranges are proposed.
The typology of information that constitute the broadcast message are, for each user inside a predefined geographical area:
• position (longitude and latitude, height is considered irrelevant for a maritime scenario)
• heading or ground-track velocity direction
• type of vehicle. All these data are supposed to be gathered by the service provider by external sensors.
An approach to the solution
The main requirement consists in giving a selected traffic information related to a selected area. A system user cannot have the possibility to know all the positions of the other users in the entire zone interested by the service but only in a reduced portion around him.
The idea is discussed on a maritime scenario. It is assumed that there are a ground based station (Local Element, LE) that ciphers traffic information and users on board boats/ ships (Mobile Elements, ME) that have to decrypt this message.
Pseudoranges are chosen as keys for ciphering the traffic message. The entire zone interested by the service is divided into cells of equal area forming a grid (see Figure 1).
Fig 1. Cell grid structure for a geographical area where the service is active
In every cell must be defined a reference point, called Hot-Spot, that is taken as the reference from all the ships inside that cell. Each Hot Spot has its ranges from the GNSS satellites. The pseudoranges of the Hot Spot are defined as the keys for decrypting that part of the broadcast message where the traffic information corresponding to that cell are contained. Every boat/ ship inside that cell must know which is its reference Hot Spot. Hence, based on the vehicle actual pseudoranges (that are strictly related to its actual position), the user has to obtain the pseudoranges of its reference Hot Spot.
The idea is that the broadcast message has an header, encrypted by means of a key that is available to all the users subscribing the service. The header contains the structure of the grid of the cells covering the service area: number of cells, orientation of the grid respect to the North, size of the cells. Moreover the header contain the set of GNSS Satellite Identification Number (PRN) to identify the subset of GNSS satellites with respect the pseudoranges has to be computed to. Therefore, the Local Element and all the users share the same satellites to compute their respective pseudoranges (this assumes that within the geographical area covered by the cell grid there are a set of satellites in view to all the GNSS receivers).
An important feature of the processing scheme is related to the authentication service available from GALILEO satellites, in its form of Navigation Message Authentication (NMA). One of the most important problem is that the users are moving across the area interested by the service and they can pass from a cell to another cell with a different Hot Spot. In order to avoid lack of information in the neighbourhood when an user is close to the edge of its reference cell, the traffic information, ciphered with the key of a cell, includes also the traffic information of the surrounding eight cells.
Pages: 1 2