Signal Authentication a Secure Civil GNSS for Today

Signal Authentication A Secure Civil GNSS for Today

Sherman Lo, David De Lorenzo, and Per Enge Stanford University and Zanio, Inc. Dennis Akos University of Colorado Paul Bradley DAFCA, Inc.

Many civil GNSS applications need secure, assured information for asset tracking, fleet management and the like. But there is also a growing demand for geosecurity location-based services such as hardware configuration and management, virtual site licenses, digital rights management and geofencing. Unfortunately, GNSS is vulnerable to malicious intrusion and spoofing. How can users be sure the information they receive is authentic? This article introduces a new method that uses hidden attributes fundamental to the GPS satellite broadcast — and cross-compared between two receivers — to authenticate signals and the location solutions they generate.

rad Parkinson, first director of giving route instructions to touring seek to discover and exploit weaknesses the GPS Joint Program Office, motorists. in order to disrupt legitimate users or to once remarked that the NAV- As these and other GNSS-enabled perpetrate fraud. BSTAR Global Positioning Sys- applications become increasingly woven Navigation system security is ever tem represents, next to the Internet, into the fabric of our global 21st-centu- more important for two reasons. The perhaps the most successful civilian ry economic and social infrastructure, first reason is to ensure that the position, adoption of military-developed, dual- the consequences of breach-of-service navigation, and time (PNT) information use technology. become greater as well. In this context, upon which we increasingly rely are Today, hundreds of millions of peo- service breach encompasses not only indeed trustworthy. The second is that ple worldwide rely on satellite navigation system outages (e.g., constellation fail- secure PNT can serve as a building block to deliver accurate position and time ures, inadvertent or deliberate interfer- for protection of critical data and assets information to a host of critical servic- ence, and so forth) but also failures of in the global fight against information es, including everything from guiding trust in the basic integrity of the position technology attack. We refer to these aircraft at night and during inclement and time broadcast. features as “security for navigation” and weather to synchronization of cellular Moreover, experience with the Inter- “security from navigation.” communication networks. Other appli- net shows that as a resource becomes Ideally, security would be a built-in cations range from helping emergency more valuable to our civil infrastruc- feature of civilian GNSS. Unfortunately, dispatchers direct rescue personnel to ture, criminal or malicious agents will as with the Internet, this was not an ini-

30 InsideGNSS september/october 2009 www.insidegnss.com tial design consideration for civil use threat space to include not only sophis- another party about the signals that they of GPS. The European Galileo system, ticated foreign powers but also rogue receive, how do I ensure the validity of which will employ such features possibly organizations and even moderately their assertion? as a fee-based service, still is a number of skilled domestic groups or individuals. Current methods of protecting GPS years from operational capability. These developments not only dem- users against system faults or intentional Recently, proposals have been made onstrate intent but also illustrate the attacks rely on cross-checks against met- to incorporate security and authentica- ever-increasing attack sophistication. rics either internal or external to the tion signatures directly into the civil GPS Hacking the satellite-to-receiver signal GNSS subsystem, or on tests of predict- signal. However, GPS probably will not interface opens GNSS to the same types able characteristics of the navigation sig- incorporate these features, due both to of attacks that daily plague personal nal. Of course, as the robustness of the institutional priorities and to long pro- computers, corporate mainframe sys- defensive countermeasures increases, curement and deployment cycles. tems, and the Internet. system complexity and cost go up as well Thus, the GNSS community must An additional attack vector occurs — which can be a barrier in applications work within the existing system to when a supplicant party submits its where the GNSS hardware bill-of-mate- develop civilian navigation security position to a permission-granting agent. rials is expected to remain below $1! features. In this article, we will present Without an authentication token gener- And not all countermeasures are a new technique that can provide such ated as part of the position computation secure against every possible attack. capabilities today for civilian GNSS. process, no mechanism exists whereby For example, even sophisticated direc- a party can assure that a position assertion-of-arrival anti-spoofing methods The GNSS Security Threat tion is bone fide. Consequently, the described in the literature — for exam- Recent experience shows that GNSS navigation security threat space raises ple, the article by P. Y. Montgomery et security threats exist now and will these dual concerns for a user: (1) when alia in Additional Resources — do not increase in the future. In a comprehen- processing signals that I receive myself, protect the integrity of location asser- sive study of GPS vulnerabilities, the U.S. how do I ensure their authenticity? and tions made by one party to another. Department of Transportation warned (2) when receiving an assertion from With these concerns in mind, we in the 2001 Volpe Report that “the GPS signal is subject to degradation and loss through attacks by hostile interests.” Due to the low received power of GNSS signals, the most common attack currently contemplated is denial-of-service by jamming or intentional interfer- ence. Of greater concern in the future will be spoofing, where a signal is transmitted so that a GNSS receiver com- putes an incorrect position. Spoofing represents a more pernicious attack than denial-of-service, because it attempts to misrepresent the user’s true location while at the same time avoiding detection of the attack itself. Concerns about GNSS authenticity are particularly relevant today. For example, several over-the-air spoofing incidents already have been reported. A number of such incidents are mentioned in the article by B. Forssell cited in the Additional Resources section. Additionally, a U.S. research team has developed and described a portable GPS civilian spoofer capable of several different attack mechanisms (See the article by T. Humphreys et alia in Addi- tional Resources.). This “cookbook on GPS spoofing” expands the attacker www.insidegnss.com september/october 2009 InsideGNSS 31 signal authentication

have developed and tested a signal L1/P(Y) code as the secret code being operated upon. While L1/P(Y) is used as an authentication technology that relies illustrative example, the technique can be applied to other navigation and commu- not on the predictable characteristics of nication signals as well. the GPS signal, but rather makes use of hidden attributes that are fundamental Processing of Secret Signals for Authentication – Theory to the satellite broadcast and that can To describe joint processing for signal authentication, we begin with a GPS device be cross-compared between receivers to receiving satellite signals at the L1 frequency. The signals transmitted by each satel- ensure the validity of the signals that are lite are composed of a sinusoidal carrier, a satellite-specific pseudorandom spreading received and the location solutions that code, and a navigation data sequence. those signals generate. The L1 frequency carries both C/A-code and P(Y)-code signals, transmitted in

phase quadrature. Hence, on L1 a GPS receiver has available to it a signal sL1(t) that Anti-Spoofing for Civil GNSS is composed of the received RF energy si(t) from each of N satellites in the visible Some GNSS signals are specifically constellation, plus thermal noise η(t): designed to prevent spoofing or to deny unauthorized access — encrypted signals such as the GPS P(Y) and M-code and Galileo’s Public Regulated Service Note that the received signals are well below the thermal noise floor and only (PRS), or obscured signals such as the detectable after correlation processing with a receiver-generated replica or observation GLONASS P-code. via high-gain steerable antennas. These signals produce asymmetry, We now focus on the data and code components of the L1 signal from a specific meaning that the service provider has satellite i while dropping the L1 subscript; at receiver #1 this signal is : the encryption or generation mechanism while an attacker does not. Con- sequently, an attacker will not be able to generate the authentic encrypted signal for use in a spoofing broadcast or injec- Here, subscripts C and P denote C/A-code and P(Y)-code respectively, A and tion attack. Of course, civil users do not B are scaling parameters for the received signal power, D is the navigation data bit have access to the P(Y), M-code, or PRS, sequence (possibly different for C/A and P(Y)),x C and xP are the C/A-code and P(Y)- and even authorized military GPS users code sequences, τC and τP are the phases of the respective generating functions, fD is the require Selective Availability/anti-spoof- satellite-to-receiver Doppler frequency (it may also include a frequency offset between ing module (SAASM) hardware, which the satellite oscillator and that of the receiver), and θ is the phase of the received RF is both expensive and access-restricted. carrier with respect to the local reference oscillator. Our research has created a method The receiver performs a series of functions on the received signal in space: ampli- to provide the anti-spoofing benefits of fication, mixing and frequency down-conversion, low-pass filtering, and Doppler secret codes, without needing access to frequency and carrier-phase estimation to yield a baseband signal suitable for pro- the codes themselves. This capability is cessing, as follows: achieved by joint processing of the signal received at one location with a nearly synchronous signal received at a remote (preferably trusted) station; the theory of this joint processing is described in the next section. A central tenet of this method is that the better the secret codes are pro- Here, the superscript i has been dropped for clarity and the superscript caret ‘^’ indi- tected by the corresponding operating cates estimation. Processing for C/A-code detection and tracking involves multiplica- authority, such as the U.S. Department tion by a replica C/A-code sequence . Since xC is orthogonal to xP (meaning of Defense (for the P(Y) and M-code) their cross-correlation product is nearly zero for all τC and τP), accumulation (noise- or the Galileo operating agency (for averaging) for an integration interval TC yields in-phase and quadrature terms: the PRS), the better the security of this authentication system. (Security can be expressed in terms of an equivalent cryptographic strength, the brute-force attack time, and so forth.) The following section and the remainder of the article will use the GPS Signal tracking seeks to maximize SI and to minimize SQ by driving to zero the

32 InsideGNSS september/october 2009 www.insidegnss.com differences between the received and estimated values of code-phase, Doppler fre- The value of Δt accounts both for quency, and carrier-phase. Figure 1 shows this process for code-phase alignment. A receiver clock offset and for different receiver with access to the encrypted P(Y)-code sequence can process that signal satellite-to-receiver signal travel times. component in an analogous manner. (In addition, some codeless and semi-codeless Consequently, if Δt should be measured techniques exploit the fact that identical P(Y)-code sequences are broadcast on the on several satellites, then the presence of L1 and L2 frequencies.) the correlation peaks serves not only to The foregoing procedure is common, with small variations, to almost all com- confirm the authenticity of each receiv- mercial GNSS receivers. The innovation we are introducing is the joint processing er’s signal observation but also to locate of signals received at two separate locations to access the secret code sequence for receiver #1 with respect to receiver #2 authentication. This authentication process recognizes and exploits the fact that the in a manner analogous to GPS carrier-

P(Y)-code sequence received at a location #1, xP(t – τP,1), is identical to the sequence phase differential positioning. received at a location #2, xP(t + Δt – τP,2), except for the differential satellite-to-receiver The strength of the correlation peak signal travel time Δt. depends on many factors such as corre- At this point, accumulation of the product of the Eq. (4) quadrature signals from lation time duration and the signal-to- two receivers (and remembering that xC is orthogonal to xP, and that with Doppler noise ratio (SNR) of the measurements. frequency and carrier-phase alignment the ‘sin’ terms go to zero and the ‘cos’ terms For example, the correlation results will go to one) yields: be more evident if the reference station uses a high-gain dish or steered-beam array antenna rather than an omnidirec- Observation of a correlation peak, as shown in Figure 2, indicates the presence tional patch antenna. of component sP(Y)(t) in both receiver #1 and receiver #2 signals, and is accomplished The difference between this joint pro- by sliding the correlation window until Δt = τP,2 – τP,1. A peak in the function SQ,1:2 cessing method and having the actual establishes signal authenticity (with the trivial caveat that receiver #1 and receiver #2 P(Y)-code sequence (which is like hav- not be within reception range of the same signal-spoofing attacker). ing a noiseless measurement) is shown

www.insidegnss.com september/october 2009 InsideGNSS 33 signal authentication

is illustrated in Figure 3. In this example, CDMA signals are below the thermal noise floor the reference station continuously col- lects and stores GPS raw data (or it could do so on a published schedule); these archived data are used in the authenti- Correlation vs. delay of code replica cation joint processing operation. The steps required for joint processing can be described as follows: 1. Record GPS raw data at location #1 (i.e., the user device) and location #2 (i.e., the reference station). 2. Transmit a data snapshot from the user device to the reference station for processing, along with a time- stamp of the data snapshot. FIGURE 1 GPS signal correlation with known CDMA sequences. For each satellite of interest in a data set pair (user device and reference station): 3. Perform Doppler frequency wipe- off. 4. Estimate carrier-phase to allow sig- Correlation vs. delay of nal separation into in-phase and Receiver #2 signal quadrature components. 5. Correlate the Q-channel from the user device with the Q-channel from the reference station; slide the correlation window until a peak of sufficient magnitude appears. The first two steps relate to signal collection and distribution. Note that the signal bandwidth must be sufficient to recover energy from the embedded secret code; for the P(Y)-code, a bandwidth of at least 10-20 megahertz is desirable. Signal processing occurs in FIGURE 2 Two-receiver correlation with unknown CDMA sequence. The presence of a P(Y)-code correlation peak authenticates the signal. The peak timing for several satellites allows relative the last three steps. positioning (and timing) of receiver #1 vs. receiver #2. The simplest method of estimating Doppler frequency and carrier-phase, of course, is to acquire and track the C/ in Equation 6, assuming noise power is , the receiver #1 signal has amplitude B1, A-code; this operation is simple for the and the receiver #2 “reference signal” has amplitude B2 = αB1 (with the same noise); N reference station to perform but could represents the averaging time. Note that as the gain of the reference station antenna be prohibitive at the user device (due to increases, the ratio approaches 1 as expected. processor complexity or battery life concerns, for example). If the data snapshot is not sufficiently long for tracking, then a Doppler frequency estimate can come either from signal acquisition or from the satellite ephemeris. An Authentication Architecture Signal Authentication with This joint processing technique enables both signal authentication and position veri- Live Satellite Broadcasts fication because the appearance of the correlation peaks guarantees the presence of We conducted a validation test shortly the hidden encryption signatures, and the timing of several of these peaks allows after developing the initial signal authen- computation of a differential position receiver-to-receiver. tication concept. This test involved near- A system implementing one possible variant of this authentication architecture simultaneous GPS data observation at

34 InsideGNSS september/october 2009 www.insidegnss.com two widely separated locations, the first Reference Station Reference in Palo Alto, California, and the second Station in Boulder, Colorado. Antenna Track Estimate Doppler Raw RF data were collected at each C/A-code & carrier-phase site with an RF signal analyzer in a 20 megahertz band about the GPS L1 center frequency using a hemispherical patch antenna (both sites) and a 1.8-meter high-gain steerable dish antenna (Palo Alto only). The dish antenna provides approximately 25 decibels of gain over Doppler from orbits that of a standard patch. Coarse time synchronization was achieved through cellular communication links, which Link yielded ~0.25 seconds of timing error. User Device In analyzing the results of this test, we first sought to validate the basic signal-authentication concept. The cor- FIGURE 3 Authentication Architecture. A user device records a snapshot containing GPS signals from several satellites and transmits this snapshot to an authentication reference station for processing. relation between measurements taken This illustrates one simple implementation scheme with minimal signal processing required at the with the patch antennas at the two loca- user device. tions was examined. Figure 4 shows the in-phase (C/A-code) and quadrature frequency and carrier-phase alignment relation output are an artifact of the one- (P(Y)-code) correlation with a 100-mil- (from signal tracking with a GPS soft- millisecond C/A-code repeat interval, lisecond observation window, two-bit ware receiver). The repeating peaks in modulated by the 50-hertz navigation I/Q data samples, and precise Doppler the C/A-code receiver-to-receiver cor- data message.

www.insidegnss.com september/october 2009 InsideGNSS 35 signal authentication

PRN 23 C/A-code Correlation 1500 Reducing the signal bandwidth to a 15- megahertz sampling frequency could 1000 push the data storage requirements 500 below 3,000 bits. 0 Requirements & Benefits -500

Correlation Energy Three elements are needed to support -1000 the authentication technology described 0 0.02 0.04 0.06 0.08 0.1 Time (sec) herein. The most basic requirement is a PRN 23 P(Y)-code Correlation supporting infrastructure of trusted ref- 600 erence stations covering the geographic areas of interest. (Regional coverage may 400 P(Y) correlation peak require only a single reference station.) 200 The other two elements, receiver technology and communication links, have 0 requirements that vary depending on Correlation Energy application. -200 0 0.02 0.04 0.06 0.08 0.1 A reference station network (and Time (sec) the associated authentication servers) is needed to provide the authentica- FIGURE 4 Live data validation of receiver-to-receiver P(Y)-code signal authentication: 100 millisecond correlation window; each receiver utilizes a hemispherical patch antenna. tion function. We should note that the required number of reference stations is quite modest, because a single refer- PRN 23 C/A-code Correlation 40 ence station can serve a sizable area. For example, the continental U.S. could be 20 covered by two or three such stations 0 with significant redundancy, as the reference station network requirement -20 simply is to observe every satellite that

Correlation Energy may be seen by any user in the service -40 0 0.02 0.04 0.06 0.08 0.1 coverage area. (Peer-to-peer authen- Time (sec) tication is a slight modification of the PRN 23 P(Y)-code Correlation above-described architecture and does 20 away with the reference station network P(Y) correlation peak entirely.) 10 The most basic user device, essentially a data capture engine, can make 0 do with less functionality than a typi- cal GNSS receiver, because the entire Correlation Energy -10 authentication processing typically is 0 0.02 0.04 0.06 0.08 0.1 done remotely. Stripping away corre- Time (sec) lation, tracking, and navigation units FIGURE 5 Minimal data storage requirements: 1.8-meter high-gain steerable dish antenna on leaves only a wide-band front-end, sim- receiver #1, one-bit I/Q samples at receiver #2, one-millisecond correlation, 23.68 MHz sampling frequency, total record size = 4,800 bits. Using a 15 MHz sampling frequency would yield 3,000 ple analog-to-digital converter (1-1½ bits of data record length. bit), storage, and input/output subsys- tems. Furthermore, remote processing drastically reduces power consumption, Another important goal of our analy- Using the 1.8-meter high-gain steer- which still can be a major concern for sis seeks to minimize the required mem- able dish antenna for one receiver (i.e., GNSS receiver integrators. ory size of the data snapshot stored at the reference station), one-bit I/Q sam- Real-time or near real-time receivers one receiver. This is important in mem- ples at the other receiver (i.e., the user also require a secure communications ory- or bandwidth-constrained authen- device), and a one-millisecond correla- link. With the proliferation of data com- tication applications such as integrated tion window allows recovery of a promi- munication technologies such as Wi-Fi, circuits, smart cards, or near-real-time nent correlation peak with no more than Wi-Max, and numerous high-speed challenge-response scenarios. 4,800 bits of data, as shown in Figure 5. cellular communication standards, this

36 InsideGNSS september/october 2009 www.insidegnss.com GPS snapshot - time of manufacture navigation, functionality from the user Location Location/time assertion of IC device to the trusted authentication server Batch-specific public encryption key processor. This reduces costs by moving the main security vulnerability from Fab the distributed users to a few hardened locations. The sites containing the authentica- Encrypted with batch- tion processor and the GNSS reception Some time later, specific public key changed location Location/time assertion Authentication equipment can be hardened with fea- Random session key Server tures such as physical security barri- Encrypted with ers, high-gain directional antennas, or session key steered-beam antenna arrays. The ben- Repeat challenge/response GPS-based query efit to this centralization is that high- protocol as required for Encrypted with cost security features only are needed in desired level of assurance session key a few locations, with the resulting cost IC response amortized across many users. The end result is an architecture that FIGURE 6 Using secure GNSS to provide integrated circuit protection. can support many PNT security applications at very reasonable cost. These requirement is not a major constraint in designed for route auditing or cargo include not only current high-value most of the developed world. Addition- transit assurance needs only to store applications such as asset tracking and ally, the hardware needed for these links GPS snapshots in tamperproof memory, fleet management, but also emerging increasingly is being integrated with with verification done at intermediate or geo-security location-based services such GPS in mobile telephony. final destination. as hardware configuration and manage- In contrast, some applications may With these required elements, the ment, virtual site licenses, digital rights find a real-time communications link authentication architecture essentially management and manners policies, and unnecessary. For example, a receiver transfers the security, and possibly the geo-fencing. Moreover, new applications

FIGURE 7 Verification of integrated circuit and hardware through stages of production www.insidegnss.com september/october 2009 InsideGNSS 37 signal authentication

can be supported, such as the following example of secure location signatures for Civil GNSS Security integrated circuit (IC) assurance. -Signal Authentication Location Security for IC - Secure Positioning Information & Assurance Asset Protection Numerous security concerns surround the manufacturing of integrated circuits, Secure Electronic Cryptography & SmartCards & Communication including counterfeiting, theft, and the Key Distribution Access Control introduction of Trojan logic (i.e., a hidden malicious modification to the circuit Financial Transaction Internet & Personnel that triggers for the purposes of compro- Assurance Online Security Security mising security features). Such concerns are growing as a result of the expanding use of third-party intellectual property Fraud Detection Asset Tracking Hazardous Waste & Route Auditing Transport & Compliance (IP) and the rapid globalization of device & Non-repudiation and system manufacturing. The risks to mission-critical systems such as those in FIGURE 8 High-integrity applications of secure GNSS. avionics, military, and communications applications are significant. For this reason, it is likely that GNSS simplification of shared communication Secure GNSS offers a novel and cost- location and time signatures, and the across standardized test access ports. In effective solution to address integrated logic resources required to securely store this way, a system integrator (for exam- circuit and supply chain assurance by them in memory, comprise an IC assur- ple) could validate the functional integ- implanting one or more unique time- ance technology that may be most suited rity, manufacturing provenance, and and location-based signatures within the to high-value mission-critical devices transport chain-of-custody through a IC at the times of fabrication, board level such as systems on chip (SoCs), central common test interface. manufacturing, and system assembly. processing units (CPUs), integrated Figure 7 illustrates an example pro- Figure 6 shows one means of using GNSS memory controllers, specialized digital cess wherein the GNSS security protocol authentication signatures for IC verifica- signal processors (DSPs), and other sys- provides an attack-resistant verification tion as part of a multi-factor integrated tem or I/O control chips. of the manufacturing and transport suite of defensive technologies. We estimate that the storage require- stages within the IC supply chain by However, the IC logic and silicon ments of a 400-kByte GNSS signature, requiring that each successive step be gate-count devoted to the assurance along with the associated encryption dependent on successful authentication functionality are severely constrained, and tamperproofing circuits, and using during the previous step. as resources allocated to security or vali- existing die-to-system communication The scheme in Figure 7 can further be extended into a feature activation scheme that integrates the location and We have developed and tested a signal authentication time signatures with hardware-based technology that relies not on the predictable activation logic and software verifica- characteristics of the GPS signal, but rather makes tion. With the addition of tamper-resis- use of hidden attributes that are fundamental to the tant hardware and software, along with satellite broadcast and that can be cross-compared hardware countermeasures, a robust security system can be created that between receivers to ensure the validity of the signals extends from logic design and device that are received and the location solutions that those fabrication, through the supply channel, signals generate. and into system deployment. Conclusions dation circuits directly compete with the channels, becomes feasible for devices Satellite navigation has emerged as a primary processing features of the die. containing approximately one million global infrastructure utility, comple- For example, the on-die and at-speed transistors. menting modern public services such IP of DAFCA’s reconfigurable security Of course, one benefit of combining as energy distribution, global transport product suite have been optimized to the circuit validation and IC manufac- and travel, and voice and data commu- minimize the footprint in the final sili- turing assurance capabilities at the same nications networks. As a ubiquitous and con device. phase of the design cycle is architectural indispensable component of modern

38 InsideGNSS september/october 2009 www.insidegnss.com David De Lorenzo, Ph.D., is life and business, GNSS is vulnerable Additional Resources a research associate at to malicious intrusion and nefarious [1] Forssell, B., “The Dangers of GPS/GNSS,” the Stanford University misuse. Adversaries can jam, spoof, or Coordinates, February 2009 GPS Research Laboratory manipulate a system to deny service or [2] Humphreys, T. E., and B. M. Ledvina, M. where his current to obfuscate a reported position. Because L. Psiaki, B.W. O’Hanlon, and P.M. Kintner, Jr., research is in GNSS soft- GNSS can be used to authorize actions, “Assessing the Spoofing Threat: Development of ware receivers, adaptive trust and authenticity are required for a Portable GPS Civilian Spoofer,” Proceedings of beam-steering antenna arrays, indoor and urban proper implementation and enforcement the Institute of Navigation GNSS Conference, pgs. reception of radio signals, and navigation system policy. 2314-2325, 2008 security and integrity. He received the Ph.D. In this article, we have described a [3] John A. Volpe National Transportation Systems degree in aeronautics and astronautics from Stan- signal-authentication system architec- Center for the U.S. Department of Transportation, ford University and previously has worked for Lockheed Martin and for the Intel Corporation. ture for single-frequency civil-use GNSS “Vulnerability Assessment of the Transportation devices that delivers a verifiable position Infrastructure Relying on the Global Positioning Per Enge, Ph.D., is a pro- System,” Final Report, 2001 report or confirms a position assertion fessor of aeronautics and astronautics at Stanford by a remote agent. We have validated this [4] Kuhn, M. G., “An Asymmetric Security Mecha- University, where he authentication architecture through live nism for Navigation Signals,” Proceedings of the 6th Information Hiding Workshop, pgs. 239–252, directs the GPS Research signal tests with hardware in the loop, 2004 Laboratory. He has been and have described the implementation involved in the develop- [5] Montgomery, P. Y., and T. E. Humphreys and of GNSS security signatures for integrat- ment of the Federal Aviation Administration’s GPS B. M. Ledvina, “Receiver-Autonomous Spoof- ed circuit and supply chain assurance. Wide Area Augmentation System (WAAS) and ing Detection: Experimental Results of a Multi- Local Area Augmentation System (LAAS). Enge As the satellite navigation attack Antenna Receiver Defense against a Portable received the Ph.D. degree from the University of threat space and sophistication con- Civil GPS Spoofer,” Proceedings of the Institute of Illinois and is a member of the National Academy tinue to grow, this and other defensive Navigation International Technical Meeting, pgs. of Engineering and a Fellow of the IEEE and of the technologies will become increasingly 124-130, 2009 Institution of Navigation. important to the high-integrity applica- [6] Scott, L., “Anti-Spoofing & Authenticated Dennis Akos, Ph.D., is an tion of GNSS, as illustrated in Figure 8. Signal Architectures for Civil Navigation Systems,” assistant professor with With this effort, we will realizesecurity Proceedings of the Institute of Navigation GPS/ the Aerospace Engineer- for GNSS and security from GNSS. GNSS Conference, pgs. 1543-1552, 2003 ing Science Department [7] Stansell, T. A., “Location Assurance Commen- Manufacturers at the University of Colo- tary,” GPS World, July 2007, p. 19 rado at Boulder and holds Stanford University and Colorado [8] Wullems, C., and O. Pozzobon and K. Kubik, a visiting professor researchers use an 89600 vector signal “Signal Authentication and Integrity Schemes for appointment at Luleå University of Technology, analyzer (VSA) from Agilent Tech- Next Generation Global Navigation Satellite Sys- Sweden, and a consulting professor appointment nologies, Santa Clara California, USA, tems,” Proceedings of the European Navigation at Stanford University. His research interests to collect signals received either from Conference GNSS, 2005 include GNSS systems, software-defined radio high-gain steerable dish or hemispheri- (SDR), applied/digital signal processing, and cal-gain patch antennas. The 1.8-meter radio frequency (RF) design. He received the dish is part of the Stanford GNSS Mon- Authors Ph.D. degree in electrical engineering from Ohio University within the Avionics Engineering itor Station; the patch antennas are Sherman Lo, Ph.D., is a Center. NovAtel GPS Pinwheel Model 702 from senior research engineer NovAtel, Inc., Calgary Alberta, Canada. at the Stanford Univer- Paul Bradley is chief tech- The software GNSS receiver and the spe- sity GPS Research Labo- nical officer of DAFCA, Inc. Bradley has more cialized signal authentication codebase ratory where he is the than 20 years’ experi- are implemented in MATLAB from the associate investigator for Stanford University’s ence in electronics and MathWorks, Inc., Natick Massachu- efforts on the technical evaluation of Loran and systems design and spe- setts, USA. also works also on a variety of GNSS-related secu- cializes in product devel- rity and integrity topics. He received the Ph.D. opment and engineering leadership in emerging degree in aeronautics and astronautics from Stan- technology markets. He has held numerous engi- Disclosure: The first three authors ford University and has received the Institute of neering and technical leadership positions at are members of the Stanford Univer- Navigation Early Achievement Award and the Motorola, Nortel, CrossComm, Sonoma Systems, sity GPS Laboratory and have formed International Loran Association President’s and Internet Photonics prior to joining DAFCA. the start-up company Zanio to pursue Award. development of GNSS security and authentication technology.