The Galileo program is about to launch its eagerly anticipated navigation message authentication service. It will be no panacea but the first step in a gradual process of fully securing one of the fundamental technologies of the 21st century.
GNSS jamming and spoofing continue to draw keen audience interest at the hottest, coolest and even the most obscure tech, trade and public policy conferences. Speakers can now recount any number of real-world spoofing incidents where GNSS users have been fooled by tech wunderkind, unwitting technology demonstrators and even enemy regimes.
The answer, as far as spoofing incidents are concerned, is signal authentication. Europe’s Galileo program wants to be the first to offer this basic GNSS security measure to the masses.
“You say ‘Galileo authentication,’ and I think ‘Oh goodie—when?’” stated Sandy Kennedy, VP Innovation at Hexagon’s Autonomy & Positioning division. In that phrase, Kennedy neatly expressed the enthusiasm and impatience with which the industry awaits such a service.
According to Ignacio Fernandez-Hernandez, European Commission Galileo Commercial Service Manager, the Galileo program has been thinking about signal authentication at least since 2013, in the context of its then-envisaged Commercial Service. In 2017, the program officially announced its intention to offer a free Open Signal Navigation Message Authentication (OSNMA) service. Since then it’s been mostly a question of Galileo teasing its users, with no clear launch date announced.
“We are still waiting on final details, and the test period that we have been awaiting since 2017,” said Kennedy. “At the Munich Satellite Summit in March 2019, it was announced that OSNMA testing would begin in Q3 2019. Which has not happened to my knowledge. The ICDs for OSNMA on E1B or commercial authentication services on E6B/C have not been released either. The approach seems to be publish papers by JRC/GSA staff that describe the intention at various industry conferences, but an official ICD has not been released. So we wait for that, and live signals in space to verify with.”
Fernandez-Hernandez explained, “It has been very demanding to add OSNMA to the baseline of a complex program such as Galileo.”
The waiting may soon end. The European Commission now says Galileo will start OSNMA signal-in-space transmission in the first quarter of 2020 and have full service available in 2021.
NMA in a Nutshell
The impact of GNSS on modern life cannot be exaggerated. It has become a dependency-forming technology, whether in the realms of business or leisure, private or public, much like the Internet preceding it. However, unlike today’s wi-fi and 4G-based Internet, with firewalls, passwords and antivirus programs, open-signal GNSS transmissions are mostly unprotected.
“From a security perspective, one of the core problems with current civil signals is that they do not include any authentication features,” according to Logan Scott, principal at LS Consulting. “Simple signal generator [spoofing] attacks based on software-defined radio technologies are easy to mount on unwary receivers. The fact that GNSS signals are so weak makes this all that much easier, since a high-power transmitter is not needed.”
Scott said there are ways to detect spoofing attacks, but none are 100% reliable, and the most reliable ones require additional hardware. On the other hand, there are some types of GNSS signal features that can help against such attacks, one of which is NMA. “NMA uses digital signing algorithms much like those used to validate websites,” he said, “to provide assurances that the transmitted data is actually the correct data and not some fake set of parameters.”
The NMA sender uses a secret key to generate an authentication signature from the original message. Both message and signature are then transmitted to the receiver, which uses a key to verify that the message and authentication signature correspond. Thus, the receiver can affirm that the transmitted and received message are the same, and that the authentication message was generated by someone with access to the transmitter’s secret key.
The Galileo NMA signal will be disseminated over the E1B frequency and is to be available to single-frequency users, explained Reinhard Blasi, Market Development Officer at the European GNSS Agency (GSA). “We define NMA as giving us the ability to guarantee to users that they are utilising non-counterfeit navigation data that comes from the Galileo satellites and not from any other potentially malicious source. Galileo’s NMA is aimed at worldwide consumer users and is to be offered for free.”
The service will also be backward compatible, Blasi said. “By this we mean current OS users’ performance won’t be affected, and there is no obligation to actually use the NMA signal when it becomes available,” he said.
One Small Step
“In general, OSNMA is a good feature for Galileo to offer,” said Kennedy, “especially for receivers that are relying on the signal in space to provide almanac and ephemeris information.”
But as Mark Petovello, former University of Calgary professor and Inside GNSS columnist, now with Apple, has pointed out, there are clear limits to what NMA can do: “Certain types of spoofing attack are detectable when NMA is implemented. However, NMA on its own is insufficient for full position, velocity and timing [PVT] authentication, since this requires both the navigation message and range measurements from each satellite, and NMA does not authenticate the range. This is the most important limitation of NMA-only approaches.”
“We know that NMA cannot straightforwardly authenticate the ranging signal,” said Fernandez-Hernandez, “but if used wisely, it can still provide many advantages. OSNMA is a step in the right direction, but a very significant one. If navigation data is a valuable asset, then it has to be protected, no matter what spoofers can or cannot do. Most of the digital data we use nowadays, for example on social networks, web pages or mobile phone communications, is protected by some sort of authentication, but this is not yet the case for satnav data.”
The Galileo program wants to be sure that it does not create too high an expectation at this juncture. It has been burned in the past when it could not deliver on promises, mostly involving overambitious timetables. The GSA’s Blasi also acknowledged NMA’s limitations: “The OSNMA capability contributes to enhance the resilience of the OS PVT solution, but it is not expected to provide a PVT solution fully secure against all spoofing threats. It does not authenticate PVT; this would require authentication of both the navigation message and range measurements. The aim of OSNMA is indeed to authenticate data for geolocation information from the Open Service through the navigation message (I/NAV) broadcast on the E1b signal component, and that is intended as an important but not unique and sufficient contribution to a full, user-level, end-to-end authentication.”
The Service Formerly Known as CS
So a gap will remain in Galileo’s armor when the NMA service comes on line. Could this leave room for industry to innovate, for enterprising commercial providers to fill the gap with the missing range-authentication component?
One early objection to the Galileo program offering ever-improving services for free was that it would cut into the business of Europe’s own commercial sector, which the program’s owner, the EU, is sworn to defend. The European Commission has generally taken the line that European industry will always innovate new business cases and commercial offers, whether in the area of high precision or security, regardless of the level or type of free service made available by open GNSS.
Either way, the Galileo program appears intent on moving forward with further authentication measures beyond the OSNMA service. Blasi stated that a much higher level of authentication will be provided by the limited-access Galileo Public Regulated Service (PRS), although its availability date remains unclear. “And in between those two will be another new Galileo service, previously designated as the Galileo Commercial Service (CS),” he said, “comprising a data-authentication signal that will be access-controlled, perhaps provided for a fee, based on the spreading code encryption of E6C plus some ancillary data in E6B/E1B, including OSNMA.”
This full signal-authentication service, formerly envisaged as a component of the CS, will be incorporated in the years following the introduction of the OSNMA, said Fernandez-Hernandez. “And this will be complemented by authentication of most Galileo signals and messages in the second generation of Galileo.” While various parties may still refer to this ‘signal authentication service’ by its former moniker of CS, Fernandez-Hernandez said, “this does not necessarily mean that it will be provided for a fee. This is still under analysis.”
Thus, at some point in the unspecified future, Galileo users will have multiple authentication options available, with the ability to determine for themselves which service best answers their particular vulnerabilities and security needs.
In Defence of OSNMA
Some observers question the value of OSNMA. Is the public cost of implementing this kind of rudimentary data authentication in Galileo or any GNSS actually worth the level of protection it offers? Fernandez-Hernandez replied, “The Galileo program is implementing it because it is taking benefit of already existing features inherited from the safety-of-life service that were dropped from Galileo some years ago. Thanks to that, its implementation and 10-year operation cost is estimated by GSA as only 0.2% of the total program cost.”
Similar questions have been raised about the value of enabling OSNMA in receivers. Is it worth the trouble to do this work, given the debatable level of protection provided by OSNMA or GNSS authentication in general?
Fernandez-Hernandez again: “In fact, OSNMA is reasonably simple to implement on the receiver side. The GSA can confirm this as they’ve already demonstrated the implementation of OSNMA in various EU-funded projects, including the PATROL project by STmicroelectronics and FANTASTIC by Septentrio.”
Why use OSNMA or even signal authentication if receivers can deliver anti-spoofing protection based on inertial sensors or signal processing? “GNSS authentication and receiver-based antispoofing aren’t mutually-exclusive, but complementary,” said Fernandez-Hernandez.
“Regarding the receivers,” he said, “OSNMA is a new service, never implemented in satnav as we know it, and this leads to new situations in the receiver that we will have to deal with. From a technical point of view, we must ensure that adding authentication does not degrade the satnav experience by reducing availability, receiver performance, or creating intermediate states that receivers have not been designed to handle.”
To help manufacturers through these potential issues, he said, the Galileo program will soon publish OSNMA receiver implementation guidelines. “The receivers will need to have basic anti-tampering measures to protect the cryptographic information, and they should also perform consistency checks to fully benefit from GNSS authentication.”
A particular challenge, he said, is to ensure the authenticity of the receiver position. “Doing that for data is relatively easy, but as we all know, satellite navigation depends on the signal’s time of arrival, which the receiver calculates. Signals are affected by many error sources, and there are always stochastic processes involved. Signals can be reflected, or even replayed. So instead of being ‘provably secure’, which is the term generally used in cryptography, we can only talk about a ‘probably secure’ position. The challenge is to ensure that this probability is as high as possible.”
Another interested observer pointed out that most of today’s receivers are assisted: they receive data from a ground server. What’s the advantage of authenticating data from the OSNMA signal if it can be authenticated on the ground by a third party? “NMA adds continuous unpredictability to the signal,” Fernandez-Hernandez said. “This feature makes the signal difficult to spoof for all types of receivers, including assisted and non-assisted ones. In addition, NMA cryptographic keys can simplify the authentication of GNSS data assistance services and make them more robust.”
He also pointed out that of the 6.4 billion satnav receivers now working, about 10% are non-consumer devices. “About 500 million of these serve in road applications, 30 million are in drones and there are about 10 million being used in maritime applications, and all of these are generally non-assisted. So these applications may be even more dependent on signal-based message authentication.”
The User Benefits
The proposed Galileo ‘hybrid symmetric/asymmetric’ NMA, a designation that we won’t explain here, is not the only means to authenticate an open GNSS signal. The proposed implementation of a ‘symmetric’ NMA, on the new L1C GPS signal has been described elsewhere, and Logan Scott has proposed an authentication method involving the use of a ‘digital watermark.’ All methods come with inherent strengths and weaknesses.
Reinhard Blasi said the trend is towards authentication as a priority for safety-critical applications. Carlo des Dorides, Executive Director, GSA, has said, “Autonomous driving is a growing interest, and GNSS is a key enabling system, along with cameras and other technologies. Signal authentication is seen by many as a prerequisite for driverless mobility, providing much-needed assurance against the very real threat of spoofing.” Any number of other pertinent application areas can easily be envisaged.
As a free service, OSNMA will differentiate Galileo from other GNSS. Hexagon’s Autonomy & Positioning division President Michael Ritter said, “Even in the civilian world, having a Galileo constellation, hopefully soon with an authentication signal, and at the same time having the GPS constellation, it will be much harder to attack the signal.” As to Galileo’s stand-alone value, he added
“It’s nice to see more and more satellites coming online, delivering greater and greater accuracy, but the real focus should be on authentication. When I talk to people about Galileo, that’s the real seller.”
NMA is only one tool that receivers can use against spoofing, but it would seem to be a step in the right direction, and many will be eager to give it a whirl. There’s nothing like getting a great idea off the drawing board to test it, use it and appreciate it in the real world.