Method and Apparatus for authenticating a satellite navigation signal using the signal of the Galileo Commercial Service, to Qascom S.r.l. of Italian nationality with Head Office in Bassano del Grappa (Vicenza), Via O.Marinali N.87 Technical field

[0001] The present invention concerns a system and a method for authenticating satellite navigation signals (GPS and Galileo), and particularly authentication techniques of the signal and relative checking of falsification. The invention uses the encrypted signal "commercial service" of the Galileo system to detect falsification attacks of the signal carried out on free signals.

State of the art

[0002] Navigation Satellite Systems (Global Navigation Satellite Systems GNSS) are increasingly used as precise positioning and timing system in critical applications both in terms of finance and in terms of protecting human life. The use of such technologies has been adopted in many fields without evaluating how much a spoofing attack of the signal can create potential risks of economic loss or problems on the safety and protection of human life. Certain positioning and time are a requirement not only for critical applications, but also for information security services, like location based encryption (location based access control, LBAC) and position certification, which are used for limiting the access to information or resources on the base of a particular position or time. A spoofing attack has the objective of compromising the time and position calculated by a receiver thereby generating a simulated GNSS signal that seems real to the receiver. Theft and terrorism are typical scenarios for spoofing attacks towards applications like the monitoring of hazardous transportation or precious materials and synchronization of the time through GNSS. The cost for carrying out a spoofing attack is no longer a deterrent since GNSS simulators can be rented at low cost, and they can be developed with low-cost hardware like "software defined radio" platforms. The "receiver-spoofer" concept, a GNSS receiver connected to a GNSS transmitter, has been demonstrated on such platforms.

[0003] We will now refer to figure 1. Such a figure represents how a falsification signal attack, or spoofing attack can occur. The satellites (101) for satellite global navigation (GNSS) generate the signal (102) that is transmitted from space to the receiver. Such a signal is received by a receiver (103) and is processed in order to obtain the position, speed and time data (107). A spoofing attack is carried out by another apparatus, called "spoofer" (106), which, through a single antenna (105), emits a signal which is replica and equivalent to all the signals transmitted by the satellites (104). Such a signal, if suitably calibrated in terms of power and synchronised with the signals of the satellites, can be used to falsify the position of the receiver as wished.

[0004] There is an ever-increasing need to authenticate the satellite navigation signal for critical financial applications and for applications relating to protecting human life. The Galileo "Safety of Life" _, service should have guaranteed such an opportunity through authentication of the integrity data transmitted by the satellites, but such a service has been for the moment delayed. [0005] Many techniques have been proposed to mitigate such a problem in receivers, and they can be summarised as: a. Techniques based on the use of external sensors; b. Techniques based on the analysis of the signal and of the observable data derived therefrom; c. Techniques based on the identification of data that cannot be predicted by spoofers.

[0006] The first category of techniques comprises the use of inertial systems or the use of opportunity signals that, compared with the satellite navigation signal, makes it possible to check whether the two positions are coherent. Some patents concerning the second and third category are described hereafter, together with the relative limitations with respect to the proposed innovation.

[0007] Document EP 2162865 A2 (Processing of satellite navigation system signals, published in 2010 by NXP B.V.) claims a system that implements a locating service that comprises (a) a satellite navigation receiver (which comprises a radio apparatus for the acquisition of raw signal samples) and (b) a central system that receives from the receiver (a) both the position and the time and the raw signal samples. In order to check the authenticity of the position and of the time, the central system checks that the raw signal samples are consistent with the time and the position calculated in the receiver. Such an invention does not take into account that the raw signals can be spoofed (spoofing), and only deals with solving the problem of the falsification of data transmitted by the receiver, assuming the difficulty of generating fake signals. [0008] Document EP2397868 A1 (Method of providing an authenticable time-and-location indication, published in 2011 by the European Union) claims a method for authenticating position and time using an encrypted satellite navigation signal. The encrypted signal is used to calculate the position and time in the receiver, using keys of the system installed in a secure area of the receiver; position and time are then digitally signed and sent to the central system together with other information. The aforementioned invention, unlike the one proposed, amongst other things requires the receiver to be equipped with security systems to store the keys, making the receiver complex and very expensive.

[0009] Document no. US 2009/0195354 A1 (Authenticating a signal based on an unknown component thereof, registered in 2008 by Peter Levin, David S. De Lorenzo, Per K. Enge, Sherman C. Lo) and patent no. US 2012/0121087 A1 (Spoofing detection for civilian GNSS signals, published in 2010 by Mark L. Psiaki) claim a method for checking the authenticity of the satellite navigation signal. They use the comparison of the signal received by two different satellite receivers to check that the first receiver has values, which a priori are unknown, equal to those sent by the second. The aforementioned invention is very different from the present one since, amongst other things, the method is based on the comparison between signals received by different receivers without knowing keys, and in order to work it requires the installation of various reference stations in the required coverage area.

[0010] As described in EP2397868 A1 , the Galileo Commercial Service (CS) was devised for services that foresee a payment for access to the signal. For this purpose, the design foreseen for the CS foresees the development of counterfeiting-resistant receivers that can store the encryption keys used for accessing the signal. Such a design becomes similar to the approach used in military receivers. However, such an approach is very expensive, both in terms of hardware and in terms of cost of the service to distribute and load the encryption keys in the receivers. The costs involved in such a process would make it difficult for such technology to enter the markets that require the authentication of the signal but at the same time minimum costs. Such markets comprise, for example, motorway payments based on GNSS and payments by electronic commerce.

[0011] The article "Anti-spoof ing and open GNSS signal authentication with signal authentication sequences", SATELLITE NAVIGATION TECHNOLOGIES AND EUROPEAN WORKSHOP ON GNSS SIGNALS AND SIGNAL PROCESSING (Navitec), 2010 5 ^th ESA WORKSHOP ON, IEEE - 8 December 2010, by Oscar Pozzobon et al. Teaches an authentication system of GNSS signals that can be integrated in the GNSS signal itself. The system taught in such a document foresees to provide, on the same frequency, an encrypted service, in which the spread spectrum code is secret, and an unencrypted service synchronised with the previous one, through which portions of the secret spread spectrum code are transmitted together with their generation time; such sequences are then correlated with the encrypted signal. The encrypted service is in quadrature phase with respect to the unencrypted signal. In this article, it is taught that the portions of encrypted code, i.e. the signal authentication sequences (SAS), are transmitted by the satellite in orbit. The apparatus that checks the authenticity of the signal has no knowledge of the encryption keys with which the encrypted signal was generated, but, autonomously, uses the sequences received to carry out a correlation with the channel in quadrature phase and check the passage of said sequence at the predetermined time.

Purposes of the invention

[00 2] The main object of the present invention is to improve the state of the art relative to systems and methods for authenticating an unencrypted satellite navigation signal.

[0013] Another object of the present invention is to provide a system for authenticating an unencrypted satellite navigation signal that has an alternative configuration with respect to the configurations of conventional apparatuses.

[0014] A further object of the present invention is to provide a method for authenticating an unencrypted satellite navigation signal that is an alternative to the conventional methods and easy to be implemented.

[0015] According to a first aspect of the present invention, a method for authenticating an unencrypted satellite navigation signal according to the attached claim 1 is provided.

[0016] According to a further aspect of the present invention a system for authenticating an unencrypted satellite navigation signal according to the attached claim 8 is provided.

[0017] The dependent claims refer to preferred and advantageous embodiments of the invention.

Brief description of the drawings

[0018] Further aspects and advantages of the present invention will become clearer from the following detailed description of some currently preferred embodiments thereof, illustrated purely as a non-limiting example in the attached drawings, in which: figure 1 illustrates, in general, how a spoofing attack of an unencrypted satellite navigation signal can occur; figure 2 shows a schematic representation of a system for authenticating an unencrypted satellite signal according to the present invention; figure 3 is a schematic representation of the main components of a first apparatus of the system according to the present invention; figure 4 illustrates the progression of the satellite navigation signals according to a first variant of the authentication method according to the present invention; figure 5 shows the progression of the satellite navigation signals according to a second variant of the authentication method according to the present invention; figure 6 is a block diagram of the method for authenticating a satellite navigation signal according to the present invention; and figure 7 illustrates a functional block diagram of a second apparatus of the system according to the present invention.

Description of the invention

[0019] The proposed authentication method requires the use of the Galileo Commercial Service (CS) or of other encrypted satellite navigation signals. The Galileo CS is a value added service integrated in the Galileo satellite navigation system. The signal is transmitted over the frequency E6 (1278.750 MHz), and it is a Binary Phase Shift Keying (BPSK) phase change signal in which data are transmitted through a spread spectrum of the signal at a chip frequency of 5Mhz. On the frequency E6 the combination of three channels is transmitted with a single signal: E6A, E6B and E6C. Channel E6A is reserved for governmental signals, whereas channels E6B and E6C are dedicated to CS. Channel E6B can transport data (so-called "satellite navigation messages" or "navigation messages"). In frequency E1/L1 signals from various systems are transmitted, including GPS, Galileo, Glonass and Beidou, which contain unencrypted channels, like the channel GPS C/A and the channel Galileo E1 B. Such channels too contain data. In the context of such a patent configurations are taken into consideration in which signals transmitted over an unencrypted channel (like GPS C/A or Galileo OS) are checked through an encrypted channel (like Galileo E6B). For every frequency, the signal received by the receiver is the juxtaposition of signals transmitted over different channels. In order to avoid ambiguity in identification, each of such signals can sometimes be called "component" (for example, component of the signal received relative to the channel E1 B).

[0020] The signal foresees the support for the encryption of the spread spectrum code ("spreading" code), thus making the signal not- obtainable by anyone not in possession of the keys. At the date when such a document was written, the content of the data transported in the signal of the CS had not been defined yet. However, an innovative detail of the invention in object is that the authentication system is independent from the data that will be transported in the channel. This is possible since in order to authenticate the signal only the spread spectrum codes, also called Pseudo Random Numbers (PRN), are used, which in the case of the signal CS can be encrypted and thus cannot be determined without knowing the encryption keys.

[0021] At the date at which such a document was written only 4 Galileo satellites are in orbit, and they do not transmit data in the signal of the CS. Moreover, it is currently impossible to predict when the data transmission service will be available, and with what characteristics. An innovative detail of the invention is that with 4 satellites only circulating in orbit, the authentication system could still be used without waiting for the complete service to come into effect.

[0022] Let us refer to figure 2, which represents (201) one or more satellite systems (GPS, Galileo, Glonass or Beidou) transmitting unencrypted signals (not encrypted) for civil use and at least 1 or 2 Galileo satellites that transmit the signal CS (channel E6B or E6C, or that signal which will be encrypted). The signals that travel in space (202) have a different frequency, since the unencrypted signals like GPS Coarse Acquisition (C/A) and Galileo Open Service (OS) transmit in the frequency E1/L1 ( 575.42 MHz) whereas the signal of the Galileo CS travels in the frequency E6 (1278.750 MHz). Such signals are received by a first apparatus, called authentication apparatus (208) that uses two different antennae for receiving the two frequencies E6 and E1/L1 (203,204). Such an apparatus processes the signals and transforms them into digital, thereby allowing the telematic transmission of processed data (205) to a second apparatus, preferably an authentication server (206). The authentication server uses a standard GNSS reference receiver to extract the navigation messages of the signals in E1/L1 useful for determining the transmission time (207) described hereafter. The transmission can take place with any digital data transportation means like wifi networks, internet networks or via cellular network. It should be noted that the authentication apparatus (208) does not contain the decryption keys of the Galileo CS. It is thus impossible for the apparatus to decrypt the signal, carry out measurements or extract data. On the other hand, it is possible for the authentication apparatus (208) to decrypt and carry out time and distance measurements from the satellite for the unencrypted signals in the frequency E1/L1 , like for example the GPS C/A or Galileo OS service.

[0023] If, as an example, the signals of the Galileo CS and Galileo OS are taken as reference, they will be transmitted by the same satellite, but the spread spectrum codes will be synchronised at a single time reference, typically called system time. The concept of synchronisation of the spread spectrum codes of the Galileo CS with the Galileo OS, or of synchronisation of the codes with times of other systems forms the basis of this invention.

[0024] The signals processed and the measurements made on the unencrypted channels by the authentication apparatus are transmitted to the authentication server that has the keys required for encoding the encrypted signal. The invention is based on the concept that 2 spread— spectrum sequences transmitted over different frequencies by the same satellite must have a time correspondence, since they have been generated simultaneously by the same satellite at the same moment. At the same time, spread spectrum sequences generated by other satellites at a particular time for which it is possible to calculate the difference of the Galileo time (for example the difference of the GPS time from the Galileo time) must have time correspondence with the Galileo spread spectrum sequences, once the time difference between the different systems and the time difference given by the different positions of the satellites at the moment of transmission have been determined. The concept of time correspondence includes all of the possible measurable delay contributions (like for example the Broadcast Group Delay relative to signals transmitted over different frequencies), not explained hereafter so as to keep the presentation brief.

[0025] The security of the system is based on the concept that while the unencrypted signals can be generated, and thus spoofed (spoofing), the encrypted signals cannot be regenerated since the keys for generating them are not available. In this invention we refer to the need to authenticate unencrypted signals using the encrypted signal of the Galileo CS, but other existing or future encrypted signals can be used, like for example the Galileo Public Regulated Service (PRS), should they be synchronised in a transmission phase and there is access to the decryption keys.

[0026] Let us now refer to figure 3 which represents a block diagram of the high-level authentication apparatus (304). Such an apparatus has the function of acquiring and synchronising the signals received, and transmitting them to the authentication server. The signal of the frequency E1/L1 is received by a dedicated antenna (303) and is converted to a baseband frequency (305). Such a signal is then digitized by an analogue digital converter (306) and is used by the digital processing block (307) to extract information necessary for the synchronisation and extraction of information on the reference time. Since it is a signal that contains unencrypted channels, the digital processing block is able to acquire the signal, to determine the start of the spread spectrum code for the unencrypted channels sought (for example E1 B), and to extract the data contained therein. The processing block can also extract the system transmission time (TOW) and calculate the transmission time to the receiver (TO: moment of generation and transmission, by the satellite, of the spread spectrum code, referring to the time of the receiver) of such a specific satellite navigation message and use a synchronisation mechanism (308) to align the spread spectrum codes both of the digitized signal E6 (309) and of the digitized signal (for example E1B) in E1/L1 (306). The digital data obtained by the processing block of the signal over the unencrypted channels are combined, compressed and made available for the transmission through a communication interface (310) like for example a USB, Ethernet or serial port.

[0027] In order to better explain the logic of the authentication, let us refer to figure 4 that represents the case of checking a Galileo Open Service signal transmitted in the frequency E1/L1 with a Galileo CS signal transmitted in the frequency E6. Once the signals E6 (402) and E1/L1 (403) have been received at a time Trx, it is necessary to find the transmission times to the receiver (TO) of the Galileo Open Service code received in E1/L1 (TO: moment of generation and transmission, by the satellite, of the spread spectrum code, referring to the time of the receiver) and its delay τ, in the signal samples received at time Trx (404). The algorithm for searching the transmission time is described hereafter. Once the delay has been estimated, TO and τ are used to generate the reference code of the Galileo CS (channel B or C) at the precise moment (401). In order to do this, the algorithm also needs the encryption keys of the signal. The code of the Galileo CS generated (401) at time TO can thus be correlated with the signal E6 received at time Trx carrying out a cross-correlation, and a value above a certain threshold will determine that the code E6 is coherent with the code E1/L1 , checking the authenticity of the signal E1/L1. In the case of an inauthentic signal, in the time position Trx a code corresponding to the signal E6 received will not be generated.

[0028] Let us now refer to figure 5, which represents the same example of figure 4 but applied to the case of checking a non-Galileo signal (example GPS or Glonass) received in the frequency E1/L1 and of the signal of the Galileo CS received in the frequency E6. Once the signals E6 (502) and E1/L1 (503) have been received at a time Trx, it is necessary to find the transmission time TO of each signal GNSS (non- Galileo) received in E1/L1 and its delay τ from Trx (504). The algorithm for searching the transmission time is described hereafter. Once the transmission time to the receiver (TO) has been estimated, it is necessary to calculate the time difference ΔΤ (505) that exists between the moment at which the spread spectrum code was transmitted by the Galileo satellite in E6 and the moment at which the spread spectrum code in E1/L1 on a non-Galileo satellite has left, in order to find the reference time in which to generate the reference code E6 for the check. This is possible by calculating the following two values: d. The information of the orbits of the GNSS satellites to be checked and of the Galileo satellites, in order to calculate the time difference ΔΤ between the two codes. e. The difference between the time of the Galileo system (Galileo System Time, GST) and the time of the GNSS system received over E1/L1.

[0029] TO, τ and ΔΤ are used to generate the reference code of the Galileo CS (channel B or C) at the precise moment (501). In order to do this the algorithm also needs of the encryption keys of the signal. The code of the generated Galileo CS (501) can thus be correlated with the signal E6 received by carrying out a cross-correlation, and a value above a certain threshold will determine that the code E6 is coherent with the code E1/L1 , checking the authenticity of the signal E1/L1.

[0030] Let us now describe the algorithm to seek the transmission time TO (at the receiver), described in figure 6. Such a time can be determined both in the authentication apparatus and in the remote authentication server. In the case of calculation of the transmission time in the apparatus (left branch of the diagram in figure 6), it must proceed to the acquisition and tracing of the satellite navigation signals transmitted unencrypted in E1/L1 , with at least 4 satellites. Once the bits of the navigation messages (step 606), the ephemeris and the system transmission time (Time of Week, TOW) have been extracted, the apparatus is able to estimate, for each satellite, the pseudorange measurement (or estimation of the distance between receiver and satellite) from the satellite (p) and the reception time or receiver time (Trx). For each satellite, the transmission time to the receiver TO is obtained by calculating (step 607) T0=Trx - (p/c). Once the transmission time TO to the receiver has been found for each satellite, the system can proceed to acquire the signal E6 (step 609) coherently and to transmit to the remote authentication server (step 610) the digitized signal E6 and TO.

[0031] In the case of calculation of the transmission time to the receiver TO in the remote authentication server (right branch of the diagram of Figure 6), the authentication apparatus records the signals E6 and E1/L1 in a synchronised manner (612), using an internal clock. With this option the authentication apparatus must be able to obtain an approximate reception time of the signals ~Trx. Such a time ~Trx can be inputted by the user, or derived from at least one external source (for example from an internal support clock, from GSM apparatuses, from Internet connection, etc). Such a time and the signals are transmitted to the remote authentication server (613). The authentication server continuously receives the bits that travel in space from at least one reference receiver (615), and extracts the bits (or navigation message) at the reference time ~Trx (614). Such bits contain the system time (Time of Week, TOW) and are aligned with the bits of the signal E1/L1 , in order to find the transmission time to the receiver TO (616). The length of the signal E1/L1 (and therefore the number of bits present in it) must be evaluated accurately in order to reduce the collisions between bits in the case of signals that are too short.

[0032] Let us now refer to figure 7, which represents a functional block diagram of the authentication server (206). The objective of the authentication server is to check the signals to determine the authenticity of the signal E1/L1. Such a block receives the signals recorded and data from the authentication apparatus (701 and 714), and carries out the checking operations to search for the presence of a signal of the commercial service. Depending upon the approach for determining the transmission times to the receiver (TO) obtained from the signals E1/L1 as explained in the previous paragraph, the system seeks the TO from the signal samples received by the remote authentication server or uses the TO calculated by the authentication apparatus. In the case of searching for the transmission time to the receiver TO by the authentication server, for each satellite a baseband reference signal (711) and the local replica of the PRN code of the signal E1/L1 to be searched for (710) are generated. The search function of the transmission time of the code (709) carries out the acquisition and tracing operations of a determined PRN code on E1/L1 , extraction of the bits, and aligns the extracted bits with the bits received by the external GNSS reference receiver (715). The bits of the external reference receiver also contain the system time (TOW) that is used as time reference. Once the alignment has been found, and given the system time reference (TOW), the system can determine the transmission time TO of the signal E1/L1 , which is passed to the generation block of the local replica for the signal E6 (705). In the case of non-Galileo signals, the time ΔΤ obtained by calculating the position of the satellites from the ephemeris of the system in question and the clock offset with respect to Galileo is also calculated. In the case in which the transmission time is provided by the authentication apparatus, it is directly supplied to the generation block of the encrypted code E6 (705). The authentication motor receives the signals E6, and generates the replica of the baseband carrier of the signal (703). Since the signal is encrypted, it is necessary to generate the encrypted code at the correct moment as a local replica (705) to carry out the correlation with the signal received. This will be used to check whether the signal received is authentic. The generation of the encrypted code takes place by accessing a security module (708) that contains the encryption keys necessary to regenerate the signal at a given time. Once the signals received and the encrypted signal generated locally are combined, a checking block of the authentication (707) will carry out the correlation between the signals to check for the presence of peaks, and thus determine whether the signal E1/L1 , potentially falsifiable, was transmitted coherently with the signal E6, which is not falsifiable (707). Thresholds that can be set via software both on the value of the peak and on the search window can determine the value for the decision whether the signal is authentic or not. The checking block of the signal (707) has a true/false value as output. [0033] The research leading to these results has received funding from the European Union Framework Programme (FP7/2007-2013) under grant agreement n° 277699-2.

[0034] The system and the method for authenticating an unencrypted satellite navigation signal described above can undergo numerous modifications and variants within the scope of protection of the following claims.