Advances of SBAS authentication technologies

Satellite Based Augmentation System (SBAS) provides corrections and integrity information to users, but its signal format is open to the public, and Global Navigation Satellite System (GNSS) spoofing technology is becoming more realistic, more feasible and cheaper. It is therefore foreseeable that SBAS will face spoofing threats in the future. SBAS signal authentication technology provides a system-level solution to spoofing threats by adding special markers to SBAS signals so that receivers can verify whether the SBAS signals are from the on-orbit Geostationary Earth Orbit (GEO) satellites or whether the signal information has been forged and tampered with. First, this article introduces the existing anti-spoofing methods that can be applied to SBAS, especially the Elliptic Curve Digital Signature Algorithm (ECDSA) and Timed Efficient Stream Loss-Tolerant Authentication (TESLA) protocols. Then it discusses four possible solutions in combination with the existing SBAS Interface Control Document (ICD). Two main Key Performance Indicators (KPIs), Time Between Authentication (TBA) and Authentication Latency (AL), obtained in the four main scenarios are compared. By analyzing the EGNOS Authentication Security Testbed (EAST) simulation results for the European Geostationary Navigation Overlay Service (EGNOS), the impact on SBAS of adding the authentication service is obtained.


Background
Satellite Based Augmentation System (SBAS), as a wide-area augmentation system, broadcasts differential corrections and integrity information to users to improve the accuracy, availability and integrity of its services over a wide area (RTCA MOPS 229). Applied in the safety-of-life field, SBAS can meet the navigation needs of civil aviation from the en-route phase to the precision approach phase of an aircraft. As SBAS Dual Frequency and Multiple Constellation (DFMC) technology has been developed (TAN, 2008), its services can play an important role in fields with high integrity demands such as aviation, navigation, and railway. In addition to being vulnerable to natural disturbance and electromagnetic interference in complex environmental conditions, SBAS is subject to malicious spoofing attacks because of its open signal format, which can cause receivers to capture deceptive signals without being aware of it, leading to integrity risks. Improving the security of SBAS services has become an important task in SBAS technology development.
SBAS authentication technology provides a solution to this problem by adding special markers to SBAS signals (Psiaki & Humphreys, 2016) so that the receivers can verify whether the SBAS signals are from the on-orbit Geostationary Earth Orbit (GEO) satellites and whether the signal has been forged or tampered with. The technology ensures the integrity of signals and navigation messages and provides authentication services. Without affecting the usage of SBAS services, it provides users with more secure navigation messages by adding navigation message integrity verification and signal source identification so as to tackle spoofing attacks.

Open Access. Satellite Navigation, https://satellite-navigation.springeropen.com/. Correspondence: gwg9821@163.com, Beihang University, Beijing, China.

Evolution of navigation signal authentication
The basic principle of authentication is that the message sender conducts cryptographic operation on the original message to generate an "authentication symbol" and sends it to the receiver along with the original message. Then the receiver validates message integrity and authenticates identity by verifying the symbol.
Global Positioning System (GPS) authentication was first proposed by Scott in 2003 (Scott, 2003). As software and hardware costs fall, it would become easier to generate GPS spoofing signals in the future. Applying a cryptographic algorithm to civil GPS navigation messages and spreading codes was proposed to protect GPS signals from spoofing attacks, and three levels of protection measures were put forward, i.e., message authentication, public spreading code authentication, and encrypted spreading code authentication. In 2004, the potential market for Galileo Navigation Satellite System (Galileo) authentication service was outlined by Pozzobon et al., who indicated Galileo authentication would be used for open services, life safety services, and public regulatory services (Pozzobon et al., 2004). Subsequently, two methods, Elliptic Curve Digital Signature Algorithm (ECDSA) and Timed Efficient Stream Loss-Tolerant Authentication (TESLA), were proposed for navigation message authentication (Wullems et al. 2005). An authentication method based on the GPS-L1C message, which mixes ECDSA and TESLA in the navigation message to authenticate users with low requirements for synchronization, was proposed by a research team at the University of Texas. In 2017, Galileo provided the Galileo signal authentication service for the first time, which featured the Open Service Navigation Message Authentication (OS-NMA) message structure integrated into the Galileo I/NAV message sequence with the TESLA protocol, and standardized generation and verification of the Message Authentication Code (MAC) and keychain (Chiara et al. 2017).
There are two types of navigation signal authentication, i.e., Navigation Message Authentication (NMA) and Spreading Code Authentication (SCA). For NMA, a cryptographic marker is added to the navigation message, and the receiver uses the marker to authenticate the signal source. For SCA, unpredictable chips are inserted in an unencrypted public spreading code, and then the receiver verifies the unpredictable chips in the received code sequence with a cryptographic algorithm to authenticate the identity of the signal source. SBAS provides users with integrity messages, and message tampering is the major threat it faces, so NMA is adopted as the signal authentication method for SBAS. The SBAS system provides users with Global Navigation Satellite System (GNSS) corrections and integrity messages. Spoofing is carried out by generating false signals that are highly similar to the real SBAS signal and tampering with the message. A system-level spoofing countermeasure based on SBAS NMA has been provided against this kind of SBAS message tampering (Chiara et al. 2016, 2017).

NMA schemes for SBAS authentication
SBAS signal authentication adopts the NMA method (Fernandez-Hernandez et al., 2014). In order to protect the navigation message data, the Digital Signature (DS) or MAC is authenticated at the user terminal. There are two types of SBAS message authentication methods, i.e., DS and TESLA (Neish et al. 2018, 2019a, 2019b, 2019c). DS is based on asymmetric cryptography. The sender uses its private key to sign the message, while the receiver uses a public key to verify the signature of the message (Yuki, 2016).
DS adopts ECDSA, which uses Elliptic Curve Cryptography (ECC) to implement the digital signature algorithm. It has high security, but its signing and verification speed is low.
The TESLA protocol is a broadcast authentication protocol based on MAC designed by Perrig et al. (2000). This protocol uses a symmetric cryptographic mechanism to enable broadcast authentication of messages and achieves the asymmetry needed for broadcast authentication by delaying the release of the authentication key in a one-way keychain, which prevents message forgery and ensures the security of messages.
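The delayed key disclosure and one-way keychain described above, as an added example that is not code from the article or from any SBAS or EGNOS specification. The truncated SHA-256 hash, the HMAC-SHA-256 tag and its length, the one-interval disclosure delay and all function and class names are assumptions chosen for illustration.

```python
import hashlib
import hmac

KEY_LEN, TAG_LEN = 16, 8  # 128-bit keys as on the page; the tag length is an assumed value

def H(key):  # one-way step of the chain: K[i-1] = H(K[i])
    return hashlib.sha256(key).digest()[:KEY_LEN]

def make_chain(seed, n):  # sender: [K0..Kn]; K0 is the root that receivers hold in advance
    chain = [H(seed)]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain[::-1]

def tag(key, idx, msg):
    return hmac.new(key, idx.to_bytes(4, "big") + msg, hashlib.sha256).digest()[:TAG_LEN]

class Receiver:
    def __init__(self, root):
        self.idx, self.key, self.pending = 0, root, {}

    def on_message(self, idx, msg, mac, now_idx):
        """Buffer a message only while its key cannot have been disclosed yet."""
        if now_idx > idx or idx <= self.idx:
            return False
        self.pending[idx] = (msg, mac)
        return True

    def on_key(self, idx, key):  # check disclosed K[idx] against the chain, verify buffered tags
        keys, k = {idx: key}, key
        for j in range(idx - 1, self.idx - 1, -1):  # also recovers keys of lost frames
            keys[j] = k = H(k)
        if idx <= self.idx or not hmac.compare_digest(k, self.key):
            return {}
        self.idx, self.key, out = idx, key, {}
        for i in sorted(i for i in self.pending if i <= idx):
            msg, mac = self.pending.pop(i)
            out[i] = hmac.compare_digest(mac, tag(keys[i], i, msg))
        return out

def demo():
    """Constructed run: K1's frame is lost, a late forgery arrives, one frame is tampered."""
    K = make_chain(b"constructed seed", 3)
    rx, m = Receiver(K[0]), [b"constructed SBAS frame %d" % i for i in range(4)]
    rx.on_message(1, m[1], tag(K[1], 1, m[1]), now_idx=1)
    rx.on_message(2, m[2], tag(K[2], 2, m[2]), now_idx=2)  # K1's frame never arrives
    late = rx.on_message(1, b"forged", tag(K[1], 1, b"forged"), now_idx=3)  # K1 is public
    first = rx.on_key(2, K[2])  # K1 is recomputed as H(K2)
    rx.on_message(3, b"tampered", tag(K[3], 3, m[3]), now_idx=3)
    return late, first, rx.on_key(3, K[3]), rx.on_key(4, bytes(KEY_LEN))
```

The receiver's `now_idx` stands for its own loosely synchronized clock; the check in `on_message` is what turns a symmetric MAC into an asymmetric broadcast scheme, because a tag made with an already disclosed key is never accepted.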

Security level for SBAS authentication
The length of the key depends on the Security Level (SL) of the authentication service, which refers to the difficulty of breaking the cryptographic algorithm by brute force. For example, the 128-bit security level means that it would take 2^128 attempts to break. For symmetric ciphers, the security level is generally equal to the length of the key. For asymmetric ciphers, the security level is generally less than the length of the key. For example, for the ECDSA algorithm with a security level of 128-bit, the length of the private key is 256-bit, and the length of the public key is 512-bit. Considering the round expectancy of SBAS service, a security level of 128-bit is selected.

Comparison of the two KPIs from diverse schemes
Time Between Authentication (TBA) and Authentication Latency (AL), as Key Performance Indicators (KPIs) of SBAS authentication, were proposed by several researchers (Chiara et al., 2017; Enge & Walter, 2014; Fernandez-Hernandez et al., 2014; Neish et al., 2019a, 2019b). TBA, understood as the time between authentication verification events, is a relevant design parameter which balances robustness and performance. When the authentication message is transmitted frequently, it needs significant bandwidth and potentially degrades the performance; on the other hand, when the authentication message is transmitted infrequently, it forces the receiver to coast for a longer time using non-authenticated information (Figs. 1, 2).
AL, understood as the maximum time between the reception of a message and its authentication, is also a relevant parameter given that, unlike GNSS ephemerides, SBAS messages are continuously changing. AL is directly related to Time To Alert (TTA). The ideal authentication delay should not exceed 6 s, because the TTA is 6 s. AL and TBA are interrelated and their relationship depends on the scheme, as shown in Fig. 3.
Considering the channel (I/Q) and the authentication protocols (TESLA/ECDSA), four schemes were developed, as shown in Fig. 3.

Status of SBAS signal authentication
In 2016 the European Union (EU) proposed the European Geostationary Navigation Overlay Service (EGNOS) signal authentication plan (Chiara et al. 2016), then developed the EGNOS Authentication Security Testbed (EAST) (Chiara et al. 2017), preliminarily designed the authentication protocol, the authentication message broadcasting scheme and the key performance indicators, and continuously evaluated the authentication method. Alternatives for SBAS authentication include ECDSA digital signature and TESLA protocols (Chiara et al. 2017; Neish et al. 2018), in which ECDSA adopts the Elliptic Curve Schnorr (EC-Schnorr) standard.
The United States has not yet explicitly proposed the Wide Area Augmentation System (WAAS) authentication service plan, while a team from Stanford University has been actively promoting the formulation of SBAS signal authentication standard. They adopted the same alternatives as those used in Europe, including the ECDSA and TESLA protocols (Neish et al. 2019a, 2019b), in which ECDSA adopted the National Institute of Standards and Technology (NIST)

Fig. 3 Simplified scheme of the implementations of SBAS message authentication
Optoelectronics have carried out the research on NMA authentication (Liu 2015, 2018; Mu et al. 2020; zation Administration, 2016a, 2016b), and the simulation verification of Over The Air Rekeying (OTAR) broadcasting process was carried out.

Simulation results and analysis
Simulation trials based on the EGNOS EAST platform were carried out by Fernandez-Hernandez et al. (2014), and the results on the performance of SBAS authentication in the I/Q-channel schemes, as well as SBAS authentication, were presented.

Simulation results of authentication performance in I/Q-channel schemes
According to the 128-bit security level, the ECDSA authentication message (512-bit) requires three 216-bit message frames, but TESLA only needs one 216-bit message frame. In this case, the maximum TBA of TESLA is 6 s, and the maximum TBA of ECDSA is 18 s. Table 1 shows the simulation results of the SBAS message authentication schemes. For L1-ECDSA, a 1% Authentication Error Rate (AER) is achieved with a Carrier-to-Noise ratio (C/N0) of 28.5 dB·Hz. In these conditions, the average TBA is 13.52 s, the authentication period is 18 s (three message frames), and the maximum AL is from 20 to 29 s. The maximum delay suggests that, due to the 1% of authentication failures, three digital signature message frames may have an additional digital signature frame.
The 6 s TTA required by SBAS is just satisfied in the Q channel scheme. Using a 1:1 I/Q power allocation will reduce the performance. A power apportionment of 75%/25% for the I/Q channels will reduce the Q channel power by about 1 dB, but still meets the 6 s TTA requirement.

The simulation results of SBAS
To study the impact of SBAS authentication on the original SBAS service, simulation trials were implemented by Fernandez-Hernandez et al. (2014, 2018). The simulations, with L1 and L1/L5 scenarios, were conducted in the European air service area (Fernández-Hernández et al., 2018). Table 2 summarizes the impact of the TESLA and ECDSA schemes on service performances such as Vertical Position Errors (VPE), Vertical Protection Level (VPL), continuity, and availability of SBAS under different Page Error Rate (PER) conditions. When PER = 0, the presence or absence of authentication has no effect on any performance indicator. For PER = 1 × 10^-3, since the loss of each message may cause identity authentication failure, the continuity risk of SBAS messages after joining the authentication protocol is significantly higher, but the availability remains above 99%. It can be seen that joining the authentication service will have an impact on the SBAS message but still meets the availability performance.

Conclusion
This article introduces two different SBAS message authentication methods, ECDSA and TESLA, and four different feasible schemes combined with the current SBAS Interface Control Document (ICD). Combined with the simulation results of European EGNOS in EAST, the results of several performance indicators with or without authentication are analyzed. It can be seen that after joining the authentication service, the performance of SBAS is less affected. SBAS messages are protected against spoofing.
Starting from improving the design of signals, SBAS authentication provides user terminals with the technical means to cope with spoofing and interference, enhancing the security of the SBAS augmentation service and promoting its applications in safety-of-life fields such as aviation, navigation, and high-speed train. However, there are still many problems and challenges to be addressed in the authentication of SBAS. In terms of system design, SBAS signal authentication improves the security of SBAS service, but may reduce its service performances such as integrity and continuity so that the demand for Category I of Precision Approach (CAT-I) may not be met. Several aspects need to be improved in the future, such as the selection of authentication protocols, optimal configuration of authentication parameters, processing of bit errors at the user terminals, and integrated applications of Automatic Dependent Surveillance-Broadcast (ADS-B)/SBAS. Overall performance evaluation for SBAS also needs to be carried out to ensure the balance between the SBAS augmentation service and the authentication service. In order to add authentication processing to the current SBAS processing at user terminals, we need to study strategies for processing different authentication results to ensure the real-time use of integrity alarm information (< 6 s). Meanwhile, SBAS MOPS must be taken into consideration in aviation applications.
Concerning the compatibility and interoperability of GNSS/SBAS authentication, SBAS authentication only ensures the security of the augmentation service. However, the security of the GNSS system is the cornerstone of the security of the GNSS positioning service. European Galileo plans to provide OS-NMA authentication, and the American Air Force Research Laboratory (AFRL) will launch Navigation Technology Satellite-3 (NTS-3) to implement technical trials of GPS signal authentication based on Chips-Message Robust Authentication (CHIMERA) signals. In the future, it is necessary to implement signal authentication of GNSS and the design of compatibility and interoperability of GNSS/SBAS authentication.
In the development of SBAS authentication standards we should consider the SBAS operation process and cryptographic algorithm standards in different countries, and conduct sufficient trials.