Straight Talk on Anti-Spoofing - Securing the Future of PNT
SECURITY & WIRELESS | Signal Processing
Straight Talk on Anti-Spoofing
Securing the Future of PNT
Disruption created by intentional generation of fake GPS signals could have serious economic consequences. This article discusses
how typical civil GPS receivers respond to an advanced civil GPS spoofing attack, and four techniques to counter such attacks:
spread-spectrum security codes, navigation message authentication, dual-receiver correlation of military signals, and vestigial
signal defense. Unfortunately, any kind of anti-spoofing, however necessary, is a tough sell.
Kyle Wesson, Daniel Shepard, and Todd Humphreys
GPS World | January 2012 | www.gpsworld.com

GPS spoofing has become a hot topic. At the 2011 Institute of Navigation (ION) GNSS conference, 18 papers discussed spoofing, compared with the same number over the past decade. ION-GNSS also featured its first panel session on anti-spoofing, called “Improving Security of GNSS Receivers,” which offered six security experts a forum to debate the most promising anti-spoofing technologies.

The spoofing threat has also drawn renewed U.S. government scrutiny since the initial findings of the 2001 Volpe Report. In November 2010, the U.S. Position Navigation and Timing National Executive Committee requested that the U.S. Department of Homeland Security (DHS) conduct a comprehensive risk assessment on the use of civil GPS. In February 2011, the DHS Homeland Infrastructure Threat and Risk Analysis Center began its investigation in conjunction with subject-matter experts in academia, finance, power, and telecommunications, among others. Their findings will be summarized in two forthcoming reports, one on the spoofing and jamming threat and the other on possible mitigation techniques. The reports are anticipated to show that GPS disruption due to spoofing or jamming could have serious economic consequences.

Effective techniques exist to defend receivers against spoofing attacks. This article summarizes state-of-the-art anti-spoofing techniques and suggests a path forward to equip civil GPS receivers with these defenses. We start with an analysis of a typical civil GPS receiver’s response to our laboratory’s powerful spoofing device. This will illustrate the range of freedom a spoofer has when commandeering a victim receiver’s tracking loops. We will then provide an overview of promising cryptographic and non-cryptographic anti-spoofing techniques and highlight the obstacles that impede their widespread adoption.
The Spoofing Threat
Spoofing is the transmission of matched-GPS-signal-structure interference in an attempt to commandeer the tracking loops of a victim receiver and thereby manipulate the receiver’s timing or navigation solution. A spoofer can transmit its counterfeit signals from a stand-off distance of several hundred meters or it can be co-located with its victim.

▲ SPOOFING TESTBED at the University of Texas Radionavigation Laboratory, an advanced and powerful suite for anti-spoofing research. On the right are several of the civil GPS receivers tested and the radio-frequency test enclosure, and on the left are the phasor measurement unit and the civil GPS spoofer.

Spoofing attacks can be classified as simple, intermediate, or sophisticated in terms of their effectiveness and subtlety. In 2003, the Vulnerability Assessment Team at Argonne National Laboratory carried off a successful simple attack in which they programmed a GPS signal simulator to broadcast high-powered counterfeit GPS signals toward a victim receiver. Although such a simple attack is easy to mount, the equipment is expensive, and the attack is readily detected because the counterfeit signals are not synchronized to their authentic counterparts.

In an intermediate spoofing attack, a spoofer synchronizes its counterfeit signals with the authentic GPS signals so they are code-phase-aligned at the target receiver. This method requires a spoofer to determine the position and velocity of the victim receiver, but it affords the spoofer a serious advantage: the attack is difficult to detect and mitigate.

The sophisticated attack involves a network of coordinated intermediate-type spoofers that replicate not only the content and mutual alignment of visible GPS signals but also their spatial distribution, thus fooling even multi-antenna spoofing defenses.

Lab Attack. So far, no open literature has reported development or research into the sophisticated attack. This is likely because of the success of the intermediate-type attack: to date, no civil GPS receiver tested in our laboratory has fended off an intermediate-type spoofing attack. The spoofing attacks, which are always conducted via coaxial cable or in radio-frequency test enclosures, are performed with our laboratory’s receiver-spoofer, an advanced version of the one introduced at the 2008 ION-GNSS conference (see “Assessing the Spoofing Threat,” GPS World, January 2009).

To commence the attack, the spoofer transmits its counterfeit signals in code-phase alignment with the authentic signals but at a power level below the noise floor. The spoofer then increases the power of the spoofed signals so that they are slightly greater than the power of the authentic signals. At this point, the spoofer has taken control of the victim receiver’s tracking loops and can slowly lead the spoofed signals away from the authentic signals, carrying the receiver’s tracking loops with it. Once the spoofed signals have moved more than 600 meters in position or 2 microseconds in time away from the authentic signals, the receiver can be considered completely owned by the spoofer.

Although our spoofer fooled all of the receivers tested in our laboratory, there are significant differences between receivers’ dynamic responses to spoofing attacks. It is important to understand the types of dynamics that a spoofer can induce in a target receiver to gain insight into the actual dangers that a spoofing attack poses rather than rely on unrealistic assumptions or models of a spoofing attack. For example, a recent paper on time-stamp manipulation of the U.S. power grid assumed that there was no limit to the rate of change that a spoofer could impose on a victim receiver’s position and timing solution, which led to unrealistic conclusions.

Experiments performed in our laboratory sought to answer three specific questions regarding spoofer-induced dynamics:
◾ How quickly can a timing or position bias be introduced?
◾ What kinds of oscillations can a spoofer cause in a receiver’s position and timing?
◾ How different are receiver responses to spoofing?

These questions were answered by determining the maximum spoofer-induced pseudorange acceleration that can be used to reach a certain final velocity when starting from a velocity of zero, without raising any alarms or causing the target receiver
to lose satellite lock. The curve in the velocity-acceleration plane created by connecting these points defines the upper bound of a region within which the spoofer can safely manipulate the target receiver. These data points can be obtained empirically and fit to an exponential curve. Alarms on the receiver may cause some deviations from this curve depending on the particular receiver.

▲ FIGURE 1 Theoretical and experimental test results for a high-quality handheld receiver's dynamic response to a spoofing attack. Although not shown here, the maximum attainable velocity is around 1,300 meters/second.

FIGURE 1 shows an example of the velocity-acceleration curve for a high-quality handheld receiver, whose position and timing solution can be manipulated quite aggressively during a spoofing attack. These results suggest that the receiver’s robustness — its ability to provide navigation and timing solutions despite extreme signal dynamics — is actually a liability in regard to spoofing. The receiver’s ability to track high accelerations and velocities allows a spoofer to aggressively manipulate its navigation solution.

The relative ease with which a spoofer can manipulate some GPS receivers suggests that GPS-dependent infrastructure is vulnerable. For example, the telecommunications network and the power grid both rely on GPS time-reference receivers for accurate timing. Our laboratory has performed tests on such receivers to determine the disruptions that a successful spoofing attack could cause. The remainder of this section highlights threats to these two sectors of critical national infrastructure.

Cell-Phone Vulnerability. Code division multiple access (CDMA) cell-phone towers rely on GPS timing for tower-to-tower synchronization. Synchronization prevents towers from interfering with one another and enables call hand-off between towers. If a particular tower’s time estimate deviates more than 10 microseconds from GPS time, hand-off to and from that tower is disrupted. Our tests indicate that a spoofer could induce a 10-microsecond time deviation within about 30 minutes for a typical CDMA tower setup. A spoofer, or spoofer network, could also cause multiple neighboring towers to interfere with one another. This is possible because CDMA cell-phone towers all use the same spreading code and distinguish themselves only by the phasing (that is, time offset) of their spreading codes. Furthermore, it appears that a spoofer could impair CDMA-based E911 user-location.

Power-Grid Vulnerability. Like the cellular network, the power grid of the future will rely on accurate GPS time-stamps. The efficiency of power distribution across the grid can be improved with real-time measurements of the voltage and current phasors. Phasor measurement units (PMUs) have been proposed as a smart-grid technology for precisely this purpose. PMUs rely on GPS to time-stamp their measurements, which are sent back to a central monitoring station for processing. Currently, PMUs are used for closed-loop grid control in only a few applications, but power-grid modernization efforts will likely rely more heavily on PMUs for control. If a spoofer manipulates a PMU’s time stamps, it could cause spurious variations in measured phase angles. These variations could distort power flow or stability estimates in such a way that grid operators would take incorrect or unnecessary control actions including powering up or shutting down generators, potentially causing blackouts or damage to power-grid equipment.

Under normal circumstances, a changing separation in the phase angle between two PMUs indicates changes in power flow between the regions measured by each PMU. Tests demonstrate that a spoofer could cause variations in a PMU’s measured voltage phase angle at a rate of 1.73 degrees per minute. Thus, a spoofing attack could create false indications of power flow across the grid. The test results also reveal, however, that it is impossible for a spoofer to cause changes in small-signal grid stability estimates, which would require the spoofer to induce rapid (for example, 0.1–3 Hz) microsecond-amplitude oscillations in timing. Such oscillations correspond to spoofing dynamics well outside the region of freedom of all receivers we have tested. A spoofer might also be able to affect fault-location estimates obtained through time-difference-of-arrival techniques using PMU measurements. This could cause large errors in fault-location estimates and hamper repair efforts.

What Can Be Done? Despite the success of the intermediate-type spoofing attack against a wide variety of civil GPS receivers and the known vulnerabilities of GPS-dependent critical infrastructure to spoofing attacks, anti-spoofing techniques exist that would enable receivers to successfully defend themselves against such attacks. We now turn to four promising anti-spoofing techniques.

Cryptographic Methods
These techniques enable a receiver to differentiate authentic GPS signals from counterfeit signals with high likelihood.
Cryptographic strategies rely on the unpredictability of so-called security codes that modulate the GPS signal. An unpredictable code forces a spoofer who wishes to mount a successful spoofing attack to either
◾ estimate the unpredictable chips on-the-fly, or
◾ record and play back authentic GPS spectrum (a meaconing attack).

To avoid unrealistic expectations, it should be noted that no anti-spoofing technique is completely impervious to spoofing. GPS signal authentication is inherently probabilistic, even when rooted in cryptography. Many separate detectors and cross-checks, each with its own probability of false alarm, are involved in cryptographic spoofing detection. FIGURE 2 illustrates how the jammer-to-noise ratio detector, timing consistency check, security-code estimation and replay attack (SCER) detector, and cryptographic verification block all work together. This hybrid combination of statistical hypothesis tests and Boolean logic demonstrates the complexities and subtleties behind a comprehensive, probabilistic GPS signal authentication strategy for security-enhanced signals.

▲ FIGURE 2 GNSS receiver components required for GNSS signal authentication. Components that support code origin authentication are outlined in bold and have a gray fill, whereas components that support code timing authentication are outlined in bold and have no fill. The schematic assumes a security code based on navigation message authentication.

Spread Spectrum Security Codes. In 2003, Logan Scott proposed a cryptographic anti-spoofing technique based on spread spectrum security codes (SSSCs). The most recent proposed version of this technique targets the L1C signal, which will be broadcast on GPS Block III satellites, because the L1C waveform is not yet finalized. Unpredictable SSSCs could be interleaved with the L1C spreading code on the L1C data channel, as illustrated in FIGURE 3. Since L1C acquisition and tracking occur on the pilot channel, the presence of the SSSCs has negligible impact on receivers. Once tracking L1C, a receiver can predict when the next SSSC will be broadcast but not its exact sequence. Upon reception of an SSSC, the receiver stores the front-end samples corresponding to the SSSC interval in memory. Sometime later, the cryptographic digital key that generated the SSSC is transmitted over the navigation message. With knowledge of the digital key, the receiver generates a copy of the actual transmitted SSSC and correlates it with the previously-recorded digital samples. Spoofing is declared if the correlation power falls below a pre-determined threshold.

▲ FIGURE 3 Placement of the periodically unpredictable spread spectrum security codes in the GPS L1C data channel spreading sequence.

When the security-code chip interval is short (high chipping rate), it is difficult for a spoofer to estimate and replay the security code in real time. Thus, the SSSC technique on L1C offers a strong spoofing defense since the L1C chipping rate is high (that is, 1.023 MChips/second). Furthermore, the SSSC technique does not rely on the receiver obtaining additional information from a side channel; all the relevant codes and keys are broadcast over the secured GPS signals. Of course, a disadvantage for SSSC is that it requires a fairly fundamental change to the currently-proposed L1C definition: the L1C spreading codes must be altered.

Implementation of the SSSC technique faces long odds, partly because it is late in the L1C planning schedule to introduce a change to the spreading codes. Nonetheless, in September 2011, Logan Scott and Phillip Ward advocated for SSSC at the Public Interface Control Working Group meeting, passing the first of many wickets. The proposal and associated Request for Change document will now proceed to the Lower Level GPS Engineering Requirements Branch for further technical review. If approved there, it passes to the Joint Change Review Board for additional review and, if again approved, to the Technical Interchange Meeting for further consideration. The chances that the SSSC proposal will survive this gauntlet would be much improved if some government agency made a formal request to the GPS Directorate to include SSSCs in L1C — and provided the funding to do so. The DHS seems to us a logical sponsoring agency.
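
The store-then-verify sequence described above for SSSCs, as an added Python example that is not from the article or from any GPS specification. The HMAC-based chip generator, the 10,230-chip burst length, the half-amplitude threshold rule, the per-epoch keys and the real-valued one-sample-per-chip signal model are all assumptions made for illustration.

```python
import hashlib
import hmac
import random

CHIPS_PER_SSSC = 10230  # assumed burst length; the article gives no figure


def sssc_replica(key, epoch, n=CHIPS_PER_SSSC):
    """Expand (key, epoch) into n chips of +1/-1.

    HMAC-SHA256 in counter mode is an assumption standing in for the
    SSSC generator, which the article does not specify.
    """
    chips, counter = [], 0
    while len(chips) < n:
        msg = epoch.to_bytes(8, "big") + counter.to_bytes(4, "big")
        for byte in hmac.new(key, msg, hashlib.sha256).digest():
            chips.extend(1 if (byte >> bit) & 1 else -1 for bit in range(8))
        counter += 1
    return chips[:n]


def correlation_power(samples, replica):
    """Squared normalised correlation of stored samples with the replica."""
    corr = sum(s * r for s, r in zip(samples, replica)) / len(replica)
    return corr * corr


class SsscReceiver:
    """Buffers each SSSC interval until its key is disclosed, then checks it."""

    def __init__(self, expected_amplitude):
        # Assumed rule: the threshold is the power of a correlation at half
        # the expected signal amplitude.
        self.threshold = (0.5 * expected_amplitude) ** 2
        self.pending = {}  # epoch -> front-end samples awaiting their key

    def store_interval(self, epoch, samples):
        self.pending[epoch] = list(samples)

    def on_key_disclosed(self, epoch, key):
        # The disclosed key is assumed to have been authenticated already;
        # an unauthenticated key would make this check meaningless.
        samples = self.pending.pop(epoch)
        replica = sssc_replica(key, epoch, len(samples))
        power = correlation_power(samples, replica)
        return "authentic" if power >= self.threshold else "spoofing"


def front_end(chips, amplitude, rng, noise_sigma=1.0):
    """Constructed samples: chips well below a unit-variance noise floor."""
    return [amplitude * c + rng.gauss(0.0, noise_sigma) for c in chips]


def run_demo(seed=2012):
    rng = random.Random(seed)
    # Constructed per-epoch keys, unknown to anyone until disclosure.
    keys = {e: bytes(rng.getrandbits(8) for _ in range(16)) for e in (1, 2)}
    amplitude = 0.1
    rx = SsscReceiver(expected_amplitude=amplitude)
    # Epoch 1: the authentic burst is received and stored.
    rx.store_interval(1, front_end(sssc_replica(keys[1], 1), amplitude, rng))
    # Epoch 2: a counterfeit burst at slightly higher power whose sender,
    # lacking the key at broadcast time, could only guess the chips.
    guessed = [rng.choice((-1, 1)) for _ in range(CHIPS_PER_SSSC)]
    rx.store_interval(2, front_end(guessed, 1.2 * amplitude, rng))
    # Later, the keys arrive in the navigation message.
    return {epoch: rx.on_key_disclosed(epoch, keys[epoch]) for epoch in (1, 2)}


if __name__ == "__main__":
    print(run_demo())
```

The guessed burst correlates near zero with the replica even though it is stronger than the authentic one, which is why the check keys on correlation with the disclosed code rather than on received power.
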
Navigation Message Authentication. If an L1C SSSC implementation proves unworkable, an alternative, less-invasive cryptographic authentication scheme based on navigation message authentication (NMA) represents a strong fall-back option. In the same 2003 ION-GNSS paper in which he proposed SSSC, Logan Scott also proposed NMA. His paper was preceded by an internal study at MITRE and followed by other publications in the open literature, all of which found merit in the NMA approach. The NMA technique embeds public-key digital signatures into the flexible GPS civil navigation (CNAV) message, which offers a convenient conveyance for such signatures. The CNAV format was designed to be extensible so that new messages can be defined within the framework of the GPS Interface Specification (IS). The current GPS IS defines only 15 of 64 CNAV messages, reserving the undefined 49 CNAV messages for future use.

Our lab recently demonstrated that NMA works to authenticate not only the navigation message but also the underlying signal. In other words, NMA can be the basis of comprehensive signal authentication. We have proposed a specific implementation of NMA that is packaged for immediate adoption. Our proposal defines two new CNAV messages that deliver a standardized public-key elliptic-curve digital signature algorithm (ECDSA) signature via the message format in FIGURE 4.

▲ FIGURE 4 Format of the proposed CNAV ECDSA signature message, which delivers the first or second half of the 466-bit ECDSA signature and a 5-bit salt in the 238-bit payload field.

Although the CNAV message format is flexible, it is not without constraints. The shortest block of data in which a complete signature can be embedded is a 96-second signature block such as the one shown in FIGURE 5. In this structure, the two CNAV signature messages are interleaved between the ephemeris and clock data to meet the broadcast requirements.

The choice of the duration between signature blocks is a tradeoff between offering frequent authentication and maintaining a low percentage of the CNAV message reserved for the digital signature. In our proposal, signature blocks are transmitted roughly every five minutes (FIGURE 6) so that only 7.5 percent of the navigation message is devoted to the digital signature. Across the GPS constellation, the signature block could be offset so that a receiver could authenticate at least one channel approximately every 30 seconds. Like SSSC, our proposed version of NMA does not require a receiver’s getting additional information from a side channel, provided the receiver obtains public key updates on a yearly basis.

NMA is inherently less secure than SSSC. An NMA security code chip interval (that is, 20 milliseconds) is longer than an SSSC chip interval, thereby allowing the spoofer more time to estimate the digital signature on-the-fly. That is not to say, however, that NMA is ineffective. In fact, tests with our laboratory’s spoofing testbed demonstrated that the NMA-based signal authentication structure described earlier offered a receiver a better-than-95-percent probability of detecting a spoofing attack for a 0.01 percent probability of false alarm under a challenging spoofing-attack scenario.

NMA is best viewed as a hedge. If the SSSC approach does not gain traction, then NMA might, since it only requires defining two new CNAV messages in the GPS IS — a relatively minor modification. CNAV-based NMA could defend receivers tracking L2C and L5. A new CNAV2 message will eventually be broadcast on L1 via L1C, so a repackaged CNAV2-based NMA technique could offer even single-frequency L1 receivers a signal-side anti-spoofing defense.

P(Y) Code Dual-Receiver Correlation. This approach avoids entirely the issue of GPS IS modifications. The technique correlates the unknown encrypted military P(Y) code between two civil GPS receivers, exploiting known carrier-phase and code-phase relationships. It is similar to the dual-frequency codeless and semi-codeless techniques that civil GPS receivers apply to track the P(Y) code on L2. Peter Levin and others filed a patent on the codeless-based signal
authentication technique in 2008; Mark Psiaki extended the approach to semicodeless correlation and narrowband receivers in a 2011 ION-GNSS paper.

▲ FIGURE 5 The shortest broadcast signature block that does not violate the CNAV ephemeris and timing broadcast requirements. To meet the required broadcast interval of 48 seconds for message types 10, 11, and one of 30–39, the ECDSA signature is broadcast over a 96-second signature block that is composed of eight CNAV messages.

▲ FIGURE 6 A signed 336-second broadcast. The proposed strategy signs every 28 CNAV messages with a signature broadcast over two CNAV messages on each broadcast channel.

In the dual-receiver technique, one receiver, stationed in a secure location, tracks the authentic L1 C/A codes while receiving the encrypted P(Y) code. The secure receiver exploits the known timing and phase relationships between the C/A code and P(Y) code to isolate the P(Y) code, of which it sends raw samples (codeless technique) or estimates of the encrypting W-code chips (semi-codeless technique) over a secure network to the defending receiver. The defending receiver correlates its locally-extracted P(Y) with the samples or W-code estimates from the secure receiver. If a spoofing attack is underway, the correlation power will drop below a statistical threshold, thereby causing the defending receiver to declare a spoofing attack. Although the P(Y) code is 20 MHz wide, a narrowband civil GPS receiver with 2.6 MHz bandwidth can still perform the statistical hypothesis tests even with the resulting 5.5 dB attenuation of the P(Y) code. Because the dual-receiver method can run continuously in the background as part of a receiver’s standard GPS signal processing, it can declare a spoofing attack within seconds — a valuable feature for many applications.

Two considerations about the dual-receiver technique are worth noting. First, the secure receiver must be protected from spoofing for the technique to succeed. Second, the technique requires a secure communication link between the two receivers. Although the first requirement is easily achieved by locating secure receivers in secure locations, the second requirement makes the technique impractical for some applications that cannot support a continuous communication link.

Of all the proposed cryptographic anti-spoofing techniques, only the dual-receiver method could be implemented today. Unfortunately the P(Y) code will no longer exist after 2021, meaning that systems that make use of the P(Y)-based dual-receiver technique will be rendered unprotected, although a similar M-code-based technique could be an effective replacement.
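
How a defending receiver could set the statistical threshold for the codeless dual-receiver test and what the 5.5 dB narrowband loss costs, as an added Python example that is not the authors' or the patent's implementation. The real-valued, perfectly aligned, one-sample-per-chip signal model, the 0.3 amplitudes, the unit noise variance and the 1e-6 false-alarm target are assumptions; the signed correlation stands in for correlation power because carrier phase is taken as known.

```python
import math
import random
from statistics import NormalDist


def amplitude_after_loss(amplitude, loss_db):
    """Amplitude left after a power loss given in dB."""
    return amplitude * 10 ** (-loss_db / 20)


def correlation_stats(n, a, b, sigma=1.0):
    """Gaussian approximation of the normalised cross-correlation.

    a, b: code amplitude in the secure and defending receiver's samples.
    Returns (mean when both streams hold the code, its standard deviation,
    standard deviation when the defender's stream holds noise only).
    """
    mean_auth = a * b
    std_auth = math.sqrt((a * a + b * b + sigma * sigma) * sigma * sigma / n)
    std_spoof = math.sqrt((a * a + sigma * sigma) * sigma * sigma / n)
    return mean_auth, std_auth, std_spoof


def threshold(n, a, b, p_false_alarm):
    """Declare spoofing below this value; false alarms occur at p_false_alarm."""
    mean_auth, std_auth, _ = correlation_stats(n, a, b)
    return mean_auth + NormalDist().inv_cdf(p_false_alarm) * std_auth


def detection_probability(n, a, b, p_false_alarm):
    """Chance the test fires when the defender's samples lack the code."""
    _, _, std_spoof = correlation_stats(n, a, b)
    return NormalDist(0.0, std_spoof).cdf(threshold(n, a, b, p_false_alarm))


def cross_correlation(x, y):
    return sum(p * q for p, q in zip(x, y)) / len(x)


def simulate(n, a, b, code_present, rng):
    """Constructed sample streams for the two receivers over n chips."""
    code = [rng.choice((-1.0, 1.0)) for _ in range(n)]  # unknown to both sides
    secure = [a * c + rng.gauss(0.0, 1.0) for c in code]
    defender = [(b * c if code_present else 0.0) + rng.gauss(0.0, 1.0)
                for c in code]
    return cross_correlation(secure, defender)


def run_demo(seed=61, n=100_000, p_false_alarm=1e-6):
    rng = random.Random(seed)
    a = 0.3                             # secure receiver, assumed wideband
    b = amplitude_after_loss(0.3, 5.5)  # narrowband defender, 5.5 dB down
    limit = threshold(n, a, b, p_false_alarm)
    verdicts = []
    for code_present in (True, False):
        value = simulate(n, a, b, code_present, rng)
        verdicts.append("spoofing" if value < limit else "authentic")
    return verdicts


if __name__ == "__main__":
    print(run_demo())
    b = amplitude_after_loss(0.3, 5.5)
    for n in (2_000, 20_000, 100_000):
        print(n, round(detection_probability(n, 0.3, b, 1e-6), 4))
```

Because neither receiver knows the code, both inputs to the correlation are noisy, so the attenuation has to be bought back with a longer integration interval before the two hypotheses separate.
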
The dual-receiver method, therefore, is best thought of as a stop-gap: it can provide civil GPS receivers with an effective anti-spoofing technique today until a signal-side civil GPS authentication technique is approved and implemented in the future. This sentiment was the consensus of the panel experts at the 2011 ION-GNSS session on civil GPS receiver security.

| | SSSC | NMA | Dual-Receiver | VSD |
|---|---|---|---|---|
| Cryptographic Method | Yes | Yes | Yes | No |
| Communication Link | No | Yearly | Continuously | No |
| Extra Hardware (IMU, Accelerometer, Antenna) | No | No | Communication Link | No |
| Time Between Authentications | 30 seconds (possible) | 30 seconds (possible) | About 1 second | Seconds |
| Receiver Autonomous | No | No | No | Yes |
| Time to Implementation | Years | Years | Months | Months |
| Requires Changes to GPS Interface Specification | Yes, L1C Data Channel Spreading Code | Yes, 2 New CNAV Messages | No, Uses P(Y) Code | No |

▲ TABLE 1 Comparison of anti-spoofing techniques discussed in this article.

Non-Cryptographic Methods
Non-cryptographic techniques are enticing because they can be made receiver-autonomous, requiring neither security-enhanced civil GPS signals nor a side-channel communication link. The literature contains a number of proposed non-cryptographic anti-spoofing techniques. Frequently, however, these techniques rely on additional hardware, such as accelerometers or inertial measurement units, which may exceed the cost, size, or weight requirements in many applications. This motivates research to develop software-based, receiver-autonomous anti-spoofing methods.

Vestigial Signal Defense (VSD). This software-based, receiver-autonomous anti-spoofing technique relies on the difficulty of suppressing the true GPS signal during a spoofing attack. Unless the spoofer generates a phase-aligned nulling signal at the phase center of the victim GPS receiver’s antenna, a vestige of the authentic signal remains and manifests as a distortion of the complex correlation function. VSD monitors distortion in the complex correlation domain to determine if a spoofing attack is underway.

To be an effective defense, the VSD must overcome a significant challenge: it must distinguish between spoofing and multipath. The interaction of the authentic and spoofed GPS signals is similar to the interaction of direct-path and multipath GPS signals. Our most recent work on the VSD suggests that differentiating spoofing from multipath is enough of a challenge that the goal of the VSD should only be to reduce the degrees-of-freedom available to a spoofer, forcing the spoofer to act in a way that makes the spoofing signal or vestige of the authentic GPS signal mimic multipath. In other words, the VSD seeks to corner the spoofer and reduce its space of possible dynamics.

Among other options, two potentially effective VSD techniques are
◾ a maximum-likelihood bistatic-radar-based approach and
◾ a phase-pseudorange consistency check.

The first approach examines the spatial and temporal consistency of the received signals to detect inconsistencies between the instantaneous received multipath and the typical multipath background environment. The second approach, which is similar to receiver autonomous integrity monitoring (RAIM) techniques, monitors phase and pseudorange observables to detect inconsistencies potentially caused by spoofing. Again, a spoofer can act like multipath to avoid detection, but this means that the VSD would have achieved its modest goal.

Anti-Spoofing Reality Check
Security is a tough sell. Although promising anti-spoofing techniques exist, the reality is that no anti-spoofing techniques currently defend civil GPS receivers. All anti-spoofing techniques face hurdles. A primary challenge for any technique that proposes modifying current or proposed GPS signals is the tremendous inertia behind GPS signal definitions. Given the several review boards whose approval an SSSC or NMA approach would have to gain, the most feasible near-term cryptographic anti-spoofing technique is the dual-receiver method. A receiver-autonomous, non-cryptographic approach, such as the VSD, also warrants further development. But ultimately, the SSSC or NMA techniques should be implemented: a signal-side civil GPS cryptographic anti-spoofing technique would be of great benefit in protecting civil GPS receivers from spoofing attacks.

Manufacturers
The high-quality handheld receiver cited in Figure 1 was a Trimble Juno SB. Testbed equipment shown: Schweitzer Engineering Laboratories SEL-421 synchrophasor measurement unit; Ramsey STE 3000 radio-frequency test chamber; Ettus Research USRP N200 universal software radio peripheral; Schweitzer SEL-2401 satellite-synchronized clock (blue); Trimble
Resolution SMT receiver (silver); HP GPS time and frequency reference receiver.

References, Further Information
University of Texas Radionavigation Laboratory, http://radionavlab.ae.utexas.edu.
Full results of Figure 1 experiment are given in Shepard, D.P. and T.E. Humphreys, “Characterization of Receiver Response to Spoofing Attacks,” Proceedings of ION-GNSS 2011.
NMA can be the basis of comprehensive signal authentication: Wesson, K.D., M. Rothlisberger, T. E. Humphreys (2011), “Practical cryptographic civil GPS signal authentication,” Navigation, Journal of the ION, submitted for review; available at http://radionavlab.ae.utexas.edu/nma
Humphreys, T.E, “Detection Strategy for Cryptographic GNSS Anti-Spoofing,” IEEE Transactions on Aerospace and Electronic Systems, 2011, submitted for review; available at http://radionavlab.ae.utexas.edu/detstrat

KYLE WESSON is pursuing his M.S. and Ph.D. degrees in electrical and computer engineering at the University of Texas at Austin. He is a member of the Radionavigation Laboratory. He received his B.S. from Cornell University.
DANIEL SHEPARD is pursuing his M.S. and Ph.D. degrees in aerospace engineering at the University of Texas at Austin, where he also received his B.S. He is a member of the Radionavigation Laboratory.
TODD HUMPHREYS is an assistant professor in the department of Aerospace Engineering and Engineering Mechanics at the University of Texas at Austin and director of the Radionavigation Laboratory. He received a Ph.D. in aerospace engineering from Cornell University.