Iran GPS Spoofing and the RSA Cipher

Peter Fairbrother zenadsl6186 at zen.co.uk
Fri Dec 23 19:52:38 GMT 2011


Ian Mason wrote:
> 
> On 23 Dec 2011, at 15:33, Ian Batten wrote:
>>
>> Leaving aside the practicalities of the algorithms, an asymmetric 
>> system would be attractive for military-grade GPS, as it would mean 
>> that the theft and complete analysis of a receiver would not provide 
>> the key material for spoofing.  There are a lot of military handsets 
>> and by definition they are going to be used in hostile environments 
>> with a risk of capture, so were it possible to engineer a system where 
>> the handsets did not contain the transmission keys that would be a 
>> desirable property.  As you point out, it might prove very difficult 
>> to achieve, but those problems would bring some value as well.
>>
>> ian
> 
> I see what you're getting at, but I think you haven't really thought it 
> through or misunderstand the problem. Remember that the satellites are 
> broadcasting to all receivers, not having a conversation with each GPS 
> receiver individually. The satellite/receiver system would still need to 
> share secret material as having one private key per receiver would be 
> impractical. If nothing else it would require the satellite to 
> speculatively transmit the current spreading code key wrapped in many 
> different public keys.


I'm with t'other other Ian on this - an enemy finding a receiver could 
then use it to locate themselves, and if they could extract the key (a 
big if - it's hard enough to extract the key from the chip in a bank 
card) they could build more receivers (until the key is changed), but if 
it's RSA protected they couldn't use the key they found to spoof other 
receivers.


Brian's property, being able to calculate bit x without having to 
calculate bits 1 ...x is probably essential, but it isn't exactly hard 
to do, and it doesn't require RSA. Anything which can reset a simplish 
PRNG every second or so could also be used.



Pure speculation: Although it's somewhat inefficient, it is doable. ..a 
bit of theory goes in here, multichannel datastream, XOR of subset of 
datastreams gives real individualised ciphertext, XOR again plus key for 
real plaintext .. you can switch off the signal to any individual 
receivers which are known to be in enemy hands. You can also spoof a few 
captured or cloned receivers at once as well.



Getting back to the actual drone, I know very little about it. Is it 
autonomous or controlled by a satellite signal link? I have heard a 
whisper that for at least some drones which have such a link, the remote 
setup of that control link is protected by RSA.

But then the USAF isn't exactly famous for getting codes right, or even 
for using codes at all. It wouldn't surprise me terribly if there were 
some unencrypted links around. Maybe this one:


> 
> All the GPS satellites transmit simultaneously on the same frequency 
> using a CDMA/DSSS modulation. The only way you can separate the signals 
> from multiple satellites is to use a different spreading code for each 
> satellite, both for satellite transmission and terrestrial reception. 


That's true if the receivers are all in one place and omnidirectional, 
but if you have several receivers which are well-separated then you can 
separate the signals from the satellites (and find the prngstream, and 
transmit that to your equipment). That sounds like something a country 
could easily do over its own territory.

Doesn't matter what the encryption scheme used for the CDMA/DSSS 
modulation was, the keystream is just plaintext against that attack.


Now I'm not sure if the keystream would be particularly useful for 
everyday equipment, as it's maybe half a second or so out of date, but 
if a receiver can keep half a second's worth of raw data ..




> The spreading code is the bitstream output of a PRNG, also sometimes 
> called a keystream when the intent is encryption. The receiver needs the 
> spreading code to demodulate the transmitted signal, so it has to 
> generate exactly the same spreading code as the sender is using just to 
> detect the signal - a fundamentally symmetric relationship.
> 
> For the public channels such as the C/A (Coarse/Acquisition) signal 
> the PRNG formulation (key+algorithm)  used to generate the spreading 
> signal is well known, the key is the satellite number. The M-code 
> channel is an anti-spoofing feature and also uses a secret and much 
> longer spreading code to achieve the antispoofing characteristic.

Merry Christmas!


-- Peter Fairbrother
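
An added example, not part of the original post: the symmetric relationship described in the quoted text for the public C/A signal, where sender and receiver run the same PRNG keyed only by the satellite number and the receiver separates satellites by correlating against each replica. The function names and the two delays are assumptions made for this illustration; the register polynomials and phase taps are those of the public C/A code definition.

```python
# Added illustration (not from the post). Register polynomials and phase taps
# follow the public GPS C/A definition; delays below are constructed sample values.
G2_TAPS = {1: (2, 6), 2: (3, 7), 3: (4, 8), 4: (5, 9)}  # PRN -> G2 output stages
N = 1023  # chips per C/A code period

def ca_code(prn):
    """1023-chip spreading code; the only 'key' is the satellite (PRN) number."""
    s1, s2 = G2_TAPS[prn]
    g1, g2 = [1] * 10, [1] * 10          # both shift registers start all-ones
    chips = []
    for _ in range(N):
        chips.append(g1[9] ^ g2[s1 - 1] ^ g2[s2 - 1])
        fb1 = g1[2] ^ g1[9]                                    # 1 + x^3 + x^10
        fb2 = g2[1] ^ g2[2] ^ g2[5] ^ g2[7] ^ g2[8] ^ g2[9]    # 1+x^2+x^3+x^6+x^8+x^9+x^10
        g1, g2 = [fb1] + g1[:9], [fb2] + g2[:9]
    return chips

def to_signal(chips, delay=0):
    """Map chips 0/1 to +1/-1 and circularly delay by `delay` chips."""
    return [1 - 2 * chips[(i - delay) % N] for i in range(N)]

def correlate(signal, prn):
    """Circular correlation of a received signal against the local replica."""
    replica = to_signal(ca_code(prn))
    return [sum(signal[i] * replica[(i - lag) % N] for i in range(N))
            for lag in range(N)]

def acquire(signal, prn):
    """Return (code delay, correlation peak) for one satellite's replica."""
    corr = correlate(signal, prn)
    lag = max(range(N), key=corr.__getitem__)
    return lag, corr[lag]

def sample_sky():
    """Constructed input: PRN 1 and PRN 3 on the same frequency, summed."""
    a, b = to_signal(ca_code(1), 200), to_signal(ca_code(3), 731)
    return [x + y for x, y in zip(a, b)]

if __name__ == "__main__":
    sky = sample_sky()
    for prn in (1, 2, 3):                # PRN 2 is absent from the sample
        print(prn, acquire(sky, prn))
```
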


