S spoofing.

Peter Fairbrother zenadsl6186 at zen.co.uk
Sat Dec 24 21:00:04 GMT 2011

John Brazier wrote:
> Dear all,
> I am now no doubt out of date, but one of the rules I learnt was that an
> encryption system only has to be as good as the timescale you're concerned
> about.
> So the Playfair was completely appropriate as a battlefield cypher in the
> First World War: even if you knew the system, it would take you at least an
> hour to derive the key, at which point the information was redundant.
> I would assume any of these drones is a technological compromise between
> flight time, control, and weapons delivery.  The last probably being the
> most important, it would mean that they would, assuming their control system
> is cryptographically protected, go for the simplest possible system that
> gives them protection within the expected flight time. That, to me, would
> certainly exclude RSA as its computing baggage would be better directed
> towards things like targeting.
> But I'm not an expert in this domain.

I think there are two issues here, control of the vehicle and GPS 
spoofing. I have heard that RSA is used in the setup of control links, 
which makes sense.

The use of RSA in GPS anti-spoofing technology is a little more 
uncertain, but it is also possible. I think it is most unlikely to be 
used as a prng stream generator, but its use in distributing 
verification and/or prng stream keys seems well within normal crypto 

Of course, there are easier ways to spoof GPS than breaking the crypto.

There's the method I mentioned, and also perhaps the simplest method of 
all, which afaics cannot be cryptographically protected against - if you 
want a GPS receiver at point Y to think it is at point X, put something 
at point X which can collect the GPS signals there, and send them to 
point Y at signal strength levels which overwhelm the legitimate GPS 
signals at point Y.

You don't have to even think about the crypto then, never mind break it.

-- Peter Fairbrother

> JB
> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk
> [mailto:ukcrypto-bounces at chiark.greenend.org.uk] On Behalf Of Peter
> Fairbrother
> Sent: 23 December 2011 7:53 PM
> To: UK Cryptography Policy Discussion Group
> Subject: Re: Iran GPS Spoofing and the RSA Cipher
> Ian Mason wrote:
>> On 23 Dec 2011, at 15:33, Ian Batten wrote:
>>> Leaving aside the practicalities of the algorithms, an asymmetric 
>>> system would be attractive for military-grade GPS, as it would mean 
>>> that the theft and complete analysis of a receiver would not provide 
>>> the key material for spoofing.  There are a lot of military handsets 
>>> and by definition they are going to be used in hostile environments 
>>> with a risk of capture, so were it possible to engineer a system 
>>> where the handsets did not contain the transmission keys that would 
>>> be a desirable property.  As you point out, it might prove very 
>>> difficult to achieve, but those problems would bring some value as well.
>>> ian
>> I see what you're getting at, but I think you haven't really thought 
>> it through or misunderstand the problem. Remember that the satellites 
>> are broadcasting to all receivers, not having a conversation with each 
>> GPS receiver individually. The satellite/receiver system would still 
>> need to share secret material as having one private key per receiver 
>> would be impractical. If nothing else it would require the satellite 
>> to speculatively transmit the current spreading code key wrapped in 
>> many different public keys.
> I'm with t'other other Ian on this - an enemy finding a receiver could then
> use it to locate themselves, and if they could extract the key (a big if -
> it's hard enough to extract the key from the chip in a bank
> card) they could build more receivers (until the key is changed), but if
> it's RSA protected they couldn't use the key they found to spoof other
> receivers.
> Brian's property, being able to calculate bit x without having to calculate
> bits 1 ...x is probably essential, but it isn't exactly hard to do, and it
> doesn't require RSA. Anything which can reset a simplish PRNG every second
> or so could also be used.
> Pure speculation: Although it's somewhat inefficient, it is doable. ..a bit
> of theory goes in here, multichannel datastream, XOR of subset of
> datastreams gives real individualised ciphertext, XOR again plus key for
> real plaintext .. you can switch off the signal to any individual receivers
> which are known to be in enemy hands. You can also spoof a few captured or
> cloned receivers at once as well.
> Getting back to the actual drone, I know very little about it. Is it
> autonomous or controlled by a satellite signal link? I have heard a whisper
> that for at least some drones which have such a link, the remote setup of
> that control link is protected by RSA.
> But then the USAF isn't exactly famous for getting codes right, or even for
> using codes at all. It wouldn't surprise me terribly if there were some
> unencrypted links around. Maybe this one:
>> All the GPS satellites transmit simultaneously on the same frequency 
>> using a CDMA/DSSS modulation. The only way you can separate the 
>> signals from multiple satellites is to use a different spreading code 
>> for each satellite, both for satellite transmission and terrestrial reception.
> That's true if the receivers are all in one place and omnidirectional, 
> but if you have several receivers which are well-separated then you can 
> separate the signals from the satellites (and find the prngstream, and 
> transmit that to your equipment). That sounds like something a country 
> could easily do over its own territory.
> Doesn't matter what the encryption scheme used for the CDMA/DSSS 
> modulation was, the keystream is just plaintext against that attack.
> Now I'm not sure if the keystream would be particularly useful for 
> everyday equipment, as it's maybe half a second or so out of date, but 
> if a receiver can keep half a second's worth of raw data ..
>> The spreading code is the bitstream output of a PRNG, also sometimes 
>> called a keystream when the intent is encryption. The receiver needs the 
>> spreading code to demodulate the transmitted signal, so it has to 
>> generate exactly the same spreading code as the sender is using just to 
>> detect the signal - a fundamentally symmetric relationship.
>> For the public channels such as the C/A (Coarse/Acquisition) signal the 
>> PRNG formulation (key+algorithm)  used to generate the spreading 
>> signal is well known, the key is the satellite number. The M-code 
>> channel is an anti-spoofing feature and also uses a secret and much 
>> longer spreading code to achieve the antispoofing characteristic.
> Merry Christmas!
> -- Peter Fairbrother
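
Added example, not part of the original message or thread: the public C/A spreading-code generator and the despreading correlation described in the quoted text above, where the "key" is just the satellite number and a receiver without the right code sees only low-level noise. The G2 tap pairs for PRN 1-4 are the published ones; the two-satellite signal and its delays are constructed sample input.

```python
# Added illustration: GPS C/A spreading codes (Gold codes) and despreading.
G2_TAPS = {1: (2, 6), 2: (3, 7), 3: (4, 8), 4: (5, 9)}  # published G2 taps, PRN 1-4
CODE_LEN = 1023

def ca_code(prn):
    """Return the 1023-chip C/A code for a satellite as a list of 0/1 chips."""
    g1 = [1] * 10          # both shift registers start as all ones
    g2 = [1] * 10
    t1, t2 = G2_TAPS[prn]
    chips = []
    for _ in range(CODE_LEN):
        chips.append(g1[9] ^ g2[t1 - 1] ^ g2[t2 - 1])
        fb1 = g1[2] ^ g1[9]                                  # 1 + x^3 + x^10
        fb2 = g2[1] ^ g2[2] ^ g2[5] ^ g2[7] ^ g2[8] ^ g2[9]  # 1+x^2+x^3+x^6+x^8+x^9+x^10
        g1 = [fb1] + g1[:9]
        g2 = [fb2] + g2[:9]
    return chips

def bipolar(chips):
    return [1 - 2 * c for c in chips]   # chip 0 -> +1, chip 1 -> -1

def delayed(signal, delay):
    """Circularly delay a one-period signal by `delay` chips."""
    return signal[-delay:] + signal[:-delay] if delay else list(signal)

def correlate(received, prn):
    """Circular correlation of `received` with the local replica for `prn`, per lag."""
    replica = bipolar(ca_code(prn))
    return [sum(received[(i + lag) % CODE_LEN] * replica[i] for i in range(CODE_LEN))
            for lag in range(CODE_LEN)]

def acquire(received, prn):
    """Return (best_lag, peak) when despreading with the code for `prn`."""
    corr = correlate(received, prn)
    lag = max(range(CODE_LEN), key=lambda k: corr[k])
    return lag, corr[lag]

def constructed_signal():
    """Constructed input: PRN 1 delayed 200 chips plus PRN 2 delayed 731 chips."""
    a = delayed(bipolar(ca_code(1)), 200)
    b = delayed(bipolar(ca_code(2)), 731)
    return [x + y for x, y in zip(a, b)]

if __name__ == "__main__":
    rx = constructed_signal()
    for prn in (1, 2, 3):   # PRN 3 is not in the signal: no correlation peak
        print(prn, acquire(rx, prn))
```

Both satellites occupy the same band at the same time; only the matching replica produces a peak near 1023, which is why the receiver must generate exactly the sender's code.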
