Iran GPS Spoofing and the RSA Cipher

John Brazier prunesquallor at proproco.co.uk
Fri Dec 23 23:37:49 GMT 2011


Dear all,

I am now no doubt out of date, but one of the rules I learnt was that an
encryption system only has to be as good as the timescale you're concerned
about.

So the Playfair was completely appropriate as a battlefield cypher in the
First World War: even if you knew the system, it would take you at least an
hour to derive the key, at which point the information was redundant.

I would assume any of these drones is a technological compromise between
flight time, control, and weapons delivery.  The last probably being the
most important, it would mean that they would, assuming their control system
is cryptographically protected, go for the simplest possible system that
gives them protection within the expected flight time. That, to me, would
certainly exclude RSA as its computing baggage would be better directed
towards things like targeting.

But I'm not an expert in this domain.

TTFN

JB

-----Original Message-----
From: ukcrypto-bounces at chiark.greenend.org.uk
[mailto:ukcrypto-bounces at chiark.greenend.org.uk] On Behalf Of Peter
Fairbrother
Sent: 23 December 2011 7:53 PM
To: UK Cryptography Policy Discussion Group
Subject: Re: Iran GPS Spoofing and the RSA Cipher

Ian Mason wrote:
> 
> On 23 Dec 2011, at 15:33, Ian Batten wrote:
>>
>> Leaving aside the practicalities of the algorithms, an asymmetric 
>> system would be attractive for military-grade GPS, as it would mean 
>> that the theft and complete analysis of a receiver would not provide 
>> the key material for spoofing.  There are a lot of military handsets 
>> and by definition they are going to be used in hostile environments 
>> with a risk of capture, so were it possible to engineer a system 
>> where the handsets did not contain the transmission keys that would 
>> be a desirable property.  As you point out, it might prove very 
>> difficult to achieve, but those problems would bring some value as well.
>>
>> ian
> 
> I see what you're getting at, but I think you haven't really thought 
> it through or misunderstand the problem. Remember that the satellites 
> are broadcasting to all receivers, not having a conversation with each 
> GPS receiver individually. The satellite/receiver system would still 
> need to share secret material as having one private key per receiver 
> would be impractical. If nothing else it would require the satellite 
> to speculatively transmit the current spreading code key wrapped in 
> many different public keys.


I'm with t'other other Ian on this - an enemy finding a receiver could then
use it to locate themselves, and if they could extract the key (a big if -
it's hard enough to extract the key from the chip in a bank
card) they could build more receivers (until the key is changed), but if
it's RSA protected they couldn't use the key they found to spoof other
receivers.


Brian's property, being able to calculate bit x without having to calculate
bits 1 ...x is probably essential, but it isn't exactly hard to do, and it
doesn't require RSA. Anything which can reset a simplish PRNG every second
or so could also be used.



Pure speculation: Although it's somewhat inefficient, it is doable. ..a bit
of theory goes in here, multichannel datastream, XOR of subset of
datastreams gives real individualised ciphertext, XOR again plus key for
real plaintext .. you can switch off the signal to any individual receivers
which are known to be in enemy hands. You can also spoof a few captured or
cloned receivers at once as well.



Getting back to the actual drone, I know very little about it. Is it
autonomous or controlled by a satellite signal link? I have heard a whisper
that for at least some drones which have such a link, the remote setup of
that control link is protected by RSA.

But then the USAF isn't exactly famous for getting codes right, or even for
using codes at all. It wouldn't surprise me terribly if there were some
unencrypted links around. Maybe this one:


> 
> All the GPS satellites transmit simultaneously on the same frequency 
> using a CDMA/DSSS modulation. The only way you can separate the 
> signals from multiple satellites is to use a different spreading code 
> for each satellite, both for satellite transmission and terrestrial
> reception.


That's true if the receivers are all in one place and omnidirectional, 
but if you have several receivers which are well-separated then you can 
separate the signals from the satellites (and find the prngstream, and 
transmit that to your equipment). That sounds like something a country 
could easily do over its own territory.

Doesn't matter what the encryption scheme used for the CDMA/DSSS 
modulation was, the keystream is just plaintext against that attack.


Now I'm not sure if the keystream would be particularly useful for 
everyday equipment, as it's maybe half a second or so out of date, but 
if a receiver can keep half a second's worth of raw data ..




> The spreading code is the bitstream output of a PRNG, also sometimes 
> called a keystream when the intent is encryption. The receiver needs the 
> spreading code to demodulate the transmitted signal, so it has to 
> generate exactly the same spreading code as the sender is using just to 
> detect the signal - a fundamentally symmetric relationship.
> 
> For the public channels such as the C/A (Coarse/Acquisition) signal the 
> PRNG formulation (key+algorithm) used to generate the spreading 
> signal is well known, the key is the satellite number. The M-code 
> channel is an anti-spoofing feature and also uses a secret and much 
> longer spreading code to achieve the antispoofing characteristic.

Merry Christmas!


-- Peter Fairbrother
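Added illustration, not code from any of the posters above: a short Python script for two points made in the thread. First, Ian Mason's remark that the public C/A spreading code is a PRNG output whose "key" is the satellite number: the generator below is the standard GPS Gold-code construction (two 10-bit LFSRs, G1 = 1 + x^3 + x^10 and G2 = 1 + x^2 + x^3 + x^6 + x^8 + x^9 + x^10, with the PRN number selecting a pair of G2 stages, as tabulated in IS-GPS-200). Second, Peter's remark that "calculate bit x without calculating bits 1..x" needs no RSA, only a simple PRNG that can be reset every second or so: here a 16-bit LFSR is reseeded from HMAC(key, epoch), so bit x costs one HMAC plus at most one epoch's worth of LFSR steps. The key, the epoch length and the reseeding scheme are constructed for the example and are not a description of the M-code design.

```python
"""Two keystream constructions from the ukcrypto thread (added example).

1. ca_code(): the public GPS C/A spreading code. The only "key" is the
   satellite PRN number, which picks two G2 stages (IS-GPS-200 table).
2. reseeded_keystream()/keystream_bit_at(): a keyed keystream with the
   "reset a simple PRNG every epoch" structure, giving random access to
   bit x without generating bits 1..x-1 of earlier epochs.
"""
import hashlib
import hmac

# G2 output stages (1-indexed) for PRN 1..32, from IS-GPS-200.
G2_TAPS = {
    1: (2, 6), 2: (3, 7), 3: (4, 8), 4: (5, 9), 5: (1, 9), 6: (2, 10),
    7: (1, 8), 8: (2, 9), 9: (3, 10), 10: (2, 3), 11: (3, 4), 12: (5, 6),
    13: (6, 7), 14: (7, 8), 15: (8, 9), 16: (9, 10), 17: (1, 4), 18: (2, 5),
    19: (3, 6), 20: (4, 7), 21: (5, 8), 22: (6, 9), 23: (1, 3), 24: (4, 6),
    25: (5, 7), 26: (6, 8), 27: (7, 9), 28: (8, 10), 29: (1, 6), 30: (2, 7),
    31: (3, 8), 32: (4, 9),
}


def ca_code(prn, n_chips=1023):
    """Return n_chips chips (0/1) of the C/A code for satellite `prn`.

    Both registers start at all ones. G1 = 1 + x^3 + x^10 and
    G2 = 1 + x^2 + x^3 + x^6 + x^8 + x^9 + x^10 are both maximal-length,
    so the code repeats every 1023 chips. No secret is involved at all.
    """
    s1, s2 = G2_TAPS[prn]
    g1 = [1] * 10   # g1[0] is stage 1, g1[9] is stage 10
    g2 = [1] * 10
    chips = []
    for _ in range(n_chips):
        # Output: G1 stage 10 XOR the two PRN-selected G2 stages.
        chips.append(g1[9] ^ g2[s1 - 1] ^ g2[s2 - 1])
        fb1 = g1[2] ^ g1[9]                                   # stages 3, 10
        fb2 = g2[1] ^ g2[2] ^ g2[5] ^ g2[7] ^ g2[8] ^ g2[9]   # stages 2,3,6,8,9,10
        g1 = [fb1] + g1[:9]
        g2 = [fb2] + g2[:9]
    return chips


def _lfsr16_stream(seed, n_bits):
    """16-bit Fibonacci LFSR, taps 16,14,13,11 (maximal length, period 65535)."""
    state = (seed & 0xFFFF) or 1          # an all-zero state would lock up
    out = []
    for _ in range(n_bits):
        out.append(state & 1)
        fb = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
        state = (state >> 1) | (fb << 15)
    return out


def reseeded_keystream(key, epoch, bits_per_epoch):
    """Keystream for one epoch: the LFSR is reset from HMAC(key, epoch).

    Anyone holding `key` produces exactly these bits, which is the
    symmetric relationship between transmitter and receiver that the
    thread discusses; the construction is a constructed illustration.
    """
    tag = hmac.new(key, epoch.to_bytes(8, "big"), hashlib.sha256).digest()
    seed = int.from_bytes(tag[:2], "big")
    return _lfsr16_stream(seed, bits_per_epoch)


def keystream_bit_at(key, x, bits_per_epoch):
    """Bit x of the overall stream, touching only the epoch that contains it."""
    epoch, offset = divmod(x, bits_per_epoch)
    return reseeded_keystream(key, epoch, offset + 1)[offset]


if __name__ == "__main__":
    for prn in (1, 2, 3):
        first10 = "".join(str(c) for c in ca_code(prn, 10))
        print(f"PRN {prn}: first 10 chips {first10} = octal {int(first10, 2):o}")
    # PRN 1 prints 1100100000 = octal 1440

    key = b"constructed-demo-key"   # constructed value for the example
    epoch_len = 64
    direct = keystream_bit_at(key, 1_000_000, epoch_len)
    print(f"bit 1000000 of the keyed stream, computed directly: {direct}")
```

The contrast the script makes visible is the one the thread circles around: the C/A generator has nothing to extract from a captured receiver because there is no key, while the keyed stream puts the full generating capability in every receiver that holds `key`, so recovering that key from one handset is equivalent to holding the transmitter's secret. The random-access property itself comes cheaply from the HMAC-reseeded structure and does not depend on any public-key machinery.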
