In the past 20 years, many electronic location determination (LD) systems have been introduced that can determine, with varying inaccuracies, the present location of a mobile receiver. The LD system can be based on electromagnetic signals received frown satellites, such as the Global Positioning System (GPS), the Global Navigation Satellite System (GLONASS), and the ORBCOMM system. The LD system can also be based on electromagnetic signals received from ground-based systems (usually, but not necessarily, fixed in location), such as LORAN-C, TACAN, DECCA, OMEGA, JTIDS Relnav and the Position Locating and Reporting System (PLRS). Many of these LD systems are summarized in Tom Logsdon, The Navstar Global Positioning System, Van Nostrand Reinhold, New York, 1992, pp. 17-47, incorporated by reference herein.
In many instances, an LD system is used to determine the location of a mobile station, containing an LD system antenna and receiver/processor, and the results are transmitted to a central station for further processing and/or storage. The results transmitted by the mobile station may be the raw measurements made at that station, or may be the results of partial or full processing of these measurements at that station. In many situations, the location of the mobile station and the time the LD measurements were made are sensitive or proprietary, and the mobile station user prefers that this location information, as well as other related sensitive information, be transmitted and received confidentially. For example, if a geological survey team is conducting a mineral or petroleum survey of a large area of land, extending over several days or weeks, and is periodically transmitting its findings to a central station for analysis and storage, the team will wish to keep its results, and the locations corresponding to these results, confidential and unavailable to anyone else who receives these transmitted messages.
One attractive method of assuring confidentiality is to encrypt the transmitted data. If a single, static code or cipher is used for such transmissions, the great amount of data transmitted by the mobile station using such a code or cipher allows an eavesdropper greater opportunity to decode or decipher the encrypted data by looking for similarities in these data and working backward to determine the cleartext or non-encrypted data.
A satellite-based or ground-based LD system can provide for transmission of messages, including but not limited to present location information, but provides no security for such messages. Security concerns are two-told here: (1) a concern that no unauthorized person obtain access to the information contained in such messages (Type 1 security) and (2) a concern that no unauthorized person obtain access to and make adulterating changes in this information before such information is received by its intended recipients (Type 2 security). Type 1 security is a concern if the information transmitted is, or will be used as a basis for preparation of, confidential or proprietary information. Type 2 security is a concern in transmission of confidential or non-confidential information, such as financial transactions information, where accuracy is of greater importance than secrecy.
Hermann, in U.S. Pat. No. 4,102,521, discloses a system for coding guidance signals that are produced at a central station and transmitted to a self-propelled vehicle, such as a missile or guidable satellite, that is to be guided or whose control surfaces are to be adjusted from time to time. The length of the coded signal is kept low, and transmission of the coded signal is immediately preceded by transmission of a noise signal with uniform power density per unit frequency interval, to frustrate attempts to jam or interfere with transmission and receipt of the coded signal. The coded signal, when received by the vehicle, is decoded and applied to guide or control the vehicle. The concern here is interference with receipt by the intended recipient (the vehicle) of the transmitted message, not receipt and comprehension of the guidance signal by some other entity. Coding and anti-interference measures, but not encryption and decryption, are employed.
Teeter et al disclose use of pseudo-noise modulations and specific address encoding to permit multiple conversations or signal transmissions between a central station and a plurality of vehicles, or between the vehicles, in U.S. Pat. No. 4,117,271. A receiver for such (broadcast) signals is provided with a filter that accepts only signals with the proper address coding and disposes of all other messages. The encoded address also identifies the source of the message. The inventors note that this technique is useful only over modest ranges and that the most suitable frequency range is tens of kilohertz up to tens of megahertz.
Encryption using destination addresses using a TDMA satellite communications system is disclosed in U.S. Pat. No. 4,418,415, issued to Fennel et al. A common encryption/deception key is held by all authorized users of a network. This key is EXclusively ORed with the specified destination address, and the output (digital) signal is passed through an encryption engine, on the satellite and at the intended ground-based receiver, using the same key or another key. The encryption engine output signal is then combined with the channel data to be transmitted in another EXclusive OR circuit and transmitted to the network users. Each of the receivers receives the message and reverses the encryption process, using its own destination address as part of the decryption key. However, only the (single) intended receiver produces a cleartext message that is comprehensible.
Hanas et al, in U.S. Pat. No. 4,709,266, disclose use of s satellite scrambling network to provide messages that are scrambled or encrypted differently for different geographical regions. This is useful for distributing scrambled video, voice and data subscriber messages. A master uplink message (ground-to-satellite) is used to control the scrambling or encryption commands that determine the scrambling applied to each geographical area and/or to groups of individual subscribers.
U.S. Pat. No. 4,739,510, issued to Jeffers et al, discloses insertion of digitized audio and control signals in the horizontal blanking intervals of a television signal. The control signals appear as frames or packets, with a header containing a group address, synchronization and program-related information. A second portion of the header, containing control information addressed only to one or more specified receiver units, allows control of certain receiver functions at the transmission end of the system. The system uses several tiers of message authorization levels and a common audio or video key that is encrypted differently for use by each receiving authorized receiver. An authorized receiver receives only the information intended for that receiver, and unauthorized receivers receive only a scrambled message.
A satellite communication system for financial institutions, with message authentication, is disclosed by Laurance et al in U.S. Pat. No. 4,860,352. Specification of the transmitter position is appended to the message transmitted. The receiver authenticates the message by first comparing this transmitted position information with the actual transmitter information stored in the receiver system. If the two sets of transmitter position information do not agree, the receiver discards the remainder of this message as originating from an invalid sender.
Horne, in U.S. Pat. No. 4,887,296, discloses a three-key cryptographic system for a direct broadcast satellite system, to be used in video broadcasting to a plurality of ground-based receivers, each having a unique address number. A signature key, which is an encryption using the address number for that receiver, is stored in the receiver at the time of manufacturing. At the transmitter, a common key is encrypted, using the unique signature key for a receiver that is targeted for a portion of the message to be transmitted. The data stream contains message portions intended for all receivers and message portions intended for, and decryptable only by, individual receivers. A target receiver decrypts its messages, using the common key and signature key used by the transmitter to encrypt the receiver's portions of the message.
A system for encryption and decryption of voice and data transmissions to and from an aircraft is disclosed in U.S. Pat. No. 4,903,298, issued to Cline. The encryption unit is selectively inserted in, and removed from, the audio path between a radio transmitter and a receiver, one of which is located on an aircraft. This feature is intended to be used by businesspersons, travelling by air, who need occasional contact with their associates on the ground.
U.S. Pat. No. 4,916,737, issued to Chomet et al, discloses an anti-piracy television program scrambling/descrambling system that allows the encryption/decryption code to be changed periodically (e.g., once per month) by communication from the head end or central station. The receiver's decryption unit has an unalterable ROM portion, containing its unique serial or address number, and an EPROM portion, containing an alterable ROM portion with a look-up table that can be changed by receipt of special signals from the head end.
Kolbert discloses use of parallel transmission of "real" data and "junk" data to all recipients, to mask which user is the intended recipient of a message, in U.S. Pat. No. 4,932,057. The system is intended to be used where several different systems on an aircraft (e.g., communication, navigation, visual display) receive different subsets of data, some of which are confidential. The radiation produced by transmission along hardwired circuits in parallel allegedly masks the message and the intended recipient.
U.S. Pat. No. 4,972,431, isssued to Keegan, discloses a method of decryption of encrypted P-code signals in a Global Positioning System (GPS). The encrypted binary signals are squared using a relatively narrow bandwidth so that each GPS satellite signal can be separated from the other signals and so that the GPS carrier phase and pseudorange signals can be recovered from the composite signal. The signal-to-noise ration is kept reasonably high so that very weak signals can be received and analyzed.
An encrypted satellite communications system with relatively easy rekeying is disclosed by Leopold in U.S. Pat. No. 4,993,067. The contemplated provides communications between a satellite and all ground receivers in a defined geographic area. A message received by or from a receiver located in an improper receiver area is discarded. A designated ground receiver transmits a rekeying request to the satellite. The satellite determines whether the rekeyed areas correspond to geographically permitted areas. If the answer is affirmative, the satellite transmits rekeying instructions to change the geographical configuration of the ground-based receivers, either immediately or at a previously selected time.
Geographically defined lock-out of direct broadcast satellite signals, such as pay-per-view television, is also disclosed by Jeffers et al in U.S. Pat. No. 5,036,537. Before the broadcast, each receiver in the geographic area intended to be lock out is addressed and prevented from receiving that broadcast, using a blackout tier system that determines which receivers are to be locked out, based upon a designation code assigned to that receiver.
U.S. Pat. No. 5,113,443, issued to Brockman, discloses a method for scrambling a satellite communication by (1) encoding and modulating different portions of the communication onto different carrier frequencies to form a total signal and (2) transmitting the total signal to a ground station using the different frequency channels. The ground station receives the transmitted signal, decodes the individual channel signals using the known carrier frequencies, and accumulates the signal as a decoded whole. Only an authorized ground station possessing a key can decode and properly sum the received signals to produce the message originally transmitted from the satellite.
Esserman et al disclose signal encryption apparatus for satellite communications that generates a plurality of distinct keys, in U.S. Pat. No. 5,115,467. A secret common key is combined with distinct parameter data (unique to a particular station) to produce a distinct key for communications transmitted to that station.
A global communications system for transmitting encrypted messages to each of a plurality of different geographic areas is disclosed by Davis et al in U.S. Pat. No. 5,129,095. One or more satellites communicates with ground stations in each distinct geographic area by use of identification words on different channels. The system is intended for use in paging selected users in a plurality of countries.
In U.S. Pat. No. 5,210,534, Janex discloses an encoding method for exchange of navigation information between sea vessels. When coordinated movement of the vessels is desired, the vessels communicate using encoded messages drawn from a fixed glossary of such messages.
Cross, in U.S. Pat. No. 5,221,925, discloses a location interrogation system in which a mobile unit, upon receipt of an interrogation signal, transmits its present location in a conventionally encoded format to a central station that has issued the interrogation signal, to assist in tracking the mobile unit.
A communication system for control of access to a location-sensitive remote database is disclosed in U.S. Pat. No. 5,243,652, issued to Teare et al. A central station stores and transmits encrypted television material whose encryption key is available only for a viewers in a specified geographical area, as determined by a GPS or Loran location determination system.
Transmission of encrypted information packages from a central site to a remote site, in response to receipt of a request for specified information from that site, is disclosed in U.S. Pat. No. 5,247,575, issued to Sprague et al. The encryption key is changed periodically (e.g., weekly), but does not depend upon any past information.
Molva et al, in U.S. Pat. No. 5,347,580, disclose an authentication method using a smartcard to encrypt the presently displayed time with a cryptographically strong key. A public work station receives the encrypted time message, generates one or more values from this message, and further encrypts and/or transmits these values to a server station. The server station uses the received values to authenticate the holder of the smartcard and to accept or reject a message or command frown the holder.
U.S. Pat. No. 5,365,585, issued to Pohl et al, discloses a method for encryption using a feedback register with selectable taps and having an input terminal that receives an additional signal. The register produces a pseudorandom, encrypted output signal and can be used for encryption and decryption of messages.
What is needed is an approach for encrypting a message transmitted by an mobile LD station, where the encryption parameters change with time in a manner that is determinable by a station with knowledge of the present and/or preceding location coordinates or other location indicia of the transmitting station. Preferably, the encryption parameters change as the location of the station changes, using one or more coding algorithms that depend upon the present or recent location data. Preferably, this approach should allow temporary cutoff of transmission when the magnitude of the velocity of the mobile station is either zero or is below a small velocity threshold so that an eavesdropper has less information to use for decoding information contained in the messages transmitted.