Secure radio-navigation, in particular satellite navigation, will tomorrow be as important and vital as secure Internet is today. However, many of the threats to satellite navigation cannot be prevented or combated with current technologies, at least for civilian mass-market applications.
There are a number of positioning applications in which the genuine position of a user at a certain time needs to be known with a high degree of certainty and trust. Such applications include, for instance, fleet management, road tolling, geofencing, virtual site licenses, safety-critical location-based services, pay-as-you-drive car insurance schemes, etc. In other applications, it may be necessary to establish whether a user was in possession of certain data at a certain time and in a certain location.
Market penetration and user acceptance of these applications will largely depend on their reliability and the confidence in the integrity and robustness of the services provided. In this context, the users of the invention encompass both receiver users, whose positions are determined based on radio-navigation signals of the radio-navigation system (one would typically refer to these users as “end users”), and service providers, who use the positioning data received from the end users. These service providers may be referred to as third party service providers because they are normally distinct from the operator of the positioning system.
The end users, on the one hand, typically want to be sure of the authenticity of the source of the radio-navigation signals. This preoccupation is linked to the concept hereinafter referred to as signal-in-space (SIS) authentication.
Third party service providers, on the other hand, typically want to have a guarantee that each item of positioning data that they receive from their end users (subscribers) actually corresponds to the end user's position at the indicated time. This implies, first, that the positioning data has been computed on the basis of genuine radio-navigation signals and, second, that it has not been tampered with, i.e. modified or falsified for the purpose of providing a wrong position or time.
The concept relating to the authentication of the positioning data declared by end users or transmitted by their radio-navigation signal receivers will hereinafter be referred to as position-velocity-time (PVT) authentication, PVT being the most common set of positioning data calculated by receivers.
International patent application WO 2009/090515 addresses the problem of the authentication of positioning data in the context of infrastructure-free road tolling. The charging system in an automated road toll system is based on distance travelled, date and/or time of the travel, location (geographical area) and/or vehicle characteristics (length, cubic capacity, fuel consumption, CO2 emissions, etc.). WO 2009/090515 aims at preventing a so-called “fake GPS attack”, i.e. providing false GPS data to the tolling institution in order to reduce the road tolls payable. This is done by providing the tolling institution with vehicle condition sensor readings (speed, steering angle, travel distance, local weather, etc.). The tolling institution then crosschecks the GPS data with the vehicle condition data in order to authenticate or invalidate the GPS data.
International patent application WO 2009/001294 also relates to fraud prevention and detection in the context of a road tolling system. The user receiver retrieves the positioning data by receiving, down-converting and processing navigation signals. The tolling institution is then provided with the decoded position data as well as with raw data (samples of the down-converted navigation signals) and may then check whether the sample of raw data corresponds to that expected at the particular location and time indicated by the position information transmitted.
A similar approach is followed by U.S. Pat. No. 5,754,657, which discloses an authentication or validation method wherein the receiver whose position is to be validated or invalidated transmits an “augmented data signal” comprising raw radio-navigation signal data as well as the asserted position and time. The “augmented data signal” is transmitted to a central station, which essentially checks whether the raw data are consistent with the asserted position and time as well as with the signals broadcast by the satellites.
Another interesting solution is proposed in the article “Signal Authentication—A Secure Civil GNSS for Today”, by Sherman Lo et al., published in the September/October 2009 issue of InsideGNSS. The authentication method disclosed in this article relies on the fact that the GPS L1 frequency carries both C/A code and (encrypted) P(Y)-code signals, transmitted in phase quadrature. The user receiver transmits its computed position and time together with a snapshot of the (raw) P(Y)-code signals to an authentication authority. The method exploits the fact that the P(Y)-code sequence received at a first location (the location of a receiver whose position is to be authenticated) is identical to the P(Y)-code sequence received at a second location (the location of a reference receiver under the control of the authentication authority), once the difference of the satellite-to-receiver signal times is taken into account. The presence of a correlation peak between the (raw) P(Y)-code sequences recorded at the two locations establishes signal authenticity of the C/A code (assuming that both receivers are not simultaneously within the reception range of the same signal-spoofing attacker). Aspects of the method disclosed in the article have also been the object of patent applications US 2009/0195443 and US 2009/0195354.
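The correlation check at the heart of the method above, as an added illustration that is not part of the patent text or of the cited article: a constructed pseudo-random chip sequence stands in for the encrypted code (it is not a real P(Y) code), the user snapshot is the same sequence shifted by the (unknown) signal-time difference and corrupted by noise, and the authority searches for a correlation peak over a window of candidate lags. The function names, the 256-chip length, the lag window and the 0.5 threshold are assumptions chosen for the example.

```python
import random

def make_chips(n, seed):
    """Constructed stand-in for a snapshot of an encrypted ranging code:
    a deterministic pseudo-random +/-1 chip sequence (not a real P(Y) code)."""
    rng = random.Random(seed)
    return [1 if rng.random() < 0.5 else -1 for _ in range(n)]

def observe(chips, delay, flip_rate, seed):
    """Simulate what one receiver records: the code shifted by `delay` chips
    (the satellite-to-receiver signal-time difference, unknown to the authority)
    with a fraction `flip_rate` of chips corrupted by noise."""
    rng = random.Random(seed)
    n = len(chips)
    return [chips[(i - delay) % n] * (-1 if rng.random() < flip_rate else 1)
            for i in range(n)]

def correlate(ref, snap, max_lag):
    """Normalized cross-correlation of the reference receiver's snapshot against
    the user snapshot for every lag in [-max_lag, max_lag]. Returns the lag with
    the largest correlation and that value (1.0 means identical sequences)."""
    n = len(ref)
    best_lag, best = 0, -1.0
    for lag in range(-max_lag, max_lag + 1):
        c = sum(ref[i] * snap[(i + lag) % n] for i in range(n)) / n
        if c > best:
            best_lag, best = lag, c
    return best_lag, best

def authenticate(ref, snap, max_lag, threshold=0.5):
    """Authority-side decision: accept the user snapshot only if a clear
    correlation peak exists within the plausible lag window.
    A genuine snapshot peaks near 1 - 2*flip_rate; an unrelated sequence of
    256 chips stays around +/-0.06 per lag, so 0.5 separates them comfortably."""
    lag, peak = correlate(ref, snap, max_lag)
    return peak >= threshold, lag, peak

if __name__ == "__main__":
    code = make_chips(256, seed=1)
    reference = observe(code, delay=0, flip_rate=0.0, seed=2)   # authority's receiver
    genuine = observe(code, delay=7, flip_rate=0.1, seed=3)     # honest user, 7-chip offset
    unrelated = make_chips(256, seed=99)                         # snapshot not derived from the code
    print("genuine:  ", authenticate(reference, genuine, max_lag=20))
    print("unrelated:", authenticate(reference, unrelated, max_lag=20))
```

The recovered lag is itself useful to the authority: it must be consistent with the position and time the user asserts, which is the second consistency check the cited approaches perform.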
Basically, there are three different types of threats to the integrity of positioning data:

1. Threats to the integrity of the signals-in-space (e.g. jamming, spoofing and meaconing). These are threats occurring “upstream” of the computation of the positioning data.

Jamming is the emission of a radio frequency signal or noise with sufficient power and with specific characteristics in order to supplant the navigation signals within the neighbourhood of the jammer. Jamming has the effect of preventing positioning receivers from acquiring and tracking navigation signals within an area, the surface of which depends on the emission power of the jammer. The positioning receiver subjected to a jamming attack is rendered unable to produce PVT data or may only produce PVT data affected by high uncertainty (exhibiting a large error range). All signals, encrypted or not, can be jammed. Jammers are available on the market at low prices (less than 100). Jamming can be detected by positioning receivers equipped with ad hoc devices and algorithms. Jamming is an illegal activity in most countries.

Spoofing is the broadcast of signals resembling positioning signals by a simulator located on the ground in order to deceive positioning receivers. Spoofing is illegal in most countries. Spoofers cannot in principle simulate encrypted signals (e.g. the current GPS P(Y)-code, the future GPS M-code, or the future Galileo PRS- and CS-codes) unless they can break the encryption of the navigation code, which is very unlikely. Spoofers are not readily available on the market yet but can be easily produced by receiver manufacturers and/or by technically versed persons. It is expected that spoofers will be available on the market in a few years at affordable prices between about 100 and 1000.

Meaconing is the reception and rebroadcast of genuine navigation signals, with or without a time delay. The original signals are read using a high quality antenna, delayed and then retransmitted by an emitter, so that the delayed signals lead to the computation of a wrong position. Unlike spoofing, meaconing can, under certain conditions, also deceive positioning receivers working with encrypted navigation signals.

2. Threats to the computation of the PVT (e.g. hardware or software bugs, worms and/or viruses altering the computation process).

3. Threats to the integrity of the PVT after it has been computed (tampering with the computed PVT) or after it has allegedly been computed (in the case of completely made-up positioning data). A PVT could e.g. be intercepted and replaced by a fake PVT in the transmission over telecommunication networks between the user receiver and the third party service provider. It could also be modified when stored on electronic media, e.g. within the service provider's facilities.