ADS-B Authentication

Compliant with

Mode-S Extended Squitter

Using PSK Modulation

ITSC 2015 Sept. 17, 2015

Sept. 17, 2015 ITSC 2015 1

Omar Yeste and René Jr. Landry

Mode-S Extended Squitter (ES)

• Air Traffic Management

• ID, 4D position, intention

• ADS-B

– Automatic Dependent Surveillance-Broadcast

– Also proposed

for Collision

Avoidance in

Connected

Autonomous

Vehicles

Sept. 17, 2015 ITSC 2015 2

Courtesy of MIT

Mode-S ES Threatens

• Eavesdropping

– Messages are intentionally non-encrypted

• Jamming or denial of service

– Transmitter operating at the 1090 MHz channel.

• Radiation of Hazardously Misleading

Information (HMI):

– Spoofing (or impersonation) - multilateration

– Message manipulation.

– Message injection or replay

Sept. 17, 2015 ITSC 2015 3

Outline

1. Proposed solution (What? How?)

2. Modulation Order Selection

3. ADS-B Transmitting Device

– Preliminary results

4. ADS-B Receiving Device

5. Timestampting

6. Conclusions

Sept. 17, 2015 ITSC 2015 4

1. Proposed Solution (What?)

• Embed a Digital Signature in the message

• Protects against most types of HMI

– Message replay?

• Secure ADS-B still compliant with Mode-S ES.

Seamless transition:

– Old equipment can still decode the message

– New equipment can authenticate the message

Sept. 17, 2015 ITSC 2015 5

1. Proposed Solution (How?)

• Mode-S ES uses PPM (amplitude modulation)

• Use M-PSK modulation to embed the signature

• Previous works have paved the way:

– Key management

– Digital Signature length (448 bits, secure until 2030)

Sept. 17, 2015 ITSC 2015 6

2. Modulation Order Selection

Modulation Sensitivity

( BER 10-7 )

Maximum Range

70W 125W 200W

BPSK/QPSK −88.7 dBm 213NM 285NM 361NM

8PSK −82.8 dBm 108NM 145NM 183NM

16PSK −𝟕𝟔. 𝟖 dBm 54NM 73NM 92NM

Class A3 −81.0 dBm 34NM 64NM 90NM

Class A3+ −83.5 dBm 35NM 85NM 120NM

Sept. 17, 2015 ITSC 2015 7

• ADS-B consists of 112 pulses + preamble

• 4 bits/pulse: 448 bits

• Preamble used for carrier recovery

3. ADS-B Transmitting Device

3.1 Initial Architecture

Sept. 17, 2015 ITSC 2015 8

ADS-BMessage(112 bits)

Add Preamble(11N00NNN)

Digital Signature(448 bits)

Zero Padding(0x00000000)

-32 zeroes-

D16PSKGray Coding

PPMModulator

4 MSPS

1 MSPS

4 MSPS

1 MSPS 2 MSPSAmplitude

1 MSPS

SignedADS-B

Message

Amplitude/Phase to Complex

↑2“Nearest”

2 MSPS Phase

Nutaq’s ZeptoSDR

• Main components:

– Radio420X: High quality radio module

– Xilinx Zynq FPGA (pass-through mode)

– Dual ARM Cortex-A9

• Features

– Remote and embedded

operation

– GNU Radio support

Sept. 17, 2015 ITSC 2015 9

3. ADS-B Transmitting Device

3.3 SDR Platform

3. ADS-B Transmitting Device

3.3 GNU Radio

Sept. 17, 2015 ITSC 2015 10

3. ADS-B Transmitting Device

3.3 Preliminary Results

Sept. 17, 2015 ITSC 2015 11

3. ADS-B Transmitting Device

3.3 Preliminary Results

Sept. 17, 2015 ITSC 2015 12

3. ADS-B Transmitting Device

3.3 Preliminary Results

Sept. 17, 2015 ITSC 2015 13

3. ADS-B Transmitting Device

3.3 Preliminary Results

Sept. 17, 2015 ITSC 2015 14

3. ADS-B Transmitting Device

3.3 Preliminary Results

Sept. 17, 2015 ITSC 2015 15

3. ADS-B Transmitting Device

3.3 Spectrum Mask

Sept. 17, 2015 ITSC 2015 16

3. ADS-B Transmitting Device

3.3 Spectrum Mask

Sept. 17, 2015 ITSC 2015 17

3. ADS-B Transmitting Device

3.3 Phase Reversal

Sept. 17, 2015 ITSC 2015 18

3. ADS-B Transmitting Device

3.3 Phase Reversal

Sept. 17, 2015 ITSC 2015 19

3. ADS-B Transmitting Device

3.3 Initial Architecture

Sept. 17, 2015 ITSC 2015 20

3. ADS-B Transmitting Device

3.3 Proposed Architecture

Sept. 17, 2015 ITSC 2015 21

Sept. 17, 2015 ITSC 2015 22

3. ADS-B Transmitting Device

3.3 Proposed Architecture

ADS-BMessage(112 bits)

Add Preamble(11N00NNN)

Digital Signature(448 bits)

Zero Padding(0x00000000)

-32 zeroes-

D16PSKGray Coding

PPMModulator

4 MSPS

1 MSPS 1 MSPS

2 MSPS

SignedADS-B

Message

↑2“Nearest”

↑10“Nearest”

2 MSPS

↑2“Nearest”

4 MSPS

↑5“Cubic”

20 MSPS Phase

20 MSPSAmplitude

4 MSPS

Amplitude/Phase to Complex

1 MSPS

• Pulse rise time < 0.1 µs (Pulse shape)

• Phase transition > 0.25 µs (Spectrum Mask /

Merged Pulses)

3. ADS-B Transmitting Device

3.3 Spectrum Mask

Sept. 17, 2015 ITSC 2015 23

4. ADS-B Receiving Device

Sept. 17, 2015 ITSC 2015 24

AMDemodulator

ThresholdPreambleDetection

Down converted Complex

Signal

SymbolSynchronism

PPMDemodulator

Carrier Offset Estimation

D16PSKDemodulator

Signature

ADS-BMessage

5. Timestamping

• A pair (Message/Time) is used to generate the

signature

• Time uncertainty is < ±0.8 s

• Timestamp resolution: 2 s

– Time replay window of 2.8 s in the worst case

Sept. 17, 2015 ITSC 2015 25

Tm = Time of measurement

Information available at the GNSS output

Information available at the ADS-B transmitter’s input

Transmission of message

Reception of message at the ADS-B receiving subsystem

𝛿𝐺𝑁𝑆𝑆 𝛿𝐷𝐵 𝛿𝑂𝑢𝑡 𝛿𝑝𝑟𝑜𝑝

𝛿𝐼𝑛

Conclusion

• Solution against HMI

• Fully compliant with Mode-S ES standard

– Seamless transition

• 16-PSK modulation

– Allows authentication of every message (448 bits)

– Theoretical BER allows intended coverage area

• Timestamping to prevent message reply

– Vulnerable window of 2.8 s

Sept. 17, 2015 ITSC 2015 26

Thank you

Questions?

Sept. 17, 2015 ITSC 2015 27

Contact us: Omar.Yeste@lassena.etsmtl.ca, ReneJr.Landry@etsmtl.ca

mailto:Omar.Yeste@lassena.etsmtl.camailto:ReneJr.Landry@etsmtl.ca