GB2413448A - Positioning system - Google Patents

Publication number: GB2413448A
Authority: GB (United Kingdom)
Prior art keywords: signal, receiver, positioning system, transmitter, delay
Legal status: Granted
Application number: GB0408683A
Other versions: GB2413448B (en), GB0408683D0 (en)
Inventor: Markus Guenther Kuhn
Current Assignee: Cambridge University Technical Services Ltd CUTS
Original Assignee: Cambridge University Technical Services Ltd CUTS

Classifications

    • G PHYSICS
    • G01 MEASURING; TESTING
    • G01S RADIO DIRECTION-FINDING; RADIO NAVIGATION; DETERMINING DISTANCE OR VELOCITY BY USE OF RADIO WAVES; LOCATING OR PRESENCE-DETECTING BY USE OF THE REFLECTION OR RERADIATION OF RADIO WAVES; ANALOGOUS ARRANGEMENTS USING OTHER WAVES
    • G01S19/00 Satellite radio beacon positioning systems; Determining position, velocity or attitude using signals transmitted by such systems
    • G01S19/01 Satellite radio beacon positioning systems transmitting time-stamped messages, e.g. GPS [Global Positioning System], GLONASS [Global Orbiting Navigation Satellite System] or GALILEO
    • G01S19/02 Details of the space or ground control segments
    • G01S19/13 Receivers
    • G01S19/21 Interference related issues; Issues related to cross-correlation, spoofing or other methods of denial of service
    • G01S19/215 Interference related issues; Issues related to cross-correlation, spoofing or other methods of denial of service issues related to spoofing
    • G01S5/00 Position-fixing by co-ordinating two or more direction or position line determinations; Position-fixing by co-ordinating two or more distance determinations
    • G01S5/02 Position-fixing by co-ordinating two or more direction or position line determinations; Position-fixing by co-ordinating two or more distance determinations using radio waves
    • G01S5/14 Determining absolute distances from a plurality of spaced points of known location
    • G01S5/145 Using a supplementary range measurement, e.g. based on pseudo-range measurements

Abstract

A GPS-type positioning system comprising a plurality of transmitters and at least one receiver is described. Each transmitter transmits a first signal. After a delay, a second signal is transmitted, which second signal includes information relating to the first signal. The first signal may comprise a spread spectrum signal and the second signal may include information relating to the spreading sequence used in the first signal. A receiver receives and buffers the first signal and, after a delay, receives the second signal which it uses to identify and separate information in the first signal. The system can be resistant to spoofing by an interfering enemy transmitter.

Description

Positioning system
Navigation or positioning services, such as the Global Positioning System (GPS) and similar, currently offer no signal integrity protection of use to the general public. Where the broadcast signal is fully documented, as is the case for the civilian C/A signal of GPS, an attacker can replace the receiver antenna with a signal generator that delivers a simulated signal as it would be received at an arbitrarily chosen location. Where the broadcast signal is encrypted with a symmetric cipher, as is the case for the military Y signal of GPS, anyone who can build or reverse engineer a receiver will know the key and can use it to spoof other receivers. Such encryption is only of use in a closed user community (e.g. the military) or with highly tamper-resistant conditional access modules protecting the common key. In an open user community without common secret keys, integrity protection is needed instead.
The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
Positioning systems may be used in many situations to track items. For instance, in a transport company for high-valued goods armoured lorries may be equipped with satellite navigation receivers which are queried via radio every few minutes by computer. If one of the lorries deviates from the planned route or loses contact without plausible explanation, action can be taken immediately to prevent it being stolen.
Another example is the prison service. Some convicts may live and work outside the prison, but have to remain within a specified area. Others may be offenders on probation that must stay outside certain areas or just have their location monitored continuously. A navigation receiver may be attached to their ankles and a prison computer queries it via radio (e.g. GSM) several times per hour.
Several such systems for remote attestation of location via GPS have been fielded, in particular for vehicle tracking. The use of trusted GPS receivers has also been proposed for location-based network authentication. Radio tagging of offenders to control a curfew is now practiced in several countries.
These are examples of security systems that use a navigation-signal receiver as a trusted component. Such a receiver may end up in the hands of an attacker with a strong incentive to manipulate the system such that it reports a pretended position r' instead of its actual position r.
Conventional pseudo-range positioning systems will now be considered with reference to Fig. 1. Modern positioning systems use a number of transmitters 2, $X_i$, located at known coordinates $x_i \in \mathbb{R}^3$. Each transmitter is equipped with a synchronised clock and knows the exact system time $t$. A receiver $R$ 4 is located at the coordinates $r \in \mathbb{R}^3$ (to be determined). Each transmitter $X_i$ broadcasts a navigation signal $s_i(t)$ that propagates through space in all directions with speed $c$. At position $r$ the signal $g(r,t)$ will be received:
$$g(r,t) = \sum_i A_i \, s_i\!\left(t - \frac{|x_i - r|}{c}\right) + n(t) \qquad (1)$$
where $A_i$ is the attenuation the signal suffers from $X_i$ to $R$, and $n(t)$ is background noise. With carefully chosen functions $s_i(t)$ (low auto- and cross-correlation), the receiver can separate the individual terms of this sum, identify the time delay $|x_i - r| / c$ for each and infer from it the "range" $d_i$:
$$d_i = |x_i - r|. \qquad (2)$$
With three known ranges $d_i$ to known transmitter positions $x_i$, three equations (2) can be solved unambiguously for $r$ (unless all three $x_i$ are located on a line).
Highly stable clocks (e.g., caesium oscillators) are costly and pure receivers cannot participate in two-way clock synchronization. Therefore, in practice, $R$ will only have access to an imprecise estimate $t_r = t + u_r$ of the exact system time $t$. It therefore receives the signal
$$g(r, t_r) = \sum_i A_i \, s_i\!\left(t - \frac{|x_i - r|}{c} + u_r\right) + n(t) \qquad (3)$$
and can infer from the delays $|x_i - r| / c - u_r$ only the "pseudo-ranges"
$$d_i = |x_i - r| - c \cdot u_r. \qquad (4)$$
The clock error $u_r$ adds a fourth unknown scalar. With pseudo-range measurements to at least four transmitters $X_i$, the resulting system of equations (4) can be solved for both $r$ and $u_r$, providing both the exact position and time without requiring a precise local clock.
We will now consider an attacker of a system for remote attestation of location who has access to its navigation receiver (for example because it was tied to her ankle following a court order). There are two points that may be manipulated.
The first is the output of the receiver or the channel over which it reports the position of its antenna. The receiver could be substituted with a device that continuously outputs pretended positions r'. This can be prevented with well understood cryptographic authentication protocols that protect the link to the querying computer. If the receiver is only moderately tamper-resistant, an attacker who successfully extracts the key used in one will not have gained anything useful for spoofing the location reports from other receivers, making this attack difficult to scale.
The second point of attack is the navigation antenna or, more generally speaking, the connection of the receiver with the electromagnetic environment specific to its location. An attacker can separate the antenna from the receiver, or place it into a shielded enclosure along with a transmitting antenna, either way gaining full control over the input of the receiver. This enables several types of attack on a tamper-resistant receiver whose output is cryptographically protected.
In a relaying attack (also known as worm-hole attack), the receiver is connected to a remote antenna located at the pretended position r'. Such an attack may be logistically complex (arrangements may have to be made to move the remote antenna around in a plausible way) and the remote antenna can easily be located.
In a signal-synthesis attack, the receiver is connected to a device that generates the navigation broadcast signal g(r', t) as it can be expected to be found at the pretended location. With fully-standardised plaintext broadcast signals, where all aspects of the message format and modulation are publicly known, a modest amount of hardware can simulate the signal to be expected at any point in time and space.
Carefully implemented encryption can guarantee the integrity and confidentiality of transmitted data, but this alone is not sufficient in the case of a navigation signal. Here the security-critical aspect of the signals $s_i(t)$ lies not only in the data they carry, but also in their exact relative arrival times at the receiver.
This is exploited in the selective-delay attack, in which the attacker uses the signal $g(r, t)$ received at the actual position $r$, converts it into a prediction of the signal $g(r', t - \Delta t)$ that would have been received at the pretended position $r'$ a short time $\Delta t$ earlier, and feeds that into the receiver. To accomplish this, the attacker needs to be able to separate the signal $g(r, t)$ into the individual terms of equation (1), that is
$$g(r, t) = \sum_i A_i \, g_i(r, t) + n(t) \qquad (5)$$
with
$$g_i(r, t) = s_i\!\left(t - \frac{|x_i - r|}{c}\right). \qquad (6)$$
This can then be reassembled into
$$g(r', t - \Delta t) = \sum_i A_i \, g_i\!\left(r,\; t + \frac{|x_i - r|}{c} - \frac{|x_i - r'|}{c} - \Delta t\right) + n'(t) \qquad (7)$$
after choosing
$$\Delta t \ge \max_i \{ |x_i - r| - |x_i - r'| \} / c \qquad (8)$$
to preserve causality.
The 24 orbiting satellites of the GPS constellation emit two separate broadcast signals $s_i(t)$, known as the civilian C/A and military Y signals. They both carry the same 50 bit/s data stream, which includes information on the current time and the exact orbital parameters of each satellite that receivers need to calculate the time-dependent transmitter positions $x_i(t)$. This data is transmitted using direct-sequence spread-spectrum (DSSS) modulation. The civilian C/A signal is modulated using a relatively short published spreading function. It can therefore not only be demodulated by the general public, but is also vulnerable to a signal-synthesis attack.
The military Y signal is produced by multiplying the 50 bit/s data signal with a secret and very long 10.23 MHz pseudo-random spreading sequence. This not only encrypts the signal like a stream cipher; it also spreads the 100 Hz main lobe bandwidth of the data signal by a factor of $2 \times 10^5$, to 20 MHz. As a consequence, its peak power-spectral density is reduced by the same factor (53 dB) and generally ends up roughly 28 dB below the thermal noise density seen by a typical receiver (see B.P. Parkinson, J.J. Spilker: Global Positioning System: Theory and Applications, Volume 1, ISBN 1-56347-106-X, p. 89).
The original reason for this design was an international regulation that protects microwave telephone links in the same frequency band from interference.
Various tactical low-probability-of-intercept communication systems use DSSS modulation in a similar way to keep the power-spectral density of the transmission signal below the noise densities at expected eavesdropper sites.
In both the time and frequency domain, the Y signal disappears in the noise.
Someone trying to manipulate the GPS Y code will therefore find it difficult to split $g(r, t)$ up as in equation (5). As the shape of the waveforms is not known, correlation techniques cannot be applied to extract the phase of the Y signal from the noise.
It would therefore be very difficult to apply even a selective-delay attack on a GPS Y signal received with an omnidirectional antenna. The only option left to an attacker is to separate individual transmitters by using high-gain antennas.
The use of at least four tracking dish antennas or a phased array may be feasible in some particularly well-funded attacks, but in most situations an attacker is likely to be mobile and only able to operate an omnidirectional antenna to capture $g(r, t)$.
The problem with the GPS Y signal is of course that since it is based on a single secret key, anyone in possession of the secret key can not only decode the Y signal to determine their position, but is also able to perform a signal synthesis attack on any other Y signal receiver. As a result, encrypted spread spectrum navigation signals are so far used only in closed, mutually trusting user communities (in the case of the GPS Y signal, the US military).
Another protection against signal-synthesis attacks has been proposed by MacDoran et al. in US patent no. 5757916. Their "location signature sensor" not only decodes the GPS C/A navigation signal to report its position to a remote authentication peer. It also detects and records a number of unpredictable attributes of the GPS signal, for example the clock noise added by the selective availability (SA) function of GPS to reduce the quality of service to the general public, as well as short-term fluctuations in the relative orbital positions that are not reported in the broadcast data. As long as the location signature sensors at both ends of the authenticated communication can see the same satellites, they can convince each other of being within a few thousand kilometres.
Again, this system only provides symmetric authentication and anyone able to verify the output of a location signature sensor in a geographical region will also be able to fake the output of such a sensor from anywhere within the same region.
Embodiments of the present invention will now be described, by way of example only, with reference to the attached drawings, in which: Figure 1 shows an example of a known positioning system employing a plurality of satellite transmitters and at least one receiver; Figure 2 shows an example of one embodiment of a positioning system employing a plurality of satellite transmitters and at least one receiver; Figure 3 is a flow chart illustrating at a high level operation of a transmitter according to one embodiment; Figure 4 is a flow chart illustrating at a high level operation of a receiver according to one embodiment; Figure 5 is a flow chart illustrating at a more detailed level operation of a transmitter according to one embodiment; and Figure 6 is a flow chart illustrating at a more detailed level operation of a receiver according to one embodiment.
A method and apparatus for a positioning system is described. In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present invention.
The needs identified in the foregoing, and other needs and objects that will become apparent from the following description, are achieved in the present invention, which comprises, in one aspect, a method of operating a positioning system transmitter for use in a positioning system comprising a plurality of positioning system transmitters and at least one receiver, the method comprising generating a first signal and, at a given predetermined time, transmitting the first signal. After a delay, a second signal is transmitted, which second signal includes information relating to the first signal.
There is also provided a method of operating a positioning system receiver for use in a positioning system comprising a plurality of positioning system transmitters and at least one receiver, the method comprising receiving a first signal and buffering the first signal. After a delay, a second signal is received, which second signal includes information relating to the first signal, and using the second signal to identify and separate information in the first signal.
The first signal may comprise a spread spectrum signal, with the second signal including information relating to the spreading sequence used in the first signal.
The first signal may comprise a carrier wave spread by a spreading sequence derived from a value N, the value N for instance being a randomly generated number, and the second signal including information relating to the value N of the first signal. The second signal may be signed with a digital signature.
The transmitter may be arranged to transmit the first signal at a relatively low spectral power density such that when transmitted the first signal is weak enough to evade detection without knowledge of the second signal. The transmitter may be arranged to transmit the first signal at such a power such that when transmitted the first signal is strong enough to enable detection with knowledge of the second signal.
The delay may be any suitable value and in general will be greater than the expected time uncertainty of a receiver of the positioning system. For instance, the delay may be of the order of magnitude of around 10 seconds. The first signal, for example, may be in the order of magnitude of 1 second in duration.
The first signal may be transmitted, for instance, using phase shift keying or binary offset carrier modulation.
The transmitter may be arranged to transmit an alert signal prior to transmitting the first signal, to alert receivers that the first signal is to be transmitted.
The transmitters of the positioning system transmitters may be arranged to transmit substantially simultaneously the first signal. The transmitters may be arranged to transmit the first signal in substantially the same frequency band.
In other aspects, the invention encompasses a computer apparatus and a computer-readable medium configured to carry out the foregoing steps.
The proposed navigation-signal scheme offers protection against signal synthesis and selective-delay attacks as is the case with systems which keep the key secret, but achieves this without the need to distribute and share long-term secret keys among receivers, which if stolen would enable attacks on others.
The ability to verify a navigation signal is separate from the ability to generate a new one or apply a selective-delay attack. There is provided a practical solution based on short-term information hiding. Unlike previously proposed techniques, it adds to navigation signals an asymmetric security property, such that those able to verify the integrity of an antenna signal are not able to synthesise one that could pass the same verification process.
According to a first embodiment, and as illustrated in Figures 2, 3 and 4, at intervals, for example every few seconds, all transmitters in the navigation system broadcast simultaneously a transmitter-specific first signal $h_i(t)$, referred to herein as a hidden marker. This is shown in Figure 3, as step 302. Only the transmission of one single round of hidden markers will be discussed here, starting at system time $t_m$. However it will be understood that this entire process will be repeated a few seconds later starting at another time $t_m$.
A transmitter may transmit a hidden marker at regular intervals known to a receiver. For instance, the positioning system may operate according to a system specification which specifies the timing and frequency of transmission of the hidden marker by a transmitter. Alternatively the transmitter may determine when the hidden marker is to be transmitted and may send an alert signal prior to the transmission of the hidden marker to alert a receiver of the positioning system that a hidden marker is to be transmitted. In response to receiving such an alert signal, the receiver may prepare to store the hidden marker.
Generally speaking, the hidden marker is a waveform that none of the receivers (or attackers) know before a second message M is broadcast. The technique generates for each transmitter $X_i$ a random number $N_i$ before the time for broadcasting the hidden markers, then generates the hidden markers $h_i$ from $N_i$ using a pseudo-random bit generator, and finally publishes the $N_i$ in the second message M. The second message M contains information relating to the first signal, for instance: the time of its transmission; the identity or position of the transmitter that sent the first signal; information relating to the spreading sequence (i.e. the random number $N_i$) used to generate the first signal. The second message may also be signed with a digital signature. There may be a single such message M that reveals the values $N_i$ used by all transmitters, or there may equally be a set of separate messages $M_i$, each revealing the value $N_i$ of one or more transmitters.
The receiver stores in a buffer memory the received thermal noise, embedded in which there is a superposition of very weak waveforms, the hidden markers.
The receiver can find these hidden markers within the recorded noise only after it has been told what these waveforms look like. This happens when it receives the second message M, which, generally speaking, contains all information that a receiver needs to determine the noise-free original shape of the broadcast hidden marker.
The hidden marker contains no data. It is just a waveform that disappears in the noise unless the receiver knows exactly what to look for. The information regarding what to look for is sent out in the second message M, well after the hidden markers have been broadcast.
The hidden markers are broadcast with DSSS modulation using an unpublished spreading sequence and advantageously with a peak amplitude and power spectral density that is at least 20 dB below the thermal noise seen by any receiver. The transmitter may be arranged to transmit the first signal at a relatively low power such that, when transmitted, the first signal is weak enough to evade detection by a receiver without knowledge of the second signal. Similarly, the transmitter may be arranged to transmit the first signal at such a power such that when transmitted the first signal is strong enough to enable detection by a receiver with knowledge of the second signal.
At the time at which the hidden marker is transmitted, all the receivers and attackers can do is to digitise and buffer the entire antenna signal (filtered to the transmission band) (steps 402 and 404). This preserves, in each receiver, the information about the relative arrival times of the hidden markers, but it cannot be accessed yet, because the shape of the spreading function needed for the cross-correlation is not available at that time. It is broadcast only after a delay $p$ (steps 304 and 306). Once this has been received (step 406), both regular receivers and attackers can identify and separate the markers in the recorded antenna signal (step 408). But any signal-synthesis or selective-delay attack can now be performed only with a delay $\Delta t > p$, and by choosing $p$ large enough, this delay can easily be detected by any receiver even using a loosely synchronised low-cost crystal clock.
The value of the delay $p$ is chosen to be larger than both the time taken to transmit the hidden marker and the estimated error of the local clock in the receiver. A suitable value for $p$ is say 10 seconds. For a crystal oscillator having a frequency error of $\theta_f = 10^{-5}$, the crystal oscillator will not have accumulated a phase error larger than 10 s after one week ($u_r(1\ \text{week}) < 10$ s).
One week may in some applications be a useful worst-case time between opportunities for a receiver to resynchronise its internal clock to a trusted source of the system time via some two-way communication channel that is authenticated using a cryptographic challenge-response protocol.
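The buffer-then-reveal procedure described above can be tried out in a small baseband simulation; this is an added example, not code from the patent or its author. It assumes one sample per chip with no carrier, uses SHA-256 in counter mode as a stand-in pseudo-random bit generator, uses constructed nonces and arrival delays, and leaves out the signature check on the second message.

```python
import hashlib
import random


def spreading_chips(nonce, n):
    """+/-1 chips derived from the nonce. SHA-256 in counter mode is an
    assumption standing in for the pseudo-random bit generator."""
    chips, counter = [], 0
    while len(chips) < n:
        block = hashlib.sha256(nonce + counter.to_bytes(8, "big")).digest()
        chips.extend(1 if (byte >> bit) & 1 else -1
                     for byte in block for bit in range(8))
        counter += 1
    return chips[:n]


def record_buffer(markers, n_chips, max_lag, amplitude, rng):
    """Receiver buffer: unit-variance noise plus every weak hidden marker,
    each shifted by its own arrival delay (in samples)."""
    buf = [rng.gauss(0.0, 1.0) for _ in range(n_chips + max_lag)]
    for nonce, delay in markers:
        for k, chip in enumerate(spreading_chips(nonce, n_chips)):
            buf[delay + k] += amplitude * chip
    return buf


def locate_marker(buf, nonce, n_chips, max_lag):
    """Cross-correlate the buffer with the marker regenerated from a nonce.
    Returns (lag of largest peak, its magnitude, second-largest / largest)."""
    chips = spreading_chips(nonce, n_chips)
    corr = [abs(sum(b * c for b, c in zip(buf[lag:lag + n_chips], chips)))
            for lag in range(max_lag + 1)]
    best = max(range(len(corr)), key=corr.__getitem__)
    second = max(v for i, v in enumerate(corr) if i != best)
    return best, corr[best], second / corr[best]


def clock_error_bound(freq_error, seconds_since_sync, sync_error):
    """Worst-case local clock error: drift accumulated since the last
    authenticated synchronisation plus the error of that synchronisation."""
    return freq_error * seconds_since_sync + sync_error


def release_delay_ok(p, marker_duration, clock_bound):
    """The release delay p must exceed both the marker duration and the
    receiver's clock uncertainty, otherwise a replay delayed by p could
    hide inside the clock error."""
    return p > marker_duration and p > clock_bound


def demo(seed=2004):
    rng = random.Random(seed)
    # amplitude 0.1 against unit noise: each sample is 20 dB below the noise
    n_chips, max_lag, amplitude = 32768, 40, 0.1
    nonce_a, nonce_b = b"constructed-nonce-A", b"constructed-nonce-B"
    buf = record_buffer([(nonce_a, 7), (nonce_b, 29)],
                        n_chips, max_lag, amplitude, rng)
    return {
        "expected_peak": amplitude * n_chips,
        # after the nonces are published, each marker's arrival lag is found
        "a": locate_marker(buf, nonce_a, n_chips, max_lag),
        "b": locate_marker(buf, nonce_b, n_chips, max_lag),
        # without the published nonce, a guessed sequence finds only noise
        "guess": locate_marker(buf, b"constructed-wrong-guess",
                               n_chips, max_lag),
        # crystal with 1e-5 drift, one week since a sync accurate to 0.1 s
        "clock_bound": clock_error_bound(1e-5, 7 * 24 * 3600, 0.1),
    }


if __name__ == "__main__":
    result = demo()
    for name in ("a", "b", "guess"):
        lag, peak, ratio = result[name]
        print(f"{name}: lag={lag} peak={peak:.0f} second/largest={ratio:.2f}")
    print("clock bound (s):", result["clock_bound"],
          "p=10 s acceptable:", release_delay_ok(10.0, 1.0, result["clock_bound"]))
```

The difference between the two recovered lags is what feeds the pseudo-range equations; the second-largest to largest ratio shows how clearly each peak stands out of the noise.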
In more detail, and with reference to Figure 5, according to one embodiment the steps taken at each broadcasting station $X_i$ to generate the hidden-marker signal are:
1. Some time before time $t_m$ is reached, $X_i$ generates a cryptographically secure random number (nonce) $N_{i,m}$ (step 502).
2. The nonce $N_{i,m}$ is used to seed a cryptographically secure pseudorandom-bit generator $P(N_{i,m}, j) \in \{-1, +1\}$ that outputs a sequence of bits with indices $j \in \{0, 1, 2, \ldots\}$ (step 504).
3. From time $t_m$ to $t_m + \delta_s$, $X_i$ generates the hidden marker $h_i(t)$, a sinusoidal carrier wave that is multiplied with the output of the seeded pseudorandom-bit generator, in order to spread its frequency spectrum (step 506):
$$h_i(t) = A \cdot \sin[2\pi f_c (t - t_m)] \cdot P(N_{i,m}, \lfloor f_s (t - t_m) \rfloor), \quad \text{for } t_m < t < t_m + \delta_s \qquad (9)$$
Here $f_c$ is the chosen centre frequency of the resulting signal and $f_s$ is the bit rate of the spreading sequence, which is equivalent to half the main-lobe bandwidth of the resulting spectral power-density distribution:
$$|H_i(f)|^2 = (A / f_s)^2 \cdot \sin[\pi (f - f_c) / f_s]^2 \qquad (10)$$
The parameters $t_m$, $f_c$ and $f_s$ are identical for all transmitter stations (in other words, this is CDMA, not FDMA or TDMA), and the amplitude $A$ is chosen low enough to bring the spectral power density of the received signal well below the noise level.
In equation (9), the hidden marker is generated by binary phase-shift keying of a sine carrier wave with a spreading sequence. Hidden markers may also be generated using any of a number of alternative modulation techniques, including binary offset carrier modulation.
Parameter $\delta_s$ is the duration of the hidden marker waveform. A typical value for a GPS-like satellite navigation system would be in the order of one second.
Parameter $\delta_s$ is selected to be long enough to ensure that the simultaneously transmitted hidden markers $h_i(t)$ from the transmitters $X_i$ overlap substantially when they arrive at the receiver $R$. For example, in a satellite navigation system, all satellites are equally far away from the centre of the Earth, but receivers are typically about 6000 km from the centre of the Earth on (or near) its surface. Therefore, the difference in distance between receivers can be up to 6000 km (or 20 light milliseconds), and therefore the hidden marker arrival times can vary by up to 20 ms between different satellites. Therefore, in a satellite-based navigation system, the duration of the hidden marker should be substantially longer than 20 ms.
Parameter $\delta_s$ also needs to be long enough such that after the cross-correlation has been performed, the signal-to-noise ratio is high enough to: a) allow the receiver to recognise the position of the hidden marker clearly from the position of the resulting peak in the cross-correlation; and b) ensure that the noise does not create in the cross-correlation with sufficiently high probability peaks that have an amplitude larger than 1/W of the peak that the hidden marker causes, where W is a security parameter discussed below.
In one example embodiment, the spreading frequency may be chosen to be MHz, such that the hidden marker signal, and therefore also the input of the receiver, has a bandwidth of 20 MHz. If the length of the hidden marker is $\delta_s$ = 1 s, then a cross-correlation with it is equivalent to filtering the bandwidth of the input signal to about 1 Hz. Assuming (pessimistically) an equivalent antenna temperature of 290 K (including atmospheric noise, cosmic background radiation, antenna temperature noise, transmission line losses, amplifier noise, etc.), at a carrier frequency of $f_c$ = 1.5 GHz the noise power in a 1 Hz band will be about -204 dBW. If the power at which each hidden marker is transmitted is selected such that it reaches the receiver at a power level of about -170 dBW, then the 34 dB signal-to-noise ratio ensures that spurious peaks in the cross-correlation output caused by noise remain much smaller than the peak caused by the hidden marker. An attacker on the other hand might use a better antenna with an equivalent noise temperature of only K, but not knowing the shape of the hidden marker, will have to work with the full 20 MHz bandwidth of the signal, which leads to -135 dBW received noise power. This is 35 dB above the signal energy, therefore for the attacker the shape or phase of the hidden marker is not recognizable. In order to make the received noise level more predictable, transmitters may add additional random noise to their hidden marker before broadcasting it.
The hidden marker is then transmitted at $t = t_m$ (step 508).
4. At time $t_m + p$ (where $p > \delta_s$), $X_i$ broadcasts (step 510) a data packet of the form
$$M_{i,m} = \mathrm{Sign}_{K_i}(t_m, X_i, x_i(t_m), N_{i,m}) \qquad (11)$$
which is a message that is cryptographically signed with the private key $K_i$ of the navigation system and that reveals a full description of the previously transmitted hidden marker, including its transmission time $t_m$, the identifier $X_i$ and exact location $x_i(t_m)$ of the transmitter, and finally the random number $N_{i,m}$ used by that transmitter to generate this particular marker signal. Parts of this message may be transmitted earlier, as long as no information about $N_{i,m}$ is revealed until the nonce-release time $t_m + p$ has been reached. The public key $K$ for verifying messages signed with the private key $K_i$ is public knowledge and known to the receiver.
As illustrated with reference to Figure 6, according to one embodiment each receiver R goes through the following steps in order to use the hidden marker scheme to determine its position in a way that is robust against signal-synthesis and selective-delay attacks:

1. The implementation of the receiver's local clock tr(t) is not influenced in any way by information received through navigation signals. We assume that it has a known maximum relative frequency error hi, such that r-tr (t) | < We also assume that tr was last adjusted by an authenticated two-way clock synchronization from a trusted source at system time t such that | tr(t^ ) - t^ | < As. The error u, (t) of the local clock tr(t) is then bounded by |ur(t)| < if (t-t) + as, for t > t (12) Simple crystal oscillators offer Of < $10^{-5}$ and authenticated two-way clock synchronization over wireless computer networks usually offers as < 100 ms.
2. During a time interval slightly larger than [tm, tm + oS], the receiver digitises the entire frequency band [fc - fs, fc + fs] with a sampling rate of at least 4·fs and stores it in a RAM buffer B(t) (step 602). As will be clear to a person skilled in the art, in practice this may occur at an intermediate frequency, the received signal being transformed from the received bandwidth to an intermediate frequency and then sampled and digitised.
3. The receiver then waits for the arrival of the broadcast messages $M_{i,m}$ (step 604) and determines whether the message has a signature that cannot be verified using the navigation system's well-known public key $K$ or a marker time $t_m$ that does not match the marker time for which the receiver initiated the wide-band recording in the previous step (step 606). Those messages that meet these criteria are discarded (step 608).
4. For each $N_{i,m}$ extracted from a message $M_{i,m}$ that passed these checks, the receiver now regenerates the hidden marker $h_{i,m}(t)$ from equation (9) (step 610). This is then cross-correlated (step 612) with the RAM buffer B:

$$C_{i,m}(\tau) = \int B(t)\, h_{i,m}(t + \tau)\, dt \qquad (13)$$

5. For each cross-correlation result $C_{i,m}$, the position $\tau_{i,m}$ of the largest peak in it is recorded, together with the relative attenuation $\omega_{i,m}$ of any second-largest peak (step 614).

6. Of the recorded tuples $(i, \tau_{i,m}, \omega_{i,m})$ the receiver now discards all where the second-largest peak is not attenuated by at least a configurable security factor W relative to the largest peak (step 616).
The factor W takes into account the relative attenuation that an attacker can achieve between the signal strength received from two different transmitters, by using directional antennas (e.g., four parabolic dishes pointing at where the four GPS satellites should be). For W = 20 dB, this excludes already many types of compact and portable antennas that an attacker might use.
7. The remaining peak positions $\tau_{i,m}$ are then used as pseudo-ranges

$$d_i = c\,\tau_{i,m} = |x_i - r| - c\,u_r \qquad (14)$$

(step 618) and the resulting set of equations, which use the received digitally signed transmitter positions $x_i$, is solved for $r$ and $u_r$ (step 620).

8. The receiver then determines (step 622) whether the $u_r$ value remains within the clock uncertainty allowed by inequality (12) and is smaller than p. If so, the result is accepted and the message is considered verified (step 624). Otherwise the message is discarded (step 608).
There is an alternative way of separating the right side of equation (5) into the terms contributed by the individual transmitters, which does not depend on knowing the spreading functions. If the approximate positions of transmitters are predictable, at least four of them can be targeted with directional antennas.
If their gain is high enough to lift the broadcast signals out of the background noise, demodulation and threshold operations can be applied to free the signal of one station completely from any interference by the others, enabling a selective-delay attack that cannot be detected. The only protection against this attack appears to be to keep the signal strength enough below the noise limit to require antennas so large that their use during a practical attack becomes infeasible.
If the signal-to-noise ratio achievable with directional antennas is not sufficient for separating the signals completely, then the attacker can still delay the raw antenna signals and mix them together for the receiver. This step can divide the signal-to-noise ratio seen by the receiver by up to the number of antennas used. It will also cause weaker shadow peaks to show up in the cross correlation results for each transmitter station, at the relative delays applied to the other stations. The security parameter W in the receiver algorithm as described above defines how sensitively the receiver should react to such shadow peaks. This sensitivity could be made dependent on the distance in time from the main peak, such that a selective-delay attack with directional antennas is not confused with secondary peaks caused by multi-path propagation.
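Steps 4 to 6 of the receiver procedure, and the shadow peaks that mixed directional-antenna signals leave in the correlation output, can be reproduced at baseband. The following Python simulation is an added example, not code from the patent: the SHA-256 chip derivation stands in for equation (9) as an assumption, and the nonces, delays, amplitudes and buffer sizes are constructed values.

```python
import hashlib
import math
import random
from operator import mul

N_CHIPS, MAX_LAG = 32768, 64  # constructed sizes, far smaller than a real marker
NONCE_A, NONCE_B = b"constructed-nonce-A", b"constructed-nonce-B"

def marker(nonce, n_chips=N_CHIPS):
    """Expand a released nonce into +/-1 chips (assumed SHA-256 counter mode)."""
    chips, counter = [], 0
    while len(chips) < n_chips:
        digest = hashlib.sha256(nonce + counter.to_bytes(4, "big")).digest()
        chips.extend(1 if (byte >> bit) & 1 else -1
                     for byte in digest for bit in range(8))
        counter += 1
    return chips[:n_chips]

def record(emissions, noise_sigma=1.0, seed=1):
    """Receiver buffer B: Gaussian noise plus (chips, delay, amplitude) emissions."""
    rng = random.Random(seed)
    buf = [rng.gauss(0.0, noise_sigma) for _ in range(N_CHIPS + MAX_LAG)]
    for chips, delay, amplitude in emissions:
        for k, chip in enumerate(chips):
            buf[delay + k] += amplitude * chip
    return buf

def correlate(buf, chips):
    """Discrete cross-correlation of the buffer with a regenerated marker."""
    n = len(chips)
    return [sum(map(mul, buf[lag:lag + n], chips)) for lag in range(MAX_LAG + 1)]

def check_peak(corr, w_db=20.0, guard=1):
    """Return (peak lag, attenuation of second-largest peak in dB, accepted?)."""
    mags = [abs(c) for c in corr]
    peak = max(range(len(mags)), key=mags.__getitem__)
    second = max(m for lag, m in enumerate(mags) if abs(lag - peak) > guard)
    attenuation_db = 20 * math.log10(mags[peak] / second)
    return peak, attenuation_db, attenuation_db >= w_db

def scenario(shadow_db=None):
    """Two transmitters at -6 dB per-sample SNR; optionally a shadow copy of A."""
    a, b = marker(NONCE_A), marker(NONCE_B)
    emissions = [(a, 20, 0.5), (b, 33, 0.5)]
    if shadow_db is not None:
        # Mixing separately delayed antenna signals leaks an attenuated second copy.
        emissions.append((a, 45, 0.5 * 10 ** (-shadow_db / 20)))
    return record(emissions)

def verify(buf, nonce, w_db=20.0):
    """Steps 4-6 for one released nonce: regenerate, correlate, apply factor W."""
    return check_peak(correlate(buf, marker(nonce)), w_db)

if __name__ == "__main__":
    honest, mixed = scenario(), scenario(shadow_db=10)
    for label, buf, nonce in [("A, honest", honest, NONCE_A),
                              ("B, honest", honest, NONCE_B),
                              ("unreleased nonce", honest, b"constructed-guess"),
                              ("A, shadow at -10 dB", mixed, NONCE_A)]:
        lag, att, ok = verify(buf, nonce)
        print(f"{label:22s} lag={lag:2d} attenuation={att:5.1f} dB accepted={ok}")
```

With the correct nonce each marker yields a single dominant peak at its own delay; a guessed nonce yields no peak that clears W, and the 10 dB shadow copy causes the W = 20 dB check to reject the measurement.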
The implementation of the disclosed technique in a satellite navigation system similar to the American GPS, Russian GLONASS or the planned European Galileo system seems the most attractive option, because in satellite navigation, all receivers are roughly equally remote (e.g., 20000-25000 km for GPS) from the transmitters. Other types of pseudoranging navigation systems include land-based long-wave transmitters (e.g. , the LORAN-C system) or short-range ultrasonic positioning systems. It is envisaged that the disclosed technique may also be applicable to these.
In the above description, the second message M is broadcast by the same transmitter that also transmits the hidden marker. This would seem a practical solution but is not essential. Message M could alternatively also reach the receiver via any other means, such as the Internet, a mobile-phone network, etc. Alternatively, the second message M may be transmitted in a separate frequency band to the hidden marker and a receiver may be designed to receive signals in both frequency bands. This means that a transmitter may send a hidden marker relatively frequently and the associated message M may be transmitted after a delay on the second frequency band.
The frequency with which the hidden marker is sent may depend upon the criticality of the determined position of the receiver. For instance, if a receiver is associated with an aircraft, the hidden marker may be transmitted more frequently as the position of an aircraft in the air is considered critical.
Whereas, for instance, if a receiver is associated with a person, the hidden marker may be transmitted more frequently, as the position of the person may be considered less critical. Again the frequency with which a hidden marker is transmitted may be determined according to a system specification.
Transmitters may emit hidden markers with a variety of power levels, durations and bandwidths, to accommodate the needs of different applications, and include these parameters as well in the signed messages M.

Buffering a single hidden marker may in a typical embodiment require many megabytes of RAM. It seems therefore practical to transmit the message M that allows detection of the hidden marker as soon as possible, such that this memory can be reused by receivers for the next hidden marker transmission. It is also possible to transmit M much later or to send the buffered antenna signal to some third party for verification. This latter implementation may be practical where the receiver has very good communication paths but very little processing capacity.
There has been considered an aspect of the security of pseudo-ranging positioning systems such as GPS, namely how a receiver can be misled about the position of its antenna if an attacker is allowed to insert a signal manipulation device between the receiver and the antenna. We have shown that positioning systems currently offer no defence against signal-synthesis or selective-delay attacks without the receiver obtaining all the information necessary to mount these attacks on others.
A new signal structure has been outlined together with a corresponding verification algorithm for receivers that solves this problem. A weak spread spectrum broadcast signal is temporarily hidden in background noise while receivers buffer the entire radio band in RAM. The despreading key is only published after a time that is larger than the uncertainty of the local clock in the receiver, at which time both a signal-synthesis and a selective-delay attack can easily be detected.
The system is still based on the pseudo-ranging principle and uses only a low cost local clock in the receiver. It can therefore still be defeated by relaying attacks. Against these we see no solution other than using a more expensive highly-stable oscillator in the receiver, or using authenticated two-way ranging, both of which would be able to detect the added delay.
The system is also vulnerable to selective-delay attacks involving at least four high-gain directional antennas. A security parameter that limits the height of shadow peaks in the cross-correlation result can be used to control the minimum antenna gain needed for this attack to succeed, thereby limiting its practicality.
In the foregoing specification, the invention has been described with reference to specific embodiments thereof. It will, however, be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense.

Claims (33)

1. A positioning system transmitter for use in a positioning system comprising a plurality of positioning system transmitters and at least one receiver, the positioning system transmitter being arranged, in use, to: generate a first signal, at a given predetermined time, transmit the first signal, after a delay, transmit a second signal, which second signal includes information relating to the first signal.
2. A transmitter according to claim 1 wherein the first signal comprises a spread spectrum signal and wherein the second signal includes information relating to the spreading sequence used in the first signal.
3. A transmitter according to claim 1 or 2 wherein the first signal comprises a carrier wave spread by a spreading sequence derived from a value N.
4. A transmitter according to claim 3 wherein the value N is a randomly generated number.
5. A transmitter according to claim 3 or 4 wherein the second signal includes information relating to the value N of the first signal.
6. A transmitter according to any preceding claim wherein the second signal is signed with a digital signature.
7. A transmitter according to any preceding claim wherein the transmitter is arranged to transmit the first signal at a relatively low spectral power density such that when transmitted the first signal is weak enough to evade detection without knowledge of the second signal.
8. A transmitter according to any preceding claim wherein the transmitter is arranged to transmit the first signal at such a power such that when transmitted the first signal is strong enough to enable detection with knowledge of the second signal.
9. A transmitter according to any preceding claim wherein the delay is greater than the expected time uncertainty of a receiver of the positioning system.
10. A transmitter according to any preceding claim wherein the delay is of the order of magnitude of around 10 seconds.
11. A transmitter according to any preceding claim wherein the first signal is in the order of magnitude of 1 second in duration.
12. A transmitter according to any preceding claim wherein the first signal is transmitted using phase shift keying or binary offset carrier modulation.
13. A transmitter according to any preceding claim wherein the transmitter is arranged to transmit an alert signal prior to transmitting the first signal, to alert receivers that the first signal is to be transmitted.
14. A positioning system comprising a plurality of positioning system transmitters according to any preceding claim, each positioning system transmitter being arranged, in use, to: generate a first signal, at a given predetermined time, to transmit substantially simultaneously the first signal, after a delay, transmit a second signal, which second signal includes information relating to the first signal.
15. A positioning system according to claim 14 wherein the transmitters are arranged to transmit the first signal in substantially the same frequency band.
16. A positioning system receiver for use in a positioning system comprising a plurality of positioning system transmitters and at least one receiver, the positioning system receiver being arranged, in use, to: receive a first signal; buffer the first signal; after a delay, receive a second signal, which second signal includes information relating to the first signal; use the second signal to identify and separate information in the first signal.
17. A receiver according to claim 16 wherein the first signal comprises a spread spectrum signal and wherein the second signal includes information relating to the spreading sequence used in the first signal.
18. A receiver according to claim 16 or 17 wherein the first signal comprises a carrier wave spread by a spreading sequence derived from a value N.
19. A receiver according to claim 18 wherein the value N is a randomly generated number.
20. A receiver according to claim 18 or 19 wherein the second signal includes information relating to the value N of the first signal.
21. A receiver according to any of claims 16 to 20 wherein a digital signature in the second signal is verified.
22. A receiver according to any of claims 16 to 21 wherein the first signal is received at a relatively low spectral power density such that the first signal is weak enough to evade detection by the receiver without knowledge of the second signal.
23. A receiver according to any of claims 16 to 22 wherein the first signal is received at such a power such that the first signal is strong enough to enable detection by the receiver with knowledge of the second signal.
24. A receiver according to any of claims 16 to 23 wherein the delay is greater than the expected time uncertainty of a receiver of the positioning system.
25. A receiver according to any of claims 16 to 24 wherein the delay is of the order of magnitude of around 10 seconds.
26. A receiver according to any of claims 16 to 25 wherein the first signal is in the order of magnitude of 1 second in duration.
27. A receiver according to any of claims 16 to 26 wherein the first signal is transmitted using phase shift keying or binary offset carrier modulation.
28. A receiver according to any of claims 16 to 27 wherein the receiver is arranged to receive an alert signal prior to receipt of the first signal, to alert the receiver that the first signal is to be transmitted.
29. A positioning system comprising a plurality of positioning system transmitters and at least one receiver according to any preceding claim, each positioning system transmitter being arranged, in use, to: receive a plurality of first signals, each of which is sent from one of the transmitters, after a delay, receive a plurality of second signals, each of which is sent from the transmitters, which second signal includes information relating to the first signal sent by the transmitter.
30. A positioning system comprising a plurality of positioning system transmitters and at least one receiver according to any preceding claim, each positioning system transmitter being arranged, in use, to: receive a plurality of first signals, each of which is sent from one of the transmitters, after a delay, receive a second signal, which includes information relating to the first signals sent by the transmitters.
31. A positioning system according to claim 29 or 30 wherein the receivers are arranged to receive the plurality of first signals in substantially the same frequency band.
32. A method of operating a positioning system transmitter for use in a positioning system comprising a plurality of positioning system transmitters and at least one receiver, the method comprising: generating a first signal, at a given predetermined time, transmitting the first signal, after a delay, transmitting a second signal, which second signal includes information relating to the first signal.
33. A method of operating a positioning system receiver for use in a positioning system comprising a plurality of positioning system transmitters and at least one receiver, the method comprising: receiving a first signal; buffering the first signal; after a delay, receiving a second signal, which second signal includes information relating to the first signal; using the second signal to identify and separate information in the first signal.
GB0408683A 2004-04-19 2004-04-19 Positioning system Expired - Fee Related GB2413448B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB0408683A GB2413448B (en) 2004-04-19 2004-04-19 Positioning system

Publications (3)

Publication Number Publication Date
GB0408683D0 GB0408683D0 (en) 2004-05-19
GB2413448A true GB2413448A (en) 2005-10-26
GB2413448B GB2413448B (en) 2007-03-07

Family

ID=32321072

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0408683A Expired - Fee Related GB2413448B (en) 2004-04-19 2004-04-19 Positioning system

Country Status (1)

Country Link
GB (1) GB2413448B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6332070B1 (en) * 1998-08-14 2001-12-18 Robert Bosch Gmbh Method and data receiver device for reception of a radio signal containing correction data for a global navigation satellite system
US20020135510A1 (en) * 2001-02-27 2002-09-26 Bruno Ronald C. Hybrid system for position determination by a mobile communications terminal

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
RU2623998C2 (en) * 2011-09-05 2017-06-30 Зе Боинг Компани Authentication based on arbitrary bits in satellite navigation messages
EP2824480A1 (en) * 2013-07-09 2015-01-14 The European Union, represented by the European Commission Digitally-signed satellite radio-navigation signals
WO2015004011A1 (en) * 2013-07-09 2015-01-15 The European Union, Represented By The European Commission Digitally-signed satellite radio-navigation signals
RU2635368C2 (en) * 2013-07-09 2017-11-13 Дзе Юрепиен Юнион, Репрезентед Бай Дзе Юропиен Коммишен Satellite radionavigation signals with digital signature
US9952325B2 (en) 2013-07-09 2018-04-24 The European Union, Represented By The European Commission Digitally-signed satellite radio-navigation signals

Legal Events

Date Code Title Description
PCNP Patent ceased through non-payment of renewal fee

Effective date: 20110419