WO2007083270A1 - System and method for verifying global position information - Google Patents


Info

Publication number
WO2007083270A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
server
remote device
satellites
verification data
Prior art date
Application number
PCT/IB2007/050152
Other languages
French (fr)
Inventor
Graham Thomasson
Original Assignee
Koninklijke Philips Electronics N.V.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Koninklijke Philips Electronics N.V. filed Critical Koninklijke Philips Electronics N.V.
Publication of WO2007083270A1 publication Critical patent/WO2007083270A1/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/107 Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
    • G PHYSICS
    • G01 MEASURING; TESTING
    • G01S RADIO DIRECTION-FINDING; RADIO NAVIGATION; DETERMINING DISTANCE OR VELOCITY BY USE OF RADIO WAVES; LOCATING OR PRESENCE-DETECTING BY USE OF THE REFLECTION OR RERADIATION OF RADIO WAVES; ANALOGOUS ARRANGEMENTS USING OTHER WAVES
    • G01S19/00 Satellite radio beacon positioning systems; Determining position, velocity or attitude using signals transmitted by such systems
    • G01S19/01 Satellite radio beacon positioning systems transmitting time-stamped messages, e.g. GPS [Global Positioning System], GLONASS [Global Orbiting Navigation Satellite System] or GALILEO
    • G01S19/03 Cooperating elements; Interaction or communication between different cooperating elements or between cooperating elements and receivers
    • G PHYSICS
    • G01 MEASURING; TESTING
    • G01S RADIO DIRECTION-FINDING; RADIO NAVIGATION; DETERMINING DISTANCE OR VELOCITY BY USE OF RADIO WAVES; LOCATING OR PRESENCE-DETECTING BY USE OF THE REFLECTION OR RERADIATION OF RADIO WAVES; ANALOGOUS ARRANGEMENTS USING OTHER WAVES
    • G01S19/00 Satellite radio beacon positioning systems; Determining position, velocity or attitude using signals transmitted by such systems
    • G01S19/01 Satellite radio beacon positioning systems transmitting time-stamped messages, e.g. GPS [Global Positioning System], GLONASS [Global Orbiting Navigation Satellite System] or GALILEO
    • G01S19/13 Receivers
    • G PHYSICS
    • G01 MEASURING; TESTING
    • G01S RADIO DIRECTION-FINDING; RADIO NAVIGATION; DETERMINING DISTANCE OR VELOCITY BY USE OF RADIO WAVES; LOCATING OR PRESENCE-DETECTING BY USE OF THE REFLECTION OR RERADIATION OF RADIO WAVES; ANALOGOUS ARRANGEMENTS USING OTHER WAVES
    • G01S19/00 Satellite radio beacon positioning systems; Determining position, velocity or attitude using signals transmitted by such systems
    • G01S19/01 Satellite radio beacon positioning systems transmitting time-stamped messages, e.g. GPS [Global Positioning System], GLONASS [Global Orbiting Navigation Satellite System] or GALILEO
    • G01S19/13 Receivers
    • G01S19/14 Receivers specially adapted for specific applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/104 Grouping of entities

Definitions

  • This invention relates generally to a method and system for generating and recording position information in relation to a mobile device having global positioning capability, and for verifying the integrity of such position information.
  • a typical Global Positioning System comprises a plurality of satellites 100 orbiting the Earth, which transmit signals. These signals are received by the receiver of a mobile device 102 and a processor therein demodulates the received signals, finds the phase of a pseudo random noise (PRN) code at the time of reception so as to measure the time of flight against a local clock by means of a known correlation technique, decodes the data which contains satellite orbit information, etc., and solves the equations for position and local clock error. Measured Doppler shifts also give velocity and clock drift information. Data representative of the resultant position fix is transmitted across a communications network 104 to a server 106 where the data is logged and retained.
  • PRN pseudo random noise
  • IF data may be obtained from an RF signal.
  • 1-bit sampling is chosen, together with a sampling frequency of 5.265 GHz on an intermediate frequency of 1.185 GHz, although higher precision sampling is possible and is well-known, and other intermediate frequencies and sampling frequencies are possible and are used.
  • the RF signal from the satellites (that all transmit at 1575.42 GHz) is received by an antenna 600 and mixed by a mixer 602 with a signal generated from a local oscillator 604 at a frequency of 21.06 GHz, which frequency has been multiplied by a specific factor (75, in the illustrated example) in a multiplier 606, resulting in a frequency of 1579.5 GHz.
  • the result of this mixing is a signal at the frequency difference of the two input signals to the mixer, namely 4.08 GHz in the illustrated example.
  • This signal is sampled in an analogue to digital (A/D) converter 608, at a specific sampling frequency, which (at 5.265 GHz in this example) is actually greater than the mixer output frequency.
  • A/D analogue to digital
  • This sampling frequency is generated from the frequency of the local oscillator which has been divided by 4 in our example. This produces a bit stream at a data rate of the sampling frequency.
  • Devices that have satellite positioning capability typically include mobile phones, laptops/personal computers, and stand-alone devices. The problem to be addressed by the present invention is that of ensuring the integrity of a position fix generated by such a positioning device.
  • a positioning device 200 has a public key A and a private inverse key A⁻¹
  • a trusted server 202 has a public key B and an inverse private key B⁻¹.
  • the mobile device 200 registers its device ID on the server 202 before use, following which the server 202 will log and retain position fixes received from the mobile device 200.
  • Once the mobile device 200 has produced a verifiable position fix, it prepares a message m containing, for example, latitude, longitude, altitude, time, velocity in local plane coordinates and device identifier ID, for example:
  • the server 202 decodes the message e by applying AB⁻¹ thereto, giving AB⁻¹BA⁻¹m, which is just m.
  • message e cannot be forged because A⁻¹ would not be known, and unauthorized decoding of e would be impossible because B⁻¹ would not be known.
  • it is thought that it may not be so difficult to examine the encoding process (e.g. by examining instructions in the device memory) and forge a message e, or to "trick" the device 200 into encrypting a forged message.
  • GPS simulators signal generators
  • a system for registering position information representative of the position of a remote device at a time instant said remote device being arranged and configured to receive radio frequency data containing verification data corresponding to said time instant from the satellites, generate from said radio frequency data, intermediate frequency data containing said verification data, and transmit at least a sample of said intermediate frequency data across a communications network to a remote server, together with position information representative of the position of said remote device at said time instant, said server being arranged and configured to determine whether or not verification data extracted from said intermediate frequency data received from said remote device corresponds to the actual verification data generated by said satellites in respect of said time instant and, if not, to reject said respective position information as potentially unreliable.
  • an important part of the signal processing chain in GPS is the reception of the radio frequency which is transmitted by the satellites and conversion to a digitally sampled intermediate frequency, which is the basis of further processing, and plays an important part in the present invention.
  • At least a sample of said IF data and/or said position information is encrypted using an encryption key prior to transmission to said server.
  • said verification data from preferably all but possibly less than all satellites, becomes readily accessible to said server at some period of time following the generation and transmission of the IF data containing said verification data by said satellites.
  • the verification data may be extracted by the server using its own GPS receiving apparatus, or it may be obtained from a trusted source.
  • the server is beneficially arranged and configured to determine a time difference between said time instant and a time of transmission of said verification data from said remote device to said server and, if said time difference is greater than some predetermined amount, to identify said respective position information as potentially unreliable.
  • the verification data which becomes readily accessible shortly after it is generated and transmitted, is collected and used to generate a position information message, the position information would still be rejected as unreliable because it would have been transmitted too late after the time instant to which the verification data relates.
  • the verification data may be an unpredictable random or pseudo random number.
  • the verification data is beneficially transmitted in the form of elements of sub-frames of data, the transmission times of which are staggered in respect of each satellite.
  • a method for registering position information representative of the position of a remote device at a time instant comprising receiving at said remote device radio frequency (RF) data containing verification data corresponding to said time instant from the satellites, generating from said radio frequency data, intermediate frequency (IF) data containing said verification data, transmitting at least a sample of said intermediate frequency data from said remote device across a communications network to a remote server, together with position information representative of the position of said remote device at said time instant, determining at said server whether or not said verification data received from said remote device corresponds to the actual verification data generated by said satellites in respect of said time instant and, if not, rejecting said position information as potentially unreliable.
  • RF radio frequency
  • IF intermediate frequency
  • Figure 1 is a schematic block diagram of a GPS system
  • Figure 2 is a schematic block diagram illustrating a position fix verification system according to the prior art
  • Figure 3 is a schematic flow diagram illustrating a method (server logic) according to an exemplary embodiment of the present invention
  • Figure 4 is a schematic diagram illustrating a transmission cycle in respect of a system according to an exemplary embodiment of the present invention
  • Figure 5 is a schematic diagram illustrating a scheme for allocation of position of verification bits in a system according to an exemplary embodiment of the present invention.
  • Figure 6 is a schematic diagram illustrating how IF data can be produced from RF data.
  • a method according to an exemplary embodiment of the present invention can be applied in a GPS (or similar) system of typical configuration.
  • Such a method and system is adapted to provide proof that a GPS (or similar) positioning device obtained in respect of a remote device (102) a position/time/velocity fix at a certain location at a certain time.
  • Satellites (100) transmit continuously varying verification bits, and during a verifiable position fix, the remote device (102) sends a sample of IF data (so containing the verification data) in real time (or very close thereto) to a trusted server (106).
  • a forger of such verification data would need to acquire the verification bits, e.g.
  • a position fix message m can be generated including radio front end information such as sampling rate, center frequency, image sign, and possibly some additional information such as estimated clock error, maximum frequency error, maximum noise magnitude, etc.
  • verification data is generated by the satellites and transmitted in the RF signal to the remote device.
  • the verification data should vary per repetition of the sub-frame in which it is transmitted and be unrevealed in advance, although it is preferably freely published shortly after it has been used.
  • At least a sample of the IF data is transmitted together with the position fix message m to (and received by) the server and, being derived from the RF data, the IF data will contain the verification data.
  • the server receives IF data, position fix information (and auxiliary information) m from a mobile device, and accordingly records the time (t_IF) at which the IF data was received.
  • the transmitted IF data, IF R and/or the position fix message m may be encrypted, as described above in relation to Figure 2 of the drawings. This just makes it even more difficult for a potential forger if the encryption key A⁻¹ is not known in advance.
  • the server processes the received IF data and obtains therefrom the position fix (position and time) M_IF and extracts from the IF data the verification data it contains.
  • the server compares (at step 304) the fix M_IF it contains with the fix message m, and if the fixes do not match, it rejects the fix (at step 306). If the fixes do match, the server secondly compares (at step 308), the time (t_IF) of reception of the IF data with the time (t_MIF) obtained in the fix produced from it. If the time difference is outside a tight tolerance, which allows for transport time from mobile device to server, then the fix is rejected (at step 310).
  • the server thirdly obtains, at step 312, the true values of the verification data V from a trusted source, or from its own GPS receiving and processing apparatus, and compares it (at step 314) with verification data V_IF extracted from the received IF data. Note that, at the location of the server, not all satellites seen by the mobile device will necessarily be visible, and secure data from some other trusted receiving stations will typically be beneficial, if not essential, as otherwise only the verification data of a subset of the satellites seen by the mobile device could be checked.
  • the server checks as accurately as it can that the correct verification data is present throughout the period when it should be transmitted, and that the verification data is not only present after a short period of noise or other data at the start of the verification data transmission slot, as this would indicate a forger making a quick switch from not knowing to knowing what verification to supply in a forged data stream, after decoding the verification data very quickly, within the verification data slot time. If all verification data items correspond, then the position fix information is logged (at step 318) as authentic, otherwise it is rejected (at step 316). Rejected fixes may also be logged in a separate section, so that they can be investigated, possibly for attempted fraud.
  • in order for the position fix information to be accepted, the IF data must be received by the server within a predetermined time of the relevant time instant, less than the time period that would be required by a forger to gather and use the IF data once it has been published and is freely available. If the position fix information is reliable, the IF sample would typically have been sent almost simultaneously as it is received at its position. A forger, on the other hand, not knowing the IF data in advance of its publication, would require a few seconds, or perhaps a fraction of a second, to extract this data and then generate a forged message for the location being simulated. As such, this data would be available significantly later than the genuine data, or else the message will be received in time but accompanied by the wrong verification data. So, if the server receives the position fix, including time of fix, and IF data too late, it will not accept the position fix as genuine, even if everything else is consistent.
  • sub-frames 4 and 5 have 25 different pages, and a frame only contains one page at a time, so a complete transmission cycle (a master frame), takes 12½ minutes.
  • a frame contains 1500 bits of information, and a sub-frame contains 300 bits of information.
  • all sub-frames contain the time;
  • sub-frames 2 and 3 contain the ephemeris (accurate, but short-term, orbital information) of the satellite transmission;
  • sub-frames 4 and 5 in a master cycle, contain the almanacs (rough, long-lasting, orbital information)
  • the present proposal would also be possible with the following variation.
  • the bit position could be advanced by 0.1 seconds per subsequent satellite. So, if all satellites are considered, every 0.1 second there would be a new bit of verification data.
  • a good view of the sky might contain 10 satellites, so there would be a new bit of data at a receiver every 0.3 seconds. Every 3 seconds there would be 10 new bits of data, so a forger would be unlikely to supply IF data with the correct data by accident.
  • the data rate of verification bits can be increased by allocating more bits for this purpose.
  • Satellites transmit random or pseudo-random data in certain data fields in the transmission cycle. We call this verification data.
  • the data fields for this are staggered so that there is always some very recent unpredictable data.
  • the satellites can generate the verification data on board from some secure pseudo-random sequence generator, or the data can be generated on earth and constantly uploaded via a secure, encrypted link.
  • the positioning device registers itself using an identifier ID with a server.
  • the server is regarded as secure.
  • the positioning device provides radio front end information such as the sampling rate, center frequency, image sign, and perhaps some helping information such as maximum clock error, maximum frequency error, maximum noise magnitude etc.
  • the positioning device captures IF data via its front end and transmits it and its ID, encrypted, to the server. It performs a fix and transmits that too, encrypted, to the server.
  • the server decrypts the data and uses the IF sample to confirm the fix, and records the fact. It also obtains the (now historical and known) verification data bits for that time of fix from a database and checks that they are present as expected in the IF sample. If not, then the IF sample is a forgery.
  • the server has a clock, and if any IF data is supplied for a fix later than some threshold period after the time of fix, then it is rejected or flagged up as possibly spoof.
  • the confirmed fixes can be published, or kept in reserve in case required, e.g. in a court case. Confirmed fixes may be immediately supplied to some authorized organization, e.g. the emergency services.
  • Proof of position could be useful in many circumstances, including: Proof of delivery, or at least of presence at the delivery point. It is relevant to, for example: deliveries of home shopping; and international (e.g. food aid) deliveries. As an alibi in court. Tagging of offenders. Supporting evidence of a genuine emergency call (the caller would at least have to be at the location claimed).

Landscapes

  • Engineering & Computer Science (AREA)
  • Radar, Positioning & Navigation (AREA)
  • Remote Sensing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Position Fixing By Use Of Radio Waves (AREA)

Abstract

A method and system for providing proof that a GPS (or similar) positioning device obtained in respect of a remote device (102) a position/time/velocity fix at a certain location at a certain time. Satellites (100) transmit continuously varying verification bits, and during a verifiable position fix, the remote device (102) sends a sample of IF data (so containing the verification data) in real time (or very close thereto) to a trusted server (106). A forger of such verification data would need to acquire the verification bits, e.g. by decoding the signals from the satellites, then generate forged data, which would result in an extra few seconds, or a fraction of a second, of delay relative to a genuine position fix, and the server would reject the data as too late. Thus, only a real device (102) in the location claimed can produce this verification data at the time it was received by the server (106).

Description

SYSTEM AND METHOD FOR VERIFYING GLOBAL POSITION INFORMATION
FIELD OF THE INVENTION
This invention relates generally to a method and system for generating and recording position information in relation to a mobile device having global positioning capability, and for verifying the integrity of such position information.
BACKGROUND OF THE INVENTION
Referring to Figure 1 of the drawings, a typical Global Positioning System (GPS) comprises a plurality of satellites 100 orbiting the Earth, which transmit signals. These signals are received by the receiver of a mobile device 102 and a processor therein demodulates the received signals, finds the phase of a pseudo random noise (PRN) code at the time of reception so as to measure the time of flight against a local clock by means of a known correlation technique, decodes the data which contains satellite orbit information, etc., and solves the equations for position and local clock error. Measured Doppler shifts also give velocity and clock drift information. Data representative of the resultant position fix is transmitted across a communications network 104 to a server 106 where the data is logged and retained.
The principles of GPS are well known, and described in, for example, "Understanding GPS Principles and Applications", Elliott D. Kaplan (Editor), Artech House Publishers, ISBN 0-89006-793-7.
An important part of the signal processing chain is the reception of the radio frequency (RF) which is transmitted by the satellites and its conversion to a digitally sampled intermediate frequency (IF), which is the basis of further processing. Referring to Figure 6 of the drawings, there is shown an example of how IF data may be obtained from an RF signal. In the illustrated example, 1-bit sampling is chosen, together with a sampling frequency of 5.265 GHz on an intermediate frequency of 1.185 GHz, although higher precision sampling is possible and is well-known, and other intermediate frequencies and sampling frequencies are possible and are used. The RF signal from the satellites (that all transmit at 1575.42 GHz) is received by an antenna 600 and mixed by a mixer 602 with a signal generated from a local oscillator 604 at a frequency of 21.06 GHz, which frequency has been multiplied by a specific factor (75, in the illustrated example) in a multiplier 606, resulting in a frequency of 1579.5 GHz. The result of this mixing is a signal at the frequency difference of the two input signals to the mixer, namely 4.08 GHz in the illustrated example. This signal is sampled in an analogue to digital (A/D) converter 608, at a specific sampling frequency, which (at 5.265 GHz in this example) is actually greater than the mixer output frequency. This sampling frequency is generated from the frequency of the local oscillator which has been divided by 4 in our example. This produces a bit stream at a data rate of the sampling frequency. The effective intermediate frequency (IF) that is sampled is equal to the frequency difference of the A/D input signal and sampling frequency (= 1.185 GHz in this example). Any portion of this data stream will hereinafter be referred to as "IF data". It is the raw digital data that is processed by a microprocessor 610 with ROM memory 612 and RAM memory 614.
Devices that have satellite positioning capability typically include mobile phones, laptops/personal computers, and stand-alone devices. The problem to be addressed by the present invention is that of ensuring the integrity of a position fix generated by such a positioning device. In a system such as that described in US Patent Application Publication No. US 2003/0212893 A1, this is attempted to be achieved by the use of public key cryptography techniques. Referring to Figure 2 of the drawings, a positioning device 200 has a public key A and a private inverse key A⁻¹, and a trusted server 202 has a public key B and an inverse private key B⁻¹. The mobile device 200 registers its device ID on the server 202 before use, following which the server 202 will log and retain position fixes received from the mobile device 200. Once the mobile device 200 has produced a verifiable position fix, it prepares a message m containing, for example, latitude, longitude, altitude, time, velocity in local plane coordinates and device identifier ID, for example:
Lat=51.5 Lon=-0.166 Alt=7.00 Date=23/09/2005 Time=16:03 VelNorth=0.07 VelEast=-0.01 VelUp=0.01 DeviceID=1234567
The message m is then encrypted to produce encrypted message e, as follows: e = BA⁻¹m. The server 202 decodes the message e by applying AB⁻¹ thereto, giving AB⁻¹BA⁻¹m, which is just m. In theory, message e cannot be forged because A⁻¹ would not be known, and unauthorized decoding of e would be impossible because B⁻¹ would not be known. However, in practice, it is thought that it may not be so difficult to examine the encoding process (e.g. by examining instructions in the device memory) and forge a message e, or to "trick" the device 200 into encrypting a forged message. Furthermore, there are GPS simulators (signal generators) which can simulate satellite signals as received at any point on or near the earth, for a stationary or moving receiver.
SUMMARY OF THE INVENTION
It is therefore an object of the present invention to provide a system and method for generating and registering a position fix in respect of a remote, mobile device wherein the integrity of the position fix can be verified and ensured.
In accordance with the present invention, there is provided a system for registering position information representative of the position of a remote device at a time instant, said remote device being arranged and configured to receive radio frequency data containing verification data corresponding to said time instant from the satellites, generate from said radio frequency data, intermediate frequency data containing said verification data, and transmit at least a sample of said intermediate frequency data across a communications network to a remote server, together with position information representative of the position of said remote device at said time instant, said server being arranged and configured to determine whether or not verification data extracted from said intermediate frequency data received from said remote device corresponds to the actual verification data generated by said satellites in respect of said time instant and, if not, to reject said respective position information as potentially unreliable.
Thus, as explained above, an important part of the signal processing chain in GPS is the reception of the radio frequency which is transmitted by the satellites and conversion to a digitally sampled intermediate frequency, which is the basis of further processing, and plays an important part in the present invention.
In an exemplary embodiment, at least a sample of said IF data and/or said position information is encrypted using an encryption key prior to transmission to said server. Preferably, said verification data from preferably all but possibly less than all satellites, becomes readily accessible to said server at some period of time following the generation and transmission of the IF data containing said verification data by said satellites. The verification data may be extracted by the server using its own GPS receiving apparatus, or it may be obtained from a trusted source.
The server is beneficially arranged and configured to determine a time difference between said time instant and a time of transmission of said verification data from said remote device to said server and, if said time difference is greater than some predetermined amount, to identify said respective position information as potentially unreliable. Thus, even if the verification data, which becomes readily accessible shortly after it is generated and transmitted, is collected and used to generate a position information message, the position information would still be rejected as unreliable because it would have been transmitted too late after the time instant to which the verification data relates.
The verification data may be an unpredictable random or pseudo random number. The verification data is beneficially transmitted in the form of elements of sub-frames of data, the transmission times of which are staggered in respect of each satellite.
Also in accordance with the present invention, there is provided a method for registering position information representative of the position of a remote device at a time instant, the method comprising receiving at said remote device radio frequency (RF) data containing verification data corresponding to said time instant from the satellites, generating from said radio frequency data, intermediate frequency (IF) data containing said verification data, transmitting at least a sample of said intermediate frequency data from said remote device across a communications network to a remote server, together with position information representative of the position of said remote device at said time instant, determining at said server whether or not said verification data received from said remote device corresponds to the actual verification data generated by said satellites in respect of said time instant and, if not, rejecting said position information as potentially unreliable.
These and other aspects of the present invention will be apparent from, and elucidated with reference to, the embodiments described herein.
BRIEF DESCRIPTION OF THE DRAWINGS
Embodiments of the present invention will now be described by way of examples only and with reference to the accompanying drawings, in which:
Figure 1 is a schematic block diagram of a GPS system;
Figure 2 is a schematic block diagram illustrating a position fix verification system according to the prior art;
Figure 3 is a schematic flow diagram illustrating a method (server logic) according to an exemplary embodiment of the present invention;
Figure 4 is a schematic diagram illustrating a transmission cycle in respect of a system according to an exemplary embodiment of the present invention;
Figure 5 is a schematic diagram illustrating a scheme for allocation of position of verification bits in a system according to an exemplary embodiment of the present invention; and
Figure 6 is a schematic diagram illustrating how IF data can be produced from RF data.
DETAILED DESCRIPTION OF THE INVENTION
Referring back to Figure 1 of the drawings, a method according to an exemplary embodiment of the present invention can be applied in a GPS (or similar) system of typical configuration. Such a method and system is adapted to provide proof that a GPS (or similar) positioning device obtained in respect of a remote device (102) a position/time/velocity fix at a certain location at a certain time. Satellites (100) transmit continuously varying verification bits, and during a verifiable position fix, the remote device (102) sends a sample of IF data (so containing the verification data) in real time (or very close thereto) to a trusted server (106). A forger of such verification data would need to acquire the verification bits, e.g. by decoding the signals from the satellites, then generate forged data, which would result in an extra few seconds, or a fraction of a second, of delay relative to a genuine position fix, and the server would reject the data as too late. Thus, only a real device (102) in the location claimed can produce this verification data at the time it was received by the server (106).
Referring to Figure 3 of the drawings, on registering a remote device with the server, a position fix message m can be generated including radio front end information such as sampling rate, center frequency, image sign, and possibly some additional information such as estimated clock error, maximum frequency error, maximum noise magnitude, etc. In accordance with the invention, verification data is generated by the satellites and transmitted in the RF signal to the remote device. The verification data should vary per repetition of the sub-frame in which it is transmitted and be unrevealed in advance, although it is preferably freely published shortly after it has been used. At least a sample of the IF data is transmitted together with the position fix message m to (and received by) the server and, being derived from the RF data, the IF data will contain the verification data. Thus, at step 300, the server receives IF data, position fix information (and auxiliary information) m from a mobile device, and accordingly records the time (tIF) at which the IF data was received.
The transmitted IF data, IFR and/or the position fix message m may be encrypted, as described above in relation to Figure 2 of the drawings. This just makes it even more difficult for a potential forger if the encryption key A"1 is not known in advance.
At step 302, the server processes the received IF data and obtains therefrom the position fix (position and time) MIF and extracts from the IF data the verification data it contains. First, the server compares (at step 304) the fix MIF it contains with the fix message m, and if the fixes do not match, it rejects the fix (at step 306). If the fixes do match, the server secondly compares (at step 308) the time (tIF) of reception of the IF data with the time (tMIF) obtained in the fix produced from it. If the time difference is outside a tight tolerance, which allows for transport time from mobile device to server, then the fix is rejected (at step 310). If any time difference is within this tight tolerance, the server thirdly obtains, at step 312, the true values of the verification data V from a trusted source, or from its own GPS receiving and processing apparatus, and compares it (at step 314) with verification data VIF extracted from the received IF data. Note that, at the location of the server, not all satellites seen by the mobile device will necessarily be visible, and secure data from some other trusted receiving stations will typically be beneficial, if not essential, as otherwise only the verification data of a subset of the satellites seen by the mobile device could be checked. The server checks as accurately as it can that the correct verification data is present throughout the period when it should be transmitted, and that the verification data is not only present after a short period of noise or other data at the start of the verification data transmission slot, as this would indicate a forger making a quick switch from not knowing to knowing what verification data to supply in a forged data stream, after decoding the verification data very quickly, within the verification data slot time. If all verification data items correspond, then the position fix information is logged (at step 318) as authentic, otherwise it is rejected (at step 316).
Rejected fixes may also be logged in a separate section, so that they can be investigated, possibly for attempted fraud. It can be seen from the above that in order for the position fix information to be accepted, the IF data must be received by the server within a predetermined time of the relevant time instant, less than the time period that would be required by a forger to gather and use the IF data once it has been published and is freely available. If the position fix information is reliable, the IF sample would typically have been sent almost simultaneously as it is received at its position. A forger, on the other hand, not knowing the IF data in advance of its publication, would require a few seconds, or perhaps a fraction of a second, to extract this data and then generate a forged message for the location being simulated. As such, this data would be available significantly later than the genuine data, or else the message will be received in time but accompanied by the wrong verification data. So, if the server receives the position fix, including time of fix, and IF data too late, it will not accept the position fix as genuine, even if everything else is consistent.
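The server decision logic of Figure 3 (steps 304 to 318), as an added Python sketch that is not code from the patent. The tolerances, the `min_bits` policy, the representation of each verification slot as a list of hard-decision segments and all sample values are assumptions made for illustration; computing the fix MIF and demodulating the bits from the IF sample are taken as already done.

```python
import math
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    # Values are the step numbers of Figure 3.
    AUTHENTIC = 318
    FIX_MISMATCH = 306
    TOO_LATE = 310
    BAD_VERIFICATION = 316


@dataclass(frozen=True)
class Fix:
    lat: float  # degrees
    lon: float  # degrees
    t: float    # time of fix, seconds


def distance_m(a: Fix, b: Fix) -> float:
    """Equirectangular approximation, adequate for comparing nearby fixes."""
    x = math.radians(b.lon - a.lon) * math.cos(math.radians((a.lat + b.lat) / 2))
    y = math.radians(b.lat - a.lat)
    return 6371000.0 * math.hypot(x, y)


def slot_ok(segments, true_bit) -> bool:
    """The true bit must be seen in every segment of its slot. Noise (None) or a
    wrong value at the start followed by the right value is the 'quick switch'
    pattern described above, and fails."""
    return len(segments) > 0 and all(s == true_bit for s in segments)


def verify(m, m_if, t_if, v_if, v_true, *, pos_tol_m=50.0, t_tol_s=0.05,
           max_delay_s=0.5, min_bits=4) -> Verdict:
    """m: claimed fix; m_if: fix recomputed from the IF sample; t_if: server
    reception time; v_if / v_true: {(satellite, slot): segments / true bit}."""
    # Step 304: the fix recomputed from the IF sample must match the message m.
    if distance_m(m, m_if) > pos_tol_m or abs(m.t - m_if.t) > t_tol_s:
        return Verdict.FIX_MISMATCH
    # Step 308: reception time tIF against the time contained in the fix.
    delay = t_if - m_if.t
    if delay < 0 or delay > max_delay_s:
        return Verdict.TOO_LATE
    # Steps 312-314: compare extracted bits with values from a trusted source.
    checked = 0
    for key, segments in v_if.items():
        if key not in v_true:
            continue  # satellite not covered by any trusted receiving station
        if not slot_ok(segments, v_true[key]):
            return Verdict.BAD_VERIFICATION
        checked += 1
    # Assumed policy: too few checkable bits gives no real assurance.
    return Verdict.AUTHENTIC if checked >= min_bits else Verdict.BAD_VERIFICATION


# Constructed sample data (not from the patent): (satellite id, slot) -> bit.
V_TRUE = {(3, 0): 1, (7, 0): 0, (11, 0): 1, (19, 0): 1, (22, 0): 0}
CLAIM = Fix(51.5000, -0.1200, 1000.00)
FROM_IF = Fix(51.5001, -0.1200, 1000.00)
GENUINE = {k: [b] * 4 for k, b in V_TRUE.items()}
GENUINE[(28, 0)] = [1, 1, 1, 1]  # seen by the device, not by the server
QUICK_SWITCH = {k: [None] + [b] * 3 for k, b in V_TRUE.items()}

if __name__ == "__main__":
    print(verify(CLAIM, FROM_IF, 1000.12, GENUINE, V_TRUE))       # in time
    print(verify(CLAIM, FROM_IF, 1006.00, GENUINE, V_TRUE))       # replayed late
    print(verify(CLAIM, FROM_IF, 1000.12, QUICK_SWITCH, V_TRUE))  # late switch
```

The second call models verification data collected after publication and submitted late; the third models a stream that only carries the right bits after the start of each slot.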
Referring to Figure 4 of the drawings, in the transmission cycle of a typical GPS system, e.g. NAVSTAR, sub-frames 4 and 5 have 25 different pages, and a frame only contains one page at a time, so a complete transmission cycle (a master frame) takes 12½ minutes.
A frame contains 1500 bits of information, and a sub-frame contains 300 bits of information. In NAVSTAR, in particular:
- all sub-frames contain the time;
- sub-frames 2 and 3 contain the ephemeris (accurate, but short-term, orbital information) of the satellite transmission; and
- sub-frames 4 and 5, in a master cycle, contain the almanacs (rough, long-lasting orbital information).
Assuming a similar scheme, the present proposal would also be possible with the following variation. There are one or more bits of verification data per subframe. We take 2 bits as an example. This data will be staggered within and over satellites, as illustrated schematically in Figure 5 of the drawings. The bit position could be advanced by 0.1 seconds per subsequent satellite. So, if all satellites are considered, every 0.1 second there would be a new bit of verification data. A good view of the sky might contain 10 satellites, so there would be a new bit of data at a receiver every 0.3 seconds. Every 3 seconds there would be 10 new bits of data, so a forger would be unlikely to supply IF data with the correct data by accident. If required, the data rate of verification bits can be increased by allocating more bits for this purpose.
In summary, the proposed exemplary method is as follows:
- Satellites transmit random or pseudo-random data in certain data fields in the transmission cycle. We call this verification data. The data fields for this are staggered so that there is always some very recent unpredictable data. The satellites can generate the verification data on board from some secure pseudo-random sequence generator, or the data can be generated on earth and constantly uploaded via a secure, encrypted link. Once the verification data has been transmitted in a sub-frame, and given, say, 6 seconds to extract it, it is effectively known, and can be published.
- The positioning device registers itself using an identifier ID with a server. The server is regarded as secure. The positioning device provides radio front end information such as the sampling rate, center frequency, image sign, and perhaps some helping information such as maximum clock error, maximum frequency error, maximum noise magnitude etc.
- The positioning device captures IF data via its front end and transmits it and its ID, encrypted, to the server. It performs a fix and transmits that too, encrypted, to the server.
- The server decrypts the data and uses the IF sample to confirm the fix, and records the fact. It also obtains the (now historical and known) verification data bits for that time of fix from a database and checks that they are present as expected in the IF sample. If not, then the IF sample is a forgery.
- The server has a clock, and if any IF data is supplied for a fix later than some threshold period after the time of fix, then it is rejected or flagged up as possibly spoof.
- If required, the confirmed fixes can be published, or kept in reserve in case required, e.g. in a court case. Confirmed fixes may be immediately supplied to some authorized organization, e.g. the emergency services.
Proof of position could be useful in many circumstances, including:
- Proof of delivery, or at least of presence at the delivery point. It is relevant to, for example: deliveries of home shopping; and international (e.g. food aid) deliveries.
- As an alibi in court.
- Tagging of offenders.
- Supporting evidence of a genuine emergency call (the caller would at least have to be at the location claimed).
- As a lifestyle item, proving to your friends that you really did climb that mountain or go to that exotic place.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be capable of designing many alternative embodiments without departing from the scope of the invention as defined by the appended claims. In the claims, any reference signs placed in parentheses shall not be construed as limiting the claims. The word "comprising" and "comprises", and the like, does not exclude the presence of elements or steps other than those listed in any claim or the specification as a whole. The singular reference of an element does not exclude the plural reference of such elements and vice-versa. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.

Claims

1. A system for registering position information representative of the position of a remote device (102, 200) at a time instant, said remote device (102, 200) being arranged and configured to receive radio frequency data containing verification data corresponding to said time instant from satellites (100), generate from said radio frequency data, intermediate frequency data containing said verification data, and transmit at least a sample of said intermediate frequency across a communications network (104) to a server (106, 202), together with position information representative of the position of said remote device (102, 200) at said time instant, said server (106, 200) being arranged and configured to determine whether or not verification data (VIF) extracted from said intermediate frequency data received from said remote device (102, 200) corresponds to the actual verification data (V) generated by said satellites (100) in respect of said time instant and, if not, to reject said respective position information as potentially unreliable.
2. A system according to claim 1, wherein said at least a sample of said intermediate frequency data and/or said position information is encrypted using an encryption key prior to transmission to said server (106, 202).
3. A system according to claim 1, wherein said verification data becomes readily accessible to said server (106, 202) at some period of time following its generation and transmission by said satellites (100).
4. A system according to claim 1, wherein said server (106, 202) is arranged and configured to determine a time difference between the time instant of reception of said intermediate frequency data at said server (106, 202) and a time of transmission of said radio frequency data, from which said intermediate frequency data is derived, by said satellites (100) and, if said time difference is greater than some predetermined amount, to identify said respective position information as potentially unreliable.
5. A system according to claim 1, wherein said verification data is transmitted from said satellites (100) to earth in the form of sub-frames or elements of sub-frames of data, the transmission times of which are staggered in respect of each satellite (100).
6. A system according to claim 1, wherein said verification data may be an unpredictable random or pseudo random number.
7. A system according to claim 1, wherein said satellites are part of a Global Positioning System.
8. A server (106, 202) for use in a system for registering position information representative of the position of a remote device (102, 200) at a time instant, said remote device (102, 200) being arranged and configured to receive radio frequency data containing verification data corresponding to said time instant from satellites (100), generate from said radio frequency data, intermediate frequency data containing said verification data, and transmit at least a sample of said intermediate frequency across a communications network (104) to the server (106, 202), together with position information representative of the position of said remote device (102, 200) at said time instant, said server (106, 200) being arranged and configured to determine whether or not verification data (VIF) extracted from said intermediate frequency data received from said remote device (102, 200) corresponds to the actual verification data (V) generated by said satellites (100) in respect of said time instant and, if not, to reject said respective position information as potentially unreliable.
9. A method for registering position information representative of the position of a remote device (102, 200) at a time instant, the method comprising:
- receiving at said remote device (102, 200) radio frequency data containing verification data corresponding to said time instant from satellites (100),
- generating from said radio frequency data, intermediate frequency data containing said verification data,
- transmitting at least a sample of said intermediate frequency data from said remote device (102, 200) across a communications network (104) to a remote server (106, 202), together with position information representative of the position of said remote device (102, 200) at said time instant,
- determining at said server (106, 202) whether or not verification data (VIF) extracted from said intermediate frequency data received from said remote device (102, 200) corresponds to the actual verification data (V) generated by said satellites (100) in respect of said time instant and, if not, rejecting said position information as potentially unreliable.
PCT/IB2007/050152 2006-01-20 2007-01-17 System and method for verifying global position information WO2007083270A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP06300048.3 2006-01-20
EP06300048 2006-01-20

Publications (1)

Publication Number Publication Date
WO2007083270A1 (en) 2007-07-26

Family

ID=38055213

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2007/050152 WO2007083270A1 (en) 2006-01-20 2007-01-17 System and method for verifying global position information

Country Status (1)

Country Link
WO (1) WO2007083270A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013036541A3 (en) * 2011-09-05 2013-05-02 The Boeing Company Authentication based on random bits in satellite navigation messages
US9606218B2 (en) 2013-07-26 2017-03-28 Here Global B.V. Route verification from wireless networks

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5754657A (en) * 1995-08-31 1998-05-19 Trimble Navigation Limited Authentication of a message source
US20030212893A1 (en) * 2001-01-17 2003-11-13 International Business Machines Corporation Technique for digitally notarizing a collection of data streams

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
DENNING D E ET AL: "Location-based authentication: grounding cyberspace for better security", COMPUTER FRAUD AND SECURITY, OXFORD, GB, February 1996 (1996-02-01), pages 12 - 16, XP002117683, ISSN: 1361-3723 *
KUHN M G: "An asymmetric security mechanism for navigation signals", INFORMATION HIDING. 6TH INTERNATIONAL WORKSHOP, IH 2004. REVISED SELECTED PAPERS (LECTURE NOTES IN COMPUTER SCIENCE VOL.3200) SPRINGER VERLAG BERLIN, GERMANY, 2004, pages 239 - 252, XP002436414, ISBN: 3-540-24207-4 *
SCOTT L.: "Anti-Spoofing & Authenticated Signal Architectures for Civil Navigation Systems", PROCEEDINGS ION GPS/GNSS 2003 SEPTEMBER 9-12, 2003, PORTLAND, OREGON, vol. 2003, 2003, pages 1543 - 1552, XP002436415 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013036541A3 (en) * 2011-09-05 2013-05-02 The Boeing Company Authentication based on random bits in satellite navigation messages
CN103782195A (en) * 2011-09-05 2014-05-07 波音公司 Authentication based on random bits in satellite navigation messages
JP2014532163A (en) * 2011-09-05 2014-12-04 ザ・ボーイング・カンパニーTheBoeing Company Authentication based on random bits in satellite navigation messages
US8930556B2 (en) 2011-09-05 2015-01-06 The Boeing Company Authentication based on random bits in satellite navigation messages
US9488731B2 (en) 2011-09-05 2016-11-08 The Boeing Company Authentication based on random bits in satellite navigation messages
RU2623998C2 (en) * 2011-09-05 2017-06-30 Зе Боинг Компани Authentication based on arbitrary bits in satellite navigation messages
US9606218B2 (en) 2013-07-26 2017-03-28 Here Global B.V. Route verification from wireless networks

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07700615

Country of ref document: EP

Kind code of ref document: A1