DESCRIPTION

The present invention relates to a method implemented by a computer configured to authenticate geographic coordinates estimated by a satellite receiver device by means of receiving satellite navigation signals generated by 10 a global navigation satellite system (GNSS).

The invention also relates to an architecture for authenticating geographic coordinates estimated by a satellite receiver device, configured to actuate the aforesaid authentication method.

It is well known that global navigation satellite systems (GNSS) are 15 increasingly gaining relevant importance in the mass market receiver segment, e.g., smartphones and Internet-of-Things (loT) devices. GNSS technology is present today in location-based applications such as road transport and automotive, aviation, maritime, agricultural or emergency tracking. In this context, spoofing is becoming an increasing threat to GNSS signal integrity, 20 whereby a malicious user intends to imitate authentic GNSS signals so as to alter a victim’s navigation information.

In particular, this technique consists of intercepting the satellite receiver device of a given victim and forcing it to calculate a false position, dissimilar to the true position of the receiver itself, with potentially harmful consequences in the 25 context of GNSS-based applications with a high degree of criticality in terms of safety and reliability.

This situation raises serious concerns for such applications, thus hindering the spread of GNSS in key emerging sectors.

As a countermeasure, Galileo will soon implement the Open Service 30 Navigation Message Authentication (OSNMA) service in its E1-B signal.

Such service, in particular, consists of a mechanism which uses cryptographic data to verify the authenticity of the navigation message (l/NAV) transmitted precisely by means of the E1-B signal.

Based on the Time Efficient Stream Loss Tolerant (TESLA) protocol, OSNMA 35 authentication data are transmitted in a series of predictable symbols and, more importantly, symbols of an unpredictable nature which, as such, make spoofing attacks of the type described above difficult.

However, even with the introduction of this unpredictability feature of OSNMA data, advanced spoofers could still succeed by means of what are known as Security Code Estimation and Replay (SCER) attacks.

In fact, with such an SCER technique, the attacker intercepts the signals sent by the satellites broadcasting OSNMA data and makes an estimation of the unpredictable symbols. In particular, as long as the attacker estimates the unpredictable symbols, the same attacker transmits a random symbol, so as to transmit an altered signal with practically no delay or even in advance with respect to the authentic signal. When the estimation is finished, the attacker transmits the estimated symbols. Therefore, in the SCER attack, the symbol transmitted by the attacker is divided into two parts: the first part is random, while the second part consists of estimated symbols. Thereby, the attacker can reconstruct authentic OSNMA data on a signal with a counterfeit l/NAV navigation message, and thus falsify the position received by the victim’s satellite receiver device.

For most GNSS receivers, one way to curb such SCER attacks, as well as other less refined types of attacks, is to operate by means of symbols with demodulated data provided in output. The reason for this is that in the presence of an SCER attack, or other less refined spoofing attacks, there is a non-negligible probability that the spoofer will incur errors when estimating unpredictable symbols from the authentic GNSS signal. Furthermore, even in the case of correct estimation, the first part of the symbol transmitted by the spoofer is random; the longer this part of the symbol, the higher the probability that the victim’s satellite receiver device will demodulate an incorrect symbol. Therefore, errors due to a spoofing attack, whether SCER or other less refined types, manifest themselves as an unusual increase in the symbol error rate (SER) at the victim’s satellite receiver device, with respect to when operating under nominal conditions without spoofing. This is a sign of a potential spoofing attack. Therefore, the exploitation of such unusual errors at the symbol level becomes of paramount importance for the detection of advanced or less advanced spoofing attacks.

However, it is equally well known that continuous GNSS signal detection is often not feasible in most portable receiver devices, e.g., smartphones, due to the strict power consumption limits imposed by the use of batteries with limited autonomy. In such circumstances, “snapshot” processing approaches are instead adopted, in which the receiver front-end is periodically turned on for a few milliseconds, while it remains in a stand-by state (i.e., inactive) for the rest of the time. The disadvantage of receiver devices operating in “snapshot” mode is that navigation messages cannot be decoded. Consequently, such receiver devices cannot have access to all OSNMA data, especially the unpredictable ones, but only to a small part thereof, thus hindering the implementation of the aforesaid OSNMA service for authenticating the geographic coordinates of the receiver devices themselves.

The present invention is intended to overcome the aforesaid drawbacks of the prior art.

In particular, a first object of the invention is to define a method for authenticating the geographic coordinates of a satellite receiver device, which can be actuated on satellite receiver devices operating in “snapshot” mode.

In particular, it is the object of the invention to propose a geographic coordinate authentication method configured to be implemented on satellite receiver devices with limited computational and energy resources.

It is further the object of the invention to propose a geographic coordinate authentication method which can be implemented on satellite receiver devices which do not have access to all OSNMA data.

The aforementioned objects are achieved by implementing the geographic coordinate authentication method in accordance with the main claim to which reference will be made.

Further features of the geographic coordinate authentication method are described in the dependent claims.

The authentication architecture according to claim 14 is also part of the invention.

The aforesaid objects, together with the advantages that will be mentioned below, will be better highlighted during the description of a preferred embodiment of the invention which is given, by way of non-limiting example, with reference to the attached drawings, where:

- fig. 1 shows the flow sheet of the authentication method of the invention in schematic form;

- fig. 2 shows the authentication architecture configured to run the method of the invention in schematic form.

The aforesaid method of the invention implemented by means of a computer and the related operating steps, according to a preferred embodiment, are schematically depicted in fig. 1 .

In such fig. 1 , the method implemented by means of a computer, configured to authenticate geographic coordinates estimated by a satellite receiver device 200, is indicated overall with the reference 1.

The aforesaid preferred embodiment of the method 1 of the invention includes running a receiving step, indicated in fig. 1 with 2, whereby the aforesaid satellite receiver device 200 implements, at time intervals of a predetermined period T _n , a “snapshot” -type satellite signal receiving logic. In particular, such a type of “snapshot” reception, as indicated above, envisages that the front-end of the satellite receiver device 200 be switched on for each of the aforesaid periods for a receiving time window t of a predetermined duration, while it remains in a stand-by state (i.e., inactive) for the rest of the time.

In particular, it should first be noted that the method 1 of the invention, in order to be implemented, requires that each of the aforesaid satellite navigation signals comprise one or more portions of unpredictable authentication symbols within the message sent.

Preferably, each of the aforesaid navigation satellite signals is a Galileo E1-B navigation satellite signal with an l/NAV navigation message, and the aforesaid portions of unpredictable authentication symbols in such a message are encrypted OSNMA authentication data.

It is not excluded, however, that in alternative embodiments to the preferred one described here such unpredictable authentication symbols are implemented in a dissimilar manner with respect to the encrypted OSNMA authentication data.

That being said, according to the preferred embodiment of the invention, the aforesaid method 1 implemented by means of a computer, at each of such periods T^, includes opening such a receiving time window tm, in which the satellite receiver device 200 is active, at time instants corresponding to the reception of one or more of such portions of the satellite navigation messages related to the aforesaid unpredictable authentication symbols; such satellite navigation messages are sent by satellites belonging to the aforesaid global navigation satellite system (GNSS) and visible by the same satellite receiver device 200 at a precise time instant tx.

Such reception is run simultaneously for all satellite navigation messages sent from such visible satellites by the same satellite receiver device 200 at the time instant tx.

Once such one or more portions of unpredictable symbols have been received, the method 1 of the invention includes running a processing step 3 of the aforesaid one or more portions of unpredictable authentication symbols received, in order to estimate the geographic coordinates of the satellite receiver device 200 and also to estimate the actual unpredictable authentication symbols transmitted in such portions.

Advantageously, therefore, the fact of exploiting, for each period T _n , a single receiving time window t , both to estimate the geographic coordinates of the satellite receiver device, and to estimate the unpredictable authentication symbols, allows the same satellite receiver device 200 to be activated the minimum necessary and at the same time still obtain the estimate of the aforesaid data.

It is not excluded, however, that according to different embodiments of the invention separate receiving time windows are envisaged for the estimation of the geographic coordinates of the satellite receiver device and for the estimation of the unpredictable authentication symbols.

Returning to the preferred embodiment of the invention, it is envisaged that such a time period T _rx be chosen within the time interval 5-60 seconds, preferably 15-45 seconds, even more preferably that it be chosen around 30 seconds.

Such a value, advantageously, could allow to obtain a fair compromise between a substantially rapid continuous updating of the estimation of the satellite receiver device’s geographic coordinates and the unpredictable authentication symbols and a limited power consumption by the satellite receiver device itself.

It is not excluded, however, that such a time period 7 _x can also be chosen as a few minutes or tens of minutes, based on the type of application.

With regard to the receiving window t of the satellite receiver device 200, its duration, preferably, is chosen within the interval 2-50 milliseconds, more specifically within the interval 4-36 milliseconds, even more preferably around 20 milliseconds.

In fact, since it is known that the propagation time of the Galileo E1-B signals can differ by 5 symbols between the different visible satellites, corresponding to 20 milliseconds of time, since the symbol period in Galileo E1-B is T = 4 milliseconds, it is potentially possible, for example, to acquire at least 5 unpredictable symbols from all the visible satellites, activating the receiver at the correct time instant for an interval of only 20 milliseconds. It is thereby possible to acquire a sufficient number of unpredictable symbols for the implementation of the method 1 of the invention, and at the same time limit the power consumption of the satellite receiver device 200.

According to the invention, the activation of the satellite receiver device 200 for each period T _rx is delayed by a latency time tp and a centring time tc with respect to the start instant of sending a satellite navigation message by the satellites. In particular, the latency time tp is dependent on the actual distance between the satellite receiver device 200 and the visible satellites; a distance which is calculated from the geographic coordinates authenticated for the satellite receiver device 200 during the previous period T _n .

Alternatively, the latency time tp can be estimated as the average value of the distance of the visible satellites with respect to the satellite receiver device 200

As regards the centring time tc, it is proportional to the distance between the start of the navigation message and the start of the portion containing the largest number of unpredictable authentication symbols within the same message.

In fact, it is known that the implementation of the OSNMA service envisages that the aforesaid portions of unpredictable authentication symbols have a constant position and length within the aforesaid messages sent by means of such satellite signals.

At the end of the receiving time window , the method 1 of the invention envisages deactivating the satellite receiver device 200 until the next time period T^. Such a step is indicated with 4 in fig. 1 .

The method 1 of the invention includes an acquisition step by a processing device 300, distinct from the satellite receiver device 200, of the full and true satellite navigation message transmitted by each of the satellites at a precise time instant tx. Such a step is indicated with reference 5 in fig. 1 . Such a step, as will be detailed shortly, could include the processing device 300 directly acquiring the messages sent by the visible satellites.

Alternatively, the processing device 300 could obtain the messages of the satellites and thus the unpredictable symbols indirectly, for instance by acquiring them from specific archives accessible from the Internet.

To this end, according to the invention, the authentication method 1 envisages that, at each period Trx, the satellite receiver device 200, following the estimation of the one or more portions of unpredictable authentication symbols and the estimation of the geographic coordinates at the time instant tx, to be authenticated, proceeds to send such unpredictable authentication symbols, of the aforesaid geographic coordinates to be authenticated and the value of the instant tx to the aforesaid processing device 300. Such a step is indicated with reference 6 in fig. 1 .

Additionally, the method 1 envisages verifying the correspondence of said one or more portions of unpredictable authentication symbols estimated by the satellite receiver device 200 with the corresponding unpredictable authentication symbols belonging to the navigation satellite signal acquired by the processing device 300. Step indicated with reference 7 in fig. 1.

If there is a substantial correspondence between such two groups of unpredictable symbols, the method 1 envisages validating the authenticity of the geographic coordinates estimated by the satellite receiver device 200.

Otherwise, if no such substantial correspondence is found between the two groups of unpredictable authentication symbols, the method 1 envisages reporting a probable spoofing attack which occurred on the satellite receiver device 200.

According to the preferred embodiment of the invention, the method 1 envisages that said verification step 7 is run by the processing device 300, separate from the satellite receiver device 200, and that the result of such a verification is sent to the same satellite receiver device 200, as indicated by reference 8 in fig. 1 , so that the latter can accept as valid or discard the previously estimated geographic coordinates for its own navigation purposes. This last step of the method 1 of the invention is indicated by the reference 9 in fig. 1. Such an implementation, advantageously, avoids the computation required to run such a verification step 7 from being actuated by the satellite receiver device 200, with considerable benefits from the point of view of the energy consumption of the satellite receiver device 200 itself.

It is not excluded, however, that according to an alternative embodiment of the method 1 of the invention such a verification step is run directly by the satellite receiver device after the processing device has sent the entire satellite navigation message, or at least the portion of bits corresponding to the unpredictable symbols acquired by the latter, as described above.

As regards, in particular, the verification step 7, according to the preferred embodiment of the invention, this includes running a statistical test in turn comprising two operations:

- a first comparison operation, which includes running the actual comparison between the aforesaid one or more portions of unpredictable authentication symbols estimated by the satellite receiver device 200 and the corresponding unpredictable authentication symbols belonging to the satellite navigation message acquired by the processing device 300, based on the geographic coordinates estimated for the time instant tx in particular, since the processing device 300 has the symbols of the entire navigation message available, and since it knows the geographic coordinates to be authenticated by the satellite receiver device 200 at the time instant tx, the same processing device 300 is configured to extract, from all the aforesaid symbols, the portion or portions of unpredictable symbols which the satellite receiver device 200 should have received. Precisely such portions of unpredictable symbols are those used by the processing device 300 to run the aforesaid first comparison operation;

- a second comparison operation, which includes comparing the results obtained by means of the first comparison operation with a suitably chosen detection threshold, so as to discriminate the authenticity or otherwise of the aforesaid geographic coordinates estimated for the time instant tx.

Even more precisely, according to the preferred embodiment of the invention, the first comparison operation includes calculating the Hamming distance between such one or more portions of unpredictable authentication symbols estimated by the satellite receiver device 200 and the corresponding unpredictable authentication symbols belonging to the satellite navigation signal acquired by the processing device 300.

As regards the second comparison operation, according to the preferred embodiment of the invention, the aforesaid threshold is set equal to the maximum number of erroneous unpredictable symbols which can reasonably be expected in an authentic satellite signal under certain operating conditions. Such a statistical approach is a consequence of the logic implemented in the preceding steps of the method 1 of the invention.

In fact, since the entire message acquired by the satellite receiver device 200 is not available, but only some portions of the unpredictable symbols, it is not possible to carry out a cryptographic comparison, as instead envisaged for standard-type OSNMA receiver devices, and as described for example in the document ‘A Real-time OSNMA-ready Software Receiver’ by Montella Beatrice et AL.

Instead in the case of the invention, the only way to be able to estimate the authenticity of the symbols received, thus of the message, and consequently of the geographic coordinates, is precisely by implementing a statistical approach as described in detail above.

Clearly, according to the authentication method 1 of the invention, the estimation of the unpredictable symbols and the estimation of the geographic coordinates by the satellite receiver device 200, the acquisition of the entire acquired satellite navigation message by the processing device 300, and the steps of verification and acceptance or non-acceptance of the geographic coordinates by the satellite receiver device 200 itself are carried out, at each period Trx, for each of the satellite signals sent by each satellite visible by the satellite receiver device 200 at the precise time instant tx.

Alternatively, if the number of unpredictable symbols for each satellite is small, the method 1 of the invention could envisage carrying out the aforesaid two comparison operations, putting together all the unpredictable symbols coming from all the satellites. In other words, such two comparison operations would only be carried out once for each period 7^.

As mentioned above, the authentication architecture 100 of the estimated geographic coordinates for a satellite receiver device in a given time instant tx by executing the method 1 of the invention just presented is also part of the invention.

As schematically depicted in fig. 2, such an authentication architecture 100 comprises at least one satellite receiver device 200, e.g., a smartphone, and at least one processing device 300, preferably a remote server 301 , operatively connected to such a satellite receiver device 200. Such an authentication architecture 100 envisages that the satellite receiver device 200, for each period Trx, is configured to activate upon receipt of a satellite signal for at least one receiving time window t , so as to receive a precise portion of the same signal corresponding to the unpredictable authentication symbols present in the message transmitted by the aforesaid signal. This is implemented by the satellite receiver device 200 by means of a receiver block, indicated in fig. 2 with 201. In particular, the satellite receiver device 200 is configured to activate such a receiver block 201 delayed by a latency time tp and a centring time tc with respect to the start instant of sending satellite navigation messages by the satellites belonging to the global navigation satellite system (GNSS) 400. In particular, as mentioned above, the latency time tp depends on the actual distance between the satellite receiver device 200 and the visible satellites; such a distance is calculated from the geographic coordinates authenticated for the satellite receiver device 200 during the previous period T _n . On the other hand, the centring time tc is proportional to the position of the one or more portions of the unpredictable authentication symbols which are intended to be estimated, within the message carried by such a satellite navigation signal.

From an implementation point of view, this receiver block 201 corresponds to the front-end of the GNSS receiver responsible for the analogue processing and radio frequency (RF) signal conditioning, i.e., the conversion of the captured band-pass signal into baseband, and further the input in the discrete time domain. The main operations therefore include low-noise amplification (LNA), filtering, baseband down-conversion frequency and analogue-to-digital conversion (ADC).

Following such reception, the satellite receiver device 200 is configured to deactivate the receiver block 201 at the end of the receiving time window , until the next time period Trx, and to estimate, by processing such a portion of the acquired symbols, the geographic coordinates related to the time instant tx and also the unpredictable authentication symbols related to such a received portion. Such latter operations are run by the satellite receiver device 200, by means of a first processing block, indicated with 202 in fig. 2. Such a first processing block 202, according to the preferred embodiment of the invention, once such estimates have been run, is configured to send the aforesaid unpredictable authentication symbols and the geographic coordinates to be authenticated and related to the instant tx to the aforesaid server 301.

From an implementation point of view, such a first processing block 202 runs the estimation of what is known as “observables”, e.g., the pseudorange, the Doppler shift, and the carrier phase, so as to identify the geographic coordinates of the satellite receiver device 200.

Additionally, the satellite receiver device 200, according to the authentication architecture 100 of the invention, comprises a second processing block 203 configured to receive the results of the verification step run by the remote server 301, as will be described shortly, so that the same satellite receiver device 200 may eventually accept or not accept the estimated geographic coordinates.

With regard to the processing device 300, in particular the remote server 301, it comprises a processing block 302 configured to receive from the satellite receiver device 200 the geographic coordinates for the instant tx estimated and to be authenticated, and the estimation of the unpredictable authentication symbols.

Subsequently, such a processing block 302 is configured to acquire the entire satellite navigation message, or at least to acquire the portion of bits corresponding to the unpredictable symbols, in such a time instant tx.

To this end, the remote server 302 hosts a repository 303, in which the set of all unpredictable authentication symbols transmitted by the satellites visible by the receiver 304 up to the current instant is available. This repository 303 is supported by a receiver 304 capable of continuously receiving signals coming from the aforesaid satellites.

Once the authentic messages have been retrieved, the remote server 301, for each of them, is configured to retrieve the portions of unpredictable bits which the satellite receiver device 200 should have received at the time instant tx if it were truly at the location of the geographic coordinates estimated and to be authenticated.

Furthermore, the remote server 301 is configured, by means of a verification block 305, to verify the correspondence of the one or more portions of unpredictable authentication symbols estimated by the satellite receiver device 200 with the corresponding portions of unpredictable authentication symbols retrieved from the satellite navigation message acquired by the same remote server 301.

Such a verification block 305 is thus configured to validate the authenticity of the geographic coordinates estimated by the satellite receiver device 200, if there is a substantial correspondence between the unpredictable symbols estimated by the satellite receiver device 200 and the corresponding unpredictable symbols belonging to the satellite navigation message acquired by the same remote server 301. In the opposite case, such a comparison block 305 is configured to signal a probable spoofing attack on the satellite receiver device 200.

Finally, the remote server 301 comprises a sending block 306 configured to send the result of such a verification to the aforesaid second processing block 203 of the satellite receiver device 200.

Preferably, such a sending is performed by sending a binary flag to the satellite receiver device 200, adapted to precisely assume two alternative values, one equivalent to the authenticity of the data received and the other equivalent to the non-authenticity of the data received.

It is not excluded, however, that such a sending is performed in an alternative manner with respect to the binary flag, as long as it is of a known type. Based on the above, it is understood that the method of the invention achieves all the above-mentioned objects.

In particular, the object to define a method for authenticating the geographic coordinates of a satellite receiver device, which can be actuated on satellite receiver devices operating in “snapshot” mode, is achieved.

The object of proposing a geographic coordinate authentication method configured to be implemented on satellite receiver devices with limited computational and energy resources is also achieved.

Lastly, the object of proposing a geographic coordinate authentication method which can be implemented on satellite receiver devices which do not have access to all OSNMA data is also achieved.