Proposal Protocol for DME and Airplane Communication
Proposal Protocol for DME and Airplane Communication
Proposal Protocol for DME and Airplane Communication
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>Proposal</strong> <strong>Protocol</strong> <strong>for</strong> <strong>DME</strong> <strong>and</strong> <strong>Airplane</strong> <strong>Communication</strong><br />
1 Introduction<br />
Dan Boneh <strong>and</strong> Frank Wang<br />
Department of Computer Science, Stan<strong>for</strong>d University<br />
{dabo,frankw}@cs.stan<strong>for</strong>d.edu<br />
In this report, we provide 2 different authentication protocols <strong>for</strong> communication between airplanes<br />
<strong>and</strong> <strong>DME</strong> towers. The first one, solely using signatures, is much simpler <strong>and</strong> does not require any<br />
knowledge of the data ahead of time but requires more authentication (512) bits to be transmitted<br />
to the airplane. The second one using message authentication codes (MACs) <strong>and</strong> signatures has<br />
more a detailed authentication scheme <strong>and</strong> requires knowledge of data one time interval ahead of<br />
time but requires half (256) the number of bits <strong>for</strong> the same level of security as the the first scheme.<br />
2 General Setup<br />
Both schemes have the same initial setup. The following keys <strong>and</strong> certifications must be generated<br />
be<strong>for</strong>e either of the authentication schemes can be initiated:<br />
• Every aviation authority (e.g FAA) generates a public <strong>and</strong> secret key pair (P KF AA, SKF AA).<br />
For simplicity, the schemes only consider one aviation authority, but they can easily be extended<br />
to include many authorities.<br />
• Every plane contains all the public keys (P KF AA) <strong>for</strong> every authority, which is manually<br />
installed on all planes. For each public key there is an associated geographic region of <strong>DME</strong>s<br />
where the public key can be used to certify <strong>DME</strong>s. The plane also has a certification revocation<br />
list to revoke compromised <strong>DME</strong> secret keys.<br />
• Every <strong>DME</strong> generates a public <strong>and</strong> secret key pair (P K<strong>DME</strong>, SKF AA) <strong>and</strong> has it signed by<br />
the appropriate authority. The <strong>DME</strong> has the following,<br />
(P K<strong>DME</strong>, SKF AA, CERTF AA)<br />
where CERTF AA contains (id, position, P K<strong>DME</strong>, <strong>and</strong> signature of the FAA on these fields).<br />
The certificate on the P K<strong>DME</strong> is generated manually <strong>and</strong> sent to the <strong>DME</strong>.<br />
If the any SK<strong>DME</strong> is stolen or compromised, the FAA generates a signed certificate revocation<br />
list <strong>and</strong> distributes it to all active <strong>DME</strong>s. If the SKF AA is stolen or compromised, a new public <strong>and</strong><br />
secret key pair needs to be generated. The public key has to be manually installed in all airplanes.<br />
3 Signature Scheme<br />
This scheme is simple <strong>and</strong> uses 512 bits <strong>for</strong> authentication. The general idea is that we sign all<br />
the messages individually <strong>and</strong> provide the key <strong>for</strong> verify the signatures. Each packet contains the<br />
1
following 3 parts: data, P K<strong>DME</strong>, <strong>and</strong> an aggregated (combination of multiple signatures) signature.<br />
The aggregated signature contains the signature of the FAA on the CERTF AA <strong>and</strong> the signature<br />
of the <strong>DME</strong> on the data. The <strong>DME</strong> signs the data using its SK<strong>DME</strong>, <strong>and</strong> the plane verifies the<br />
signature using P K<strong>DME</strong>. It is important to note that this scheme tolerates packet loss because each<br />
packet is individually signed <strong>and</strong> does not require any previous or future packets <strong>for</strong> authentication.<br />
The proof of security <strong>and</strong> specifics of aggregated signatures are described in Boneh et al. [1].<br />
The signatures are done using 256-bit elliptic curves [2]. There<strong>for</strong>e, the P K<strong>DME</strong> <strong>and</strong> signature<br />
are 256 bits each. The authentication requires 512 bits. However, this number can be reduced by<br />
using lower bit curves, but this also leads to a lower security.<br />
This scheme can be written with a small amount of code ( 100 lines) assuming that we have a<br />
library that can do elliptic curve cryptography. In terms of speed, it takes about 3 milliseconds to<br />
generate a 256-bit elliptic curve signature <strong>and</strong> about 70 milliseconds to verify it.<br />
4 Hash Mac Scheme<br />
The scheme has a more detailed authentication protocol, but it only requires 288 bits. When the<br />
first approaches the <strong>DME</strong>, it has to wait 10 seconds (or time intervals) be<strong>for</strong>e we can determine<br />
if the data is authenticated or not. The key setup is the same as the signature scheme. However,<br />
additional calculations <strong>and</strong> setups have to be done daily <strong>and</strong> hourly. We describe the daily setup<br />
of the <strong>DME</strong>, the <strong>DME</strong> transmission over a 24 hour period, <strong>and</strong> then the verification done by the<br />
plane over this 24 hour period.<br />
4.1 <strong>DME</strong> Hash Chain Generation<br />
At a specified time at night (preferably when there is low air traffic), the <strong>DME</strong> generates a hash<br />
chain of keys to be used during each time interval during the day. Similar one-way chains have<br />
been used in other broadcasting protocols [3]. In this report, our chain will be 86,400 keys long,<br />
<strong>and</strong> we will assume each time interval is 1 second. To generate this chain, we start with the nth key<br />
(Kn). This key should be r<strong>and</strong>omly generated. The 0th key is found by applying a one-way (hash)<br />
function H n times (e.g. K0 = H n (Kn)). In our implementation, we use Secure Hash Algorithm<br />
(SHA) 256, which is a one way, collision resistant function that outputs 256 bits. <strong>and</strong> 128 bit keys.<br />
We take the least significant 128 bits be<strong>for</strong>e we apply the one way function. Given a key, Kj, Ki =<br />
H j−i (Kj) <strong>for</strong> j > i.<br />
The keys are used in reverse order. In other words, time interval 0 uses K0, time interval 1<br />
uses K1, etc. Knowing any previous key allows to see if a future key was generated from the same<br />
previous key. A one way function means that there is no known inverse function, so it would be<br />
very difficult to find Kj knowing Ki <strong>for</strong> j > i. We need some way to store this chain. We can<br />
calculate it all at once <strong>and</strong> store it, which would require O(n) space but constant time <strong>for</strong> retrieval.<br />
We can just calculate K0 <strong>and</strong> recompute the chain every time, which would require O(n) time but<br />
constant space. Re-generating the hash chain every time would be computationally expensive. For<br />
a chain with 86,400 keys, it takes about 135 milliseconds. Jakobsson [4], <strong>and</strong> Coppersmith <strong>and</strong><br />
Jakobsson [5] describe a method <strong>for</strong> computing the next value in the chain with n elements that<br />
requires O(log n) space <strong>and</strong> O(log n) time <strong>for</strong> each retrieval.<br />
4.2 Transmission of the <strong>DME</strong> over a 24 hour period<br />
Every 10 minute window contains 600 time intervals. Let Kw be the first key from the hash chain<br />
associated with the current 10 minute time window.<br />
2
At the beginning of each 10 minute time window, the <strong>DME</strong> generates SIG<strong>DME</strong>, which is the<br />
signing of Kw using SK<strong>DME</strong> <strong>and</strong> an aggregated signature (AggSig) using the same method as above<br />
containing SIG<strong>DME</strong> <strong>and</strong> the FAA signature on CERT<strong>DME</strong>. There<strong>for</strong>e, we have the following<br />
signature:<br />
SIGOV ERALL = (P K<strong>DME</strong>, AggSig, Kw)<br />
This is total of 640 bits because the public key is 256 bits, the aggregated signatures is 256 bits,<br />
<strong>and</strong> the key is 128 bits. This signature defines a polynomial F over GF(2 64 ) of degree 9. The<br />
importance of the polynomial is described below.<br />
4.2.1 Transmission every time interval<br />
At time interval i, the <strong>DME</strong> sends datai. It computes the following:<br />
ti+1 = MAC[Ki+1, datai+1 —— (32-bit time)]<br />
Note that this MAC requires one time interval advance knowledge. Our implementation uses<br />
HMAC-SHA256. We take the least significant 64 bits. The 32-bit time is included in the MAC<br />
calculation to prevent replay attacks, but datai may only contain the 16 least significant time<br />
bits. The 16 most signification bits are known to both the <strong>DME</strong> <strong>and</strong> the plane <strong>and</strong> need not be<br />
transmitted because it is within the 24 hour window.<br />
The <strong>DME</strong> sends the following:<br />
[datai, Ki, ti+1, F(i)]<br />
Ki is 128 bits, ti+1 is 64 bits, <strong>and</strong> F(i) is 64 bits. There<strong>for</strong>e, the authentication requires 256 bits.<br />
It is important to note that the polynomial changes every 600 time intervals. Any 10 packets are<br />
sufficient to recover F which gives the plane SIGOV ERALL <strong>and</strong> allows it to verify the signatures.<br />
This in<strong>for</strong>mation dispersal allows <strong>for</strong> packet loss.<br />
4.2.2 Last 16 time intervals in 24-hour period<br />
<strong>DME</strong> sends the following:<br />
[datai, Ki, ti+1, F’(i)]<br />
Everything represents the same as above except F’ is the polynomial <strong>for</strong> the first SIGOV ERALL in<br />
the next 24 hour chain<br />
4.3 Important Notes about the <strong>DME</strong> transmission<br />
4.3.1 24 hour chain<br />
When switching between chains, the transition is smooth unless there is a burst of packet loss, in<br />
which the plane ill need to wait a few seconds until it receives a new complete signature. Increasing<br />
chain length would make this event less frequent, but will increase the time to first build the chain<br />
<strong>and</strong> access the chain. The hash chain ensures that palnes can recover from a burst packet loss by<br />
dropping no more than on packet. However, if an attacker is able to block every other packet, the<br />
plane will be unable to authenticate any packet. We will show why this is the case in the plane<br />
verification section below.<br />
3
4.3.2 10 minute window<br />
Signature is used <strong>for</strong> 10 minutes, but this time is variable. Increasing the window size will make it<br />
harder <strong>for</strong> to verify key Ki it receives in current packet because it has to per<strong>for</strong>m the hash function<br />
to get that key. Shrinking this window reduces the opportunity <strong>for</strong> recovering the signature.<br />
4.3.3 Last 16 packets in 24 hour window<br />
Sending the signature on the new K0 in last 16 packets of current chain. Increasing the number<br />
reduces the possibility of packet loss, but makes it more difficult <strong>for</strong> new planes coming into contact<br />
with the <strong>DME</strong> to verify the end of the previous chain because the signature is <strong>for</strong> the new chain.<br />
New planes joining at the end of a chain will, in the worst case, need to wait 16 seconds be<strong>for</strong>e<br />
they can authenticate data (as opposed to 10 seconds normally). Planes currently using <strong>DME</strong> are<br />
unaffected by change of chain, unless there is packet loss during the change of chain.<br />
4.4 Plane Verification Process<br />
4.4.1 First Contact with the <strong>DME</strong><br />
The plane collects 10 packs from the <strong>DME</strong> <strong>and</strong> reconstructs SIGOV ERALL as described above.<br />
After reconstructing, it verifies the signatures. At this point, the plane has authenticated Kw <strong>for</strong><br />
the current 10 minutes time window. This means that the plane knows the <strong>DME</strong> is the <strong>DME</strong> it<br />
claims to be. When the next packet P , which contains [datai, Ki, ti+1, F(i)], is received, the plane<br />
checks that H(H(H..H(Ki)..)) = Kw, otherwise reject the packet if not. The plane can do this<br />
because it knows what time P was transmitted <strong>and</strong> when Kw was created. After that, the plane<br />
checks verifies that ti (from the previous packet) is equal to MAC(Ki, [datai —— (32-bit time)]).<br />
If it is equal, then output valid, <strong>and</strong> reject the packet otherwise. If it is valid, that means the datai<br />
is authenticated <strong>and</strong> can be used securely.<br />
4.4.2 Subsequent contact<br />
The method is the same as above. If there is a gap in chain due to packet loss, the plane waits until<br />
the next packet is received. It ignores that packet but saves ti+1 from it. Then, when the next<br />
packet is received, the plane per<strong>for</strong>ms the MAC check described above. It is important to mention<br />
that if an attacker is able to block every other packet, the plane will be unable to authenticate any<br />
packet because we could never get the keys or data from the next packet to authenticate the MAC<br />
field from the previous packet. If the packets happen to be the last packets in 24 hour chain, the<br />
plane collects SIGOV ERALL on the new K0. The plane verifies the signatures <strong>and</strong> then starts using<br />
the new chain. No interruption in the service is expected. If packet loss occurs <strong>and</strong> prevents the<br />
acquisition of the signature on K0 from last 16 packets of previous chain, then use signatures on<br />
the new chain to verify K0 as if the packets did not come.<br />
This method is more involved but has less bits. It can be written in about 500 lines of code.<br />
The signature verification is the same speed as above.<br />
References<br />
[1] D. Boneh, H. Shacham, <strong>and</strong> B. Lynn. Short signatures from the Weil pairing. J. of Cryptology<br />
17(4): p.297-319, 2004.<br />
4
[2] D. Freeman. Constructing Pairing-Friendly Elliptic Curves with Embedding Degree 10. Algorithmic<br />
Number Theory: p. 452-65, 2006.<br />
[3] A. Perrig, R. Canetti, J.D. Tygar, <strong>and</strong> D. Song. The TESLA Broadcast Authentication <strong>Protocol</strong>.<br />
RSA Cryptobytes 5: p.2002, 2002.<br />
[4] M. Jakobsson. Fractal hash sequence representation <strong>and</strong> traversal. In Proceedings of the 2002<br />
IEEE International Symposium on In<strong>for</strong>mation Theory, p. 437-44, July 2002.<br />
[5] D. Coppersmith <strong>and</strong> M. Jakobsson. Almost optimal hash sequence traversal. In Proceedings of<br />
the Fourth Conference on Financial Cryptography, 2002.<br />
5