Galileo Open Service Authentication: A Complete Service Design and Provision Analysis

GNSS authentication, and in particular Navigation Message Authentication (NMA), has been already studied in the scientific literature. However, not many references that analyse the assets at risk, existing threats, mitigation actions, and residual risks through standard risk assessment processes, are available. In this paper, we outline how to use such processes to justify the design and selection of some configurable options for the service specification and operational procedures of GNSS Navigation Message Authentication (NMA) using the Galileo Open Service signals. The proposed NMA scheme is based on the TESLA protocol as proposed in [1]. To motivate the design of the service, we first identify the categories of users and associated risks of attack. We then summarize the mitigation capability against these attacks provided by the TESLA solution referred herein. We define the cryptographic parameters to use for the service in the foreseeable future. We also identify further mitigations that the receiver manufacturer or service user might need to consider to ensure security of the position and/or the time fixes according to their risk aversion. These might include a trusted local clock reference, a process to verify or challenge digital certificates and statistical analysis of symbol recovery. We then define crypto parameters and procedures that affect the quality of service for different users, as a function of several system performance scenarios. We show that, for the selected parameters, multi-constellation NMA can be achieved in environments with a masking angle up to 40 degrees. We also show that authentication using only validated signals presents good performance at 5 degrees masking angle, for users requiring four satellites transmitting NMA. This performance may increase through an optimized downlink strategy.