Mapping Bit to Symbol Unpredictability in Convolutionally Encoded Messages with Checksums, with Application to Galileo OSNMA

This paper investigates the distribution of unpredictable symbols in the OSNMA scheme, which introduces cryptographic elements into the “Reserved 1” field of the odd page of the Galileo I/NAV message. The primary purpose of this cryptographic data is to provide authentication of the contents of the I/NAV (and other) messages, through a delayed release symmetric key scheme based on the TESLA protocol. A secondary benefit of this approach is that the navigation messages are not predictable, preventing a spoofer from, for example, generating a spoofed navigation message today and broadcasting it tomorrow. Prior work has described an attack, the Forward Estimation Attack (FEA) [1], that takes advantage of the forward error correction (FEC) employed by the Galileo E1 OS in order to ensure that a spoofed receiver correctly decodes the I/NAV message, even if it has been generated with some errors in some symbols. FEA exploits the fact that the FEC can correct symbol errors on those symbols that are not known a priori by the spoofer, or “unpredictable” symbols, thereby ensuring the correct decoding of the navigation message. At the same time, this attack does not break the NMA scheme, in that it does not make the receiver vulnerable to spoofed navigation messages, but rather makes it more likely that the receiver will decode the correct message, even if a spoofed message, arriving in delay or even in advance, is broadcast. In order to defend against such an attack and some other attacks altering the signal time of arrival, the receiver can re-encode the navigation message into symbols once it has been successfully decoded and compare the symbol error rates for those symbols that are predictable and those that were not. In order to perform this comparison in a meaningful way, it is first necessary to know which symbols are predictable and which are not. This paper presents in full detail, for the first time to the knowledge of the authors, how this can be achieved, and proposes a simple implementation in the receiver. This method takes also into account the impact of the CRC in the symbol unpredictability. Given this information it is then straightforward to design and implement a FEA detection mechanism.