Timed Efficient Stream Loss-Tolerant Authentication (TESLA)

When considered as a security solution for ADS-B, asymmetric-key encryption has two major drawbacks. The first issue is that current asymmetric-key schemes have no compact encryption implementations, and would result in an increase of the transmitted ADS-B message length. The second problem is that unique encrypted ADS-B messages would be required for each recipient. To maintain a fully-connected network of n nodes would necessitate (n² − n) unique broadcasts rather than n in the current system [15], which obviously does not scale well as the size of the network increases.

As a possible answer to these two drawbacks, Costin et al. [3] have suggested what they term a “lightweight” PKI solution. In the lightweight PKI approach, node A transmits its digital signature over n messages, so that after every n messages, the surrounding nodes have received A’s digital signature. The recipients keep the messages until the entire digital signature has been transmitted and they can authenticate the buffered messages. The authors suggest that the PKI key distribution necessary for this scheme could be done during an aircraft’s scheduled maintenance cycle [13].

A security scheme called Timed Efficient Stream Loss-Tolerant Authentication (TESLA) is a variation on traditional asymmetric cryptography that has been proposed for use on broadcast networks [19], [20]. With TESLA, senders retroactively publish their keys, which are then used by receivers to authenticate the broadcast messages. A broadcasting node produces an encrypted message authentication code (MAC) which is included with every message. After a designated time interval or number of messages, the key to decrypt the sender’s MAC is published. Listening receivers who have buffered the sender’s previous messages can then decrypt the messages that were broadcast. When applied to ADS-B, this technique imposes a time delay on the broadcast due to the need to buffer messages, but it provides integrity and continuity of messages sent over the network.

μTESLA is an adaptation of the TESLA protocol designed for use on wireless sensor networks. The TESLA protocol requires nodes in the network to be loosely time synchronized, with each node having an upper bound on the maximum clock synchronization error. As discussed earlier, asymmetric encryption schemes have high computation and communication overhead, which limits their usefulness as security approaches on the bandwidth-constrained ADS-B network. The TESLA protocol overcomes this problem by employing asymmetric-key encryption through a delayed disclosure of symmetric keys, which results in an efficient broadcast authentication scheme. When one considers the bandwidth and interference limitations on the ADS-B frequency channel, the TESLA design adaptations identify this protocol as a viable scheme for providing security in ADS-B.

However, there are two obstacles to applying TESLA to ADS-B. The primary issue is that, while sufficiently good time synchronization could be provided via GPS, it would require modification to the protocol to accommodate the GPS timestamp field. The second problem is that in order for TESLA to be used for verifying the identity of a network node, it needs to be reinitialized, which leaves it susceptible to memory-based DoS attacks. In spite of these drawbacks, TESLA is a promising security scheme for integrating into ADS-B.
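The delayed key disclosure and receiver-side buffering described above can be seen in the following Python sketch, which is an added example and not code from the paper or from any TESLA implementation. It follows the published TESLA design, in which interval keys form a one-way hash chain anchored in a public commitment and receivers recompute the MAC with the disclosed key; the SHA-256/HMAC primitives, the two-interval `DELAY`, and all function and class names are assumptions made for illustration.

```python
import hashlib
import hmac

DELAY = 2  # assumed disclosure delay: K_i is published in interval i + DELAY

def walk(key: bytes, steps: int) -> bytes:
    """Apply the one-way function `steps` times (K_i -> K_{i-steps})."""
    for _ in range(steps):
        key = hashlib.sha256(key).digest()
    return key

def make_chain(seed: bytes, n: int) -> list:
    """Return [K_0 .. K_n] with K_{i-1} = H(K_i); K_0 is the public commitment."""
    return [walk(seed, n - i) for i in range(n + 1)]

def mac(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()

def send(chain: list, interval: int, payload: bytes) -> tuple:
    """Packet: interval, payload, MAC under the still-secret K_interval, old key."""
    old = interval - DELAY
    disclosed = (old, chain[old]) if old >= 1 else None
    return interval, payload, mac(chain[interval], payload), disclosed

class Receiver:
    def __init__(self, commitment: bytes):
        self.known = (0, commitment)  # newest authenticated chain key
        self.buffer = []              # (interval, payload, tag) awaiting a key
        self.accepted = []            # payloads whose MAC verified

    def receive(self, packet: tuple, sender_interval_bound: int) -> None:
        interval, payload, tag, disclosed = packet
        # Security condition: buffer only if K_interval cannot be public yet,
        # judged from the local clock plus the maximum synchronization error.
        if sender_interval_bound < interval + DELAY:
            self.buffer.append((interval, payload, tag))
        if disclosed:
            self._on_key(*disclosed)

    def _on_key(self, idx: int, key: bytes) -> None:
        base_idx, base = self.known
        if idx <= base_idx or walk(key, idx - base_idx) != base:
            return                    # stale or forged key: ignore it
        self.known = (idx, key)
        waiting = []
        # A lost disclosure is tolerated: older K_i are derived from K_idx.
        for i, payload, tag in self.buffer:
            if i > idx:
                waiting.append((i, payload, tag))
            elif hmac.compare_digest(mac(walk(key, idx - i), payload), tag):
                self.accepted.append(payload)
        self.buffer = waiting
```

The `sender_interval_bound` check is what ties the scheme to loose time synchronization: without it, a packet MACed under an already disclosed key would be buffered and would verify at the next key disclosure.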

B. Aircraft Address Message Authentication Code

The cryptographic solutions PKI and TESLA both have shortcomings in that they require modifications to the current ADS-B protocol. The Aircraft Address Message Authentication Code (AA-MAC) security solution utilizes a standard hash algorithm such as MD5 or SHA and a secret authentication key to perform message integrity [21]. The AA-MAC message source integrity scheme would require a slight modification to the existing protocol in that it would replace the current Aircraft Address (AA) field with the MAC, but the ADS-B message is otherwise unchanged. The AA-MAC approach proposes a different aircraft identification strategy, assigning a unique identifier to each aircraft that is good for the duration of a particular flight. As with PKI cryptographic approaches, the distribution of the secret key presents challenges for AA-MAC. Since MAC requires just one key which is used to uniquely identify a sender on the network, the simplest approach would be to distribute the secret key only when an aircraft intends to enter the air traffic control system and ADS-B network.

The purpose here is to demonstrate a compatible security scheme that will mitigate threats posed by message injection and modification attacks, which are among the most critical vulnerabilities in the current ADS-B implementation. While AA-MAC does not provide data integrity, it is highly compatible with the existing 1090ES protocol and can be implemented at low cost relative to other security proposals, offering a feasible partial security solution for ADS-B.

4.1.2. Non-Cryptographic Schemes

As we have seen, cryptographic security schemes are difficult to implement in a way that is compatible with the existing infrastructure, primarily due to the problem of key distribution and management. Non-cryptographic approaches to network security avoid the challenge of key management and instead involve either some form of fingerprinting on the physical layer, or a frequency modulation scheme such as spread spectrum.

A. Fingerprinting

Schemes such as fingerprinting encompass various methods for authentication and identification, either based on hardware or software imperfections or characteristics of the frequency channel which are hard to replicate. Identifying signatures for legitimate nodes on the network provides data useful for the implementation of systems to detect network intrusions [22].

Software-Based Fingerprinting schemes attempt to isolate distinct characteristics of the software operating on network equipment. The development teams for different network equipment manufacturers often take widely varied paths when implementing software on a given device. These differences can be cataloged and later exploited to tell apart dissimilar network devices, and can be used to verify their continuity up to a certain degree.

Hardware-Based Fingerprinting approaches seek to identify and catalog unique network hardware differences. Some of these differences can be used for radiometric fingerprinting, which takes advantage of differences in the modulation of a radio signal to catalog unique device signatures. Clock skew is another identifiable hardware feature that can be used to establish uniqueness between wireless devices. Since no two clocks are perfectly synchronized, time difference can be used to create signatures and enable identification.

A third category of fingerprinting is Channel/Location-Based Fingerprinting. This fingerprinting method tries to exploit natural characteristics of the communications channel. Various approaches utilizing received signal strength (RSS), channel impulse response (CIR) and the carrier phase have shown that this can be a viable alternative to more traditional authentication and verification measures.