Crystal Oscillators in OSNMA-Enabled Receivers: An Implementation View for Automotive Applications

To ensure the authenticity of navigation data, Galileo Open Service navigation message authentication (OSNMA) requires loose synchronization between the receiver clock and the system time. This means that during the period between clock calibrations, the receiver clock error needs to be smaller than a pre-defined threshold, currently up to 165s for OSNMA. On the other hand, relying on the PVT solution to steer the receiver clock or correct its bias may not be possible since this would depend on the very same signals we intend to authenticate. This work aims to investigate the causes of the frequency accuracy loss leading to clock errors and to build a model that, from the datasheet of a real-time clock (RTC) device, allows to bound the error clock during a certain period. The model's main contributors are temperature changes, long-term aging, and offset at calibration, but it includes other factors. We then apply the model to several RTCs from different manufacturers and bound the maximum error for certain periods, with a focus on the two-year between-calibration period expected for the smart tachograph, an automotive application that will integrate OSNMA.

Improving Galileo OSNMA Time To First Authenticated Fix

Galileo is the first global navigation satellite system to authenticate their civilian signals through the Open Service Galileo Message Authentication (OSNMA) protocol. However, OSNMA delays the time to obtain a first position and time fix, the so-called Time To First Authentication Fix (TTFAF). Reducing the TTFAF as much as possible is crucial to integrate the technology seamlessly into the current products. In the cases where the receiver already has cryptographic data available, the so-called hot start mode and focus of this article, the currently available implementations achieve an average TTFAF of around 100 seconds in ideal environments. In this work, we dissect the TTFAF process, propose two main optimizations to reduce the TTFAF, and benchmark them in three distinct scenarios (open-sky, soft urban, and hard urban) with recorded real data. Moreover, we evaluate the optimizations using the synthetic scenario from the official OSNMA test vectors. The first block of optimizations centers on extracting as much information as possible from broken sub-frames by processing them at page level and combining redundant data from multiple satellites. The second block of optimizations aims to reconstruct missed navigation data by using fields in the authentication tags belonging to the same sub-frame as the authentication key. Combining both optimizations improves the TTFAF substantially for all considered scenarios. We obtain an average TTFAF of 60.9 and 68.8 seconds for the test vectors and the open-sky scenario, respectively, with a best-case of 44.0 seconds in both. Likewise, the urban scenarios see a drastic reduction of the average TTFAF between the non-optimized and optimized cases, from 127.5 to 87.5 seconds in the soft urban scenario and from 266.1 to 146.1 seconds in the hard urban scenario. These optimizations are available as part of the open-source OSNMAlib library on GitHub.

Implementation Considerations for ACAS and Simulation Results

The Assisted Commercial Authentication Service (ACAS) is a semi-assisted signal authentication concept currently being defined for Galileo, based on the E6-C encrypted signal. Leveraging the assumption that the true E6-C encrypted signal always arrives before any inauthentic signal, we define user concepts for signal detection, including vestigial signal search. We define three mitigation levels, each level defending against an increasing set of threats, incorporating the described concepts and additional checks. The concepts are analyzed and implemented in a simulation environment, and tested in both nominal conditions and under advanced spoofing attacks. The results suggest that even advanced attacks can be detected and mitigated by ACAS receivers.

Semi-Assisted Signal Authentication based on Galileo ACAS

A GNSS signal authentication concept named semi-assisted authentication is proposed. It is based on the re-encryption and publication of keystream sequences of some milliseconds from an already existing encrypted signal. Some seconds after the keystreams are transmitted in the signal-in-space, the signal broadcasts the key allowing to decrypt the sequences and the a-posteriori correlation at the receiver. The concept is particularized as Galileo Assisted Commercial Authentication Service, or ACAS, for Galileo E1-B, with OSNMA used for the decryption keys, and E6C, assumed to be encrypted in the near future. This work proposes the ACAS cryptographic operations and a model for signal processing and authentication verification. Semi-assisted authentication can be provided without any modification to the signal plan of an existing GNSS, without the disclosure of signal encryption keys, and for several days of receiver autonomy, depending on its storage capabilities.