Can GPS be Trusted? Part 2
October 23, 2018
In my previous blog post, Can GPS be Trusted? Part 1, I explained why commercial GPS position, navigation and timing (PNT) cannot be trusted for critical systems. This blog explains how a trusted PNT system can still use a GPS as the primary PNT source.
Adding Trust with A-PNT
Assured Position, Navigation and Timing (also known as A-PNT) is an Army initiative that attempts to provide soldiers and systems with a reliable and accurate source of position, navigation and time even during compromised, denied or spoofed GPS transmissions.
A-PNT is a set of goals that are driven by the Army’s Direct Reporting Program Manager PNT (PM PNT) and the PNT System of Systems Architecture (SoSA). They derive from technologies developed by the Army’s Communications Electronics Research, Development and Engineering Center (CERDEC) and generally follow COTS (Commercial Off-The-Shelf) technological improvements.
A-PNT’s goals can be summarized by the following:
- Harden – resilience to denial, both from enemy and friendly jamming
- Trust – immunity to spoofing
- Complement – redundancy to failure by complementing GPS with multiple non-GPS PNT sensor
Hardening the GPS Signal Against the Enemy: Pseudolites
As mentioned in Part 1, GPS satellite signals are very weak due to their high orbit. Newer GPS satellites offer higher power, but to get the best signal they need to be closer - something impractical for the existing GPS constellation. However, it is possible to complement the satellites with terrestrial transmitters, called Pseudolites (“pseudo satellites”). Placed on the ground or in the air, Pseudolites appear to the receiver as a non-orbiting “satellite” with a very strong signal. Military receivers are already capable of receiving these strong signals (with a software update to remove orbit tracking) while encryption denies enemy access.
To operate correctly, Pseudolites need to know their current position and the GPS Time (the common GPS time base that all satellites use). To help with this, anti-jam antennae are used to provide signal filtering and directional features to make the best of the weak GPS signal while blocking any jamming signal.
Unlike ground-based Pseudolites, which are prone to line of site issues due to the terrain, airborne Pseudolites, placed in HALE (High Altitude Long Endurance) UAVs (Unmanned Aerial Vehicles) or balloons, give wide area visibility while having better GPS satellite jamming immunity.
Trusting the GPS Signal
As discussed my previous post, the low-power GPS satellite signal makes it vulnerable to jamming, which can deny systems a GPS fix. But more importantly, an enemy can spoof the signal and provide false positional and timing information.
GPS satellites communicate range and time using multiple pseudo-random bit streams, called “codes”, which are phase modulated onto the carrier frequency to form a spread spectrum. The receiver compares these codes to internally generated versions to both identify the satellite and determine the time delay or range. Commercial systems utilize an unencrypted “C/A-code” (Course/Acquisition code or Civilian Access code) output of the GPS satellites and a similar L2C-code used for surveying. The US military controls an additional encrypted channel called “P(Y)-code” or encrypted Precision code, which has been in operation since 1994. Receivers that use P(Y)-code are called SAASM receivers (Selective Availability / Anti-Spoofing Module).
It’s the P(Y) code that provides the Anti-Spoofing through code encryption using a secret “red” key. A properly keyed SAASM receiver can decrypt the GPS P(Y)-code using an unrestricted, but encrypted, “black” key. Each SAASM receiver has secret crypto software loaded into its Key Data Processor (KDP) which can decrypt the “black” key and use it to then decrypt the P(Y)-code. When successfully decrypted, the SAASM receiver knows to trust the GPS signal.
It’s interesting to note that through a satellite feature called “Selective Availability” (SA), the DoD intentionally degraded the commercial C/A-code by adding a clocking error equivalent to a range error of 300 feet. This, and a higher bit rate for the P(Y)-code, was intended to restrict high accuracy navigation to the US military only. A presidential order discontinued the SA error function in May 2002, and receiver technology improvements have since mitigated the higher bit rate advantage, leaving anti-spoofing as the only unique GPS military feature in place today.
As I mentioned in Part 1, the commercial sector is also heavily reliant on GPS, and this has led to pressure to implement a commercial authentication system for anti-spoofing. Currently all Global Navigation Satellite Systems (GNSS), such as the US GPS and European Galileo systems, do not provide this, however, there is a drive to add a feature called NMA (Navigation Message Authentication), which has the potential to bring trust to the commercial sector within the next few years.
The military advantages of P(Y)-code have been eroded as commercial demands on GPS grow. But GPS is moving on to something new: M-Code.
Hardening the GPS Signal against Attack: M-code
In the never-ending Electronic Warfare (EW) battle, the warfighter not only needs a GPS system that is immune to enemy jamming and spoofing, but also one that operates when the enemy is being jammed or spoofed.
What makes this counter-intuitive scenario feasible is a new GPS signaling technology called M-code. This military-only ranging code is being adopted with the upcoming GPS Block IIIA (or GPS III) satellite launches and will be available late 2019. Like P(Y)-code, M-code is an encrypted signal. But the similarities end there. It uses a different phase modulation which makes it appear in two lobes of the spread spectrum around the center carrier frequency. This allows transmission at higher powers without interfering with the commercial C/A-code (positioned at the carrier frequency), something that has been impossible for P(Y)-code.
The lobed spectrum of M-code also provides the ability to do selective jamming. By jamming the enemy’s commercial C/A-code at only the carrier frequency of each satellite, the M-code can remain unharmed and available for US military use.
M-code allows jamming of commercial GPS while protecting military PNT
Blue Force Electronic Attack (BFEA) utilizes M-code to deny commercial GPS for hundreds of miles while continuing military GPS reception. BFEA can even be mounted in Pseudolites, simultaneously enhancing friendly military GPS and denying enemy commercial GPS.
Unfortunately, since this selective jamming also jams much of the P(Y)-code signal, it can render the older SAASM receivers inoperable. To address this issue, as of 2017, all new military GPS receivers are required to support M-code.
Complementing GPS: Atomic Clocks, INS and More
Complementing GPS requires the use of other Position, Navigation and Timing systems to supplement a compromised GPS. Such sources are:
Position and Navigation
- Low Earth Orbit (LEO) commercial satellite systems, such as Satelles, Inc.'s STL (Satellite Time and Location) adaptation of the Iridium satellite communications network. STL's lower orbit produces encrypted time and range signals that are 1,000 times stronger than GPS
- Other GNSS satellites, such as the European Galileo constellation, especially when the authentication from NMA becomes available
- Inertial Navigation Systems (INS) using accelerometers and compasses to determine rotation and movement. Their accuracy deteriorates over time due to drift errors but can be reset whenever GPS is re-acquired
- Ground based PNT systems, such as eLoran
- Commercial broadcasting tower location fixes, such as cell towers, TV stations, etc.
- Ancient celestial navigation
- Chip Scale Atomic Clocks (CSACs). These are the size of a box of matches and have a time drift of around 50 microseconds a day. For perspective, a quartz crystal-based clock has an accuracy of only 2 seconds a day (40,000 times worse)
- Rubidium-based Miniature Atomic Clocks, slightly larger and higher power than a CSACs, but very stable and 20 or more times less drift
Fast deployment of advanced A-PNT systems is critical to the safety and efficacy of military operations. CERDEC is targeting A-PNT for both vehicles and infantry systems.
- MAPS (Mounted Assured PNT System) is for vehicles
- DAPS (Dismounted Assured PNT System) is for infantry
DAPS will require hand-held A-PNT systems, which will be necessarily limited in features and a simpler network topology.
In contrast, the larger platform of MAPS will be capable of hosting a diversity of PNT sensors to provide a very high degree of PNT assurance with a wide choice of cost/benefits to match particular vehicle requirements. However, traditional Vetronics implementations have had a dedicated GPS for each vehicle subsystem (e.g. C4ISR, EW, communication, mapping, navigation and mission systems), which increases system complexity and SWAP-C (Size Weight, Power and Cost). This has severely hindered deployment of the potently larger and higher cost A-PNT systems.In my next blog, I will discuss VICTORY, a standard that brings order to complex A-PNT C4ISR systems.