Protection Method for Data Communication between ADS-B Sensor and Next-Generation Air Traffic Control Systems

Communications, Navigation, Surveillance/Air Traffic Management (CNS/ATM) systems utilize digital technologies, satellite systems, and various levels of automation to facilitate seamless global air traffic management. Automatic Dependent Surveillance-Broadcast (ADS-B), the core component of CNS/ATM, broadcasts important monitoring information, such as the location, altitude, and direction of aircraft, to the ground. However, ADS-B data are transmitted in an unencrypted (or unprotected) communication channel between ADS-B sensors and Air Traffic Control (ATC). Consequently, these data are vulnerable to security threats, such as spoofing, eavesdropping, and data modification. In this paper, we propose a method that protects the ADS-B data transmitted between ADS-B sensors and ATC using Simple Public Key Infrastructure (SPKI) certificates and symmetric cryptography. The SPKI certificates are used to grant transmission authorization to the ADS-B sensors, while symmetric cryptography is used to encrypt/decrypt the ADS-B data transmitted between the ADS-B sensors and ATC. The proposed security framework comprises an ADS-B sensor authentication module, an encrypted data processing module, and an ADS-B sensor information management module. We believe that application of the OPEN ACCESS Information 2014, 5 623 proposed security framework to CNS/ATM will enable it to effectively obviate security threats, such as ground station flood denial, ground station target ghost injection, and ADS-B data modification.


Introduction
Communication, Navigation, Surveillance/Air Traffic Management (CNS/ATM), which is based on the concept that safe aircraft navigation is ensured by the use of satellites, sensors, and data communication technology, is the next-generation Air Traffic Control (ATC) system being promoted by the International Civil Aviation Organization (ICAO) [1].Automatic Dependent Surveillance-Broadcast (ADS-B), one of the core components of CNS/ATM, broadcasts information about aircraft, such as location, altitude, and speed, in real time [2][3][4].CNS/ATM uses 4-D Trajectory Modeling [5,6], which can accurately predict the flight path of an aircraft on the basis of ADS-B and aircraft performance data, and therefore ensures safe navigation of more aircraft in limited air space.
However, recently, the number of security issues in the wireless environment has been increasing.As a result, a number of solutions to correspond to consequential security threats have been proposed [7][8][9].However, even with these proposed measures, data from ADS-B, one of the core components of CNS/ATM are still vulnerable to security threats.ICAO is currently still examining security issues, and has been delaying selection and implementation of effective technologies to countermeasure the threats [10][11][12][13][14][15].An example of the threats involved was outlined at the 2012 Defcon Hacking Conference [16,17], where it was demonstrated that ADS-B data could be hacked by aircraft target ghost injection.In this scenario, aircraft target ghost injection generates ADS-B data for 50 virtual aircraft and broadcasts the data, which are then received at the surveillance system and displayed at the Controller Working Position (CWP), which may result in hacking at the ATC.
In this paper, we propose a method that protects the ADS-B data transmitted between ADS-B sensors and ATC using Simple Public Key Infrastructure (SPKI) certificates and symmetric cryptography.The proposed security framework periodically authenticates the ADS-B sensors using lightweight SPKI certificate and encrypts the ADS-B data transmitted from the ADS-B sensors to ATC.The remainder of this paper is organized as follows: Section 2 gives an overview of ADS-B, describes the security vulnerabilities present, and discusses the lightweight SPKI certificates utilized in the proposed security framework.Section 3 outlines the proposed ADS-B security framework, which utilize SPKI certificates and XML digital signatures to countermeasure security threats.Section 4 concludes this paper.

ADS-B
2.1.1.Overview ADS-B is the next-generation surveillance system of CNS/ATM that allows the sharing of aircraft information, such as position, altitude, etc., among aircrafts and ATC [2][3][4].ADS-B features two service modes as shown in Figure 1."Step 1: ADS-B OUT" provides broadcasting of surveillance information (e.g., position, altitude, velocity, identification, emergency information) [18] from aircrafts to ATC or to other aircrafts."Step 2: ADS-B IN" displays transmitted ADS-B information to cockpits of the aircrafts and ATC CWP to show identification of other aircrafts [2,3].ADS-B features higher accuracy of identification than current Primary Surveillance Radar (PSR) provides because Global Positioning System (GPS) is used in acquisition of the aircraft position.Therefore, superior air traffic control featuring higher degree of accuracy, safety, and efficiency is possible in a controlled airspace [2][3][4].

Security Threats
Because ADS-B does not contain a suitable security countermeasure, anyone can view aircraft flight information using ADS-B data receiver occurred to possible security threats [10][11][12][13][14][15][16][17].[10] shows the analysis of the security vulnerability of ADS-B data in the ADS-B data link.
-Eavesdropping -Jamming -Message Injection -Message Modification -Message Deletion Particularly, there is strong possibility of increase of security vulnerability concerning Message Injection and Message Modification.Message Injection can interfere air traffic control by using Ground Station Flood Denial, Ground Station Target Inject, Ground Station Multiple Ghost Inject, and Message Modification can be used in Virtual Aircraft Hijacking [10,11].An example, Ground Station Target Inject and Aircraft Target Ghost Inject were demonstrated in 2012 Defcon Hacking Conference [16,17].

SPKI
Public Key Infrastructure (PKI) generates security tokens to provide encrypted signatures using a public key algorithm.More specifically, it authenticates users and encrypts data using a public/private key pair for encryption/decryption.Because PKI can only be applied to sensor groups and resource groups, rather than specific users, a universal user authentication/authorization mechanism is used in grid environments instead [19].The most recently presented mobile network anonymous authentication mechanism [20] satisfies the low-volume data and fast processing speed of ADS-B, but it does not yet clearly recognize ADS-B.As a consequence, we adopted the lightweight SPKI certificate for out proposed method.
The SPKI certificate is the standard proposed for the application of the PKI certificate.An SPKI certificate binds the authority of a user with the public key and provides access control.An SPKI certificate is also called an "authority certificate".It is published by a server to a client, who is then permitted to use the resources provided by a server in accordance with the access policy granted to the SPKI certificate it possesses.An SPKI certificate has the following features, which contrast those possessed by an X.509 user certificate [21,22].
-AN SPKI certificate indicates the issuer and subject using the hash-value of the public key or the public key.Therefore, user anonymity is guaranteed.-An SPKI certificate operates without modifying the server database; authorization is easily delegated to the user.-An SPKI certificate can operate independently of any specific service.
-Publication and management of SPKI certificates are relatively easy.Therefore, maintenance cost is expensive.-Restrictions and multiple delegations can be easily applied using an SPKI certificate.
In this paper, two versions of SPKI certificates are used for ADS-B sensor identification and authorization, respectively [22].

ADS-B Sensor Identification Certificate
An ADS-B sensor identification certificate is used to get an ADS-B sensor authorized by ATC and connects the unique identification codes of the ADS-B sensor to its public keys.

ADS-B Sensor Authorization and Symmetric Keys Exchange Using the Proposed ADS-B Framework
The structure of the ADS-B security framework proposed in this paper is depicted in Figure 2.For the messages exchanged between the ADS-B sensor and ATC in Steps 1-5, an XML signature is used.
-Step 1: The ADS-B sensor generates a private/public key pair, and generates ADS-B sensor identification certificates signed with the private key in the data, and including ADS-B sensor identification information and the public key, then transmits them to ATC.An examples of the SPKI four tuple certificate generated in Figure 3 shown below:

<ADS-B Sensor 1, ADS-B Sensor 1's Public Key Info, ADS-B Sensor ID, 10/Oct/2014> Signature (ADS-B Sensor 1's Private Key)
ATC compares the ADS-B sensor identification certificates with ADS-B sensor information to validate them.

XML Signature Module
The XML signature module is the core module used to authenticate the ADS-B sensor, and is installed in both the ADS-B sensor and ATC.As illustrated in Figure 4, the XML signature module is composed of a unit or parsing and creation of XML signatures, a key and certificate status verification unit, and a unit for certificate request message creation.Data flow and the data in each module are controlled in the execution environment.

XML Signature Creation and Verification for Authentication
Figure 5 depicts the XML signature generation module, which generates signatures using the ADS-B sensor data (the ADS-B sensor data includes ADS-B sensor identification certificates, SPKI four tuple ADS-B sensor identification certificates and SPKI six tuple sensor authorization certificates) and certificate.The ADS-B sensor data are used to create a value for verification through hashing and then combined with the XML signature value and the encrypted private key of the sensor to from the authentication request in the XML signature generation process.The series of steps executed in the process is outlined below.

Conclusion
Recently, as a result of the rapid increase in air traffic, the construction of the CNS/ATM next-generation ATC system has been accelerated.To ensure the safe navigation of more aircraft in limited air space, CNS/ATM has to predict accurate traffic flows on the basis of flight plans and accurate positioning of aircraft.ADS-B is able to provide accurate navigation information, such as the location, altitude, and identification information of aircraft; consequently, it is the core technology in CNS/ATM.However the transmission of ADS-B data between ADS-B sensor and ATC is carried out in an unencrypted (or unprotected) communication channel; therefore, it is vulnerable to security threats such as spoofing, eavesdropping, and data modification.
The ideal method of countering this security threat toward ADS-B would be to issue X.509 certificates to all planes and provide a certificate based security service, but this is difficult in reality.
In this paper, we proposed a method that protects the ADS-B data transmitted between the ADS-B sensor and ATC.In the proposed method, the ADS-B sensor is identified using SPKI four tuple certificates and further authorized to transmit ADS-B data to ATC using SPKI six tuple certificates.An authorized ADS-B receives symmetric keys from ATC and utilizes them to encrypt the ADS-B data.We believe that application of the method proposed in this paper to the next-generation ATC system will facilitate an effective response to the security threats to ADS-B data transmitted between ADS-B sensors and ATC, such as spoofing, eavesdropping, and data modification.
Our future research direction is to implement the proposed security framework, improve it through validation at the laboratory level, analyze the benefits of application to CNS/ATM, and ultimately obtain valid test results by linking the actual data with an actual ATC system in operation.
<Issuer, Localname (Public Key Info), Subject (ADS-B ID), Validity (10/OCT/2014) > Signature (Issuer) -Issuer: The SPKI certificate issuer; the issuer signs the SPKI certificate with private keys.-Localname:This comprises the SPKI certificate issuer's public key and one or more identifiers.-Subject:The subject of the SPKI certificates issue, including the unique identifiers of the ADS-B sensor.-Validity: Indicates the expiration date of the SPKI certificate.2.2.2.ADS-B Sensor Authorization CertificateAn ADS-B sensor authorization certificate is used to receive ADS-B sensor authorization from ATC.This certificate grants authorization to transmit ADS-B data received by the ADS-B sensor to ATC.The ADS-B sensor authorization certificate comprises the following six tuples: <Issuer, Subject (ADS-B ID), SubjectPublicKeyInfo, Delegation, Authorization, Validity (10/Oct/2014)>Signature (Issuer) -SubjectPublicKeyInfo: SPKI certificate subject public key information.-Delegation: Indicates the existence of authorization to transmit ADS B-data with a value of True/False.-Authorization: Specifies the authorization granted by ATC to the ADS-B sensor.

Figure 2 .
Figure 2. Proposed ADS-B security framework structure and operation.

Figure 4 .
Figure 4. Structure and operation of the authentication module.

( 1 )
Create document by collecting ADS-B sensor data.(2) Sign with private key of ADS-B sensor certificate and add digest value.(3) Public key data for signature verification creates <KeyInfo> which includes SPKI certificate for the ADS-B sensor.(4) Create XML signature containing the value obtained from the above process.

Figure 6
Figure 6 depicts the module used to examine the validity of the XML signature and extract the ADS-B sensor data following the request for authentication.The series of steps utilized in the process is as follows: (1) Separate XML signature of each attribute tag using a parser.(2) Examine the validity of the certificate contained in the <KeyInfo> tag through communication with the CA and acquire the public key value.(3) Verify the signature by decoding the signature value contained in the XML signature.(4) Verify the integrity of the signature by comparing the digest value contained in the XML signature with the hash value created through signature verification.(5) Acquire the ADS-B sensor data in the request for authentication.

Figure 7 .
Figure 7. Composition and operation of SPKI certificate requesting unit.