My strong impression is that the Y code (XORed with the P code,
although sometimes it is said that Y is sent instead of P) is a
symmetric key (a 10.23 Mchip/s pseudo-noise sequence), and is shared
among the satellites and all DOD-authorized receivers.  One of the
consequences of Anti-Spoofing (AS) being turned on is that all but DOD
"authorized users" cannot directly observe the P code.  (There are
some squaring techniques to track carrier phase (see the Ashtech Z-12
receiver, for example), but I believe these do not enable normal
de-spreading and measurement of pseudo-ranges.)

There is a CRC or something similar on the C/A code, and this is all
publicly documented.  I'm quite sure there is nothing that would
qualify as 'authentication' in any strong sense.  One of the
challenges is that there is a very narrow data stream from each
satellite - 50 bits per second.  Each satellite transmits information
about its own orbital parameters every 30 seconds ('ephemeris'), in
addition to interleaving coarser information about the others
('almanac').  In 1500 bits, even 320 for a signature would be a lot.

DOD certainly has the capability to jam, probably with incorrect
signals in addition to just noise.  There have been public notices for
various areas over the last few years.  (If they couldn't do this,
they would not have turned SA off.)  There are devices for
testing/etc. called 'pseudolites' (stationary GPS 'satellites') which
can be used to augment a poor constellation in a local area.  A
misconfigured pseudolite and a spoofing jammer are probably
indistinguishable.

There's a body of work called Receiver Autonomous Integrity Monitoring
(RAIM).  This is more aimed at aircraft navigation and guarding
against failures rather than intentional jamming.  By monitoring more
satellites than necessary, having an error model and perhaps coupling
with INS data, one can detect a bad satellite.  However, if all
satellites were jammed and then slowly steered away, I don't see how
RAIM techniques could work.

If I were worried about integrity of timing signals, I'd use a
GPS-disciplined rubidium oscillator.  I think most of the available
devices like this are not quite as concerned with integrity as phase
noise reduction in the normal case, so some tweaking of the
disciplining scheme is probably in order.  In addition, the GPS timing
receiver should do RAIM-like things, so the adversary has to keep the
fake signals consistent.  I think having two receivers a few km apart
might be a good defense; I'm not sure it's possible to produce jamming
signals faking 6 satellites at once that pass RAIM checks in two
locations (unless the jammers are on board the satellites).  Having SA
off is helpful, since the expected errors are smaller and thus more
cases can be declared attacks without falsing.  (All of the above
assumes that your threat model does not include DOD.  If so, I think
you are out of luck!)

        Greg Troxel <[EMAIL PROTECTED]>
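
The RAIM-like consistency check and the oscillator cross-check discussed in the message above, as an added example that is not part of the original post. It assumes a timing receiver at a surveyed position, so receiver clock bias is the only unknown; the coordinates, thresholds and function names are constructed for illustration.

```python
import math

C = 299_792_458.0  # speed of light, m/s

# Constructed sample geometry (ECEF metres): surveyed antenna and six satellites.
RX = (6_378_137.0, 0.0, 0.0)
SATS = [(26.56e6, 0, 0), (20e6, 17.5e6, 0), (20e6, -17.5e6, 0),
        (20e6, 0, 17.5e6), (20e6, 0, -17.5e6), (23e6, 9e6, 9.5e6)]

def simulate(bias_s, errors_m):
    """Constructed pseudoranges: true range + receiver clock bias + injected error."""
    return [math.dist(RX, s) + bias_s * C + e for s, e in zip(SATS, errors_m)]

def solve_bias(pseudoranges):
    """Position is known, so each satellite independently implies a clock bias.
    Returns (median bias in seconds, per-satellite residuals in metres)."""
    implied = [pr - math.dist(RX, s) for s, pr in zip(SATS, pseudoranges)]
    ordered = sorted(implied)
    n = len(ordered)
    median = (ordered[(n - 1) // 2] + ordered[n // 2]) / 2
    return median / C, [v - median for v in implied]

def check_epoch(pseudoranges, holdover_bias_s,
                resid_limit_m=30.0, step_limit_s=100e-9):  # assumed thresholds
    """Two-stage integrity check for one measurement epoch."""
    bias, resid = solve_bias(pseudoranges)
    bad = [i for i, r in enumerate(resid) if abs(r) > resid_limit_m]
    if bad:                       # satellites disagree with each other
        return "inconsistent", bad
    if abs(bias - holdover_bias_s) > step_limit_s:
        return "clock-step", []   # consistent set, but disagrees with oscillator
    return "ok", []

if __name__ == "__main__":
    clean = simulate(50e-9, [0] * 6)
    one_bad = simulate(50e-9, [0, 0, 300, 0, 0, 0])
    all_shifted = simulate(50e-9, [300] * 6)   # common shift, about 1 microsecond
    for name, pr in [("clean", clean), ("one_bad", one_bad),
                     ("all_shifted", all_shifted)]:
        print(name, check_epoch(pr, holdover_bias_s=50e-9))
```

The third case passes the cross-satellite residual test because every measurement moved together; only the comparison against the bias predicted by the free-running oscillator flags it.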
