>Dorothy Denning wrote an interesting paper on authenticating location using
>GPS signals... I think it's reachable from her home page as well as the
>following citation:
>
>D. E. Denning and P. F. MacDoran, "Location-Based Authentication: Grounding
>Cyberspace for Better Security," Computer Fraud and Security, Feb. 1996
>
>Ian :)
The article, at
http://www.cs.georgetown.edu/~denning/infosec/Grounding.txt,
describes a commercial product from International Series Research,
Inc. of Boulder, Colorado called CyberLocator, for achieving
location-based authentication. But it is short on details.
Apparently a user to be authenticated sends a received GPS signal
"signature" to the host which has its own GPS receiver and compares
the signature with the GPS signal it received. The scheme took
advantage of selective availability to some extent. I wonder if it
being turned off has hurt them.The company has a white paper on
CyberLocater: http://www.CyberLocator.com/WP_LBA.doc It is not clear
if they have a shippable product yet.
Their scheme does not seem directly applicable to the problem of
getting authenticated time from GPS since they assume a trusted host
site. Also, if GPS had authentication features built into the
unencrypted signals, I think they would have taken advantage of those
features and mentioned them.
I can think of some non-cryptographic ways to authenticate GPS time.
One way would be to use an electronically steerable antenna and track
the satellites. A related approach might be to use two or more GPS
receivers connected to directional antennas pointing in different
directions. Given knowledge of the satellites orbits, it should be
possible to predict the variations in received signal strength during
each orbital pass. The antennas could be concealed in an RF
transparent enclosure, preventing an attacker from knowing their
orientation.
A third technique might be to use one or more local clocks. The
various PC clocks on a network might do. Any attack other than a a
very slow time drift would trigger an alarm.
A fourth might be to use several GPS receivers scattered around a
building, campus or city. Creating a spoof that produced the correct
location for all the receivers might be hard.
Arnold Reinhold
