As you say, there are two coded GPS signal streams: C/A (Clear/Access
or Coarse/Acquisition, depending on the reference) and P
(Precision). These are in turn placed on two L-band RF frequencies, L1
and L2.

The C/A and P signal structures are fully documented in the open
literature. See:

http://www.navcen.uscg.mil/gps/geninfo/gpsdocuments/icd200/default.htm

However, the P-code is normally XORed with a classified cryptographic
sequence, the Y-code; this is "anti spoof". As far as I can tell from
the open literature, this is conventional symmetric cryptography with
keys shared by the satellite and all "authorized" users. Security
relies entirely on the controlled distribution and physical security
of the receivers.

In normal operation, L1 carries both C/A and P/Y, while L2 carries
only P/Y.  The configuration of these two carriers, along with the
state of anti-spoof (Y) on the P code, is indicated by bits in the
50bps navigation message from each satellite.

As an aside, there are "reserved" fields in the navigation messages
that started carrying apparently random data several years ago. A good
guess is that these control periodic key changes in the military
Y-code receivers.

Some high-end civilian receivers can still make use of the L2 signal
by "squaring" it to remove the (unknown) modulation so that the
carrier phase can be extracted.

Since the C/A format is fully documented and unencrypted, it's
actually quite simple to spoof. There are commercial GPS "satellite
simulators" on the market that do precisely this. They can make a GPS
receiver display any time and location you want.  They have legitimate
uses in laboratory testing, e.g., to verify GPS receiver operation
through a week 1024 rollover (we bought one at Qualcomm some time ago,
since we rely heavily on GPS timing in our CDMA systems).

It doesn't take much imagination to realize what could happen if you
connected one of these simulators to a power amplifier and antenna.
The GPS satellite signals are pretty weak at the earth's surface, so
they're easy to jam or spoof, at least over a small area.

The original GPS design for a military receiver used the C/A code only
for initial acquisition (hence the Coarse/Acquisition term), followed by
a transition to the P/Y code. (Civilian receivers simply stay on the
C/A code).

Several years ago, the NRC report on GPS policy recommended that DoD
turn off Selective Availability and develop a capability to regionally
jam the L1 signal (the only one carrying C/A) during a war. This would
render mass-market GPSes unusable. So that the US military could still
use GPS in the area, the NRC recommended the development of a GPS
receiver that could acquire using only the P/Y code on the L2
carrier. This was a challenge since the P code is not only 10x the
chip rate of the C/A code, but it also repeats only once per week (as
opposed to once every millisecond for C/A). This requires a highly
stable oscillator that can run continuously and accurately in a
hand-held unit under battlefield conditions.

It's been pretty obvious for some time that the DoD has been
conducting GPS jamming tests. There have been regular NOTAMs (Notices
to Airmen) that GPS signals would be "unreliable" in the vicinity of
such-and-such military base during such-and-such hours. This was most
often Fort Huachuca, near Yuma AZ, where there is an "electronic
proving ground".

They must have succeeded, which is why SA was finally turned off.

So while the military has themselves covered, there's not much we
civilian users can do beyond looking for strength in numbers by having
lots of GPS receivers in lots of places all exchanging observations
with NTP. Spoofing this network would require spoofing nearly all of
the GPS receivers in the network to keep the receivers from detecting
that something fishy is going on.

Phil
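One way to implement the cross-checking Phil describes, as an added example that is not part of the original message: each receiver's GPS-derived clock offset (as it would be exchanged over NTP) is compared against the robust consensus of all receivers, and a receiver that drifts away from the majority for several epochs is flagged. The receiver names, offsets and thresholds are constructed for the example.

```python
"""Consensus check over GPS-derived clock offsets shared between receivers.

Each receiver reports, per epoch, its GPS time minus a common reference
(milliseconds). Honest receivers agree to within noise; a receiver that is
being fed a simulated signal walks away from the majority.
"""
from statistics import median

RESIDUAL_LIMIT_MS = 0.5   # tolerated distance from consensus (assumed value)
MIN_BAD_EPOCHS = 3        # flag only after repeated disagreement (assumed)


def consensus_per_epoch(observations):
    """observations: {receiver: [offset_ms per epoch]} -> [median per epoch].

    The median is used so that a single divergent receiver cannot drag the
    consensus with it; a colluding majority still could."""
    n_epochs = len(next(iter(observations.values())))
    return [median(series[i] for series in observations.values())
            for i in range(n_epochs)]


def flag_divergent(observations, limit_ms=RESIDUAL_LIMIT_MS,
                   min_bad=MIN_BAD_EPOCHS):
    """Return {receiver: [epochs]} for receivers that leave the consensus
    by more than limit_ms in at least min_bad epochs."""
    consensus = consensus_per_epoch(observations)
    flagged = {}
    for name, series in observations.items():
        bad = [i for i, (obs, ref) in enumerate(zip(series, consensus))
               if abs(obs - ref) > limit_ms]
        if len(bad) >= min_bad:
            flagged[name] = bad
    return flagged


# Constructed sample: five receivers over eight epochs. 'rx-e' is pulled
# away by a steadily ramping offset; the others show only clock noise.
SAMPLE = {
    "rx-a": [0.02, -0.01, 0.03, 0.00, -0.02, 0.01, 0.02, -0.01],
    "rx-b": [-0.03, 0.02, 0.01, -0.02, 0.00, 0.03, -0.01, 0.01],
    "rx-c": [0.01, 0.00, -0.02, 0.03, 0.01, -0.01, 0.00, 0.02],
    "rx-d": [0.00, 0.03, 0.02, -0.01, 0.02, 0.00, 0.01, -0.02],
    "rx-e": [0.01, 0.20, 0.45, 0.80, 1.30, 1.90, 2.60, 3.40],
}

if __name__ == "__main__":
    print(flag_divergent(SAMPLE))  # → {'rx-e': [3, 4, 5, 6, 7]}
```

If a majority of the receivers were fed the same false time, the median would follow them and nothing would be flagged, which is exactly the "strength in numbers" point the message makes.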
