Functional Analysis & Allocation

Allocating performance requirements, design requirements, and constraints to functions is the next step in the development process. This is best visualized via Table 2. A brief discussion on the impact of the allocated requirements upon the functions is warranted.

Table 2. Functional Allocation

Function Perf Reqts / Design Reqts / Constraints

FR-1 ID Anonymization CR-1 Interoperable

CR-2 Remain broadcast, no contract DR-2 No change to phy layer

PR-1 P(Collision) ≤ 0.1

PR-2 ≥ 6.2 messages/second throughput

FR-2 Data Obfuscation CR-1 Interoperable

CR-2 Remain broadcast, no contract DR-2 No change to phy layer

DR-3 NIST recommended DR-4 No key distribution

PR-2 ≥ 6.2 messages/second throughput PR-3 Brute-force safe ≥25 years

FR-3 Mode Selection FR-3 Manually selectable between all three PR-4 Select Clear, No ID, and No ID or Pos PR-5 RA & ≤2 NM & ≤2000 ft, Pos Clear FR-4 Baseline Mode S-ES CR-1 Interoperable

DR-1 IAW DO-181 and DO-260 3.7.1 Identification Anonymization.

Each aircraft participating in ADS-B has a globally unique 24-bit ICAO address that is used in every Mode S packet transmitted. These addresses are assigned to national govern- ments in blocks by ICAO. In turn, most governments abide by the provision stipulated by ICAO that an address be permanently assigned to an airframe. Some exceptions are made for military aircraft which have hardware or software programable addresses that are taken from a block assigned to a specific military service or unit by their government [93]. Each nation keeps a database matching addresses to registration, which often includes personal or corporation names and contact information. This database is generally made available to the public.

To anonymize this address while keeping it unique requires random selection of a ses- sion address from a uniform distribution. To ensure this selection does not collide with

existing addresses, a block of addresses must be set aside for use within this anonymization scheme. While the choice of block is a policy decision, [94] states that “aircraft addresses starting with bit combinations 1011, 1101 and 1111 have been reserved for future use.” A randomly selected ephemeral address is henceforth described as a session unique ICAO address (SUIA).

CR-1: Interoperability is maintained because valid 24-bit addresses are used.

CR-2: The lack of an acknowledgement channel may impact the ability of the system to avoid collisions among SUIAs. See PR-1 below.

DR-2: The address change does not impact compliance with physical layer specifications. PR-1: Assume a growth to 20,000 aircraft airborne globally. Using the block 1111 11 allows

an 18-bit SUIA. Therefore P(collision) =20000₂18 =_266214420000 =0.0763 ≤ 0.1. This worst

case assumes every aircraft is using the security features and that there is no isolation between regions.

PR-2: Once a SUIA is generated, using it will likely incur no additional throughput limita- tions over an assigned address (depending on transponder implementation).

3.7.2 Data Obfuscation.

Robust encryption provides a secure way to obfuscate data. The requirements and con- straints severely restrict which ciphers and cryptosystems are available for implementation. A cryptographic solution:

CR-1: Requires FPE of some type.

CR-2: Requires key distribution or key generation on the broadcasting platform. DR-3: Requires the use of a NIST recommended cipher.

DR-4: Requires the use of a public-key or hybrid encryption system. PR-2: Requires the use of symmetric encryption.

FF1 is the designation for the only NIST recommended FPE cipher. A draft version of FF1 was previously validated for use in ADS-B in [21], [22], and [95]. Unfortunately, using FF1 on its own requires key distribution. To meet all requirements, FF1 must be used within a hybrid cryptosystem.

Generally, hybrid cryptosystems use public key technology to agree upon a shared se- cret which can be used as a symmetric key, removing the requirement for symmetric key distribution. Unfortunately, hybrid cryptosystems often rely on certificate based systems to distribute public/private key pairs, thereby requiring significant two-way connectivity. CR-2 compliance requires the innovation of a modified hybrid cryptosystem. This is en- abled by the CIA decomposition discussed in Chapter II. It is possible to encrypt a message with a public key and have it decrypted with a private key without requiring a signature or key agreement algorithm. This allows the combination of key transport using public key encryption with FPE, discussed further below.

NIST SP 800-38G METHODS FOR FORMAT-PRESERVING ENCRYPTION

prerequisites are omitted from the above notation, such as the underlying block cipher, the designation of CIPHK, and the base for the numeral strings.

4.5 Feistel Structure

FFX schemes, including FF1 and FF3, are based on the Feistel structure. The Feistel structure consists of several iterations, called rounds, of a reversible transformation. The transformation consists of three steps: 1) the data is split into two parts; 2) a keyed function, called the round function, is applied to one part of the data in order to modify the other part of the data; and 3) the roles of the two parts are swapped for the next round. The structure is illustrated in Figure 1 below, for both encryption and decryption. Four rounds are shown in Figure 1, but ten rounds are actually specified for FF1, and eight rounds for FF3.

u!characters! v!characters! u!characters! v!characters!

A0! B0! A4!! B4! B1!←!C0! A1!←!B0! FK! +! n,!T,!0! FK! +! n,!T,!1! A2!←!B1! B2!←!C1! B3!←!C2! A3!←!B2! FK! +! n,!T,!2! B3!←!A4! A3!! FK! _! n,!T,!3! n,!T,!2! A2!! B2!←!A3! FK! _! n,!T,!1! B1!←!A2! A1! FK! _! FK! +! ! n,!T,!3! ! 1 FK! _! n,!T,!0! A4!←!B3! B4!←!C3 A0! B0!←!A Encryption! Decryption!

Figure 1: Feistel Structure

10

3.7.3 Mode Selection.

Mode selection, discussed further in design synthesis, is a simple exercise in loading message registers with different data based on the selected mode. Criteria for automatic mode selection (PR-5) can be implemented along with a user interface for manual mode selection (FR-3).

The multitude of flight management systems (FMSs) and transponders in use across the global aircraft fleet would require significant discussion of user interfaces and their design. Most deployed devices have the capability to change their user interface via firmware or software updates. An analysis of user experience and human factors is beyond the scope of this research.

3.7.4 Baseline Mode S.

The discussion on implementing currently ratified Mode S standard is not directly re- lated to this research. Additional interoperability considerations arise in design synthesis; further discussion on baseline Mode S can be found in [8] and [9].