[Cryptography] improved identification of non-targets

John Denker jsd at av8n.com
Mon Jan 13 01:35:32 EST 2020


On 1/12/20 2:44 PM, Peter Fairbrother wrote:

>> to the military, it is more important to shoot down the enemy than
>> to avoid collateral damage.

Agreed.  The captain of the Vincennes got a medal for his
service.

>> You don't want a hierarchical universal generic design really - you
>> want your own people to issue your own version of
>> get-out-of-being-shot-down cards, nobody else.

Agreed!  The idea of a global root CA is just ridiculous.  As
I said previously:  I trust certificates that I issue myself.

A long international flight will need to acquire multiple
certificates, one for each jurisdiction along the way.


On 1/12/20 4:30 PM, John-Mark Gurney wrote:

> This already exists.

I disagree; see below.

> Most of the cases (all?) of the civilian airliners that have been 
> shot down in the last 30 years or so have had functional IFF 
> systems,

Much depends on *TRUST*.

It does not matter whether *you* think a plain present-day
ATC transponder counts as "IFF";  it only matters whether
the guy with the missile launcher thinks it does.  Which
he doesn't.

> the problem is the systems around the missiles (including humans) 
> that are the problem.

Without upgrading the airline equipment, there is no feasible
upgrade to the missile systems (including humans) that will
make a dent in the problem.

Missile crews do not trust present-day ATC transponders, and
there is no reason why they should, because squawk codes are
trivially easy to falsify.  Just find an airliner that is 27
minutes behind schedule and clone its assigned 12-bit code.

On 1/12/20 3:20 PM, Jerry Leichter wrote:

>> Anyone shooting down such a plane, or a combatant broadcasting such
>> a signal, would be committing a war crime.

That is 99.9% irrelevant.  Iran just spent two years fighting
ISIS, who committed war crimes 24×7.  Torture is a war crime,
but that didn't stop the US from adopting it as policy, or even
deter Darth Cheney from bragging about it on TV.  The colonials
in 1776 often didn't play by the established rules.  The attack
on Pearl Harbor was a war crime.  Any act of war outside of a
declared war is a war crime ... which means that any low-intensity
conflict is a war crime from start to finish.

>> Anyone engaging in combat not wearing uniform is classified as a 
>> spy and can be shot on sight.

Not helpful.  Approximately none of the combatants in Afghanistan
wear uniforms.  Guerillas don't wear uniforms.

Again it comes down to *TRUST*.  No missile crew is going to
assume that such-and-such can't happen just because it would
be illegal.  We need a solution that provides a rich, flexible
semantics:  Whom do I trust today?


On 1/12/20 6:37 AM, Michael Kjörling wrote:

> Don't forget the timing issue.

Agreed, that's definitely an issue ... but I assume that the
existing military "mode five" EFF embodies a solution (Mode 5
with a five is not to be confused with Mode S with an ess.)
Here is an obvious possibility, which may serve as an existence
proof:  Daisy chain the nonces.  That is, send a interrogation
pulse #1 which contains a nonce labeled #2 and does not require
a reply.  Then come back a couple seconds later with pulse #2
which repeats nonce #2 and expects a reply, which the aircraft
has already had plenty of time to compute.  Pulse #2 also
carries nonce #3, needed for later, and so on.  There are
ways to make this much fancier using clocks and/or PRNGs, as
embodied in widely-used 2FA dongles.  I haven't worked out all
the details, but I'm pretty confident that good solutions exist.

> A simple NOTAM (Notice to Airmen) closing the relevant airspace to 
> traffic could potentially have prevented the PS752 disaster.

Iran is not going to do that, because it would cause economic
harm to themselves.

As the proverb says:  Between two stools one sits in the ashes.
There are rules that make sense in peacetime, and there are
rules that make sense in a hot war, but the world has not figured
out how to handle low-intensity conflicts.

The Buk and Tor missile systems were clearly designed to work in
a hot war situation.  They are inappropriate to a low-intensity
conflict.  So Iran at present has to choose between:
 -- missiles disabled, which provides no air defense, or
 -- missiles enabled, which provides inappropriate air defense.

The Ukrainian and Canadian civilians would be better off if Iran
had a third option, namely a *TRUSTED* way for air defense to
identify friendly airliners.

On 1/12/20 9:23 PM, Paul Wouters wrote:

>> You are forgetting the airlines that should be shot down.  How to 
>> identify the difference between the two?  The only difference is
>> which humans are operating them. I don't think you can fix this by
>> adding a technical box to the system.

I absolutely did not forget that.  I discussed it near the end
of the original post.  Enemy airliners are not allowed into my
airspace.  ATC will tell them to go away.  If they come anyway,
they will be forced down.

There is always the possibility of trojans, e.g. when an erstwhile
friend decides to turn against you, and uses a regularly-scheduled
cargo flight to send a planeload of heavily-armed commandos into
your capital ... but that's irrelevant, because they can do that
already.  We are not trying to solve all the world's problems at
once.

This is a WYTM issue.  The assigned problem is how to avoid shooting
down airliners that you didn't want to shoot down.  We should be
able to do that without making the trojan problem worse.

==============================

Here's another ingredient I'd like to add to the mix:

There should be a mechanism, and a procedural requirement, so that
an aircraft can verify that its IFF is working *before* it becomes
a critical issue.
 -- This includes a pre-takeoff check at the departure airport,
  pertaining to the local jurisdiction.
 -- This includes an airborne check for each new jurisdiction
  along the way, so that the aircraft knows they have been
  positively and favorably identified *before* entering the
  new airspace.

This should be easy to do, since ATC radar already has lots of
military radar functionality.  (The converse is not true; a big
part of the problem is that the Vincennes, the Buk launcher,
and the Tor launcher were not integrated with ATC.)


More information about the cryptography mailing list