[Cryptography] improved identification of non-targets

John Denker jsd at av8n.com
Wed Jan 15 09:32:47 EST 2020


Hi Folks --

Executive summary: It feels like this "should" be a
solvable problem, but AFAICT there is still much work
that needs doing.

====================

As a general principle, in cryptology and more generally,
there is a huge difference between adversarial and non-
adversarial situations.  Consider the following contrasts:
 1a) A very simple RNG may be good enough for an atomic
  physics Monte Carlo integration.  The atoms are not
  adversarial.  To paraphrase Einstein, the atoms are
  subtle, but they're not out to get you.
 1b) A vastly stronger RNG is needed for adversarial
  situations, e.g. high-stakes gaming, serious crypto,
  et cetera.

 2a) Consider the classic crypto situation of an embassy
  or a military unit sending a message back to HQ.  The
  message is subject to attack en route, but the classic
  assumption is that the endpoints are on the same team
  and want to keep the message secure.
 2b) Compare that to copyright protection.  This is much
  muuuuch more challenging, because one of the endpoints
  has little if any motivation to cooperate.

I mention this because:

 3a) Ordinary ATC is a non-adversarial situation.
  Airliners have no incentive to steal each others'
  squawk codes.
 3b) Military IFF is something else entirely.  It is a
  seriously adversarial situation.  By definition.  As
  it says on the tin:  there are friends and foes.

THEREFORE please do not make shallow naïve analogies
between ATC and IFF.  The amount of crypto required
is not the same.  The level of secure authentication
required is not the same.  Not even close.

As a mostly-separate matter:  Do not assume that missile
launchers are part of an integrated air defense network.
They often aren't.  For example:
 -- IR655:  The Vincennes was not listening to ATC,
  and had no means of doing so, and might not have
  trusted what Iranian ATC was saying even if they
  had heard it.
 -- MH17:  The Buk launcher was not listening to ATC,
  and had no means of doing so, and might not have
  trusted what Ukrainian ATC was saying.
 -- PS752:  The Tor launcher was not listening to ATC,
  and had no means of doing so.

This is not surprising.  Keep in mind that Iraq under
Saddam Hussein built an elaborate integrated air defense
network, but the communication links were destroyed in
the first few seconds of the war.  They were verrrry
high on the list of targets for the first US bombs and
missiles.  For this reason among others, we should not
be surprised to learn that missile launchers are designed
to operate autonomously.

We must also keep in mind the various use-cases.  A
system that is suitable for one purpose may be wildly
unsuitable for another purpose.
 -- Peacetime ATC is a solved problem, if you think
  there is any such thing as "peacetime" any more.
 -- IFF in the context of low-intensity conflict is
  not a solved problem.  Saying "ATC does such-and-such
  all the time" is *not* a solution to the shoot-down
  problem.  If you don't believe me, there are some
  Canadians and some Ukrainians who can explain it
  to you.

In more detail:
                        peacetime     low-intensity   all-out
                                      conflict        hot war
                        -----------   -------------   -----------
Civil ATC               works fine    exists          no

airspace                open          open            closed

nonlethal remedies      yes           sometimes       rarely
for infractions                       not

*trusted* IFF on        no            no              mostly
all friendlies

Integrated air          exists        has trust       probably
defense network                       issues          destroyed

autonomous              should be     active          active
missile launchers       forbidden

------------------------------------------------------------------

The middle column is highly problematic.  There are various steps
that can be taken, alone or in combination, that might alleviate
the problem.

*) One could add *trusted* IFF to airliners, which is where this
 thread started.

*) One could almost imagine closing the airspace in which autonomous
 missile launchers are active, but this doesn't entirely solve the
 problem.  The Vincennes did not have legal authority to close the
 nearby airspace (and wouldn't have had a mechanism for doing so
 even if they wanted).  Also this would be open to abuse, as a
 slimy way of imposing a de-facto air blockade.

*) Conversely, one could imagine requiring all missile launchers
 to be at least lurking on ATC, so they would at least know the
 nominal squawk code and radio contact frequencies for airliners.
 Require this *even if* they do not 1000% trust the information.

 The point is to enable non-lethal measures.  Hypothetically, the
 missile crew could contact the airliner on an *appropriate*
 frequency, e.g. "Iran Air 655 this is US Navy Warship Vincennes.
 Turn left immediately or you will be fired upon.  Turn left
 immediately heading 180."

 This would be a major departure from previous practice.  In the
 real world, non-hypothetically, the Vincennes was not physically
 capable of communicating with IR655.

 Implementation is not easy.  It is nontrivial for missile crews
 on the surface to lurk on both sides of the ATC conversation.
 Hint: line-of-sight propagation physics.  There are also major
 trust issues.  Integrating ATC with Soviet-era Buk and Tor
 launchers would be a very heavy lift.  Integrating it with
 Stinger-class MANPADs would be next to impossible.

*) ADS-B could have a role to play here.  ADS-B-out discloses the
 aircraft's unique ICAO ID.  ADS-B-in could give the missile crew
 a way to command the aircraft to turn away.

 Retrofitting this onto Soviet-era Buk and Tor launchers would be
 complicated but maybe not impossible.  Stingers are more iffy.

 Some details on ADS-B extended squitter message format can be
 found here:
    https://upcommons.upc.edu/bitstream/handle/2117/167221/memoria.pdf

*) There is *still* a need for crypto.  There is a need for good
 authentication.  Otherwise there is the risk of protocol failure,
 where some bad guy uses the communication channel to trick an
 airliner into doing something it shouldn't.

*) More about non-lethal remedies:  At the procedural level, it
 would be nice if missile launchers had a buffer zone, so that an
 airliner could be close enough to elicit a warning without being so
 close that they get shot down.

 For example, Washington DC is essentially a low-intensity war
 zone, and has been ever since 9/11.  NORAD has implemented
 a buffer zone with non-lethal warnings, namely flashing
 red-red-green laser signals:
   https://www.youtube.com/watch?v=U89v6BwuR44

 The signals don't reach aircraft in or above clouds, but
 they're better than nothing.
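
The following is an added example, not part of the original post: a parser for the header of a 112-bit ADS-B extended squitter (DF17) that extracts the ICAO address and checks the 24-bit parity field. It uses the standard Mode S field layout and CRC generator; the ICAO addresses and payload are constructed sample values. It shows why the post says crypto is still needed: the parity is a keyless checksum that catches transmission errors, while any sender can compute a passing value for any address.

```python
GENERATOR = 0x1FFF409  # Mode S CRC-24 generator polynomial (25 bits)

def crc24(data: bytes) -> int:
    """Remainder of data * x^24 divided by the Mode S generator (no key involved)."""
    rem = 0
    for byte in data:
        rem ^= byte << 16
        for _ in range(8):
            rem <<= 1
            if rem & 0x1000000:
                rem ^= GENERATOR
    return rem & 0xFFFFFF

def encode_frame(icao: int, me: bytes, df: int = 17, ca: int = 5) -> bytes:
    """Build DF(5 bits) | CA(3) | ICAO(24) | ME(56) | parity(24)."""
    if len(me) != 7:
        raise ValueError("ME field must be 56 bits (7 bytes)")
    body = bytes([(df << 3) | ca]) + icao.to_bytes(3, "big") + me
    return body + crc24(body).to_bytes(3, "big")

def parse_frame(frame: bytes) -> dict:
    """Split a 14-byte extended squitter and report whether its parity checks out."""
    if len(frame) != 14:
        raise ValueError("extended squitter must be 112 bits (14 bytes)")
    return {
        "df": frame[0] >> 3,             # downlink format, 17 for ADS-B
        "ca": frame[0] & 0x07,           # transponder capability
        "icao": frame[1:4].hex().upper(),
        "me": frame[4:11].hex(),
        "parity_ok": crc24(frame) == 0,  # a valid frame leaves remainder zero
    }

def demo() -> dict:
    # Constructed sample values: placeholder ICAO addresses, all-zero payload.
    genuine = encode_frame(0xABC123, bytes(7))
    damaged = bytearray(genuine)
    damaged[5] ^= 0x10                   # one bit flipped by channel noise
    other = encode_frame(0x123ABC, bytes(7))  # different address, parity recomputed
    return {
        "genuine": parse_frame(genuine),
        "damaged": parse_frame(bytes(damaged)),
        "other_sender": parse_frame(other),
    }

if __name__ == "__main__":
    for name, fields in demo().items():
        print(name, fields)
```

A receiver that accepts commands or identity claims over this channel therefore needs a keyed check (a signature or MAC with replay protection) on top of the parity field.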
