[Cryptography] improved identification of non-targets
John Denker
jsd at av8n.com
Wed Jan 15 09:32:47 EST 2020
Hi Folks --
Executive summary: It feels like this "should" be a
solvable problem, but AFAICT there is still much work
that needs doing.
====================
As a general principle, in cryptology and more generally,
there is a huge difference between adversarial and non-
adversarial situations. Consider the following contrasts:
1a) A very simple RNG may be good enough for an atomic
physics Monte Carlo integration. The atoms are not
adversarial. To paraphrase Einstein, the atoms are
subtle, but they're not out to get you.
1b) A vastly stronger RNG is needed for adversarial
situations, e.g. high-stakes gaming, serious crypto,
et cetera.
2a) Consider the classic crypto situation of an embassy
or a military unit sending a message back to HQ. The
message is subject to attack enroute, but the classic
assumption is that the endpoints are on the same team
and want to keep the message secure.
2b) Compare that to copyright protection. This is much
muuuuch more challenging, because one of the endpoints
has little if any motivation to cooperate.
I mention this because:
3a) Ordinary ATC is a non-adversarial situation.
Airliners have no incentive to steal each others'
squawk codes.
3b) Military IFF is something else entirely. It is a
seriously adversarial situation. By definition. As
it says on the tin: there are friends and foes.
THEREFORE please do not make shallow naïve analogies
between ATC and IFF. The amount of crypto required
is not the same. The level of secure authentication
required is not the same. Not even close.
As a mostly-separate matter: Do not assume that missile
launchers are part of an integrated air defense network.
They often aren't. For example:
-- IR655: The Vincennes was not listening to ATC,
and had no means of doing so, and might not have
trusted what Iranian ATC was saying even if they
had heard it.
-- MH17: The Buk launcher was not listening to ATC,
and had no means of doing so, and might not have
trusted what Ukrainian ATC was saying.
-- PS752: The Tor launcher was not listening to ATC,
and had no means of doing so.
This is not surprising. Keep in mind that Iraq under
Saddam Hussein built an elaborate integrated air defense
network, but the communication links were destroyed in
the first few seconds of the war. They were verrrry
high on the list of targets for the first US bombs and
missiles. For this reason among others, we should not
be surprised to learn that missile launchers are designed
to operate autonomously.
We must also keep in mind the various use-cases. A
system that is suitable for one purpose may be wildly
unsuitable for another purpose.
-- Peacetime ATC is a solved problem, if you think
there is any such thing as "peacetime" any more.
-- IFF in the context of low-intensity conflict is
not a solved problem. Saying "ATC does such-and-such
all the time" is *not* a solution to the shoot-down
problem. If you don't believe me, there are some
Canadians and some Ukrainians who can explain it
to you.
In more detail:
peacetime low-intensity all-out
conflict hot war
----------- ------------ -----------
Civil ATC works fine exists no
airspace open open closed
nonlethal remedies yes sometimes rarely
for infractions not
*trusted* IFF on no no mostly
all friendlies
Integrated air exists has trust probably
defense network issues destroyed
autonomous should be active active
missile launchers forbidden
------------------------------------------------------------------
The middle column is highly problematic. There are various steps
that can be taken, alone or in combination, that might alleviate
the problem.
*) One could add *trusted* IFF to airliners, which is where this
thread started.
*) One could almost imagine closing the airspace in which autonomous
missile launchers are active, but this doesn't entirely solve the
problem. The Vincennes did not have legal authority to close the
nearby airspace (and wouldn't have had a mechanism for doing so
even if they wanted). Also this would be open to abuse, as a
slimy way of imposing a de-facto air blockade.
*) Conversely, one could imagine requiring all missile launchers
to be at least lurking on ATC, so they would at least know the
nominal squawk code and radio contact frequencies for airliners.
Require this *even if* they do not 1000% trust the information.
The point is to enable non-lethal measures. Hypothetically, the
missile crew could contact the airliner on an *appropriate*
frequency, e.g. "Iran Air 655 this is US Navy Warship Vincennes.
Turn left immediately or you will be fired upon. Turn left
immediately heading 180."
This would be a major departure from previous practice. In the
real world, non-hypothetically, the Vincennes was not physically
capable of communicating with IR655.
Implementation is not easy. It is nontrivial for missile crews
on the surface to lurk on both sides of the ATC conversation.
Hint: line-of-sight propagation physics. There are also major
trust issues. Integrating ATC with Soviet-era Buk and Tor
launchers would be a very heavy lift. Integrating it with
Stinger-class MANPADs would be next to impossible.
*) ADS-B could have a role to play here. ADS-B-out discloses the
aircraft's unique ICAO ID. ADS-B-in could give the missile crew
a way to command the aircraft to turn away.
Retrofitting this onto Soviet-era Buk and Tor launchers would be
complicated but maybe not impossible. Stingers are more iffy.
Some details on ADS-B extended squitter message format can be
found here:
https://upcommons.upc.edu/bitstream/handle/2117/167221/memoria.pdf
*) There is *still* a need for crypto. There is a need for good
authentication. Otherwise there is the risk of protocol failure,
where some bad guy uses the communication channel to trick an
airliner into doing something it shouldn't.
*) More about non-lethal remedies: At the procedural level, it
would be nice if missile launchers had a buffer zone, so that an
airliner could be enough to elicit a warning without being so
close that they get shot down.
For example, Washington DC is essentially a low-intensity war
zone, and has been ever since 9/11. NORAD has implemented
a buffer zone with non-lethal warnings, namely flashing
red-red-green laser signals:
https://www.youtube.com/watch?v=U89v6BwuR44
The signals don't reach aircraft in or above clouds, but
they're better than nothing.
More information about the cryptography
mailing list