The QLX3Gx chip makes secure, authenticated positioning a standard feature
Qualinx has integrated support for the Galileo OSNMA (Open Service Navigation Message Authentication) on its QLX3Gx Series ultra-low-power GNSS receiver.
Developed with the support of the European Union Agency for the Space Programme (EUSPA), the integration makes the QLX3Gx a GNSS receiver purpose-built for ultra-low-power markets to deliver hardware-native OSNMA support as a standard feature across the entire product family.
Qualinx has embedded OSNMA support directly into the QLX3Gx hardware architecture from the ground up, enabling a fully optimized design with zero trade-offs in power consumption, cost or performance.
“Authenticated positioning has for too long been out of reach for the devices that need it most,” said Qualinx CEO Tom Trill. “By building OSNMA support into the QLX3Gx at the hardware level from day one, we’re making trusted positioning the default — not a premium option — for the wearables, asset trackers and IoT devices that make up the bulk of the GNSS market.”
The partnership with EUSPA reflects a shared commitment to disseminating Galileo’s advanced security capabilities across the widest possible range of applications and markets. EUSPA identifies OSNMA as a strategic priority for improving resilience against spoofing and signal manipulation
According to the EU Space Market Report 2026, global GNSS revenues are projected to grow from €300 billion in 2024 to €580 billion by 2034 with mass-market devices accounting for the largest share of shipments and representing the greatest growth potential.
Through Qualinx’s digital radio-frequency technology, the QLX3Gx delivers up to 10× lower power consumption than conventional GNSS solutions. By integrating OSNMA natively in hardware, the chip eliminates the processing overhead typically associated with authentication, ensuring security adds no meaningful cost to the power budget.
The chip’s reconfigurable digital RF architecture enables capabilities to be updated over time without hardware replacement — extending device lifecycles, cutting electronic waste, and lowering overall energy consumption. The result is a platform that makes connected devices more secure and sustainable.
The QLX3Gx chip is available for sampling, with mass production planned for the second half of this year. Developers and OEMs can register interest in the Qualinx QLX3Gx Evaluation Kit to secure hands-on evaluation of the QLX3Gx for upcoming consumer, industrial and mobility applications. Contact [email protected] to register interest and request a sample, or learn more at Qualinx.io.
In 2022, the Galileo GNSS continued to provide the world’s most precise satellite navigation information, to a user base that stands at more than 3.5 billion worldwide. Furthermore, provided services continue to improve and expand, with plans for high-accuracy positioning and signal authentication now reaching fruition.
The European Union Agency for the Space Programme (EUSPA) and the European Space Agency (ESA) continue to enjoy an effective collaboration on the many development, deployment, and evolution activities of the Galileo Programme — each according to their respective responsibilities for service provision and system development with the European Commission (EC) acting as the program manager.
Ranging accuracy performance from January to September 2022.
Positioning-related MPLS from January to October 2022.
New Services Launched in 2022
Excellent Performance
Service delivery operations and maintenance of operational systems are managed by EUSPA, which supervises many contracts that carry out the day-to-day activities from dedicated control and monitoring centers throughout Europe. In 2022, Galileo timing, navigation, and SAR/Galileo services were delivered with excellent performances that continue to exceed the formal declarations for minimum performance levels (MPL), which were increased in January, both in terms of absolute accuracy and overall service availability. The entry into service of two additional satellites in May and August, have further consolidated the overall service availability to end users.
Galileo FOC Batch 3 satellite under testing.
Expansion of Service Portfolio
The service provision teams have been able to focus on improvements to, and expansion of, the service portfolio.
The I/NAV improvement will positively impact end users by enabling a faster time to first fix, and updates to the data validity status flags will lead to better protection of users against expired navigation data. These changes are implemented in updates of the onboard software of the satellites being rolled out across the constellation. At present, seven operational satellites have been successfully updated; the complete software upgrade campaign is planned to be completed this summer.
Galileo’s new High Accuracy Service will provide free precise point positioning (PPP) corrections, in the Galileo E6-B data component and by terrestrial means, for Galileo and GPS (single and multi-frequency) to achieve real-time user position improved by up to 10 times. The infrastructure to support an initial service (Phase 1) is nearing completion, and the formal declaration of the service capabilities is planned for early this year.
To provide users with a method of authenticating the received Galileo signals, especially the satellites ephemerides and the Galileo timing parameters, the new Open ServiceNavigation Message Authentication (OSNMA) service enables a receiver to confirm that a navigation message originated from the EU Galileo infrastructure. Many application areas are expected to benefit from this capability, including smart tachographs, telematics and logistics, UAVs, location-based services, and timing services. Having successfully demonstrated the technology behind the service in 2022, including a public observation phase, the roll-out of the Initial Service is planned to take place by the end of the year.
A fourth Medium Earth Orbit Local User Terminal (MEOLUT) in La Réunion will extend the SAR/Galileo Forward Link Service Coverage Area over the Indian Ocean as part of the SAR/Galileo full operational capability (FOC) declaration expected in the first quarter of 2023. The Cospas-Sarsat commissioning of this new station was completed in September 2022, and operational data is already being distributed to Cospas-Sarsat.
Reference documents for the above services can be found at the EUSPA European GNSS Service Centre website, including technical notes, interface control documents and service declaration documents.
SAR/Galileo-related metrics from January to October 2022.
Extension of the SAR/Galileo Forward Link Service Coverage Area over the Indian Ocean.
FOC Infrastructure Development Nears Completion
Satellite Production
The production of the third batch of Galileo FOC satellites advanced further in 2022 with the completion of the environmental tests and the system compatibility test campaigns at the European Space Agency Test Centre in Noordwijk, The Netherlands. After 10 years of successful testing, on Oct.18, 2022, the last Galileo FOC satellite (flight model number 34) left the test center to return to the premises of the satellite manufacturer, OHB Systems, in Germany. Testing of the remaining 10 satellites has confirmed that they have been correctly built and will perform well in orbit. The acceptance review of the last couple of satellites will take place this summer.
At the beginning of 2023, the plan is to start in-orbit testing of a quasi-pilot signal on the E5 frequency using the Galileo GSAT201/202 satellites in elliptical orbit. The provision of a signal offering coarse acquisition in Galileo E5-A/GPS L5 can be a distinguishing feature for Galileo with respect to all other constellations to further improve the capability to acquire the E5 signal at low complexity. Following in-orbit testing, the strategy for roll-out of this capability will be assessed with the involvement of receiver manufacturers.
New SAR Galileo MEOLUT facility in Réunion island.
Access to Space
The discontinuation of Soyuz launch services from the Kourou Space Centre in French Guiana, because of the Russia-Ukraine conflict, has caused delays in the two Galileo launches that had been planned for 2022. The Launch 12 campaign had to be interrupted and in March 2022 the FM25 and 26 satellites were put in storage at the Kourou launch base, then returned to Europe in November.
Ariane 6 is the baseline launcher for Galileo satellites to ensure European independent access to space. The remaining Batch 3 satellites will be launched with the Ariane 62 launcher vehicle, the two strap-on solid booster variants of Ariane 6, now undergoing the final stages of development led by prime contractor Ariane Group. Ariane 6’s maiden flight is scheduled to take place in the fourth quarter of 2023.
Ground Segment
An upgrade of the ground control segment, in charge of command and control of the satellite constellation, is being developed by the industrial consortium led by GMV. The upgrades will address resolution of hardware and software obsolescence including cyber security, operability improvements, and a security monitoring overlay.
With the planned increase in the number of satellites in orbit, an additional telemetry tracking and control facility (TTCF) is being deployed in Kourou leading to seven operational TTCF stations in early 2023.
The ground mission segment, in charge of navigation control, is undergoing a complete technological refresh, including hardware/software virtualization performed by an industrial consortium led by Thales France. This upgrade will provide additional robustness, including a system extended contingency mode resilient to outages lasting up to seven days and a new state-of-the-art cyber security monitoring system. It will also provide ranging authentication through encrypted codes on the E6-C signal component for the implementation of the Commercial Authentication Service. Global coverage will be further increased with the introduction of two Galileo sensor stations in Wallis (Pacific Ocean) and Bonaire (Caribbean Sea), for a total of 15 sites around the globe.
OSNMA-related metrics from January to October 2022.
G2G Development Started
Galileo’s second generation (G2G) will introduce many innovative technologies to offer unprecedented precision, robustness, and flexibility.
2022 was a key year for the evolution of G2G activities with the fast development cycles of the first batch of G2 satellites, beginning development of the associated G2G in orbit validation (IOV) ground segment and system test beds, and the consolidation of the G2G final system capabilities — including the coordination of the mission/service roadmaps with the EC, EUSPA, and the EU Member States delegates.
Ariane 62 launcher.
G2G Satellite Manufacturing
From the satellite development point of view, the two parallel contracts to develop and manufacture each of the six G2G batch one (G2SB1) satellites are progressing in a fast development environment, with the first hardware units ready for integration and testing.
Following the completion of preliminary design review, these two contracts (for six satellites each) are preparing for unit-level validation/testing, which will lead to the critical design review.
These satellites will provide the following key innovations:
Reconfigurable fully digital navigation payload
Point-to-point connection between satellites by inter-satellite-link for command and control, and ranging functionalities
Electric propulsion for orbit-raising capabilities
Advanced jamming and spoofing protection mechanisms to safeguard.
The Galileo signals will improve with:
On-board authentication capabilities
Increased ground-to-space data rate
Improved time reference (number of clocks and advanced clock monitoring functions).
G2G IOV Procurements
2022 was also the year in which two key events took place with respect to G2G in-orbit validation (IOV) ground segment and system test bed procurements:
Finalization of the procurement cycle, now in the final evaluation/award phase, to be kicked off in the first quarter of this year
Confirmation of the IOV design through different coordinated actions with the EC and EUSPA, including the G2 system preliminary design review.
The contracts will provide Europe with the following capabilities:
G2SB1 satellite launch and early orbit phase, in-orbit testing and enhanced legacy services provision
G2 new capabilities in-orbit validation, including prototyping and validation of all the novel technologies that can exploit the full capabilities of the G2SB1 satellites.
Eleven contracts will be issued to manage in synchrony all the G1 and G2 assets for the coming years:
G2 IOV ground control segment (G2 GCS) for satellites monitoring and control
G2 IOV ground mission segment/secured facility (G2 GMS-GSF) for the production, dissemination and monitoring of all enhanced legacy services and the dissemination of new G2 advanced capabilities for validation
G2 IOV security monitoring (G2 SECMON), for the cyber/security monitoring of the system
G2 filling device (G2 FD), to ensure proper initialization of system assets
G2 system test bed (G2STB), to generate and monitor new G2 capabilities for validation of the G2G mission/services
G2 PRS test bed (G2PRSTB), similar to G2 system test bed but focused on advanced PRS capabilities for validation purposes
G2 security chain (G2SC), a test bed to ensure proper satellite-ground segment qualification before launch
Four system engineering support contracts (G2 SETA), where the main GNSS technical experts from different industries in Europe provide their support to ESA and EUSPA in their different fields of expertise.
These contracts are complemented by a significant set of system research and development and test tools, such as test user receivers and radio frequency constellation simulators.
G2G batch number one (G2SB1) satellites.
Galileo Second Generation System PDR
The Galileo Programme is not only focusing on short-term G2G development activities, but also looking forward to the future in terms of the consolidation and definition of G2G final operation capabilities. During the second half of 2022, more than 200 public representatives from the EC, EUSPA, ESA and Member States held countless meetings in the frame of the G2G system preliminary design review, which concluded in early December 2022.
As part of this review, the long-term implementation (G2G in orbit capability, or IOC, and final operational capability, or FOC) was reviewed and an agreement was reached on future steps. The evolution of Galileo capabilities will not only provide better services through advanced technical solutions, but will also ensure continuity of service and enhanced backward compatibility for first-generation legacy users.
Conclusions
The efforts of ESA and EUSPA continue with the aim of providing users continuous and stable services and evolving space and ground infrastructure to maintain Galileo competitiveness with the other global navigation satellite systems.
For analogous updates on the other three GNSS constellations, please see:
Receiver maker Septentrio, based in Leuven, Belgium, has made a series of announcements this year that push the industry forward, from updating existing receivers to accepting new services to launching new product lines.
Head of the CLAS
In March, the company launched three new products that support Japan’s high-accuracy Centimeter Level Augmentation Service (CLAS). CLAS, which receives the L6 signal, transmits high-accuracy corrections from Japan’s QZSS constellation. The technology was developed in close cooperation with CORE, a leading integrator of high-accuracy positioning technology and services in Japan.
Photo: Septentrio
Septentrio now offers the mosaic-CLAS receiver for high-volume industrial applications; the AsteRx-m3 CLAS that combines PPP-RTK CLAS with dual-antenna heading functionality; and the AsteRx SB3 CLAS in a ruggedized IP68 enclosure to protect it in harsh environments.
Septentrio is simultaneously offering various receiver types to the Japanese market ensuring an optimal match between products and customer needs in various applications including robotics, precision agriculture, construction, machine control and UAV.
Stopping the Spoofs
Following the CLAS upgrade, the mosaic line received another boost in April, when Septentrio announced Open Service Navigation Message Authentication (OSNMA) functionality. OSNMA offers end-to-end authentication on Galileo’s civilian signals, protecting receivers from OSNMA attacks.
For the past two years, Septentrio has been working closely with the European Space Agency (ESA) during the test phases of OSNMA deployment. The know-how gained during this period allowed Septentrio to be one of the first to market with this advanced security feature.
OSNMA’s anti-spoofing capability complements Septentrio’s Advanced Interference Mitigation (AIM+) technology and further strengthens the overall security of Septentrio GNSS receivers, making them suitable for assured PNT solutions as well as critical infrastructure, such as 5G network synchronization.
Vertical Markets
Machine Control. In April, Septentrio launched the AsteRx-U3 ruggedized GNSS receiver, successor to the AsteRx-U for construction, mining and other machine control applications. The new receiver combines Septentrio’s latest triple-band precise positioning GNSS core with extended wireless communication features including Wi-Fi, UHF and 4G LTE. The versatile connectivity features of this receiver make it easy to fit it into any control system and enable simple and cost-effective overall design.
Photo: Septentrio
Unmanned Aerial Vehicles (UAVs). Also in April, Septentrio is collaborating with MicroPilot, maker of professional UAV autopilots. Septentrio receivers, including the small form factor mosaic modules, as well as the OEM board AsteRx-m3, will support seamless integration of positioning and orientation into MicroPilot’s autopilot ecosystem. MicroPilot chose Septentrio GNSS receivers for their resilience to radio interference such as jamming and spoofing, as well as security and robustness with high-accuracy real-time kinematic (RTK) positioning.
Marine. In May, Septentrio introduced the housed AsteRx-U3 Marine and the OEM board AsteRx-m3 Fg, two receivers for dredging, marine construction and offshore applications. Both offer accurate positioning near shore and offshore via centimeter-level real-time kinematic (RTK) or the built-in Fugro precise point positioning (PPP) sub-decimeter subscription service, delivered either over NTRIP internet or over L-band satellite.
Corrections delivered over L-band allow dredging, bathymetry or marine construction projects even in areas where there is no internet service. The AsteRx-U3 Marine receiver, enclosed in an IP68-rated housing, offers a dedicated L-band demodulator with a separate L-band RF input, which allows for the use of dedicated antennas for excellent reception of L-band signals even at high latitudes.
Septentrio has released Open Service Navigation Message Authentication (OSNMA) functionality on its mosaic GNSS receiver modules. OSNMA offers end-to-end authentication on Galileo’s civilian signals, protecting receivers from OSNMA attacks.
Spoofing is a malicious form of radio interference, where faulty positioning information is sent to a receiver. For the last two years Septentrio has been working closely with the European Space Agency (ESA) during the test phases of OSNMA deployment. The know-how gained during this period is what allowed Septentrio to be one of the first to market with this advanced security feature.
OSNMA’s anti-spoofing capability complements Septentrio’s Advanced Interference Mitigation technology, AIM+, and further strengthens the overall security of Septentrio GNSS receivers, making them suitable for assured PNT solutions as well as critical infrastructure, such as 5G network synchronization.
“We are excited to start offering the OSNMA anti-spoofing technology in our industrial GNSS receivers. Our close collaboration with ESA enabled us to get the expertise needed to implement and validate this functionality in a timely manner,” said François Freulon, head of Product Management at Septentrio. “The addition of OSNMA to Septentrio’s already strong anti-jamming and anti-spoofing technology takes our receivers to a new level as the market leader of resilient positioning and timing solutions for industrial applications and critical infrastructure.”
OSNMA is now supported by the complete mosaic receiver family including GNSS RTK positioning modules, timing modules and heading receiver modules. It will also be rolled out on Septentrio’s latest generation of OEM receiver boards, AsteRx-m3, and subsequently on the ruggedized boxed receivers. Read more here.
By Francesco Ardizzon, Nicola Laurenti, Carlo Sarto and Giovanni Gamba
To ensure the authenticity of the Galileo navigation messages, the Open Service navigation message authentication (OSNMA) mechanism requires a loose synchronization between the receiver clock and the system time.
To ensure the authenticity and the integrity of the transmitted messages, the Timed Efficient Stream Loss-tolerant Authentication (TESLA) protocol for broadcast authentication requires a loose time synchronization between the transmitter and the receiver — that is, an upper bound to the time offset between their clocks. In the context of the TESLA-based Open Service navigation message authentication (OSNMA) protocol, it is customary to assume that:
On the system side, the transmission is synchronous because the satellites are equipped with high-precision atomic clocks, the drift of which is assumed negligible with respect to those at the receiver side.
At the receiver side, commercial clocks can be found that are less accurate and less stable, which accounts for the substantial time mismatch between the transmitter and the receiver clocks accumulating over time.
To limit the impact of such mismatch on OSNMA operation, it is envisioned that clocks for authenticated tachographs onboard vehicles, such as the ones that will be employed for the position authenticated tachograph for OSNMA launch (PATROL) project, are reset and precisely realigned to system time in periodic workshop visits. However, the clock mismatch must satisfy the OSNMA constraint at all times between successive workshop resets, in the “holdover” period, and through all possible operating conditions, to ensure constant authenticity of the navigation message.
In other contexts, this task is performed by such means as network synchronization protocols.
However, we are considering a scenario where, during holdover, we cannot rely on other sources, such as an internet connection or other devices to synchronize with the reference time to assure the authenticity of our time reference and, consequently, of the PVT solution. We also cannot trust any signal received during the holdover period, thus we should not use the PVT solution to synchronize the clock.
Here, we have two goals. First, investigate the causes of the misalignment and frequency deviation in clock generators commonly found on the market for GNSS receivers. Second, relate the clock specification parameters, taken directly from the real-time clock (RTC) device datasheets, the holdover period, and the OSNMA misalignment constraints.
Atomic clocks at ESTEC’s Navigation Laboratory in The Netherlands independently validate Galileo timing performance. (Photo: ESA)
Frequency Accuracy and Stability
Two metrics are usually employed to evaluate the performance of an oscillator.
Clock frequency accuracy is the normalized difference between the frequency output and its nominal value, f0.
Clock frequency stability is the normalized instantaneous frequency deviation from its local mean.
Although devices are characterized in terms of their stability, we are interested in measuring their accuracy y(t)ΔF(t)⁄f0, where ΔF(t) is the instantaneous frequency deviation from f0 at time t. The calibration performed during each workshop reset brings the residual misalignment to a negligible value called phase calibration error. On the other hand, we will later discuss the residual frequency deviation, due to the frequency calibration error.
The loose time synchronization requirement TL states that the authenticity of the navigation message received at time t is guaranteed if |ΔT(t)|≤TL, at every t during the holdover period.
Finally, we can relate accuracy and misalignment using the bound
(1)
which allows us to upper bound the clock misalignment at any time t in terms of the frequency accuracy along the whole interval elapsed from the last calibration time t0.
Accuracy Loss for Receiver Clocks
Thanks to their affordable price and wide temperature operating conditions, quartz crystal oscillators are used for clock generation in GNSS receivers (see TABLE 1). We distinguish among simple, temperature-controlled crystal oscillators (TCXOs) and oven-controlled crystal oscillators (OCXOs). GNSS receivers typically employ TXCOs because they offer the best trade-off in terms of power consumption, price and typical accuracy.
Table 1. Summary of the main quartz crystal oscillator characteristics.
Sources of Frequency Accuracy Loss. Quartz crystals are piezoelectric materials, therefore any additional stresses and environmental changes generate an additional voltage, decreasing the clock stability. In the automotive scenario, the main sources of accuracy loss are temperature changes, long-term aging, and the residual calibration frequency offset, while the impact of accelerations, vibrations, gravity variation and supply voltage oscillation can safely be neglected as they result in changes of a few parts per billion.
Currently, no analytic relationship is known between frequency accuracy and temperature for TCXOs (or OCXOs). Therefore, as reported in datasheets, the inaccuracy induced by the temperature changes is bounded by a constant value Ytemp across the whole operating temperature range. This yields a bound on the clock misalignment that increases linearly with the time from the last calibration.
Long-term aging has significant impacts on the clock frequency accuracy and may affect the device even when it is not used for a long time (see Figure 1). A critical aspect of this effect is that it is time-variant, with the accuracy loss increasing over time.
Figure 1. Graphical representation of the model for aging accuracy loss: upper-bound (red) versus estimated model (blue). (Image: R. Filler and J. Vig)
However, datasheets typically report a single value, Yage (Tdata ), which bounds the accuracy at a fixed time Tdata.
The effect of long-term aging for both TCXOs and OCXOs was investigated in a 1993 study by R. Filler and J. Vig measuring the accuracies of oscillator models for several years. The study concluded that a logarithmic fit is better suited for long-term measurements, while a linear fit is better suited for initial measurements (t<30 days) and is a loose upper-bound for longer times. Because we are interested in establishing a prudential upper bound rather than a precise estimate, we use the constant upper bound Yage (Tdata) for all t<Tdata and a linear upper bound for t>Tdata. This leads to a linearly increasing bound on the time offset before Tdata, and a quadratically increasing bound after Tdata.
Finally, the misalignment due to the frequency calibration error accumulates over time. An off-the-shelf oscillator has an initial accuracy that depends on the frequency tolerance ftol. To improve this, a precise calibration is performed, trying to synchronize the RTC with the nominal frequency f0, such as by using PTP. The contribution to the accuracy loss given by calibration can be bounded by Ycalib, a value set a priori either by system design or during the calibration process itself, yielding again a linearly increasing bound on the clock misalignment.
Bound on the Total Misalignment. In general, the cross-correlation between the uncertainties is unknown; we can only consider the worst-case scenario where the total uncertainty is bounded by the sum of the single bounds. This choice represents a prudential and conservative approach that may yield a rather loose bound with very high probability.
Thus, considering that all terms in the clock error bound increase over time, we can bound the total misalignment as
(2)
Example Values from Datasheet Specifications
Based on the above result, we can deem a commercial oscillator suitable for OSNMA operation if B(TR )≤TL. We can then compare the requirements for different RTCs, focusing on TCXOs designed for GNSS receivers suitable for the automotive scenario, with f0=52 MHz and a target operating temperature range between –20° Celsius and +85° Celsius. We assume that devices are subject to a calibration process, such that YcalibYtemp; thus we have neglected the calibration accuracy loss. We report in Table 2 the values of the misalignment bound, B(TR ), for TR=2 years and the maximum reset period TR,max such that B(TR,max)≤TL, with a loose time synchronization requirement TL=165s, as computed form the specs found in the datasheets.
Table 2. Bound values B(TR) and TR,max computed using several RTCs’ datasheet specs with TL=165 s and TR=2 years.
Conclusions
To ensure the authenticity of the GNSS navigation message, the Galileo OSNMA protocol requires a loose synchronization between the transmitter and the receiver. The misalignment between transmitter and receiver clock needs to be lower than a threshold TL for the whole holdover period TR. In this article, we have investigated the causes of the misalignment and frequency deviation in clock generators commonly found on the market and defined a general relationship between TL ,TR and the specifications commonly found in datasheets. Finally, we examined several mass-market temperature-controlled crystal oscillator datasheets, evaluating their performance in terms of worst-case offset bound B(TR).
The bound represents a prudential conservative approach and may be rather loose. However, given the lack of a consistent statistical model, this is a reasonable solution. We conclude that most devices can satisfy the constraint B(TR)≤TL=165 s with a workshop reset period of TR = 2 years.
Acknowledgements
This study was conceived within the PATROL (Position Authenticated Tachograph foR OSNMA Launch) project, funded by the EU Agency for the Space Programme through the Fundamental Elements programme, under procurement No. GSA/OP/23/16 “Development, supply and testing of a Galileo open service authentication user terminal (OSNMA) for the GSA.”
The authors acknowledge the invaluable support provided by the PATROL technical team: Davide Marcantonio (Qascom), Fabio Pisoni, Giovanni Gogliettino and Domenico di Grazia (ST Microelectronics), Alexandre Allien and Francois Riou (FDC), Jacques Kunegel (ACTIA), Simón Cancela Díaz and Belén Villanueva Coello (GMV).
PATROL success was fostered by the commitment and support of Flavio Sbardellati (EUSPA Project Officer), Gonzalo Seco Granados and Alexander Rügamer (EUSPA external reviewers), Javier Simon (EUSPA reviewer), Ignacio Fernandez-Hernandez and Giovanni Vecchione (EC reviewers). The authors thank colleagues Giada Giorgi (UNIPD) and Lorenzo Dal Corso (Qascom) for reviewing this work.
The content of this publication does not reflect the official opinion of the European Union or of the EU Agency for the Space Programme. Responsibility for the information and views expressed therein lies entirely with the authors.
Francesco Ardizzon is a Ph.D. student and Nicola Laurenti an associate professor in the Department of Information Engineering of the University of Padova, Italy. Carlo Sarto is the head of the security engineering division and Giovanni Gamba the head of the SIGINT and EW division at Qascom S.r.l., in Bassano del Grappa, Italy.
REFERENCES
A. Perrig, R. Canetti, J. Tygar, and D. Song, “The TESLA broadcast authentication protocol,” RSA CryptoBytes, vol. 5, 11 2002.
I. Fernandez-Hernandez, T. Walter, A. Neish, and C. O’Driscoll, “Independent time synchronization for resilient GNSS receivers,” in 2020 International Technical Meeting of The Institute of Navigation, 02 2020, pp. 964–978.
I. Fernandez-Hernandez, V. Rijmen, G. Seco-Granados, J. Simon, I. Rodriguez, and J. D. Calle, “A Navigation Message Authentication proposal for the Galileo Open Service,” NAVIGATION, vol. 63, no. 1, pp. 85–102, 2016. [Online]. Available: https://onlinelibrary.wiley.com/doi/abs/10.1002/navi.125
L. Cucchi, S. Damy, M. Paonni, M. Nicola, M. Troglia Gamba, B. Motella, and I. Fernandez-Hernandez, “Assessing galileo OSNMA under different user environments by means of a multi-purpose test bench, including a software-defined GNSS receiver,” in 4th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS+ 2021), 9 2021.
“IEEE standard definitions of physical quantities for fundamental frequency and time metrology—random instabilities,” IEEE Std 1139-2008, pp. c1–35, 2009.
J. Vig, “Quartz crystal resonators and oscillators for frequency control and timing applications – a tutorial,” in IEEE International Frequency Control Symposium Tutorials, 2016.
M. Lombardi, “Fundamentals of time and frequency,” in The Mechatronics Handbook, CRC Press, 01 2002, ch. 17.
R. Filler and J. Vig, “Long-term aging of oscillators,” IEEE Transactions on Ultrasonics, Ferroelectrics, and Frequency Control, vol. 40, no. 4, pp. 387–394, 1993.
W. Riley and D. Howe, Handbook of Frequency and Stability Analysis. Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, 2008-07-01 00:07:00 2008.
“Performance specification: oscillator, crystal controlled, general specification for,” MIL-PRF-55310F, 2018.
An Info Note has been published with analytical information on the Galileo Open Service – Navigation Message Authentication (OSNMA). The note is available on the European Union Agency for the Space Programme (EUSPA) website or through the European GNSS Service Centre. To contribute to the detection of GNSS jamming and spoofing attacks, EUSPA together with the European Commission is testing OSNMA.
This forthcoming service is an authentication mechanism that allows Open Service users to verify the authenticity of GNSS information, making sure that the data they receive is indeed from Galileo and has not been modified in any way.
OSNMA is authenticating data for geolocation information from the Open Service through the Navigation Message (I/NAV) broadcast on the E1-B signal component. This is realized by transmitting authentication-specific data in previously reserved fields of the E1 I/NAV message. By using these previously reserved fields, OSNMA does not introduce any overlay to the system, thus the OS navigation performance remains untouched.
Authentication is set to further strengthen service robustness by increasing the capability of detecting spoofing events. However, it should be kept in mind that authentication does not prevent the occurrence of such an event, and does not protect against jamming. Nonetheless, this added layer of protection proposes to be one step ahead of evolving technological trends by amplifying the service’s overall robustness and resilience.
In a first for any satellite navigation system, Galileo has achieved a positioning fix based on open-service navigation signals carrying authenticated data. Intended as a way to combat malicious spoofing of satnav signals, this authentication testing began at ESA’s Navigation Laboratory — the same site where the very first Galileo positioning fix took place back in 2013.
These historic first authenticated signal position, velocity and timing fixes were made using a total of eight Galileo satellites for around two hours on Nov. 18. The tests represent a first proof of concept for an eventual operational service offering positioning with authenticated data to users.
Spoofing has, for instance, been demonstrated as a means of forcing down drones or redirecting ships, while some high security locations — as well as disrupted international borders — have become notorious for spoofing signals that prevent the reliable use of satnav in their vicinity.
The Galileo Control Centres send the navigation signal to the GSC for the addition of the authentication code, which is then returned for uplink to the satellites.
“When a receiver picks up a navigation signal from a satellite, up until now it has no way of confirming that was indeed its source,” said navigation engineer Stefano Binda, overseeing the project for ESA. “This can result in spoofing — malicious people and organisations using false signals to mislead users about their actual position. This authentication service offers a way to prevent such deception.”
“In recent years, this problem has become sufficiently pronounced as a weak point that the European Commission, ESA and European GNSS Agency (GSA) decided to develop signal authentication as a differentiator for Galileo,” Binda said.
An ESA Navigation Directorate team at the Agency’s ESTEC technical centre in the Netherlands worked with its GSA counterparts at the twin Galileo Control Centres (GCCs) in Italy and Germany and the Galileo Service Centre (GSC) in Spain. “In everyday authentication you might send a document that has been digitally signed, where both sender and recipient use compatible cryptographic keys to validate the document’s source of origin,” Binda said.
“In this case we were working with a constrained amount of bandwidth within the navigation signal, so instead opted for a ‘delayed key’ approach. This means the initial data come along together a short tag which, within a short stretch of time usually not exceeding 30 seconds, is followed by a key, which is able to validate the tag and authenticate the data associated with it.”
During the test campaign, the Galileo Control Centres send the navigation signal to the GSC for the addition of the authentication code, which is then returned for uplink to the satellites, to be received and authenticated by the test receivers at ESTEC’s Navigation Lab and elsewhere in Europe, in participating laboratories.
To enabled the authentication test campaign, Thales Alenia Space in France served as prime contractor to upgrade of the Galileo Mission Segment — the world-spanning system that determines and create the navigation messages broadcast by Galileo satellites. Thales Alenia Space in Italy was responsible for the system level integration.
No modification of onboard satellite systems has been required to support Open Service Navigation Message Authentication (OSNMA), as spare bandwidth was made use of.
“We used our standard laboratory Septentrio test user receivers with a software add-on,” Binda said. “The beauty of this approach is that receivers will be able to make use of the future authenticated service without needing any new hardware, only software updates — apart from additional measures that might be mandated for operation in practice.”
ESA and GSA are continuing their authentication testing, with a view to introducing an operational Open Service Navigation Message Authentication service for users in the near future.
ESA’s Radio Frequency Systems, Payload and Technology Laboratories perform RF research for both the space and ground segments. (Photo: ESA)
OSNMA (Open Service Navigation Message Authentication) offers end-to-end authentication on a civilian signal, protecting receivers from spoofing attacks.
OSNMA is being pioneered by the Galileo Program, with Septentrio providing a testbed for this technology from the end-user point of view. The anti-spoofing capabilities of OSNMA will complement Septentrio’s already available anti-jamming technology, AIM+, and further strengthen the overall security of Septentrio GNSS receivers.
“The authentication of the Galileo signal using the OSNMA technology is yet another first that we are pleased to share with our close partner ESA [European Space Agency],” commented Bruno Bougard, R&D director at Septentrio. “Septentrio is proud and thankful to be able to contribute to the realization of one of Galileo’s key differentiators. “
With OSNMA, Galileo is the first satellite system to introduce an anti-spoofing service directly on a civil GNSS signal.
OSNMA is a free service on the Galileo E1 frequency. It enables authentication of the navigation data on Galileo and even GPS satellites. Such navigation data carries information about satellite location — if altered, it will result in wrong receiver positioning computation.
While currently in development, OSNMA is planned to become publicly available in the near future. GPS is experimenting with satellite-based anti-spoofing for civil users with its Chimera authentication system.
Within the scope of the FANTASTIC project led by GSA, OSNMA anti-spoofing protection was implemented on a Septentrio receiver.
“Septentrio is committed to providing highly accurate and secure positioning and timing solutions to industrial applications and critical infrastructure. This is another example where Septentrio demonstrates its leadership in end-to-end GNSS receiver security with its breakthrough anti-jamming and anti-spoofing technology,” said François Freulon, head of Product Management at Septentrio. “Thanks to our future proof products, we will be rolling out OSNMA in our portfolio as soon as it is available. This will further enhance the security of our receivers, ensuring robust, trustworthy and reliable operation even in the most challenging environments.”
European Galileo satellites provide an open authentication service on the E1 signal and a commercial authentication service on the E6 signal. (Image: European Space Agency)
ESA and GSA (European GNSS Agency) have now commenced the testing phase of the OSNMA authentication, which will continue during the coming months. To find out more about spoofing and OSNMA, see this article. For more information about GNSS signals and the value they bring, see Septentrio’s free webinar More GNSS signals: What’s in it for you?
