UAS Operator Privacy for RemoteID Messages
HTT Consulting
Oak Park
MI
48237
USA
rgm@labs.htt-consult.com
AX Enterprize
4947 Commercial Drive
Yorkville
NY
13495
USA
stu.card@axenterprize.com
AX Enterprize
4947 Commercial Drive
Yorkville
NY
13495
USA
adam.wiethuechter@axenterprize.com
Internet
DRIP
RFC
Request for Comments
I-D
Internet-Draft
RID
This document describes a method of providing privacy for UAS
Operator/Pilot information specified in the ASTM UAS Remote ID and
Tracking messages. This is achieved by encrypting, in place, those
fields containing Operator sensitive data using a hybrid ECIES.
Introduction
This document defines a mechanism to provide privacy in the ASTM
Remote ID and Tracking messages by encrypting, in place, those fields that
contain sensitive UAS Operator/Pilot information. Encrypting in
place means that the ciphertext is exactly the same length as the
cleartext, and directly replaces it.
An example of and an initial application of this mechanism is the 8
bytes of UAS Operator/Pilot (hereafter called simply Operator)
longitude and latitude location in the System Message. This meets
the Drip
Requirements, Priv-01.
It is assumed that the Operator registers a mission with a USS.
During this mission registration, the Operator and USS exchange
public keys to use in the hybrid ECIES. The USS key may be long
lived, but the Operator key SHOULD be unique to a specific mission.
This provides protection if the ECIES secret is exposed from prior
missions.
The actual Tracking message field encryption MUST be an "encrypt in
place" cipher. There is rarely any room in the tracking messages
for a cipher IV or encryption MAC. There is rarely any data in the
messages that can be used as an IV. A some AES modes of operation are
proposed here that can encrypt a multiple of 4 bytes.
The System Message is not a simple, one-time, encrypt the PII with
the ECIES derived key. The Operator may move during a mission and
these fields change, correspondingly. Further, not all messages
will be received by the USS, so each message's encryption must
stand on its own and not be at risk of attack by the content of
other messages.
Another candidate message is the optional Operator ID Message with
its 20 character Operator ID field. The Operator ID does not
change during a mission, so this is a one-time encryption operation
for the mission. The same cipher SHOULD be used for all messages
from the UAS and this will influence the cipher selection.
Future applications of this mechanism may be provided. The content
of the System Message may change to meet CAA requirements,
requiring encrypting a different amount of data. At that time,
they will be added to this document.
Terms and Definitions
Requirements Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14 when, and only when, they appear in all
capitals, as shown here.
Definitions
- B-RID
-
Broadcast Remote ID. A method of sending RID messages as
1-way transmissions from the UA to any Observers within
radio range.
- CAA
-
Civil Aeronautics Administration. Two CAAs are the US
Federal Aviation Administration (FAA) and European Union
Aviation Safety Agency (EASA).
- ECIES
-
Elliptic Curve Integrated Encryption Scheme. A hybrid
encryption scheme which provides semantic security against
an adversary who is allowed to use chosen-plaintext and
chosen-ciphertext attacks.
- GCS
-
Ground Control Station. The part of the UAS that the remote
pilot uses to exercise C2 over the UA, whether by remotely
exercising UA flight controls to fly the UA, by setting GPS
waypoints, or otherwise directing its flight.
- Observer
-
Referred to in other UAS documents as a "user", but there
are also other classes of RID users, so we prefer
"observer" to denote an individual who has observed an UA
and wishes to know something about it, starting with its
RID.
- N-RID
-
Network Remote ID. A method of sending RID messages via the
Internet connection of the UAS directly to the UTM.
- RID
-
Remote ID. A unique identifier found on all UA to be used
in communication and in regulation of UA operation.
- UA
-
Unmanned Aircraft. In this document UA's are typically
though of as drones of commercial or military variety. This
is a very strict definition which can be relaxed to include
any and all aircraft that are unmanned.
- UAS
-
Unmanned Aircraft System. Composed of Unmanned Aircraft and
all required on-board subsystems, payload, control station,
other required off-board subsystems, any required launch
and recovery equipment, all required crew members, and C2
links between UA and the control station.
- USS
-
UAS Service Supplier. Provide UTM services to support the
UAS community, to connect Operators and other entities to
enable information flow across the USS network, and to
promote shared situational awareness among UTM
participants. (From FAA UTM ConOps V1, May 2018).
- UTM
-
UAS Traffic Management. A "traffic management" ecosystem
for uncontrolled operations that is separate from, but
complementary to, the FAA's Air Traffic Management (ATM)
system.
The Operator - USS Security Relationship
All CAAs have rules defining which UAS must be registered to
operate in their National Airspace. This includes UAS and Operator
registration in a USS. Further, operator's are expected to report
flight missions to their USS. This mission reporting provides a
mechanism for the USS and operator to establish a mission security
context. Here it will be used to exchange public keys for use in
ECIES.
The operator's ECIES public key SHOULD be unique for each mission.
The USS ECIES public key may be unique for each operator and
mission, but not required. For best post-compromise security
(PCS), even the USS ECIES public key should be changed over some
operational window.
The public key algorithm should be Curve25519. Correspondingly, the ECIES 128
bit shared secret should be generated using KMAC as specified in
sec 5 of .
System Message Privacy
The System Message contains 8 bytes of Operator specific
information: Longitude and Latitude of the Remote Operator (Pilot
in the field description) of the UA. The GCS MAY encrypt these as
follows.
The 8 bytes of Operator information are encrypted, using the ECIES
derived 128 bit shared secret, with one of the cipher's specified
below. The choice of cipher is based on USS policy and is agreed to
as part of the mission registration. AES-CFB16 is the recommended
default cipher.
ASTM Remote ID and Tracking messages SHOULD be updated to allow Bit 2 of the Flags
byte in the System Message set to "1" to indicate the Operator
information is encrypted.
The USS similarly decrypts these 8 bytes and provides the
information to authorized entities.
Rules for encrypting System Message content
If the Operator location is encrypted the encrypted bit flag MUST
be set to 1.
The Operator MAY be notified by the USS that the mission has
entered a location or time where privacy of Operator location is
not allowed. In this case the Operator MUST disable this privacy
feature and send the location unencrypted or land the UA or route
around the restricted area.
If the Operator looses connectivity to the USS, the privacy feature
SHOULD be disabled or land the UA.
If the mission is in an area or time with no Internet Connectivity,
the privacy feature MUST NOT be used.
Rules for decrypting System Message content
An Observer receives a System Message with the encrypt bit set to
1. The Observer sends a query to its USS Display Provider
containing the UA's ID and the encrypted fields.
The USS Display Provider MAY deny the request if the Observer does
not have the proper authorization.
The USS Display Provider MAY reply to the request with the
decrypted fields if the Observer has the proper authorization.
The USS Display Provider MAY reply to the request with the
decrypting key if the Observer has the proper authorization.
The Observer MAY notify the USS through its USS Display Provider
that content privacy for a UAS in this location/time is not
allowed. If the Observer has the proper authorization for this
action, the USS notifies the Operator to disable this privacy
feature.
Operator ID Message Privacy
The Operator ID Message contains 20 bytes for Operator the ID. The
GCS MAY encrypt these as follows.
The 20 bytes Operator ID is encrypted, using the ECIES derived 128
bit shared secret, with one of the cipher's specified below. The
choice of cipher is based on USS policy and is agreed to as part of
the mission registration. AES-CFB16 is the recommended default
cipher.
ASTM Remote ID and Tracking messages SHOULD be updated to allow Operator ID Type in
the Operator ID Message set to "1" to indicate the Operator ID is
encrypted.
The USS similarly decrypts these 20 bytes and provides the
information to authorized entities.
Rules for encrypting Operator ID Message content
If the Operator ID is encrypted the Operator ID Type field MUST be
set to 1.
The Operator MAY be notified by the USS that the mission has
entered a location or time where privacy of Operator ID is not
allowed. In this case the Operator MUST disable this privacy
feature and send the ID unencrypted or land the UA or route around
the restricted area.
If the Operator looses connectivity to the USS, the privacy feature
SHOULD be disabled or land the UA.
If the mission is in an area or time with no Internet Connectivity,
the privacy feature MUST NOT be used.
Rules for decrypting Operator ID Message content
An Observer receives a Operator ID Message with the Operator ID
Type field set to 1. The Observer sends a query to its USS Display
Provider containing the UA's ID and the encrypted fields.
The USS Display Provider MAY deny the request if the Observer does
not have the proper authorization.
The USS Display Provider MAY reply to the request with the
decrypted fields if the Observer has the proper authorization.
The USS Display Provider MAY reply to the request with the
decrypting key if the Observer has the proper authorization.
The Observer MAY notify the USS through its USS Display Provider
that content privacy for a UAS in this location/time is not
allowed. If the Observer has the proper authorization for this
action, the USS notifies the Operator to disable this privacy
feature.
Cipher choices for Operator PII encryption
Using AES-CFB16
CFB16 is defined in , Section 6.3. This is the Cipher
Feedback (CFB) mode operating on 16 bits at a time. This variant
of CFB can be used to encrypt any multiple of 2 bytes of cleartext.
The Operator includes a 64 bit UNIX timestamp for the mission time,
along with its mission pubic key. The Operator also includes the
UA MAC address (or multiple addresses if flying multiple UA).
The 128 bit IV for AES-CFB16 is constructed by the Operator and
USS as: SHAKE128(MAC|UTCTime|Message_Type, 128). Inclusion of the
ASTM Message_Type ensures a unique IV for each Message type that
contains PII to encrypt.
AES-CFB16 would then be used to encrypt the Operator information.
Using a Feistel scheme
If the encryption speed doesn't matter, we can use the following
approach based on the Feistel scheme. This approach is already
being used in format-preserving encryption (e.g. credit card
numbers). The Feistal scheme is explained in .
Using AES-CTR
If 2 bytes of the Message can be set aside to contain a counter
that is incremented each time the Operator information changes,
AES-CTR can be used as follows.
The Operator includes a 64 bit UNIX timestamp for the mission time,
along with its mission pubic key. The Operator also includes the
UA MAC address (or multiple addresses if flying multiple UA).
The high order bits of an AES-CTR counter is constructed by the
Operator and USS as: SHAKE128(MAC|UTCTime|Message_Type, 112).
Inclusion of the ASTM Message_Type ensures a unique IV for each
Message type that contains PII to encrypt.
AES-CTR would then be used to encrypt the Operator information.
DRIP Requirements addressed
This document provides solution to PRIV-1 for PII in the ASTM System Message.
ASTM Considerations
ASTM will need to make the following changes to the "Flags" in
the System Message:
- Bit 2:
-
Value 1 for encrypted; 0 for cleartext (see ).
ASTM will need to make the following changes to the "Operator ID
Type" in the Operator ID Message:
- Operator ID Type
-
Value 1 for encrypted Operator ID (see ).
Security Considerations
An attacker has no known text after decrypting to
determine a successful attack. An attacker can make assumptions
about the high order byte values for Operator Longitude and
Latitude that may substitute for known cleartext. There is no
knowledge of where the operator is in relation to the UA. Only if
changing location values "make sense" might an attacker assume to
have revealed the operator's location.
CFB16 Risks
Using the same IV for different Operator information values with
CFB16 presents a cyptoanalysis risk. Typically only the low order
bits would change as the Operators position changes. Thus the
first 2 encrypted bytes would not change, and only subsequent bytes
would. The risk is mitigated due to the short-term value of the
data. Further analysis is need to properly place risk.
Crypto Agility
The ASTM Remote ID Messages do not provide any space for a crypto
suite indicator or any other method to manage crypto agility.
All crypto agility is left to the USS policy and the relation
between the USS and operator. The selection of the ECIES public
key algorithm, the shared secret key derivation function, and the
actual symmetric cipher used for on the System Message are set by
the USS which informs the operator what to do.
Standard Specification for Remote ID and Tracking
ASTM International
Feistel Scheme
This approach is already being used in format-preserving encryption.
According to the theory, to provide CCA security guarantees (CCA =
Chosen Ciphertext Attacks) for m-bit encryption X |-> Y, we should
choose d >= 6. It seems very ineffective that when shortening the
block length, we have to use 6 times more block encryptions. On the
other hand, we preserve both the block cipher interface and
security guarantees in a simple way.
m?
Enc(X, K):
1. Y <- X.
2. Split Y into 2 equal parts: Y = Y1 || Y2
(let us assume for simplicity that m is even).
3. For i = 1, 2, ..., d do:
Y <- Y2 || (Y1 ^ first_m/2_bits(E_K(Y2 || Ci)),
where Ci is a (n - m/2)-bit round constant.
4. Y <- Y2 || Y1.
5. Return Y.
Dec(Y, K):
1. X <- Y.
2. Split X into 2 equal parts: X = X1 || X2.
3. For i = d, ..., 2, 1 do:
X <- X2 || (X1 ^ first_m/2_bits(E_K(X2 || Ci)).
4. X <- X2 || X1.
5. Return X.
]]>