Tamarin

A Secure Ground Handover Protocol for LDACS

The L-band Digital Aeronautical Communications System (LDACS), the worldwide first true integrated Communication, Navigation and Surveillance (CNS) system, is in the process of being standardized at the International Civil Aviation Organization (ICAO) and the Internet Engineering Task Force (IETF). The cellular system is considered a successor to the 30-years old Very High Frequency (VHF) Datalink mode 2 system (VDLm2) and intended for communications related to the safety and regularity of flight. With the initial rollout planned in the near future, the finalization of all its aspects, including security is of utmost importance. While previous works presented a cybersecurity architecture for LDACS, including a Public Key Infrastructure (PKI), certificates, a Mutual Authentication and Key Establishment (MAKE) procedure, as well as usage of established keys for protecting its user- and control-data plane, the protocol for secure LDACS handovers between cells has not been established. The objective of this work is to present a secure handover procedure for LDACS, fulfilling all security and performance requirements for data- and voice communications via LDACS.

Advancing the Security of LDACS

The "Single European Sky" air traffic management master plan foresees the introduction of several modern digital data links for aeronautical communications. The candidate for long-range continental communications is the L-band Digital Aeronautical Communications System (LDACS). LDACS is a cellular, ground-based digital communications system for flight guidance and communications related to safety and regularity of flight. Hence, the aeronautical standards, imposed by the International Civil Aviation Organization (ICAO), for cybersecurity of the link and network layer, apply. In previous works, threat-and risk analyses of LDACS were conducted, a draft for an LDACS cybersecurity architecture introduced, algorithms proposed, and the security of a Mutual Authentication and Key Establishment (MAKE) procedure of LDACS formally verified. However, options for cipher-suites and certificate management for LDACS were missing. Also, previous works hardly discussed the topic of post-quantum security for LDACS. This paper proposes a cell-attachment procedure, which establishes a secure LDACS communication channel between an aircraft and corresponding ground-station upon cell-entry of the aircraft. Via the design of a hybrid LDACS Public Key Infrastructure (PKI), the choice of a pre-or post-quantum Security Level (SL) is up to the communications participants. With that, this work introduces a full LDACS cell-attachment protocol based on a PKI, certificates, certificate revocation and cipher-suites including pre-and post-quantum options. Evaluations in the symbolic model show the procedure to fulfill LDACS security requirements and a communications performance evaluation demonstrates feasibility, matching requirements imposed by regulatory documents.

Formal Verification of the LDACS MAKE Protocol

In our talk, we therefore present the first formal verification of the security properties of the updated LDACS 3-pass Mutual Authentication and Key Establishment (MAKE) protocol. This protocol allows AS and GS to establish shared keys via …

A Secure Cell-Attachment Procedure of LDACS

In Europe the Single European Sky air traffic management master plan foresees the introduction of several modern digital data links for aeronautical communications. The candidate for long-range continental communications is LDACS. LDACS is a …

Formal Security Verification of the Station-to-Station based Cell-attachment Procedure of LDACS

Aeronautical communications systems are currently undergoing a modernization process. Analogue legacy systems shall be replaced with modern digital alternatives, offering higher bandwidth, increasing capacity and paving the way for Unmanned …