A2RID - Anonymous Direct Authentication and
Remote Identification of Commercial Drones
Eva Wisse, Pietro Tedeschi, Savio Sciancalepore, and Roberto Di Pietro
Abstract—The recent worldwide introduction of RemoteID
(RID) regulations forces all Unmanned Aircrafts (UAs), a.k.a.
drones, to broadcast in plaintext on the wireless channel their
identity and real-time location, for accounting and monitoring
purposes. Although improving drones’ monitoring and situational
awareness, the RID rule also generates significant privacy con-
cerns for UAs’ operators, threatened by the ease of tracking of
UAs and related confidentiality and privacy concerns connected
with the broadcasting of plaintext identity information.
In this paper, we propose A2RID, a protocol suite for anonymous direct authentication and remote identification of heterogeneous commercial UAs. A2RID integrates and adapts protocols for anonymous message signing to work in the UA domain, coping with the constraints of commercial drones and the tight real-time requirements imposed by the RID regulation. Overall, the protocols in the A2RID suite allow a UA manufacturer to pick the configuration that best suits the capabilities and constraints of the drone, i.e., either a processing-intensive but memory-lightweight solution (namely, CS-A2RID) or a computationally-friendly but memory-hungry approach (namely, DS-A2RID). Besides formally defining the protocols and formally proving their security in our setting, we also implement and test them on real heterogeneous hardware platforms, i.e., the Holybro X-500 and the ESPcopter, releasing open-source the produced code. For all the protocols, we demonstrated experimentally the capability of generating anonymous RemoteID messages well below the time bound of 1 second required by RID, while at the same time having quite a limited impact on the energy budget of the drone.
Index Terms—Unmanned Aerial Vehicles; Privacy; Security;
Privacy-Enhancing Technologies; Applied Security and Privacy.
I. INTRODUCTION
Unmanned Aircrafts (UAs), a.k.a. drones, are gaining increasing momentum in Industry and Academia, thanks to the flexibility and enhanced mobility features they provide in several key application domains, e.g., surveillance, goods delivery, and search-and-rescue, to name a few [1]. In addition, leading business forecasting companies estimate the drones' market to grow from USD 8.15 billion in 2022 to USD 47.38 billion by 2029, with a CAGR of approx. 28.58%, estimating more than 9.64 million drones flying around by the same time [2], [3].

This is a personal copy of the authors. Not for redistribution. The final published version of the paper accepted in IEEE Internet of Things Journal is available through the IEEExplore Digital Library, with the DOI: 10.1109/JIOT.2023.3240477.
Eva Wisse is with the Eindhoven University of Technology (TU/e), Department of Mathematics and Computer Science, Eindhoven, Netherlands. e-mail: e.m.c.wisse@student.tue.nl.
Pietro Tedeschi is with the Technology Innovation Institute, Autonomous Robotics Research Center, Abu Dhabi, United Arab Emirates. e-mail: pietro.tedeschi@tii.ae
Savio Sciancalepore is with the Eindhoven University of Technology (TU/e), Department of Mathematics and Computer Science, Eindhoven, Netherlands. e-mail: s.sciancalepore@tue.nl.
Roberto Di Pietro is with the Division of Information and Computing Technology (ICT), College of Science and Engineering (CSE), Hamad Bin Khalifa University (HBKU), Doha, Qatar. e-mail: rdipietro@hbku.edu.qa.

Such large numbers motivated recent significant efforts
by several regional authorities to integrate UAs within the
local airspace, for traffic management and safety issues. In
this context, the US-based Federal Avionics Administration
(FAA) was the first to take action, by introducing the Remote
Identification (RID) regulation [4]. In a nutshell, RID requires
all UAs to broadcast on the wireless channel, from take-off to
landing, information such as the identity and location of the
UA, with a minimum rate of 1 msg/s (see Sec. II-A for more
details). At the same time, initiatives similar to RID are also
planned in EU and China [5], [6].
Although solving traffic management and safety con-
cerns, RID regulations also introduce significant privacy is-
sues [7], [8]. Indeed, by simply eavesdropping on the wire-
less channel, passive adversaries might easily get the unique
identity of the UA, its real-time location, and other sensitive
information, such as the location of the related Ground Control
Station (GCS). Through a longer, fully passive and stealthy
observation, the adversary can also track the drone during reg-
ular operations and infer more private information about their
operators, such as the place where they live, the usual flight
source, path, and destination, as well as the location of storage
sites of large commercial delivery companies (e.g., in case of
drone-based deliveries by goods distribution companies) [9].
Such threats are also magnified by recent reports, documenting
the leakage of drones identifiers on the public Internet [10]. In
this context, if the broadcast RID messages were anonymous,
UAs could protect the privacy of their operator(s), and make
indiscriminate tracking much more challenging. At the same
time, any solutions for anonymous remote identification should
also guarantee the disclosure of the identity of possibly mis-
behaving UAs, i.e., when drones invade (accidentally or not)
no-fly-zones. Moreover, such solutions should also cope with
the limitations of UAs, mainly in terms of available processing
and energy capabilities.
At the time of this writing, very few scientific contributions investigated anonymous remote identification of UAs within the framework of the RID regulation. In this context, a conference paper [11] of ours proposed ARID, the first solution for anonymous remote identification of UAs. ARID allows UAs to broadcast anonymous RID messages, where the long-term identity of the emitter is never revealed on the wireless channel. At the same time, whenever the invasion of a no-fly area is detected, Critical Infrastructure (CI) operators might forward the received messages to a Trusted Third-Party (TTP), such as the FAA, to disclose the long-term identity of the misbehaving UA and take action. However, ARID provides a brokered message authentication. Indeed, entities receiving ARID messages cannot directly and autonomously verify message authenticity, but they have to interact with the TTP to verify that received messages are neither forged nor replayed. As a result, the deployment of ARID and its integration into the RID framework might pose excessive management overhead on regulatory authorities. Moreover, being based on different entities, the networking architecture required by ARID does not match with current standardization activities, such as the ones carried out by the IETF WG drip, working on the standardization of the components and the network architecture for the integration of RID into national airspaces.

arXiv:2210.11743v2 [cs.CR] 1 Feb 2023

Contribution. In this paper, we make the following contributions.
• We propose A2RID (acronym for Anonymous direct Authentication and Remote IDentification), the first protocol suite for anonymous direct authentication and remote identification of heterogeneous commercial drones.
• Within the A2RID protocol suite, we propose and define three protocols, namely: (i) CS-A2RID, for high-end UAs equipped with regular processing and energy capabilities, capable of running pairing-based cryptography schemes on board; (ii) DS-CCA2-A2RID, for UAs with low processing and energy availability, but equipped with large storage space; and, (iii) DS-CPA-A2RID, for UAs characterized by severely constrained processing, storage, and energy availability.
• Through the protocols listed above, we provide a solution for the UAs to broadcast anonymous RID messages, protecting their long-term unique identity from malicious eavesdroppers while being compliant with current RID regulations.
• For all the protocols listed above, we provide a rigorous protocol description within the network architecture for UA remote identification defined by the IETF Working Group (WG) drip, as well as a formal security proof, via the well-known automated verification tool ProVerif.
• To show the viability of the proposed solution, we implemented the protocols in the A2RID protocol suite on heterogeneous commercial UAs, i.e., the Holybro X500 and the ESPcopter, characterized by very different processing, storage, and energy capabilities. We also released the corresponding source code as open-source, to foster the reproducibility and re-usability of our code and results [12], [13], as well as to stimulate further research in the field.
• Finally, we also report the results of an extensive experimental performance assessment of our solutions when run on real heterogeneous hardware, demonstrating that it is possible to achieve anonymous remote identification of UAs in 0.017 seconds on the Holybro X500 and within 0.22 seconds on the ESPcopter, i.e., well below the time limit of 1 second imposed by the RID regulation, even with severely constrained UAs.
Roadmap. The rest of this paper is organized as follows.
Sec. II introduces preliminary notions, Sec. III reviews the
related work, Sec. IV outlines the scenario and the adversarial
model considered in our work, Sec. V provides the details of
our solution, Sec. VI discusses the security features offered
by our solution, Sec. VII provides a thorough performance
evaluation, both via simulations and a real experimentation
and, finally, Sec. VIII concludes the paper.
II. BACKGROUND AND PRELIMINARIES
In this section, we introduce background material that will
be helpful for the sequel of the manuscript. Sec. II-A provides
an overview of the RID regulation, while Sec. II-B summarizes
cryptography techniques and notions used in this manuscript.
A. RemoteID Specification
The RID rule was published first in April 2021 by the US-
based FAA, and it is set to become mandatory for all UAs
from September 2022 [4]. According to the RID specification,
all UAs, almost independently from their weight and usage,
should broadcast on the wireless channel the following in-
formation: (i) unique identifier, (ii) timestamp, (iii) current
location, (iv) current speed, (v) location of any GCS, and
finally, (vi) emergency status. Such information should be
broadcasted in plaintext, from take-off to landing time, with
a minimum rate of one message per second. The rule also
suggests the adoption of the WiFi standard for messages
broadcasting, due to its reasonable range and widespread
adoption. Besides the broadcast mode, RID also defines a
unicast mode, where UAs might be available on a given port
to answer requests about their identity and location. At the
same time, RID does not force UAs to integrate an Internet
connection, but only to feature a module for the broadcast
of wireless messages. When such a module is unavailable, the
manufacturer can provide dedicated external modules after the
deployment to make UAs compliant with RID.
Overall, the aim of the RID rule is to set a framework for
accountability of UA operations, as well as identification of the
owner of any flying UAs. However, note that network security
issues connected with the integration of RID are specifically
not addressed in the FAA rule. Finally, it is worth noting that
the overall problem of UAs remote identification goes beyond
the US borders, and also other geographical airspaces such
as the EU, Russia, and China are taking initiatives toward
regulating drones’ flights [5], [6].
B. Cryptography Techniques and Notions
In this section, we recall as preliminaries the main building
blocks used throughout the manuscript.
Public Key Encryption. Public Key Encryption (PKE) schemes allow encrypting a message $M$ under the public key $pk$ of the recipient into a ciphertext $c$, such that only the recipient, in possession of the corresponding secret key $sk$, can decrypt the ciphertext and recover the plaintext message $M$.
Definition II.1. A public key encryption algorithm $PKE$ consists of the following algorithms:
$PKE.KGen(1^k)$: on input a security parameter $k$, it outputs a secret decryption key $sk$ and a public encryption key $pk$.
$PKE.Enc(pk, m)$: on input a plaintext message $m$ and a public key $pk$, it outputs a ciphertext $c$.
$PKE.Dec(sk, c)$: on input a ciphertext $c$ and a secret decryption key $sk$, it outputs the corresponding plaintext $m$.
Although any public-key encryption scheme can be used, in this manuscript, we use the well-known Elliptic Curve Integrated Encryption Scheme (ECIES) [14].
Decisional Diffie-Hellman (DDH). The Decisional Diffie–Hellman (DDH) is an assumption, commonly used in cryptography, on the computational hardness of solving discrete logarithm problems in cyclic groups. Such an assumption is at the roots of the security of many protocols, including Cramer–Shoup cryptosystems (see below). Assume $G$ is a cyclic group of order $q$, with generator $g$, and $a, b, c$ are random values in $\mathbb{Z}_q$. According to the DDH assumption, the distributions $\langle g^a, g^b, g^{ab} \rangle$ and $\langle g^a, g^b, g^c \rangle$ are computationally indistinguishable in the security parameter $n = \log(q)$ [15].
Cramer-Shoup Cryptosystem. Assume $G$ is a cyclic group of prime order $q$, where $q$ is large, $m$ is a plaintext message encoded as an element of $G$, and $H$ a universal family of one-way hash functions mapping bit-strings into elements of $\mathbb{Z}_q$ [16].
Definition II.2. A Cramer-Shoup public key encryption algorithm $CSC$ consists of the following algorithms:
$CSC.KGen(G, \mathbb{Z}_q)$: on input a group $G$ of prime order $q$, it generates random elements $g_1, g_2 \in G$, and $x_1, x_2, y_1, y_2, z \in \mathbb{Z}_q$. Next, it computes the elements $c = g_1^{x_1} g_2^{x_2}$, $d = g_1^{y_1} g_2^{y_2}$, $h = g_1^{z}$. The generated public key is the tuple $pk = (g_1, g_2, c, d, h, H)$, and the private key is $sk = (x_1, x_2, y_1, y_2, z)$.
$CSC.Enc(pk, m, r)$: on input a plaintext message $m \in G$, a public key $pk$, and $r \in \mathbb{Z}_q$, it outputs the ciphertext $c = (u_1, u_2, e, \psi)$, where $u_1 = g_1^{r}$, $u_2 = g_2^{r}$, $e = h^{r} m$, $\alpha = H(u_1, u_2, e)$, $\psi = c^{r} d^{r\alpha}$.
$CSC.Dec(sk, c)$: on input a ciphertext $c = (u_1, u_2, e, \psi)$ and a secret key $sk = (x_1, x_2, y_1, y_2, z)$, the decryption algorithm computes $\alpha = H(u_1, u_2, e)$ and tests if $u_1^{x_1 + y_1\alpha} u_2^{x_2 + y_2\alpha} \stackrel{?}{=} \psi$. If this condition is verified, the algorithm outputs the plaintext $m = e / u_1^{z}$; otherwise it outputs $\bot$.
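The three algorithms of Definition II.2, written out as an added Python example (it is not part of the paper or of the authors' released code). It assumes a toy 64-bit safe-prime group found at import time and SHA-256 reduced modulo $q$ as a stand-in for $H$; the helper names (`toy_group`, `encode`, `decode`, `demo`) are hypothetical. It shows the validity test in decryption rejecting a ciphertext whose $e$ component was modified in transit.

```python
import hashlib
import secrets

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin; these 12 bases make it deterministic for n < 3.3e24."""
    if n < 2 or any(n % b == 0 for b in MR_BASES):
        return n in MR_BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        squarings = (pow(x, 1 << i, n) for i in range(s))
        if x != 1 and n - 1 not in squarings:
            return False
    return True

def toy_group(bits=64):
    """First safe prime p = 2q + 1 with q > 2^(bits-1); G = squares mod p."""
    q = (1 << (bits - 1)) + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = toy_group()   # toy size, for illustration only
G1 = 4               # 2^2 is a square != 1, so it generates the order-q group

def H(u1, u2, e):
    """Stand-in for the hash family H: SHA-256 reduced into Z_q (assumption)."""
    data = b"|".join(str(v).encode() for v in (u1, u2, e))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def encode(n):
    """Map an integer 1 <= n <= q into G: exactly one of n, p - n is a square."""
    return n if pow(n, Q, P) == 1 else P - n

def decode(m):
    return m if m <= Q else P - m

def keygen():
    # A real deployment needs g2 with unknown discrete log to base g1.
    g2 = pow(G1, secrets.randbelow(Q - 1) + 1, P)
    x1, x2, y1, y2, z = (secrets.randbelow(Q) for _ in range(5))
    c = pow(G1, x1, P) * pow(g2, x2, P) % P
    d = pow(G1, y1, P) * pow(g2, y2, P) % P
    h = pow(G1, z, P)
    return (G1, g2, c, d, h), (x1, x2, y1, y2, z)

def encrypt(pk, m):
    g1, g2, c, d, h = pk
    r = secrets.randbelow(Q - 1) + 1
    u1, u2 = pow(g1, r, P), pow(g2, r, P)
    e = pow(h, r, P) * m % P
    alpha = H(u1, u2, e)
    psi = pow(c, r, P) * pow(d, r * alpha, P) % P
    return u1, u2, e, psi

def decrypt(sk, ct):
    (x1, x2, y1, y2, z), (u1, u2, e, psi) = sk, ct
    alpha = H(u1, u2, e)
    check = pow(u1, x1 + y1 * alpha, P) * pow(u2, x2 + y2 * alpha, P) % P
    if check != psi:
        return None                               # validity test failed: reject
    return e * pow(pow(u1, z, P), P - 2, P) % P   # m = e / u1^z

def demo():
    pk, sk = keygen()
    ct = encrypt(pk, encode(20230201))            # constructed sample message
    mauled = (ct[0], ct[1], ct[2] * encode(2) % P, ct[3])  # e altered in transit
    return decode(decrypt(sk, ct)), decrypt(sk, mauled)

if __name__ == "__main__":
    print(demo())
```

Without the $\psi$ component and its check, the modified ciphertext would decrypt to a related plaintext, which is the malleability that the validity test removes.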
Digital Signature Schemes. Digital Signature (DSig) schemes allow a sender to produce a signed value $\sigma$ for a message $m$, demonstrating to be the actual sender of the message.
Definition II.3. A digital signature scheme $DSig$ consists of the following algorithms:
$DSig.KGen(1^k)$: on input a security parameter $k$, it outputs a secret signing key $sk$ and a public verification key $pk$.
$DSig.Sign(sk, m)$: on input a message $m$ and a signing key $sk$, it outputs a signature $\sigma$.
$DSig.Vrf(pk, m, \sigma)$: on input a message $m$, a public key $pk$, and a signature $\sigma$, it outputs a bit $b \in \{0, 1\}$, where 0 indicates that $\sigma$ is not verified and 1 indicates that $\sigma$ is verified.
Although any DSig scheme on elliptic curves can be used, in this manuscript, we use the scheme proposed by Boneh, Lynn, and Shacham [17].
Bilinear Pairings. Let $G$ and $G_T$ be multiplicative groups of prime order $q$, and $g$ be a generator of $G$. A map $\hat{e}: G \times G \to G_T$ is called a bilinear map if it satisfies the following properties:
1) Bilinearity: $\hat{e}(g^{\alpha}, g^{\beta}) = \hat{e}(g, g)^{\alpha\beta}$ for all $\alpha, \beta \in \mathbb{Z}_q$.
2) Non-degeneracy: There exist $\alpha, \beta \in G$ such that $\hat{e}(\alpha, \beta) \neq 1$.
3) Computability: There exists an efficient algorithm to compute $\hat{e}(\alpha, \beta)$ for any $\alpha, \beta \in G$.
Several bilinear pairing types exist, i.e., Type-1 (symmetric), Type-2, Type-3, and Type-4. In this paper, we use Type-1 pairing ($G_1 = G_2$) and Type-3 pairing ($G_1 \neq G_2$ and absence of any computable isomorphism). Interested readers can refer to the article by the authors in [18] and [19] for more details.
Structure-Preserving Signatures on Equivalence Classes. Structure-preserving signatures on equivalence classes allow, among other properties, to generate unlinkable message-signature pairs on elements of the same equivalence classes.
Definition II.4. A structure-preserving signatures on equivalence classes scheme $S$ consists of the following algorithms.
$S.BGGen(1^k)$: on input a security parameter $k$, it outputs a bilinear group $BG$.
$S.KGen(BG, l)$: on input a bilinear group $BG$ and an integer $l$, it outputs a secret key $sk$ and a public key $pk$.
$S.Sign(m, sk)$: on input a message $m$ and a secret key $sk$, it outputs a signature $\sigma$.
$S.ChgRep(m, \sigma, \rho, pk)$: on input a message $m$, a signature $\sigma$ on $m$, a scalar $\rho$, and a public key $pk$, it outputs a message-signature pair $(M', \rho')$, being $M' = \rho \cdot M$.
$S.Vrf(m, \sigma, pk)$: on input a message $m$, a signature $\sigma$, and a public key $pk$, it outputs a bit $b \in \{0, 1\}$, where 0 indicates that $\sigma$ is not verified and 1 indicates that $\sigma$ is verified.
$S.VKey(sk, pk)$: on input a secret key $sk$ and a public key $pk$, it outputs a bit $b \in \{0, 1\}$, where 0 indicates that the keys are not related to each other, while a 1 indicates that they are related to each other.
In this paper, we use the structure-preserving signatures on equivalence classes scheme reported in [20], and originally defined by the authors in [21].
Non-Interactive Zero-Knowledge Proofs. Non-Interactive
Zero Knowledge Proofs (NIZKP) schemes allow a sender to
prove a statement to a verifier, while allowing the sender to
create proofs for such a statement offline, without an online
interaction with the verifier.
Definition II.5. A NIZKP scheme $NZ$ consists of the following algorithms.
$NZ.Setup(1^k)$: on input a security parameter $k$, it outputs a common reference string $crs$.
$NZ.Proof(crs, x, w)$: on input a common reference string $crs$, a statement $x$, and a witness $w$, it outputs a proof $\pi$.
$NZ.Vrf(crs, x, \pi)$: on input a common reference string $crs$, a statement $x$, and a proof $\pi$, it outputs a bit $b \in \{0, 1\}$, where 0 indicates that the statement is not verified, while a 1 indicates that the statement is verified.
In this paper, we use and adapt to our problem the Schnorr
NIZKP scheme [22].
Signatures of Knowledge. Signature of Knowledge
(SoK) schemes allow a sender, that has knowledge of a word,
to sign a message while allowing a receiver to verify the
knowledge of such a statement.
Definition II.6. A SoK scheme $SoK$ consists of the following algorithms.
$SoK.Setup(1^k)$: on input a security parameter $k$, it outputs a common reference string $crs$.
$SoK.Sign(crs, x, w, m)$: on input a common reference string $crs$, a word $x$, a witness $w$, and a message $m$, it outputs a signature $\sigma$.
$SoK.Vrf(crs, x, m, \sigma)$: on input a common reference string $crs$, a word $x$, a message $m$, and a signature $\sigma$, it outputs a bit $b \in \{0, 1\}$, where 0 indicates that the knowledge of the word $x$ is not verified, while a 1 indicates that the knowledge of the word $x$ is verified.
In this paper, we use the SoK scheme reported in [20] and
initially defined by the authors in [23].
CPA-Full and CCA2-Full Anonymity. In line with the
current literature on anonymous group signatures, in this
work, we distinguish between CPA-Full and CCA2-Full
Anonymity [20].
Definition II.7. We define a group signature scheme as CPA-
Full Anonymous if the scheme guarantees signer anonymity
provided that the adversary cannot issue opening requests for
specific signed messages.
Definition II.8. We define a group signature scheme as CCA2-
Full Anonymous if the scheme guarantees signer anonymity
also when the adversary can issue opening requests for specific
signed messages.
It is worth noting that, without loss of generality, CCA2-
Full Anonymity is stronger than CPA-Full Anonymity, as
the former does not imply any constraints on the interac-
tions between entities in the signature scheme. At the same
time, as will become evident from our experimental evalu-
ation (Sec. VII), CCA2-Full anonymity schemes are usually
more processing-intensive and energy-hungry than CPA-Full
anonymity schemes, which might become relevant in con-
strained scenarios.
III. RELATED WORK
A few contributions investigated security and privacy issues
connected with the adoption of the RID regulation.
The authors in [24] and [25] tried to integrate the concept
of mix zones, well-known in the Vehicular Ad-Hoc Networks
(VANET) area for pseudonym exchange, within the UA re-
search domain. However, mix zones require communication
with infrastructure elements, which might not always be
available in UA operations. The authors in [26] proposed
a decentralized traffic management protocol providing many
security services, including integrity and confidentiality, and
mainly focus on the security of the interactions between
regulatory entities. Thus, drones’ anonymity and authenticity
are not considered. The authors in [27] propose the integration
of the Hyperledger Iroha blockchain for the management of
drones’ remote identification. Based on the proposed system
architecture, drones register to the blockchain using their pub-
lic key and related certificate. At run-time, Internet-connected
drones provide remote identification information directly on
the blockchain, while drones not equipped with an Internet
connection delegate the closer GCS to write such information
on the blockchain. Thus, although providing authentication
and integrity of drones’ messages, anonymity and privacy of
drones are not considered in the design of such a solution.
The authors in [28] took into account the RID regulation,
but focused on location privacy rather than anonymity. To
this aim, they integrate the Differential Privacy (DP) tool
into the RID regulation, allowing drones to broadcast an
obfuscated location, so as to preserve location privacy. Thus,
the authors did not specifically investigate anonymity and
message authenticity.
Besides scientific contributions, a few commercial solutions
for drone remote identification are starting to appear on the
market. Examples include ScaleFyt designed by Thales [29],
the Broadcast Location and Identification Platform (BLIP)
designed by Unifly [30], and the Secure Airspace Integrated
Management (SIAM) tool provided by RelmaTech [31]. All
these solutions rely on the authentication and anonymity
services provided by the LTE cellular technology, which is,
however, not the communication technology currently envi-
sioned by the RID regulation and the DRIP WG of the IETF.
It is worth noting that anonymity for broadcasting devices
has also been considered by a few works outside the UA
area. In the area of VANET, many contributions investigated
anonymity issues for vehicles, such as [32], [33], and [34],
just to name a few. However, such schemes either require
a persistent external connection or infrastructure elements,
which might not always be available for UA operations, e.g.,
in remote areas.
In the avionic research domain, the authors in [35] proposed
to generate pseudonyms for online aircrafts using an on-
purpose Trusted Registration Authority, assumed to be always
available online. Such an approach is not feasible for UAs, as
most of them cannot rely on a persistent external connection.
Similarly, in the maritime research domain, the authors in [36]
proposed to anonymize vessels' identity using pseudonyms
generated by an online trusted authority, while the authors
in [37] proposed to adopt the IEEE P1609.02 scheme for
pseudonymous generation and disclosure. Note that standards
available for pseudonyms management, such as the IEEE
P1609.02, consider unicast scenarios, and not broadcast-type
interactions like the ones in RID.
Finally, we highlight that this contribution extends and