I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

Protected ACARS (PACARS)

Jon Salisbury

The MITRE Corporation

CNS/ATM Conference 2011

Aerospace Management Systems Division

©2011 – The MITRE Corporation

Distribution Statement A: Approved for public release: 11-2570 and 66ABW-2011-0657. Distribution Unlimited

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

Overview

• Aircraft Communications Addressing and

Reporting System (ACARS)

• ACARS Message Security (AMS)

• Security Scheme

• Tools

• Session Management

• Examples

• Way Ahead

2

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

ACARS and the USAF

• ACARS is a global data link network developed by commercial

airlines in 1978

• USAF is equipping with ACARS as part of CNS/ATM

modernization program

• USAF desires ACARS message security for

– Air Traffic Service (ATS) messages

– Airline Operational Control (AOC) messages

3

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

Military Use of ACARS

• ACARS provides many benefits to the USAF:

– ATS

• Direct data link connectivity between flight crew and air

traffic control

• Ability to modify flight plans en route

• Automated position reporting

• Access to preferred routes

– AOC

• Mission planning

• In transit visibility and flight following

• Dynamic asset reallocation

4

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

ACARS Security Problem

5

AOC messages are Human-readable and character-based ACARS transmissions are easy to monitor (just need a PC, RF scanner, and free software)

What may

be

disclosed?

Graphical

Position

Reports

Contact

Reports

Message

Logs

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

Standardization of AMS

• Industry desire to address ACARS security

problem via standard solution

– Objective was an interoperable solution initiated

within the Airlines Electronic Engineering

Committee (AEEC)

• Expected to minimize costs to airlines,

avionics vendors, data link service providers,

civil aviation authorities and others

• Standard is ARINC 823

6

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

AMS Protection Modes

• SIGN Protection Mode

– Used only during a Public/Private Key session initiation

– Uses a Elliptic Curve Digital Signature

• AUTH Protection Mode

– Appends a message authentication code to the message

without payload encryption

• BOTH Protection Mode

– Appends a message authentication code to the message and

applies encryption to the payload

• NONE Protection Mode

– Does not apply a protection mode to the message

7

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

AMS Compression Modes

• Implementers can choose DMC, DEFLATE or both

• Dynamic Markov Compression (DMC)

– Optimization Level 0

• Employs small Markov model, better for legacy platforms with

data memory constraints

– Optimization Level 1

• Employs a large Markov model, which offers better

compression than Level 0, recommended for newer platforms

• DEFLATE

– Removes redundancies in the uncompressed data stream by

replacing recurring streams with backward references to

previous occurrences of the same strings

8

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

Security

• USAF interested in:– AOC (C2) message security: End-to-End AMS

• Near term

• Character-oriented, human readable messages create largest

vulnerability

• Unable to exploit ACARS for AOC until mitigated

• Feasible as both airborne and ground end systems are

owned/controlled by USAF

– ATS message security: DSP-based AMS

• Mid/long term

• Bit-oriented, nonhuman readable messages reduce risk

• Other protections already inherent in ATS messages

• ATS providers not investing in security at this time

• Only airborne end system is owned/controlled by the USAF

9

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

AMS Architecture

10

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

KC-135 PACARS Phase History

11

­­­

Dependent on Phase II prototype testingUnfunded

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

Testing Configuration

12

Broadcast

Data

Mapper

Access

Database

DM

Server

IPCABLE PC

FMC(ARINC 702)

ARINC 429

Broadcast Data

Printer

Airborne

Data

Loader

MCDU(ARINC 739)

CMU-900

ARINC 656 IPC Interface

VHF (AIR)VHF

(GROUND)

ARINC Ground

Network

BEDP1MC

(Protected

ACARS Test

Tool)

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

End-to-End Protection

13

CMU-900VHF

(AIR)

VHF

(GROUND)

ARINC

Ground

Network

BEDP1MC

(Protected

ACARS

Test Tool)

Messages are protected ALL the way through the network. From

air-ground to ground-ground to ground user.

Payload Encode

Payload Compress

Payload Encrypt

Payload Decrypt

Payload

Decompress

Payload Decode

AIR UserGround

User

AMS

Libraries

(ARINC 823)

AMS

Libraries

(ARINC 823)

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

System Mapping

14

CMU-900VHF

(AIR)

VHF

(GROUND)

ARINC

Ground

Network

BEDP1MC

(Protected

ACARS

Test Tool)

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

Prototype CMU-900

• Software only solution

– Baselined from KC-135 Block 40.5 ATS and AOC

applications

– Absolutely no change to hardware or architecture

– Simple solution to protect AMC’s largest fleet

• For Testing

– Hard coded keys for digital signature

• RCAT tail number hardcoded (160414)

– HMAC-SHA256 for Message Authentication Code

– AES Encryption

– BOTH protection mode

– DEFLATE compression

15

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

Tools in RCAT

• RCAT (Reconfigurable Cockpit Avionics Testbed)

– USAF Lab hosted at MITRE Bedford

– Test facility for Data Comm capabilities on various military aircraft

• Protected ACARS Test Tool (PATT)

– Developed by ARINC

– Ground peer that incorporates ARINC 823 libraries (AMS)

– Capable of processing canned KC-135 AOC messages

• ABLE

– Rockwell Collins’ avionics simulation tool

– Used to simulate ARINC 750 (VHF) over ARINC 429 in Rockwell’s

SIL for lab demonstration

– Used in RCAT to simulate IPC and MCDU

• Connected via Condor 429 PCI card to CMU

• PC ACARS

– ACARS ground VHF monitoring tool

16

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

Secure Session Initiation

17

Tanker Airlift

Control Center

(TACC)

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

Secure Session Initiation

18

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

Secure Session Termination

19

Tanker Airlift

Control Center

(TACC)

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

Secure Session Termination

20

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

OOOI Reports

21

Protected

Unprotected

Out

Off

OnIn

Flight Summary

Out

Off

OnIn

Flight Summary

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

FANS During Secure Session

22

Protected AOC Message

Protected AOC Message

AFN Logon to KRCT

CPDLC Connect Confirm

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

PATT OOOI Reports

23

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

Next Steps

– Complete Phase II testing & provide feedback to AMC

– Go/No-go decision on Phase III and/or acquisition• If Phase III:

– 4 node testing

» 2 CMUs

» 2 ground systems

– Ops concept studies & recommendations including

» Key generation

» Key distribution

» Key management

• If acquisition:

– Develop ops concept

– Assist platforms during procurement

– Enhance RCAT PACARS capabilities in support of acquisition &

deployment

• Modified CMU(s)

• PATT

24

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

Backups

25

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

Aircraft Initiated Session Initiation

26

TACC

(Ground)

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

Ground Initiated Session Initiation

27

TACC

(Ground)

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

Aircraft Secure Data Exchange

28

TACC

(Ground)

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

Sequence of Operations

29

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

Ground Secure Session Termination

30

TACC

(Ground)

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

Aircraft Secure Session Termination

31

TACC

(Ground)

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

CMU-900

32

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

Test Network Ground Station

33

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

Dual MCDUs

34

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

War-winning Capabilities…On Time, On CostDelivering what we promised when we promised

Ground Workstation/User

35