Aerospace and Electronic Systems Magazine November 2017 - 30

Datalink Security in LDACS for Air Traffic Management

Figure 7.

Impact of fate sharing. The graph displays the probability of the security
verification to fail due to residual bit errors. The security verification
fails if there is one or more bit errors in the data covered by the security
data. The smallest proposed security coverage spans DLS fragments;
the largest security coverage spans the entire multiframe. Slot-based
and resource allocation-based security lie between these extremes. Error
recovery is performed by the DLS by retransmitting DLS fragments.
The shaded area identifies the worst-case increase in failure probability
due to fate sharing.

QUANTIFYING SECURITY OVERHEAD
Security in the DLS does not suffer from bit errors, because those
errors are corrected prior to security validation. However, DLS
overhead increases with the bit error rate, because finer fragmentation is required to achieve the desired fragment error rate of 5%
or lower. The subnetwork-based approach adds security overhead
only once to each packet. It is therefore instructive to investigate
security overhead in the datalink level-based approach against
overhead in the subnetwork-based approach.
Figure 8 displays the increase of security overhead under an
increasing residual bit error rate, assuming s = 128 bits of security
data per fragment or packet (shaded area in Figure 8). For bit error rates worse than 5 × 10−6, the security overhead of the datalink
layer-based approach increases significantly due to the smaller
fragment sizes and more frequent retransmissions.

QUALITATIVE ANALYSIS
Making LDACS more robust in the physical layer requires additional infrastructure: multiple ground stations, directed antennas,
or secondary datalinks. Having secondary datalinks as fallbacks
is the approach foreseen in the aeronautical telecommunications
network by SESAR. However, additional security functionality in
the datalink layer is still desirable to build additional layers of defense in depth.
Security at the multiframe level is problematic when it comes
to error recovery, latency requirements, and trust relationships in
the forward link. The theoretically good overhead ratio does not
compensate for these drawbacks. In addition, the reverse link cannot be protected by this approach, because multiple aircraft are
30

Figure 8.

Security overhead of subnetwork (SNDCP)-based security vs. DLSbased security. The shaded area identifies the increase of security
overhead due to DLS fragmentation and retransmissions. Nonsecurity
overhead is not displayed. For details on nonsecurity overhead, see [42].

consecutively contributing data to the multiframe structure, making it impossible for a single aircraft to secure all data prior to
its transmission. The same drawbacks hold for the slot-level approach.
Resource allocations are assigned to each aircraft separately.
Security at the resource allocation level would therefore circumvent the limited trust relationship problem. However, like the multiframe-based approach and the slot-based approach, this is not attractive due to large security validation failure probabilities caused
by residual bit errors.
Of the two remaining options, security in the DLS and security
in the subnetwork layer, the latter is more attractive due to its lower
overhead. A minor drawback of this approach is the comparably
high placement in the LDACS protocol stack. Security validation
can only happen when the subnetwork packet has been completely
received. In consequence, security violations are detected later
compared to implementation options lower in the protocol stack.
However, this does not decrease the level of security. Both approaches support per-application trust relationships as authentication, confidentiality, and integrity are applied on the packet level.
A summary of our findings for all implementation options
is displayed in Table 2. Each implementation option is matched
against the security objectives derived from the security requirements identified above.

PROPOSED INTEGRATION OF SECURITY FUNCTIONS INTO
THE PROTOCOL STACK
The LME sees to the configuration, resource management, and
mobility management of aircraft connected to a LDACS ground
station. Therefore, we claim that it is the appropriate place in the
protocol stack to place the security management functions (F_SecFunc). The LME has access to all sublayers of the system; therefore, it is natural to add the auditing function (F_Audit) here. The

IEEE A&E SYSTEMS MAGAZINE

NOVEMBER 2017

Table of Contents for the Digital Edition of Aerospace and Electronic Systems Magazine November 2017