Challenge-Response Authentication for LEO Satellite Channels: Exploiting Orbit-Specific Uniqueness

Jinyoung Lee, Stefano Tomasin, Dong-Hyun Jung

Abstract

The number of low Earth orbit (LEO) satellite constellations has grown rapidly in recent years, bringing a major change to global wireless communications. As LEO satellite links take on a growing role in critical services such as emergency communications, navigation, wide-area data collection, and military operations, keeping these links secure has become an important concern. In particular, verifying the identity of a satellite transmitter is now a basic requirement for protecting the services that rely on satellite access. In this article, we propose an active challenge-response authentication framework in which the verifier checks the satellite at randomly chosen times that are not known in advance, removing the fixed measurement window that existing passive methods expose to adversaries. The proposed framework uses the deterministic yet unpredictably sampled nature of orbital observables to establish a physics-based root of trust for satellite identity authentication. This approach transforms satellite authentication from static feature matching into a spatiotemporal consistency verification problem inherently constrained by orbital dynamics, providing robust protection even against trajectory-aware spoofing attacks.

Paper Structure

This paper contains 30 sections, 5 figures, 1 table.

Figures (5)

  • Figure 1: Geometric illustration of the Keplerian orbital elements in the Earth-centered inertial (ECI) reference frame.
  • Figure 2: Coordinate transformation chain from the perifocal orbital frame to the receiver's local frame and the resulting parameter estimations. The satellite position in the perifocal frame $\mathbf{p}_\text{s}^{\mathrm{pf}}$, parameterized by the true anomaly $\nu$, is first converted to the ECI frame through three intrinsic rotations about the $z$-$x'$-$z''$ axes by $\Omega$, $i$, and $\omega$, respectively, using elementary rotation matrices $\mathbf{R}_\alpha(\cdot)$, where $\alpha \in \{x, y, z\}$ denotes the axis of rotation. The ECI position is then transformed to the ECEF frame by rotating by the Greenwich mean sidereal time (GMST) angle $\theta_{\mathrm{GMST}}$, and subsequently projected into the local receiver frame defined by latitude $\lambda$ and longitude $\psi$. The slant range $r(t)$ between the satellite and the receiver is computed from the ECEF positions of the satellite $\mathbf{p}_\text{s}^{\mathrm{ecef}}$ and the receiver $\mathbf{p}_\text{r}^{\mathrm{ecef}}$. From $r$ and its time derivative $\dot{r}$, five observable features are estimated: RTT $\tau$, RSP $P_\text{r}$, Doppler shift $f_\text{D}$, elevation AoA $\theta$, and azimuth AoA $\phi$.
  • Figure 3: Overview of the proposed active challenge-response authentication framework. Here, $T_1, T_2, \dots$ denote the absolute time slots within the satellite visibility window, and $t_1, t_2, \dots, t_N$ denote the $N$ time slots randomly selected from them and arranged in chronological order. In Stage 1, Bob measures kinematic features and constructs a CCM from satellite ephemeris data. In Stage 2, Bob issues randomized temporal challenges at $t_1, t_2, \dots, t_N$ and acquires multi-feature responses. An adversary, Trudy, may attempt to inject a forged signal. In Stage 3, Bob compares the observed features against the CCM: Alice exhibits a consistent orbital trajectory, while Trudy's response reveals kinematic inconsistencies that expose the impersonation attempt.
  • Figure 4: Conceptual illustration of the collinear attack scenario and the verifier’s authentication model. Trudy attempts to match the AoA ($\theta$) of Alice at selected timestamps, e.g., $t_1,\dots,t_N$, while the verifier tracks the temporal consistency of physical features using the CCM table. In Scenario I (blind adversary), both AoA and Doppler are jointly used for multi-feature, multi-timestamp authentication. In Scenario II (informed adversary), Doppler is pre-compensated, and authentication relies on multi-timestamp AoA authentication.
  • Figure 5: Spatiotemporal trajectory analysis and authentication performance under different altitudes of Trudy (Top: $500$ km, Bottom: $1200$ km). (a) Elevation AoA trajectory mismatch, (b) Kinematic Doppler trajectory mismatch, and (c) Authentication performance (Minimum DEP) versus the number of observation samples $N$. Scenario I follows the "AoA + Doppler (fixed)" curve, while Scenario II is restricted to the "AoA only (fixed)" curve due to Trudy's Doppler pre-compensation. Notably, Scenario III unpredictably selects $N$ timestamps across the entire time slot, following the "AoA only (random)" curve. This temporal randomness intrinsically captures the accumulated kinematic drift, drastically accelerating impersonator detection compared to conventional fixed sampling even when the initial spatial parameters are perfectly matched. For the performance evaluation, the measurement noise standard deviations of the elevation AoA and Doppler shift are set to $\sigma_{\theta} = 1.0 \text{ deg}$ and $\sigma_{f_D} = 200 \text{ Hz}$, respectively.
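
The three stages of Figure 3, restricted to the elevation AoA and driven by the Figure 2 transformation chain, can be sketched as follows; this is an added example, not the authors' code. It assumes a circular orbit, a spherical Earth, active rotation matrices, and a mean-squared-residual threshold (`max_msq`) that the page does not specify; Alice's orbit, the receiver site and the slot grid are constructed values.

```python
import math, secrets

MU, R_E, W_E = 398600.4418, 6371.0, 7.2921159e-5   # km^3/s^2, km, rad/s

def rot(axis, ang, v):
    """Rotate vector v by ang (rad) about the 'x' or 'z' axis (active rotation)."""
    c, s, (x, y, z) = math.cos(ang), math.sin(ang), v
    return (c*x - s*y, s*x + c*y, z) if axis == "z" else (x, c*y - s*z, s*y + c*z)

def elevation_deg(t, alt_km, Omega, inc, omega, lat, lon, gmst0=0.0):
    """Elevation AoA in degrees at time t; circular orbit with nu(0) = 0 assumed."""
    a = R_E + alt_km
    nu = math.sqrt(MU / a**3) * t                       # true anomaly
    p = (a*math.cos(nu), a*math.sin(nu), 0.0)           # perifocal position
    for axis, ang in (("z", omega), ("x", inc), ("z", Omega)):
        p = rot(axis, ang, p)                           # perifocal -> ECI
    p = rot("z", -(gmst0 + W_E*t), p)                   # ECI -> ECEF (GMST angle)
    up = (math.cos(lat)*math.cos(lon), math.cos(lat)*math.sin(lon), math.sin(lat))
    d = [ps - R_E*u for ps, u in zip(p, up)]            # receiver -> satellite
    r = math.sqrt(sum(c*c for c in d))                  # slant range r(t)
    sin_el = sum(c*u for c, u in zip(d, up)) / r
    return math.degrees(math.asin(max(-1.0, min(1.0, sin_el))))

def build_ccm(slots, orbit, site):
    """Stage 1: expected elevation for every slot, from the ephemeris."""
    return {t: elevation_deg(t, *orbit, *site) for t in slots}

def pick_challenges(slots, n, rng=None):
    """Stage 2: n unpredictable slots (OS CSPRNG by default), chronological."""
    return sorted((rng or secrets.SystemRandom()).sample(list(slots), n))

def authenticate(ccm, responses, sigma_deg=1.0, max_msq=9.0):
    """Stage 3: accept when the mean squared normalized residual is <= max_msq."""
    msq = sum(((obs - ccm[t]) / sigma_deg) ** 2
              for t, obs in responses.items()) / len(responses)
    return msq <= max_msq, msq

# Constructed scenario: Alice's orbit, the site and the slots are not from the paper.
SLOTS = range(0, 301, 10)                               # visibility window, s
SITE = (0.0, 0.0)                                       # receiver lat, lon (rad)
ALICE = (550.0, 0.0, math.radians(53.0), 0.0)           # alt km, Omega, i, omega
TRUDY = (1200.0, 0.0, math.radians(53.0), 0.0)          # overhead with Alice at t=0

def demo(rng=None):
    ccm = build_ccm(SLOTS, ALICE, SITE)
    ts = pick_challenges(SLOTS, 4, rng)
    forged = {t: elevation_deg(t, *TRUDY, *SITE) for t in ts}
    return ts, authenticate(ccm, {t: ccm[t] for t in ts}), authenticate(ccm, forged)

if __name__ == "__main__":
    print(demo())
```

Both transmitters sit at 90 degrees elevation at t = 0, so a single check at that instant cannot separate them; the residual only appears at the later, randomly drawn slots.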