I wonder what encryption scheme is used in high-precision encrypted GPS streams (the so-called “P(Y) code”). If there's a master key needed, then it has to be in every device. Yet the master key doesn't seem to have ever leaked (unlike like game consoles or Apple devices).
So what could explain why military-precision channel GPS receivers haven't been hacked yet? How does the protocol work?
Am I going to regret posting this? There seems to be enough non-classified information available about GPS to answer this question.
I see 3 reasons why P(Y) encryption is different and less likely to be hacked than game console encryption:
Hardware containing the GPS decryption key is more difficult to obtain than hardware containing the game console decryption key.
Now that selective availability is turned off, even civilian receivers have positioning accuracy about as good as military receivers -- eliminating the biggest benefit of obtaining the GPS decryption key. (The other abilities that key gives a person -- receivers that are more resistant to spoofing, and spoofing transmitters that can cause even anti-spoofing military receivers to give bad location data -- are useless unless someone broadcasts spoofing transmissions, which for various reasons few people are willing to do).
From what I read on Wikipedia about the selective availability anti-spoofing module (SAASM) and the previous PPS-SM system, there is apparently no master key. Periodically a fresh new (and I suspect completely unguessably random) key is generated, distributed to all military units that require it, and then uploaded to the GPS satellites. After that the old key is pretty much useless. So even if one GPS decryption key did leak, it would only be useful for a short time.
I am not familiar with SAASM, but I have read a little bit about the older scheme PPS-SM and can answer that.
The SV (space vehicle - aka the satellite) transmits an encrypted P(Y) code. The encryption key, called Cryptovariable Daily Key (CVd) changes every day.
If the receiver wants to acquire the signal, it needs to produce a copy of the P(Y) code and therefore it needs the CVd key.
So how does the CVd key is obtained? There are two ways:
By loading the receiver a weekly key CVW. This key can generate daily keys for a specific week.
The daily key is actually transmitted by the SV in the navigation message. But it is encrypted by a yearly key called GUV. This key needs to be loaded into the receiver every year.
Both keys are stored inside the PPS-SM module, which is supposed to be secure and prevent tampering or leakage. It is enough for the military to state that the receiver is unclassified.
Back to your question:
The major reason for this scheme is to prevent spoofing.
PPS GPS: What is it? And How do I Get it?
https://www.globalsecurity.org/military/library/policy/usmc/mcwp/3-16-7/ch9.pdf
The master keys are kept very securely and are used to generate session keys which enable the decryption of the high-precision codes only for a limited time. Some military underling has the unfortunate task of priming all the GPS equipment with the codes for the time period for which their use is anticipated. It's common for the equipment to forget the keys and this is a major PITA.
If keyed equipment is obtained and hacked then only the session keys are recovered and they rapidly go stale while the overall security of the scheme is maintained. Of course this is pure speculation on my part. But it's how I'd do it... Oh wait a sec!
