A Location Based Encryption Technique and

Some of Its Applications

Logan Scott, GeoCodex LLC, LS Consulting
Dorothy E. Denning, GeoCodex LLC, Naval Postgraduate School

BIOGRAPHY ABSTRACT

Logan Scott is a consultant specializing in radio Location based encryption enhances security by
frequency signal processing and waveform design for integrating position and time into encryption and
communications, navigation, radar, and emitter location. decryption processes. We find that from a security
He has more than 24 years of military GPS systems perspective, it is not enough to simply enable or disable
engineering experience. As a senior member of the decryption based on location and time; these aspects must
technical staff at Texas Instruments, he pioneered be integrated into the key construction process.
approaches for building high-performance, jamming- Furthermore, keys or files in transit should not reveal
resistant digital receivers using large-scale application- anything regarding their locations/times of applicability.
specific integrated circuit (ASIC) technologies. He has After reviewing the objectives of location-based
developed gain and frequency plans, non-uniform encryption, this paper introduces a specific approach
analog/digital conversion techniques, fast acquisition called geo-encryption.
architectures, Baseband signal processing algorithms and
adaptive array approaches. He is currently involved in The described geo-encryption approach builds on
projects to provide location based encryption and established cryptographic algorithms and protocols in a
authentication. He holds 27 US patents. way that provides an additional layer of security beyond
that provided by conventional cryptography. It allows
Dr. Dorothy E. Denning is a founding partner in data to be encrypted for a specific location(s) or for
GeoCodex and a professor in the Department of Defense specific area(s), e.g. a corporation’s campus area.
Analysis at the Naval Postgraduate School. Her current Constraints in time as well as location can also be
work encompasses the areas of cybercrime and enforced. Geo-encryption can be used with both fixed and
cyberterrorism, information warfare and security, and mobile applications and supports a wide range of data
cryptography. She has published 120 articles and four sharing and distribution policies.
books, her most recent being Information Warfare and
Security. She is an ACM Fellow and recipient of several We then discuss a process of applying successive geo-
awards, including the Augusta Ada Lovelace Award and encryptions at the originating node to enforce specific
the National Computer Systems Security Award. In geographic routings for transmission to the final
November 2001, she was named a Time magazine destination node. With each intervening node removing
innovator. Dr. Denning received the B.A. and M.A. one layer of encryption, unless the file has gone through
degrees in mathematics from the University of Michigan the proper sequence of nodes, decryption will fail. Using
and the Ph.D. degree in computer science from Purdue a similar process, messages can be location authenticated
University. She has previously worked at Georgetown by applying one layer of encryption at each intervening
University, Digital Equipment Corporation, SRI node.
International, and Purdue University. She holds 1 US
patent. Next, we discuss some specific applications. In the
civilian sector, there has been a great deal of interest in
providing location-based security for digital cinema
distribution and forensic analysis in cases of piracy. In
this application, the same, large (25 to 190 Gbyte),
encrypted media file might be used at multiple theatre
locations but with distinct GeoLocked keys specific to the

ION NTM 2003, 22-24 January 2003, Anaheim, CA 734

intended recipient location and exhibition license. This Network and computer security is rarely breeched using a
provides a secure and efficient point to multipoint brute force attack against cryptographic elements; the
distribution model applicable to distributions via satellite algorithms are simply too strong. Instead, attackers rely
or DVD. At the exhibition hall, robust on myriad techniques that take advantage of operating
watermarking/steganographic techniques can introduce systems features, attack protocols, use insider access,
location, time and exhibition license information into the exploit human weaknesses, or obtain information through
exhibition for subsequent use in piracy investigations. social engineering.

For the military GPS user, we show how individual Geo-encryption builds on established cryptographic
waypoints can be uniquely encrypted so as to be algorithms and protocols in a way that provides an
accessible only when the set is physically within the route additional layer of security beyond that provided by
parameters; both location and time wise. An intact, conventional cryptography. It allows data to be encrypted
captured set would not reveal mission parameters. for a specific place or broad geographic area, and supports
constraints in time as well as space. It can be used with
INTRODUCTION both fixed and mobile applications and supports a range
of data sharing and distribution policies. It provides full
On September 17, 2000, Qualcomm CEO and Chairman protection against attempts to bypass the location feature.
Irwin Jacob’s IBM Thinkpad computer was stolen while Depending on the implementation, it can also provide
he stood a few feet from it. strong protection against location spoofing.

“…was startled to find his laptop missing from GEOENCRYPTION

the podium after he wrapped up questions from
the Society of American Business Editors and The term “location-based encryption” is used here to refer
Writers in Irvine, Calif.” Forbes Magazine to any method of encryption wherein the cipher text can
only be decrypted at a specified location. If an attempt is
Fortunately, his hard drive was password protected. made to decrypt the data at another location, the
decryption process fails and reveals no information about
“… at one of the largest technology companies, the plaintext. The device performing the decryption
where policy required that passwords exceed 8 determines its location using some sort of location sensor,
characters, mix cases, and include numbers or for example, a GPS receiver or some other satellite or
symbols... radio frequency positioning system.

• L0phtCrack obtained 18% of the passwords Location-based encryption can be used to ensure that data
in 10 minutes cannot be decrypted outside a particular facility, for
• 90% of the passwords were recovered within example, the headquarters of a government agency or
48 hours on a Pentium II/300 corporation, or an individual’s office or home.
• The Administrator and most Domain Admin Alternatively, it may be used to confine access to a broad
passwords were cracked” geographic region. Time as well as space constraints may
@stake website advertising their LC4 password be placed on the decryption location.
audit and recovery product
A Short Tutorial On Encryption Algorithms
Government people know better.
Broadly speaking; encryption algorithms can be divided
“The Pentagon is investigating whether into two categories; symmetric algorithms and
ultrasecret "black programs" were compromised asymmetric algorithms. Referring to figure 1, symmetric
by former CIA Director John Deutch after he put algorithms use the same key for encrypting and
details about some of the Defense Department's decrypting plaintext. Numerous, very fast symmetric
most sensitive activities on his home computers.” algorithms are in widespread use including: DES &
Washington Times, 17 February 2000. Triple-DES as described in [1] and the newly released
Advanced Encryption Standard (AES) described in [2].
People tend to be the weakest link in security. Keeping the key private is essential to maintaining
security and therein lays the key question; how to share
On the subject of computer security: “…the keys securely. Numerous techniques have been developed
mathematics are impeccable, the computers are and the interested reader is directed to [3] for further
vincible, the networks are lousy, and the people discussion.
are abysmal.” Bruce Schneier, “Secrets & Lies,
Digital Security in a Networked World

ION NTM 2003, 22-24 January 2003, Anaheim, CA 735

 Figure 1: Symmetric Algorithm Figure 3: Hybrid Algorithm
Generate
Generate Plaintext
Random
Random Key
Key
Plaintext Key
Encrypt
Encrypt
Key
Encrypt
Encrypt Key_E
Encrypt
Encrypt
Cyphertext
Encrypted Key Cyphertext
Key
Decrypt
Decrypt Key_D
Decrypt
Decrypt
Plaintext Key
Decrypt
Decrypt

Plaintext

Asymmetric algorithms are comparatively new on the

scene with the first published description [4] in 1976.
both parties to communicate securely using a much faster
Also known as Public Key algorithms, these algorithms
symmetric algorithm. The hybrid approach has found
have distinct keys for encryption and decryption as is
wide application, most notably on the Internet where it
shown in figure 2. Here, Key_E can be used to encipher
forms the basis for secure browsers (Secure Socket Layer
the plaintext but not to decipher it. A separate key
(Key_D) is needed to perform this function. (SSL)) and secure e-mail.

The GeoEncryption Algorithm

Figure 2: Asymmetric Algorithm
In principle, one could cryptographically bind (attach) a
set of location and time specifications to the cyphertext
Plaintext
file and build devices that would decrypt the file only
Key_E
Encrypt
Encrypt when within the specified location & time constraints.
There are several potential problems with such an
Cyphertext approach:
Key_D
Decrypt
Decrypt
• The resultant file reveals the physical location of
Plaintext the intended recipient. The military frowns on
this sort of thing, at least for their own forces.
Furthermore, it provides vital information to
someone who wants to spoof the device.
In principle, to securely convey the plaintext, the intended
• If the device is vulnerable to tampering, it may
recipient could generate a key pair (Key_E, Key_D) and
be possible to modify it so as to completely
send Key_E, the public key, to the originator via
bypass the location check. The modified device
unsecured channels. This would allow the originator (or
would decrypt all received data without
anyone else) to encrypt plaintext for transmittal to the
acquiring its location and verifying that it is
recipient who uses Key_D, the private key, to decrypt the
correct. Alternatively, an adversary might
plaintext.
compromise the keys and build a modified
decryption device without the location check.
RSA, named after its creators Rivest, Shamir & Adleman
Either way, the modified device could be used
is perhaps the most popular asymmetric algorithm in use
anywhere and location would be irrelevant
today. Its security is based on the difficulty of factoring
large prime numbers.
As another possibility, one might consider using location
itself as the cryptographic key to an otherwise strong
One major drawback with asymmetric algorithms is that
encryption algorithm like AES. This is ill advised in that
their computational speed is typically orders of magnitude
location is unlikely to have sufficient entropy
(~1,000) slower than comparable symmetric algorithms.
(uncertainty) to provide strong protection. Even if an
This has led to the notion of hybrid algorithms such as the
adversary does not know the precise location, there may
one shown in figure 3.
be enough information to enable a rapid brute force attack
analogous to a dictionary attack. For example, suppose
Here, a random key, sometimes called the session key, is
that location is coded as a latitude-longitude pair at the
generated by the originator and sent to the recipient using
precision of 1 centimeter, and that an adversary is able to
an asymmetric algorithm. This session key is then used by

ION NTM 2003, 22-24 January 2003, Anaheim, CA 736

narrow down the latitude and longitude to within a to the recipient, much like we saw in the Hybrid
kilometer. Then there are only 100,000 possible values algorithm of figure 3. On the recipient (decryption) side,
for each of latitude and longitude, or 10 billion possible GeoLocks are computed using an AntiSpoof GPS receiver
pairs (keys). Testing each of these would be easy. for PVT input into the PVT→GeoLock mapping function.
If the PVT values are correct, then the resultant GeoLock
Applying an obfuscation function to the location value will XOR with the GeoLocked key to provide the correct
before using it as a key could strengthen this approach; session key (Key_S).
however, the function would have to be kept secret in
order to prevent the adversary from doing the same. In PVT→GeoLock mapping function
general, security by obscurity is scoffed at, because once
the secret method is exposed, it becomes useless. The Sidestepping the issue of what constitutes an AntiSpoof
entire security system collapses like a house of cards. receiver for the moment, we now address how GeoLocks
are formed. Figure 5 shows a notional diagram of a
A guiding principle behind the development of PVT→GeoLock mapping function where latitude,
cryptographic systems has been that security should not longitude and time constitute the inputs. Here, a regular
depend on keeping the algorithms secret, only the keys. grid of latitude, longitude and time values has been
This does not mean that the algorithms must be made created, each with an associated GeoLock value.
public, only that they be designed to withstand attack
under the assumption that the adversary knows them. Figure 5: PVT→GeoLock Mapping Function
Security is then achieved by encoding the secrets in the
keys, designing the algorithm so that the best attack B 412480 9 A F 4534E7 281 841B D 60A B 7C F A
requires an exhaustive search of the key space, and using
sufficiently long keys that exhaustive search is infeasible. E3D 73F 28 A 4054 068 93919767 6E76ED 2A

576F 459 5 C 8F 3262A 4 E1 8C C0A 43653816

GeoCodex’s GeoEncryption algorithm addresses these E6 10 14 C 9 55 F C 38 5D C 6 7 F 2 9 B E1 5 D D 2 7

issues by building on established security algorithms and EEA B 8B 2B F E8 205A 7 F 82C 9516 F C 6D 27D D
Latitude
protocols. Referring to figure 4, our approach modifies D 5 88 6 0C E
11A E2637

8 2 D EC E4 1
B 8323B 7F

D 3 A 8 3 78 E
952E357 4

1 27 5 06 C 0
43D 264E8

the previously discussed Hybrid algorithm to include a 814C C F 71 1D AB F D 91 85383231 F 2F 7218C

GeoLock. 7C 09A 4D 6 1482C 152 124C 121 4 266B 1F 6D

Figure 4: GeoCodex GeoEncryption Algorithm

D 6 F 0 25 7 9 4 99 D 9 5 99 58 8 D A 91 6 6 8A 95 3 23

95C B D C 2C 28D BB 56 E A A D 8D F 8E 781 20469

Recipient
Recipient Location,
Location, Generate
Generate Plaintext
Velocity
Velocity &
& Time
Time Block
Block Random
Random Key
Key F 0 E7 4 52 3 5 D F 41 C 1 7 93 F 3 5 66 1 1 45 2 7F 1D

Encrypt
Encrypt
PVT →
PVT → GeoLock
GeoLock Key_S
Mapping
Mapping ⊕
⊕
e
Key_E m
Ti
GeoLock
Encrypt
Encrypt
GeoEncryption
GeoEncrypted Key Cyphertext Longitude
AntiSpoof
AntiSpoof Enhanced
Enhanced Key_D
Decrypt
Decrypt
GPS
GPS Receiver
Receiver Grid spacing must take into account the accuracy of the
PVT →
PVT → GeoLock
GeoLock ⊕
⊕ Decrypt
Decrypt GPS receiver at the decrypting site; otherwise erroneous
Key_S
Mapping
Mapping GeoLock values may result. It makes no sense to have
Plaintext
GeoDecryption 1cm grid spacing if using a standalone GPS receiver.
Conversely, if using an RTK style receiver capable of
2cm accuracy, 10-meter grid spacing is overly
conservative. Grid spacing may also be wider in the
On the originating (encrypting) side, a GeoLock is
vertical direction to account for poorer vertical
computed based on the intended recipient’s Position,
positioning accuracy typical in most sets because of
Velocity, and Time (PVT) block. The PVT block defines
satellite geometries [5].
where the recipient needs to be in terms of position,
velocity & time for decryption to be successful. The
Figure 6 shows the number of possible grid points on the
GeoLock is then XORed with the session key (Key_S) to
planet as a function of grid spacing, ignoring altitude,
form a GeoLocked session key. The resultant is then
encrypted using an asymmetric algorithm and conveyed time and velocity.

ION NTM 2003, 22-24 January 2003, Anaheim, CA 737

 Figure 6: Number of Distinct Grid Locations Civilian sets can be made difficult to spoof through a
series of hardening measures. These include a variety of
1.E+22
5.1E+20 signal’s checks:
Number of Distinct Grid Locations On Planet

1.E+20
5.1E+18

1.E+18 • Use J/N meter to check for above normal energy

5.1E+16

1.E+16
levels
5.1E+14
• Monitor C/No meter for Consistency/
Earth

1.E+14
5.1E+12 Unexpected C/No given J/N
1.E+12
5.1E+10 • Monitor Phase Difference Between Antenna
1.E+10 Elements (All signals shouldn’t come from the
5.1E+08
1.E+08
same direction)
1000 100 10 1 0.1 0.01 0.001 • Deep Acquisition to Look for Weak, Real
Grid Size (meters)
Signals

A more complete PVT→GeoLock mapping function Numerous navigation checks can also be instituted:
could actually have eight inputs:
• Compare “Watch Time” with “Signals Time”
• Position (East, North, Up) (Most signal generators can’t synchronize with
• Velocity (East, North, Up) GPS time)
• Time • Continuity Checks in Time and Position (There
• Coordinate System Parameters is no hyperspace button in real life)
• Consistency with other Navigation Sensors
The velocity inputs might actually map into a minimum • Large Residuals, Particularly in Differential
speed requirement so as to ensure that the recipient is Correction Channel(s)
actually underway. Including coordinate system • RAIM Type Functions
parameters in the PVT→GeoLock mapping function
provides support for non-stationary reference frames. This With careful attention to detail, civilian sets do not have
feature might be used, for example, in communicating to be as vulnerable to spoofing as most of them are.
with a satellite.
Relay Encryption to Force a Particular Routing & For
The grid could just as well been based on a Military Grid Authentication
Reference System (MGRS) or it’s close cousin UTM. In
fact, any arbitrary shapes could have been used; for Successive Geo-encryption can be used to force data
example the shape of the Disneyland theme park could and/or keys to follow a specific geographical path before
map to a single GeoLock value so as to permit successful it can be decrypted. This is achieved by applying multiple
decryption when located in the theme park but not when geo-locks at the origination node prior to transmittal using
outside. a procedure such as the one shown in figure 7. As each
required node is traversed, one layer of GeoLocking is
Finally, we note that the PVT→GeoLock mapping removed, thus ensuring the desired path has been
function itself may incorporate a hash function or one- followed.
way function with cryptographic aspects in order to
hinder using the GeoLock to obtain PVT block values. Figure 7: Successive GeoLocking to Force A
Similarly, the algorithm may be deliberately slow and Particular Routing
difficult; perhaps based on solving a difficult problem.
Origination Node
A Few Quick Observations On AntiSpoof Receivers RK L1(RK) L2(L1(RK))
L1
L1 L2
L2 L3
L3
Most civilian receivers are trivially simple to spoof;
Key ID Key ID Key ID
simply hook up one of the many excellent signal Valid Times
Receive Location
Valid Times
Receive Location
Valid Times
Receive Location
simulators available and the receiver will buy into
whatever PVT values you want [6]. This is why military
receivers use Y-code; an encrypted version of P-code. L3(L2(L1(RK))) L2(L1(RK)) L1(RK) RK
Unless the spoofer has access to the correct cryptographic U3
U3 U2
U2 U1
U1
keys and knows how to generate Y-code from P-code, it
Key ID Key ID Key ID
can’t spoof the military set. He may be able to jam it, but Secure Time
Secure Position
Secure Time
Secure Position
Secure Time
Secure Position
not spoof it.

ION NTM 2003, 22-24 January 2003, Anaheim, CA 738

Relay encryption might be useful for applications that towards piracy based on the music industry’s experience
employ regional distribution centers for the distribution of with Napsterization. Music sales are down 8% and
data supplied by producers. For example, in subscription company valuations are down 40%, largely because of
television, the producers could be the television networks, piracy.
while the distributors are cable or satellite television
providers. A producer could lock a key initially to a As a consequence, there has been significant interest in
geographic region covered by one of the distributors using providing location-based security for digital cinema
a key known only to the subscribers, and then to the distribution and forensic analysis in cases of piracy.
precise location of the distributor using the distributor’s GeoCodex has been working with Digital Cinema
key. The distributor would unlock its geo-lock before Ventures (DCV) to develop security techniques specific
broadcasting the programming to subscribers, who would to this industry.
then unlock the regional geo-lock and decrypt the
cyphertext. In this application, the same, large (25 to 190 Gbyte),
encrypted media file might be used at multiple theatre
In some applications, it may be desirable to know that a locations nationwide but with distinct GeoLocked keys
message has followed a particular route. Figure 8 depicts specific to the intended recipient location and its
a process similar to the Route Forcing technique for exhibition license. This provides a secure and efficient
achieving this, where each traversed node in effect stamps point to multipoint distribution model applicable to
the message with its PVT values. distributions via satellite or DVD. At the exhibition hall,
robust watermarking/steganographic techniques can
Figure 8: Route Authentication By Successive introduce location, time and exhibition license
GeoEncryption information into the exhibition for subsequent use in
RK L1(RK) L2(L1(RK))
piracy investigations.
L1
L1 L2
L2 L3
L3

Key ID Key ID Key ID

Figure 9 depicts a media distribution reference model
Valid Times
Secure Position
Valid Times
Secure Position
Valid Times
Secure Position
wherein a Studio Control policy is maintained. In this
model, we start with the Telecine, which produces the
Destination Node Digital Cinema Master, an uncompressed, highest
L3(L2(L1(RK))) L2(L1(RK)) L1(RK) RK resolution digital version taken from the film masters. The
U3
U3 U2
U2 U1
U1

Key ID Key ID Key ID

Figure 9: Media Distribution Reference Model
Secure Time
Expected Location 3
Secure Time
Expected Location 2
Secure Time
Expected Location 1
(Studio Control Version)

{L2A,L3A,L4A} Lock/UnLock
Studio Entity Identifier
Studio Proxy
Proxy (SP)
(SP) Instance
{L1A} {U1A,L0A} L1A
APPLICATIONS EXAMPLES Digital
Cinema L4A(L3A(L2A(L0A)))
Master Post
Post Post
Post
Telecine
Telecine Production
Production Production
Production Distribution
Distribution
{U4A
To show how GeoEncryption can be applied to real world L1A House
House L0A Server
Server Carrier
Carrier Server
Server From SP}

problems, we discuss two examples: digital cinema Re: Media

File
Multiple
Versions
Multiple
Encryptions Satellite, DVD

distribution, and, GPS receiver waypoint GeoEncryption. Locking

Locking
Facility
Facility {U2A, U0A, L5A from SP}
L3A(L2A(L0A))
Fiber Optic
{U3A
From SP}
UnLocking
UnLocking Local
Projector
Projector with
with L2A(L0A) Theatre Local
Digital Cinema Distribution Facility
Facility
Watermarking
Watermarking
Facility
Facility
Theatre
Server
Server
Area
Area
Locking
Locking & & Server
Server
UnLocking
UnLocking Facility
Facilities
Facilities L5A
“Today, the film studios spend over $1 billion each year Report Back to
Studio
File Other
Projectors
Theatre
Servers

to duplicate, distribute, rejuvenate, redistribute and

ultimately destroy the thousands of film reels required to
bring the close to 500 films released each year to postproduction house assembles and converts the DC
audiences across the U.S.” Booz Allen Hamilton: master into multiple versions, possibly for presentation
DIGITAL CINEMA: BREAKING THE LOGJAM and exhibition on a variety of media (e.g. Theatre, DVD,
Cable TV). A postproduction server then provides
SATCOM links provide for a very efficient and cost multiple encryptions of the multiple versions for
effective digital cinema distribution model but piracy is a distribution. Individual distributors are expected (but not
major concern; SATCOM links are easy to intercept. The required) to have their own servers to source their own
experience with Direct Satellite Services (DSS) has not facilities. Theatres receive copies of the media file in non-
been encouraging. There are an estimated 3 million real-time; storing a copy on their local server. The Theatre
unauthorized users using cloned versions of the tamper server then provides the still encrypted media file to an
resistant smart cards that seek to prevent this. authorized, tamper resistant projector, which contains
Furthermore, cinema stakeholders are risk adverse

ION NTM 2003, 22-24 January 2003, Anaheim, CA 739

sufficient buffering to source the real-time decryption and Figure 10: Waypoint GeoEncryption to Secure
exhibition of the media file. Mission Information
Placing four successive locks on the random key (ala.
Figure 7), the studio proxy can force the key to traverse
the distribution carrier’s server which takes off its lock
(U4A), the Theatre server which takes off its lock (U3A)
and finally, the projector which takes off its lock (U2A)
and the studio’s lock (U0A). Only the projector and the
studio proxy can access the random key needed to decrypt
the media file. Intervening stages of distribution are
critically involved in key transmittal and partial
decryption, but they have no access to the plaintext
media.
and routes, maybe with misleading descriptions. For
Waypoint GeoLocking for Improved Mission Security example, it might display a route titled “Safe Route
Through Minefield” that in fact really leads over the
To navigate with GPS, users typically follow a route mines. The set could also be configured to display
consisting of an ordered series of waypoints. In its erroneous position when outside of its authorized area.
simplest form, a waypoint is nothing more than a position Integrated into weapons systems, they may refuse to fire
but in airborne applications it may contain velocity (or worse) when outside of their authorized areas. The
expectations and time of transit expectations as well. In possibilities are limited only by the creativity of the
military applications, velocity & time of transit mission planner.
specifications are used in launching coordinated attacks
where diverse force elements converge on target(s) CONCLUSIONS
simultaneously. Ground forces routinely use GPS to
place, and then traverse mine fields via safe routes. Geo-encryption is an approach to location-based
encryption that builds on established cryptographic
Extended waypoint/regional information can include: algorithms and protocols. It allows data to be encrypted
for a specific place or broad geographic area, and supports
• Radio Contact Parameters constraints in time as well as space. It can support both
o Frequency fixed and mobile applications, and a variety of data
o IFF Parameters sharing and distribution policies. It provides full
• Weapons Parameters/Restrictions protection against location bypass. Depending on the
• Crypto variables implementation, it also can provide strong protection
against location spoofing.
In short, for the military user, the waypoints and
associated routes comprise some of the most sensitive ACKNOWLEDGMENTS
data in the military GPS set and should be protected
accordingly. GeoEncryption can provide an additional The authors would like to acknowledge the helpful
layer of security by restricting access to waypoint data commentary and discussions with our other GeoCodex
based on location, time & velocity. partners: Mark Seiler, Barry Glick and Ron Karpf.

Figure 10 depicts a notional mission profile consisting of REFERENCES

a series of waypoints where we have defined regions of
access for waypoints 2 & 3. There is no particular [1] FIPS 46-3
requirement that the PVT→GeoLock mapping function [2] FIPS 197
be based on a regular grid and here; we have chosen [3] Bruce Schneier, “Applied Cryptography, 2nd ed.”
polygonal shapes based on mission needs. Also, note that [4] Diffie & Hellman, “New Directions in Cryptography”
GeoLock regions can overlap; they do not have to be IEEE Transactions on Information Theory, Nov 1976
geographically disjoint from one another. Time & [5] SEP discussions at:
velocity window requirements could also have been http://home.earthlink.net/~loganscott53/Circular_Error_Pr
imposed. obable.htm
As an added refinement, we could also define a “keep [6] Logan Scott, Navtech Seminars course: “GPS
waypoints” region (shown in yellow). If the set exits this Interference & Jamming Issues for Civil & Military
area, perhaps due to capture, it can destroy its waypoints. Users”
Alternatively, it might display a different set of waypoints

ION NTM 2003, 22-24 January 2003, Anaheim, CA 740