Galileo OSNMA Activation: A Technical Bulletin on Aviation GNSS Authentication

TITLE: Galileo OSNMA Activation: A Technical Bulletin on Aviation GNSS Authentication DESCRIPTION: Analysis of the operational implications of Galileo's Open Service Navigation Message Authentication for civil aviation, based on publicly available data from EUSPA and ICAO. CONTENT: The activation of Galileo's Open Service Navigation Message Authentication (OSNMA) on 24 July represents a structural shift in the verification of Global Navigation Satellite System integrity. For aviation, this development introduces a cryptographically secure, publicly available authentication layer for satellite navigation data, addressing a long-standing vulnerability. FlySafe Research analysis, based on publicly available data from the European Union Agency for the Space Programme (EUSPA) and the International Civil Aviation Organization (ICAO), indicates this protocol alters the operational risk calculus for GNSS spoofing in affected flight information regions.

This bulletin details the technical implementation of OSNMA, its specific limitations, and the practical timeline for integration into civil aviation operations. The focus remains on actionable intelligence for flight operations and air navigation service providers, derived exclusively from verifiable public sources.

The Documented Increase in GNSS Spoofing Events

Global Navigation Satellite System spoofing involves the broadcast of counterfeit signals to deceive a receiver. Data from the European GNSS Service Centre indicates a marked increase in reported incidents affecting civil aviation positioning and timing services. A 2023 report by the non-governmental organization C4ADS, cited in an EUSPA announcement, documented over 9,800 instances of suspected GNSS manipulation affecting maritime and aerial navigation in a single region over a ten-month period. For aviation, the consequence is not merely a map error. Erroneous position, velocity, and time solutions directly impact area navigation (RNAV) procedures, required navigation performance (RNP) approaches, and terrain awareness warning systems.

The vulnerability stems from the inherently open and unauthenticated nature of civilian GNSS signals. Prior to OSNMA, receivers could validate signal geometry and consistency through Receiver Autonomous Integrity Monitoring (RAIM) but could not cryptographically verify the source of the navigation data itself. This allowed for the generation of plausible but false satellite ephemeris and clock data, a method confirmed in multiple academic studies. Operational advisories, such as European Union Aviation Safety Agency (EASA) Safety Information Bulletin 2023-02R1, have previously recommended procedural mitigations due to the absence of a signal-level authentication solution for open services.

Technical Architecture of the OSNMA Protocol

OSNMA is a data authentication protocol integrated into the Galileo I/NAV message broadcast on the E1-B signal. Its primary function is to increase the unpredictability of navigation data through cryptographic signing. The system employs a hybrid symmetric/asymmetric scheme based on the Timed Efficient Stream Loss-tolerant Authentication (TESLA) protocol, as detailed in the publicly available Galileo OSNMA Receiver Guidelines (v1.3). The operational workflow is receiver-driven and involves two phases.

During initialisation, the receiver acquires and verifies a public key and a TESLA root key. These can be obtained directly from the Galileo Signal-In-Space or from the GSC OSNMA data server. Manufacturers can preload up to 16 public keys, which are managed via a Merkle tree structure and can be renewed in-flight through Digital Signature Message – Public Key Renewal (DSM-PKR) transmissions. This design, validated by the AALECS consortium's end-to-end demonstrator platform, ensures key management without ground station dependency after receiver startup.

The continuous data authentication process involves the satellite appending a digital signature and a delayed key to its navigation data. The receiver first uses the public key to authenticate the delayed key, then uses that key to authenticate the signature and the accompanying navigation data. According to technical documentation from receiver manufacturer Septentrio, a signal failing this verification is excluded from the positioning calculation. A critical receiver requirement is time synchronization; the TESLA protocol requires the receiver's internal clock to be within several seconds of Galileo System Time to correctly associate keys with their corresponding data. The protocol accommodates less precise receivers through ADKD 12 "slow MAC" messages.

Cross-Constellation Authentication and Receiver Implications

A significant operational feature of OSNMA is its capacity for cross-authentication. The protocol design allows a receiver to use authenticated data from one Galileo satellite to verify the navigation messages of other satellites within the same constellation, and potentially from other GNSS. Research published in the journal Sensors confirms the framework permits the future use of Galileo OSNMA to authenticate satellites from other GNSS space segments, such as GPS.

This has direct implications for multi-constellation aviation receivers, which typically process signals from GPS, Galileo, and GLONASS simultaneously. A trust anchor established via Galileo could extend authentication coverage to GPS signals, significantly broadening the protected signal environment. For operators, this means the benefit of OSNMA is not confined to routes where Galileo is the primary constellation. Flight information regions globally could see enhanced integrity for multi-GNSS solutions as OSNMA-capable avionics enter service. Manufacturers like u-blox have already demonstrated prototype receivers capable of this cross-authentication in controlled tests, as presented at the 2023 International Technical Symposium on Navigation and Timing.

Operational Boundaries and Limitations of the System

A precise understanding of OSNMA's scope is necessary for effective risk management. EUSPA executive statements clarify that OSNMA provides an "added layer of protection" but does not prevent spoofing occurrences or protect against jamming. The system authenticates the data content of the navigation message, verifying it originated from the Galileo constellation and was not altered in transit. It does not authenticate the ranging code itself. Therefore, a sophisticated spoofer capable of replicating both the cryptographic signature and the signal structure could theoretically still deceive a receiver, though the cost and complexity are substantially increased.

Airspace status: OSNMA is a data-level authentication tool. It represents the first layer in a two-tier authentication framework. The second layer, range-level authentication via Spreading Code Authentication (SCA), is planned for the future Galileo Commercial Authentication Service (CAS) on the E6-C signal. CAS will directly encrypt the spreading code, providing a higher grade of protection.

Recommendation: Operators should integrate OSNMA capability as one component of a layered mitigation strategy. This strategy should include, but not be limited to, receiver autonomous integrity monitoring, inertial reference system cross-checks, and adherence to procedural directives issued via NOTAMs during known interference events. Jamming, the overpowering of GNSS signals with radio frequency noise, remains entirely outside OSNMA's purview and requires alternative mitigations such as controlled reception pattern antennas.

Aviation Certification Pathway and Fleet Integration Timeline

The integration of OSNMA into civil aviation is a multi-year process governed by standardization bodies. EUSPA has confirmed OSNMA is now being included in relevant Minimum Operational Performance Standards (MOPS) for aviation receivers. The transition from initial public service to full market deployment is outlined in the Galileo OSNMA Day 2026 program, which focuses on ecosystem readiness. The system is backwards compatible; receivers without OSNMA capability continue to compute position normally, ensuring no operational disruption during the fleet transition period.

Affected routes: All global routes within Galileo coverage will potentially benefit. The operational relevance is heightened in FIRs with documented GNSS integrity issues, such as LCCC (Nicosia), OIIX (Tehran), and parts of URRV (Moscow). The deployment timeline is receiver-dependent. Major avionics manufacturers have initiated development programs. For instance, Garmin's G3000 and G5000 integrated flight deck systems are architecturally capable of supporting OSNMA through future software updates, as indicated in their public technical roadmaps. Airlines should consult with their avionics providers for specific upgrade schedules and should note that retrofits may require both hardware and software modifications depending on the existing unit's processing capacity.

Simulation and testing tools are available to facilitate this integration. Safran's Skydel simulation platform allows manufacturers to configure OSNMA parameters, including key chains and authentication sequences, for comprehensive receiver testing. This enables validation under a wide range of scenarios, including signal loss and spoofing attempts, before live signal deployment.

Practical Considerations for Airline Operations Departments

For airline operations and dispatchers, the activation of OSNMA necessitates several practical evaluations. First, the technology does not require immediate action but does inform long-term avionics investment strategies. Procurement specifications for new aircraft or navigation system upgrades should include OSNMA capability as a defined requirement.

Second, while OSNMA enhances confidence in Galileo-derived position data, it does not obviate the need for vigilance regarding NOTAMs on GNSS interference. Operations departments should continue to monitor sources like EASA SIBs and ICAO bulletins for airspace-specific advisories. The presence of OSNMA may, over time, allow for more nuanced operational risk assessments in regions with historical interference, but it does not constitute an immediate all-clear.

Third, the cryptographic authentication provided by OSNMA strengthens the forensic validity of GNSS data recorded by flight data recorders. This has implications for occurrence investigation and regulatory compliance, particularly within European Union member states where Galileo data is already recognized for evidentiary purposes in domains like digital tachographs.

Key Takeaway

FlySafe Research analysis indicates Galileo OSNMA represents the most substantive advancement in publicly available civilian GNSS anti-spoofing to date. It systematically raises the technical barrier for successful navigation data spoofing by introducing a free, global cryptographic verification layer. Its integration into developing aviation standards signals a clear industry trajectory toward mandated authentication for safety-critical applications. Airlines and air navigation service providers should begin evaluating receiver upgrade roadmaps and consider OSNMA capability a factor in future navigation system procurement.

FlySafe continues to monitor GNSS integrity threats through analysis of publicly available NOTAMs, authority bulletins, and global event monitoring, providing data-driven risk assessments for flight information regions worldwide.

Analysis based on publicly available data from EUSPA, ICAO, EASA, and receiver manufacturer documentation only. This bulletin does not constitute operational guidance. All operational decisions must be based on current NOTAMs, official authority directives, and approved airline procedures.

Frequently Asked Questions

What is the immediate action required for airlines following OSNMA activation?

No immediate operational action is required. The activation is a service declaration from the system operator. The required action is strategic: operations and engineering departments should engage with their avionics suppliers to understand the upgrade path for existing fleet receivers and to specify OSNMA capability in all new navigation system procurement contracts.

Can OSNMA be used to authenticate GPS signals currently?

Not at present. The current OSNMA protocol is designed for Galileo signals. However, its architectural framework for cross-authentication allows for the future possibility of using authenticated Galileo data as a trust anchor to verify GPS navigation messages. This would require international agreement and standardization. Current multi-constellation receivers can use OSNMA to authenticate Galileo signals while processing una authenticated GPS signals with traditional integrity checks.

How does OSNMA affect aircraft already equipped with multi-constellation receivers?

For existing aircraft, the impact is neutral unless a receiver software or hardware upgrade is performed. OSNMA is a broadcast service; receivers without the specific decoding and cryptographic verification capability will simply ignore the authentication data within the I/NAV message. Navigation performance will continue as before. To actively benefit from OSNMA, most existing receivers will require a software update, and some may require a hardware modification to accommodate the additional cryptographic processing load, depending on their original design.