Authenticated GNSS: Galileo OSNMA & Anti-Spoofing

What It Is

Galileo Open Service Navigation Message Authentication (OSNMA) is the first operational system that allows civilian GNSS receivers to verify that the navigation signals they receive genuinely originate from Galileo satellites rather than from a ground-based spoofing transmitter. Declared operational by the European Union Agency for the Space Programme (EUSPA) in 2025, OSNMA represents a fundamental shift in GNSS security — moving from a model where receivers blindly trust any signal on the correct frequency to one where cryptographic proof of authenticity is embedded in the navigation message itself.

The problem OSNMA addresses has grown severe. Since 2018, GPS spoofing incidents affecting commercial aviation have escalated dramatically, particularly over the Middle East, Baltic region, and Eastern Mediterranean. These attacks feed receivers false position data, causing navigation errors, triggering false GPWS terrain alerts, and corrupting ADS-B position reports. Authenticated GNSS provides a technical countermeasure at the signal level.

How It Works

OSNMA embeds cryptographic authentication data within the Galileo E1-B navigation message. The system uses a combination of TESLA (Timed Efficient Stream Loss-tolerant Authentication) protocol and ECDSA (Elliptic Curve Digital Signature Algorithm) to authenticate both the navigation data and the source satellite identity.

In the TESLA scheme, each satellite broadcasts navigation data along with a Message Authentication Code (MAC) computed using a secret key. The key itself is revealed after a delay — typically one to two subframes later. A receiver stores the data and MAC, then verifies the MAC once the delayed key arrives. Because the key was secret at the time the data was broadcast, an attacker cannot forge a valid MAC in real time. The ECDSA component provides the root of trust: periodic digital signatures allow receivers to verify the TESLA key chain without prior key material.

The authentication latency — the delay between receiving the navigation data and being able to verify it — is approximately 30 seconds in the current implementation. This is fast enough for most navigation applications, though not for the most time-critical safety-of-life functions. Receivers that support OSNMA require a firmware update to process the authentication data, and the computational overhead is minimal for modern chipsets.

It is important to understand what OSNMA does not do: it does not prevent jamming. An attacker who overwhelms the legitimate signal with noise will still deny GNSS service. OSNMA specifically defeats meaconing (rebroadcast) and sophisticated spoofing attacks where false signals mimic the structure of genuine ones.

Relevance to Airspace Risk

The operational availability of Galileo OSNMA is a milestone for airspace risk mitigation, but its impact on commercial aviation will unfold over years rather than months. The gap between OSNMA's operational status and its adoption in certified avionics is governed by aviation's regulatory cycle — new receiver standards must be developed by EUROCAE and RTCA, then certified by EASA and the FAA. The realistic timeline for OSNMA-capable certified avionics is 2027 to 2030.

In the interim, OSNMA provides immediate value for non-aviation applications that feed into aviation safety: ground-based augmentation systems, drone operations using commercial receivers, and timing infrastructure for ATC systems. It also serves as a proof of concept that accelerates development of similar capabilities for other constellations. GPS III satellites are designed with provisions for navigation message authentication, though the US has not yet committed to a public timeline for enabling it.

For the regions most affected by spoofing — Iraq, the Eastern Mediterranean, and the Baltic — authenticated GNSS represents the most promising long-term technical solution. Until certified avionics are available, airlines continue to rely on procedural mitigations: cross-checking GNSS against inertial reference systems, monitoring NOTAMs, and training crews to recognize spoofing signatures.

Current Status

Galileo OSNMA entered its Initial Service phase in January 2023 and was declared fully operational in 2025. Receiver chipset manufacturers including u-blox, STMicroelectronics, and Septentrio have released OSNMA-capable firmware. The adoption curve in consumer and professional markets is accelerating, with automotive and maritime sectors leading integration.

GPS III satellites (Block IIIF, launching from 2026) include provisions for a similar authentication capability, though the L1C signal that would carry it is not yet fully operational. China's BeiDou and Russia's GLONASS have not announced equivalent public authentication services. Multi-constellation authentication — verifying signals from GPS, Galileo, and BeiDou simultaneously — remains a medium-term research objective.

Limitations

• •Does not prevent jamming — only defeats spoofing. A jammed receiver loses GNSS regardless of authentication capability.
• •Authentication latency of approximately 30 seconds may be too slow for certain time-critical safety applications.
• •Currently Galileo-only. GPS, BeiDou, and GLONASS do not yet offer equivalent civilian authentication.
• •Aviation certification timeline (2027-2030) means commercial aircraft will not benefit for years.
• •Sophisticated record-and-replay attacks with minimal delay may still be difficult to detect if the attacker operates within the TESLA key revelation window.

Related