Spread Spectrum- how it works
From: US3RMC::"[email protected]" "Clark Reynard" 8-SEP-1993 01:59:18.22
>Then the receptionist returned, and told me that the person from
>the engineering department who took care of the phones had indicated
>that not even the government had the technology to monitor these
>phones.
>
>Upon asking how and why the government might do this, I received
>a rather chilly notification that the engineering department,
>was, of course, unwilling to reveal these secrets. Well, it was
>worth a try.
Actually, they aren't telling you, but SS techniques are published widely
in the technical literature. For a relatively accessible and understandable
introduction, try the ARRL's book "Spread Spectrum Sourcebook", which
describes not only the theory but also the results of the ARRL's
experimentation with spread-spectrum technology for radio communications.
It's about $30 from any reputable ham radio supply house, and you
can mail-order it.
[Very succinctly, SS works by adding a pseudorandom modulation to the
transmitter carrier that modulates the signal far, far MORE than the
actual informational modulation. For example, a 16-bit CRC register
feeding back on itself can be used. The output of the CRC register
(or any other pseudo-random number generator (PRNG)) can be used as a
modulator in two ways:
1) Frequency hopping: the bits in the CRC or PRNG determine (via
   a lookup table ("hop set")) the new center frequency that the
   transmitter will send on. This frequency may hop a hundred
   times or more per second.
   a) ease of detection: easy- you hear a "click" whenever the
      transmitter hops onto the frequency you're monitoring
   b) ease of interception: very hard- if there are a
      few thousand such signals around, you have to splice
      together 10 millisecond slices from a thousand different
      sources- and that's a combinatorially prohibitive
      problem. You need to know the "hop set" and the
      particular polynomial or pseudorandom sequence to
      easily recover the signal.
2) Direct Sequence: the single low-order bit in the CRC or PRNG
   determines whether the output signal from the transmitter's
   primary oscillator (already modulated with the user's voice)
   is inverted or not. This translates to massive phase modulation.
   If the CRC is clocked at a reasonable rate (say, 1 MHz) then
   the output signal ends up with a bandwidth of about twice
   the clocking frequency.
   a) ease of detection: difficult- the SS signal shows
      up in a conventional receiver as broadband noise- easy
      to not notice.
   b) ease of interception: very difficult- I haven't the
      foggiest about how to go about it.
In either case, to demodulate the signal, one receives the entire bandwidth,
then either hops their first-stage local oscillator (for frequency hopping)
or phase-inverts (for direct sequence) the incoming signal. The result is
a second-stage signal that can be demodulated by conventional means. The
only big trick is to synchronize the PRNG on the receiver to the PRNG on
the transmitter.
Another advantage to SS is that it tends to "ignore" strong signals in the
band- any signal that does not correlate against the PRNG modulation is
"spread out" over the entire band by the demodulation operation, while the
correct signal energy is concentrated into a small channel. This gives
what's called "process gain" and allows a weak spread-spectrum signal to
work even in channels that may be dominated by strong conventionally-modulated
signals.
The ARRL did find that if they knew the bandwidth of the signal they were
looking for they _could_ direction-find on it, using wideband receivers
and notch filters to remove known conventionally-modulated signals from
the signal; once they were close enough to be in the "near field" of the
transmitter, standard direction-finding techniques were adequate to DF.
Even if they couldn't understand what was being transmitted, they could
find the source. (This was the basis for the FCC's OKing of the use of
SS modulation by hams on the 440 and higher bands- that some form of
accountability was being preserved.)
-----
Note that if the PRNG in a direct-sequence SS is replaced by a true
random number source, we have the equivalent of a one-time pad and
(I believe) complete security. However, since the typical demands
of a direct-sequence system for phase information are in the megabits
per second, the logistics of "key management" may be utterly impractical.
-----
So, if CM was using either modulation method, and used some reasonable
PRNG (i.e. one with remappings and hopsets determined by user-genned random
numbers) then it is quite possible that the government does not have the
technology _deployed_ in the field to intercept them. But if they
need it, I'm sure they will figure out how to do it.
-Bill
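As an added illustration of both mechanisms Bill describes (this is not code from his post), the following Python models the "16-bit CRC register feeding back on itself" as a 16-bit Fibonacci LFSR with the maximal-length polynomial x^16 + x^14 + x^13 + x^11 + 1 (an assumed choice), spreads data bits by sign-inverting chips with the register's low-order bit, and despreads by correlating against a local copy of the same PRNG. The spreading factor is one full PRNG period (65535 chips) per data bit, so the m-sequence balance and autocorrelation properties make the arithmetic exact: an in-phase receiver gets a decision value of 65535 per bit, a receiver whose PRNG is even one chip out of sync gets about 1, and a constant interferer 1000 times stronger than a chip (60 dB) contributes only its own amplitude to the decision. That is the "process gain" of the post, about 48 dB here. The hop set, seed and message bits are constructed sample values.

```python
"""Direct-sequence and frequency-hopping spread spectrum in miniature.

Added illustration; not code from the original post. The post's "16-bit
CRC register feeding back on itself" is modelled as a 16-bit Fibonacci
LFSR with the maximal-length polynomial x^16 + x^14 + x^13 + x^11 + 1
(an assumed choice; any primitive polynomial gives the same properties).
Everything is ideal baseband arithmetic on +1/-1 chips: no RF, no noise,
just the correlation that makes despreading and process gain work.
"""

LFSR_BITS = 16
PERIOD = (1 << LFSR_BITS) - 1          # 65535 chips before the PRNG repeats
TAPS = (16, 14, 13, 11)                # assumed primitive polynomial


def _step(state):
    """One clock of the LFSR: XOR the tapped stages back into the top bit."""
    fb = 0
    for t in TAPS:
        fb ^= (state >> (LFSR_BITS - t)) & 1
    return (state >> 1) | (fb << (LFSR_BITS - 1))


def lfsr_bits(seed, count):
    """Return `count` output bits of the LFSR started from nonzero `seed`.

    The low-order bit of the register is the output, the bit the post says
    drives the phase inverter in a direct-sequence transmitter.
    """
    state = seed & 0xFFFF
    if state == 0:
        raise ValueError("LFSR seed must be nonzero")
    out = []
    for _ in range(count):
        out.append(state & 1)
        state = _step(state)
    return out


def lfsr_period(seed):
    """Clocks until the register state recurs (65535 for a maximal LFSR)."""
    start = seed & 0xFFFF
    state, steps = _step(start), 1
    while state != start:
        state, steps = _step(state), steps + 1
    return steps


def chip_period(seed):
    """One full period of +1/-1 chips: PRNG bit 1 -> invert carrier (-1)."""
    return [-1 if b else 1 for b in lfsr_bits(seed, PERIOD)]


def dsss_spread(bits, chips):
    """Each data bit (0 -> +1, 1 -> -1) multiplies one full code period."""
    return [(-1 if b else 1) * c for b in bits for c in chips]


def dsss_despread(samples, chips):
    """Correlate each period-long block against the local PRNG copy.

    Returns one soft decision per bit: +/-PERIOD when the local code is in
    phase with the transmitter's, about +/-1 when it is not.
    """
    n_bits = len(samples) // PERIOD
    soft = []
    for i in range(n_bits):
        block = samples[i * PERIOD:(i + 1) * PERIOD]
        soft.append(sum(s * c for s, c in zip(block, chips)))
    return soft


def decide(soft):
    """Hard decisions: negative correlation means a 1 was sent."""
    return [1 if v < 0 else 0 for v in soft]


def add_interferer(samples, amplitude):
    """A strong unmodulated carrier at band centre is a constant in baseband."""
    return [s + amplitude for s in samples]


def fh_hop_sequence(seed, hop_set, n_hops):
    """Frequency hopping: 4 PRNG bits per dwell index a 16-entry hop set."""
    bits = lfsr_bits(seed, 4 * n_hops)
    hops = []
    for i in range(n_hops):
        idx = 0
        for b in bits[4 * i:4 * i + 4]:
            idx = (idx << 1) | b
        hops.append(hop_set[idx])
    return hops


if __name__ == "__main__":
    seed = 0xACE1                          # constructed shared secret / phase
    chips = chip_period(seed)
    message = [1, 0, 1, 1, 0, 0, 1, 0]     # constructed data bits
    rx = add_interferer(dsss_spread(message, chips), 1000)  # 60 dB above a chip
    print("in-phase soft decisions    :", dsss_despread(rx, chips)[:3])
    wrong = chips[1:] + chips[:1]          # same code, one chip out of sync
    print("out-of-phase soft decisions:", dsss_despread(rx, wrong)[:3])
    print("decoded:", decide(dsss_despread(rx, chips)))
    hop_set = [440000 + 25 * k for k in range(16)]   # kHz, constructed hop set
    print("first hops (kHz):", fh_hop_sequence(seed, hop_set, 8))
```

Two things worth noticing in the numbers: every nonzero seed of a maximal LFSR lies on the same cycle, so a "wrong seed" is only a wrong phase of the same code, and the out-of-phase correlation of exactly -1 per bit is what makes the signal look like noise to anyone who has the polynomial but not the timing. The interferer survives despreading only at its own amplitude (1000) against a wanted-signal term of 65535, which is the same arithmetic Bill calls "spreading out" the uncorrelated energy while concentrating the correct signal.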