Secure pprzlink: encrypted communications for open source drones

Earlier this month, the Paparazzi team released Secure pprzlink, an encrypted communication protocol for UAVs. While developing Secure pprzlink was a community effort, Galois supported Secure Pprzlink in part as an internal research project I was involved in, and in part as my innovation week project.

Secure Pprzlink is an encrypted version of pprzlink. Pprzlink is a multi-UAV communication protocol, similar to MAVLink. However, both Pprzlink and MAVLink are unencrypted, which keeps communication simple but also makes it risky. Without encryption, anyone can listen to your drone communication, and can potentially send modified or outright “fake” commands to it, steering it off course or causing it to crash. Using an encrypted radio link is similar to using an encrypted connection to the internet, and should be common practice.

The new Secure Pprzlink uses the strong and fast ChaCha20 cipher with the Poly1305 authenticator. For better security and user convenience, we implemented a variation of the station-to-station key-exchange protocol to allow seamless key exchange between the UAV and the GCS. Secure Pprzlink is backed by the formally verified cryptographic library HACL* (yes, the same library that is part of the new Mozilla Firefox). Secure Pprzlink was inspired by the Galois Embedded Crypto (GEC) library, which was designed for the SMACCMPilot secure autopilot as part of Galois’s effort on the HACMS project.
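To show what the ChaCha20 with Poly1305 construction mentioned above actually does on a radio frame, here is the RFC 8439 AEAD written from scratch in Python. This is an added example, not code from the Paparazzi project or from HACL*; it runs without third-party packages, and the key, nonce and message values used with it are constructed for the demo (a nonce must never repeat under the same key).

```python
# ChaCha20-Poly1305 AEAD (RFC 8439) in pure Python, so it runs with no third-party packages.
# Added illustration of the construction, not the HACL* code Secure Pprzlink uses; key,
# nonce and message values in the tests are constructed. Nonces must never repeat per key.
import hmac, struct

def _qr(s, a, b, c, d):  # ChaCha quarter round (RFC 8439 section 2.1)
    for x, y, z, n in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & 0xffffffff
        t = s[z] ^ s[x]
        s[z] = ((t << n) | (t >> (32 - n))) & 0xffffffff

def chacha20_block(key, counter, nonce):  # one 64-byte keystream block (section 2.3)
    init = list(struct.unpack('<16I', b'expand 32-byte k' + key + struct.pack('<I', counter) + nonce))
    s = init[:]
    for _ in range(10):  # 20 rounds: 10 column rounds interleaved with 10 diagonal rounds
        for idx in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                    (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _qr(s, *idx)
    return struct.pack('<16I', *((x + y) & 0xffffffff for x, y in zip(s, init)))

def chacha20_xor(key, counter, nonce, data):  # encryption and decryption are the same XOR
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)

def poly1305_tag(otk, msg):  # Poly1305 MAC under a 32-byte one-time key (section 2.5)
    r = int.from_bytes(otk[:16], 'little') & 0x0ffffffc0ffffffc0ffffffc0fffffff
    s = int.from_bytes(otk[16:], 'little')
    acc = 0
    for i in range(0, len(msg), 16):  # each block gets a 0x01 byte appended before use
        acc = (acc + int.from_bytes(msg[i:i + 16] + b'\x01', 'little')) * r % ((1 << 130) - 5)
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, 'little')

def _mac_input(aad, ct):  # AAD and ciphertext zero-padded to 16 bytes, then both lengths
    pad = lambda b: b + b'\x00' * (-len(b) % 16)
    return pad(aad) + pad(ct) + struct.pack('<QQ', len(aad), len(ct))

def aead_encrypt(key, nonce, aad, plaintext):  # returns ciphertext || 16-byte tag
    otk = chacha20_block(key, 0, nonce)[:32]  # block 0 keys Poly1305; payload uses block 1+
    ct = chacha20_xor(key, 1, nonce, plaintext)
    return ct + poly1305_tag(otk, _mac_input(aad, ct))

def aead_decrypt(key, nonce, aad, sealed):  # None on tag failure: forged, modified or wrong key
    ct, tag = sealed[:-16], sealed[-16:]
    otk = chacha20_block(key, 0, nonce)[:32]
    if not hmac.compare_digest(tag, poly1305_tag(otk, _mac_input(aad, ct))):
        return None  # check the tag before touching the payload; reject the whole frame
    return chacha20_xor(key, 1, nonce, ct)
```

Unencrypted header fields (message id, sender) go in `aad`, so a receiver rejects any frame whose header or payload was altered in flight, which is the property the plain link lacks.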


Why is using a formally verified crypto library important?

In short, cryptography is hard to do right, and formal methods help make sure that the encryption algorithms behave as intended. This short video may give you a better idea:

Secure Pprzlink uses a formally verified cryptography library, but is not verified itself. However, it could be verified in the future, to provide additional guarantees.


How can I use it?

The Paparazzi team prepared a wiki page with instructions and examples. In short, choose a secure link as your mode of communication when building the autopilot code, and the rest is handled automatically. Also, the GCS part of Secure Pprzlink is written in Rust, a memory-safe language, which guarantees that the Rust code is itself memory-safe and thus eliminates a large class of possible software bugs.

Give it a try, and please send us any feedback and ask questions on the paparazzi gitter channel, or via the paparazzi mailing list.

Wishing everyone happy (and secure) flying!