EUROCONTROL Guidelines for the Use of CRC in AIXM 5.1

EUROCONTROL Guidelines for the use of CRC in AIXM 5.1

Guidelines the use of CRC in AIXM 5.1

EUROCONTROL Guidelines for the use of CRC in AIXM 5.1
DOCUMENT IDENTIFIER : EUROCONTROL-GUID-

Edition Number : 0.5

Edition Date : 06 December 2013

Status : Draft

Intended for : General Public

Category : EUROCONTROL Guidelines

DOCUMENT CHARACTERISTICS

TITLE
EUROCONTROL Guidelines for the use of CRC in AIXM 5.1
Publications Reference: / GUID-
ISBN Number:
Document Identifier / Edition Number: / 0.5
EUROCONTROL-GUID- / Edition Date: / 06 December 2013
Abstract
The Commission Regulation (EU) 73/2010 for aeronautical data quality in the single European sky context includes specific provision for use of CRC for the protection of the integrity of data sets. The AIX Specification of Eurocontrol proposes the use of the Aeronautical Information Exchange Model (AIXM) version 5.1 as means of compliance with the ADQ provisions for common data set specification and encoding format. In this context, this document contains an analysis of the CRC related requirements and proposes a solution in the form of a CRC-extension (UML and XML schema). The document also presents an alternative and maybe more powerful solution for ensuring data integrity, using XML Signatures.
Keywords
AIXM
CRC
Data Integrity
ADQ
Contact Person(s) / Tel / Unit
Eduard Porosnicu (EUROCONTROL) / +32-2-7293326 / DSR/CMN/IM
STATUS, AUDIENCE AND ACCESSIBILITY
Status / Intended for / Accessible via
Working Draft / o / General Public / þ / Intranet / o
Draft / þ / EUROCONTROL / o / Extranet / o
Proposed Issue / o / Restricted / o / Internet (www.eurocontrol.int) / o
Released Issue / o

DOCUMENT APPROVAL

The following table identifies all management authorities who have successively approved the present issue of this document.

AUTHORITY / NAME AND SIGNATURE / DATE
Author / Eduard Porosnicu, DSR/CNM/IM / 06 DEC 2013

DOCUMENT CHANGE RECORD

The following table records the complete history of the successive editions of the present document.

EDITION
NUMBER / EDITION
DATE / REASON FOR CHANGE / PAGES AFFECTED
0.5 / 06/12/2013 / Proposed for AIXM-ADQ Workshop. Including updates based on comments received on the previous version and discussions with various stakeholders, in particular from industry. Chapter 4 (Use of XML Signature) is new. / All
0.4 / 06/2012 / Updated after the CRC Workshop / All
0.3 / 03/2012 / Updated to allow multiple values per CRC after discussion with industry / All
0.2 / 03/2011 / Updated draft after internal discussions / All
0.1 / 2011 / Initial draft / All

Publications

EUROCONTROL Headquarters

96 Rue de la Fusée

B-1130 BRUSSELS

Tel: +32 (0)2 729 4715

Fax: +32 (0)2 729 5149

E-mail:

CONTENTS

DOCUMENT CHARACTERISTICS 2

DOCUMENT APPROVAL 4

DOCUMENT CHANGE RECORD 5

CONTENTS 6

1. Introduction 8

1.1 Purpose of the document 8

1.2 Scope of the document 8

1.3 Applicability 8

1.4 Abbreviations 8

1.5 Definitions 8

1.6 Reference material 8

1.7 Document structure 8

2. Requirements 10

2.1 ICAO and European regulations 10

2.1.1 ICAO Annex 15 10

2.1.2 ADQ Regulation 10

2.2 Discussion 11

2.2.1 Selected items versus complete data set 11

2.2.2 Transfer of input CRCV versus re-calculation 11

2.2.3 Past experience – use of CRCV with AIXM 4.5 12

3. CRC in AIXM 5.1 13

3.1 Using Metadata versus the AIXM CRC extension 13

3.2 Referenced data using XPath 13

3.3 Multiple CRC values for one feature 14

3.4 CRC extension for both features and objects 14

3.5 CRC algorithm 14

3.6 AIXM CRC Extension Definition 15

3.7 CRC extension usage 17

3.7.1 Example 17

3.7.2 Special characters 18

3.7.3 XML tags should be considered excluded 18

3.7.4 CRC limitations – undetected change in concatenated elements 19

4. Advanced possibilities with XML Signature 20

Edition: 0.5 Draft Page 1

EUROCONTROL Guidelines for the use of CRC in AIXM 5.1

1.  Introduction

1.1  Purpose of the document

The primary purpose of this document is to provide guidelines for the provision of cyclic redundancy check (CRC) values in data sets that use the Aeronautical Information Exchange Model (AIXM) specification. However, the document also takes a broader view on the data integrity protection aspect and also presents some possibilities offered by digital signature technologies.

1.2  Scope of the document

The document contains an analysis of the CRC related requirements, the solutions that are proposed and the definition of the corresponding AIXM extensions (UML and XML schema), including examples of usage.

1.3  Applicability

The guidelines contained in this document provide means of compliance with the specific provision for use of CRC contained in the Commission Regulation (EU) 73/2010 for aeronautical data quality in the single European sky context [RD 2]. This document complements the Aeronautical Information Exchange (AIX) Specification of Eurocontrol [RD 3].

1.4  Abbreviations

AIXM / Aeronautical Information Exchange Model
ADQ / Commission Regulation (EU) No 73/2010 laying down requirements on the quality of aeronautical data and aeronautical information for the single European sky
CRC / Cyclic redundancy check

1.5  Definitions

CRC = A mathematical algorithm applied to the digital expression of data that provides a level of assurance against loss or alteration of data.

1.6  Reference material

[RD 1]  Internal guidelines for the development of EUROCONTROL specifications and EUROCONTROL guidelines. Edition 1.0 dated 16 October 2007. Ref. ECTL_SPEC_GUID_1.0 191007

[RD 2]  Commission Regulation (EU) No 73/2010 laying down requirements on the quality of aeronautical data and aeronautical information for the single European sky.

[RD 3]  Aeronautical Information Exchange (AIX) Specification, EUROCONTROL-SPEC-0151, https://www.eurocontrol.int/articles/aeronautical-information-exchange-aix-specification

1.7  Document structure

Chapter 1 contains information about the document: purpose, scope, applicability, editorial aspects.

Chapter 2 contains an analysis of the requirements for the use of CRC in ICAO and in the European ADQ context. It also summarises the experience gathered in the European AIS Database (EAD) with the use of CRC values in AIXM 4.5.

Chapter 3 presents the AIXM 5.1 situation and defines an extension (UML mode, XML schema) that enables to include CRC values in AIXM 5.1 data sets, including examples.

Chapter 4 presents the extended possibilities offered by digital signatures for ensuring data protection in general and the practical use of XML Signatures inside with AIXM data sets. This ensures at least the same level of data integrity protection as the CRC.

2.  Requirements

2.1  ICAO and European regulations

Recipients of aeronautical data need to be assured that the data was not corrupted by the transmission channel through which it arrives. When information is exchange on paper, it is generally perceived as safe from this point of view. People expect that alterations are visible, in the form of erased or unclear text/images. However, this perception is not really justified the paper production process frequently implies manual data typing, and editorial/printing processes that are not error free.

When data is exchanged in electronic format, there is a general perception that corruption could occur undetected. This comes especially from the early networks and radio-transmission channels, which suffered from interferences and low signal integrity. However, all modern digital storage and digital data transmission channel have embedded mechanisms (checksums, etc.) that ensure the integrity of the data. Still, there is general perception in the aeronautical information domain that data, which may be critical for the safety of air navigation, needs to be protected against loss or alteration, from the point of origination to the end user.

2.1.1  ICAO Annex 15

ICAO requires specifically that this protection is assured through the use of CRC, which are mathematical algorithms applied to the digital expression of data to provide a level of assurance against loss or alteration of data. The following requirement is stated in Annex 15 (14th Edition), item 3.5.2:

“Electronic aeronautical data sets shall be protected by the inclusion in the data sets of a 32-bit cyclic redundancy check (CRC) implemented by the application dealing with the data sets. This shall apply to the protection of the integrity classification of data sets as specified in 3.3.3.”

2.1.2  ADQ Regulation

In the European context, the ADQ Regulation states a similar requirement in Annex VI, Data protection requirements referred to in Article 9:

“1. All data transferred in an electronic format shall be protected against loss or alteration of data by the application of the CRC32Q algorithm as referred to in Annex III point (21). The cyclic redundancy check (hereinafter CRC) value shall be applied before the final verification of the data prior to storage or transfer.

2. Where the physical size of data exceeds that which may be protected at the required level of integrity by a single CRC, multiple CRC values shall be used.

3. Aeronautical data and aeronautical information shall be given an appropriate level of security protection during storage and when exchanged between the parties referred to in Article 2(2), to ensure that the data cannot be accidentally changed or subjected to unauthorised access and/or alteration at any stage.

4. The storage and transmission of aeronautical data and aeronautical information shall be protected by a suitable authentication process such that recipients are able to confirm that the data or information has been transmitted by an authorised source.”

2.2  Discussion

2.2.1  Selected items versus complete data set

According to ICAO Annex 15, only data identified as critical, essential or routine requires CRC protection. However, according to the Aeronautical Data Quality (ADQ) Regulation in Europe, all data might require CRC protection. In addition, even the ICAO list in Annex 15 Appendix 7 of critical, essential and routine data elements might suffer modifications.

Therefore, any data integrity protection solution should allow that a CRC value is provided both for individual data items and for entire branches or parts of the data set.

2.2.2  Transfer of input CRCV versus re-calculation

CRCs should be applied from the first point that the aeronautical data and information is captured in electronic form and their values shall be stored together within the data set itself, becoming part of it.

As long as these records are stored or retransmitted in their original forms, their initial CRCV is available for integrity checking. However, a record or part of its attributes might be incorporated in another record, either in the same or any other data set. In this case the original CRCV is no longer relevant and new CRCV may be generated for the new record. The ‘parent data’ CRCV could be stored as Metadata, for traceability purpose, together with the other data origination information.

Example:

DATA SET 1
Identifier / Height / CRCV
Point A / 123.45 / AAAA123
Point B / 110.65 / AAAA456
/ DATA SET 2
Identifier / Latitude / Longitude / CRCV
Point A / 532432.15N / 0342355.49E / BBBB123
Point B / 533000.00N / 0342355.49E / BBBB456
/ DATA SET A
/
Identifier
/ Latitude
/ Longitude
/ Height
/ CRCV
/
Point A / 532432.15N / 0342355.49E / 123.45 / XXXX123
Point B / 533000.00N / 0342355.49E / 123.45 / XXXX456

NOTE: Only the shaded fields are used in the calculation of the CRV

In the example above the attribute Height from Data Set 1 was joined with the attributes Latitude and Longitude from Data Set 2 to form a new data set: Data Set A. The CRCVs of the records from Data Set 1 and Data Set 2 are no longer relevant and a new CRCV was calculated for the records in the Data Set A.

2.2.3  Past experience – use of CRCV with AIXM 4.5

In the previous AIXM versions 3.3 and 4.5, a dedicated VAL_CRC attribute was present on some features. The use of that attribute was left to the latitude of the implementers. In the European AIS database, the bit stream used for the calculation of the CRC value was composed by concatenating the following fields, in this order:

·  Latitude (<geoLat>)

·  Longitude (<geoLong>)

·  Elevation (<valElev>)

·  Geoid Undulation (<valGeoidUndulation>)

In cases where the elements representing the Elevation and the Geoid Undulation are “null” or the relevant features do not have attributes to take these values, the concatenation of latitude and longitude only was used.

Therefore, the AIXM 4.5 response to the ICAO requirement was limited to protecting a number of predefined fields that were considered critical.

In addition, this CRC protection is also used for manual data input: when manually typing latitude, longitude, elevation and geoid undulation values in the EAD Terminals, the operator also has the possibility to input also the CRC value that corresponds to the input data items. This CRC is verified against a CRC value calculated by the input form. This ensures a high integrity of the manual data input, but it is limited to the fields that are addressed by the CRC.

3.  CRC in AIXM 5.1

3.1  Using Metadata versus the AIXM CRC extension

The core AIXM 5.1 model does not include any CRCV fields. At the time when the model was designed and published, it was considered that CRCV should be included in the metadata, using the ISO 19139 physical XSD schema, which is embedded in the GML schema and therefore directly available in AIXM.

However, further analysis done under the Aviation Domain Working group of the Open Geospatial Consortium has shown that there is no obvious field for the inclusion of CRCV in the ISO 19115 metadata schema. This is detailed in the “Guidance on the Aviation Metadata Profile”, document # 10-196r1 on the OGC Portal. Therefore, a metadata extension is proposed.

In addition, due to the complexity of the ISO 19139 Metadata schema, feedback from developers indicates that the CRCV would be more useful and easier to process if located closer to the data item concerned (not in the Metadata “headers”). Therefore, an AIXM 5.1 Extension schema is also proposed in order to provide CRCV inside an AIXM 5.1 data set.

Each of the two methods (ISO 19139 Metadata extension versus the AIXM CRC extension) could be used in parallel, as follows:

·  the (message) Metadata CRC extension should be used when necessary to provide a global CRC value for a whole data set or to store CRC values issued in the upstream data chain part;

·  the AIXM CRC extension should be used when necessary to provide individual CRC values at feature and sub-feature level, down to the level of each individual property.