Cognitive radio networks (CRNs) exploit the idle portion of the licensed spectrum to establish network communications. Essential to the co-existence of this technology with legacy systems, is the reliable sensing of spectrum opportunities. However, existing spectrum sensing techniques are vulnerable to adversaries that mimic the characteristics of Primary User (PU) transmissions in order to reduce the bandwidth availability for the CRN. In this paper, we address the problem of authenticating the PU signal in order to mitigate PU emulation attacks. We propose a PU authentication system based on the deployment of "helper" nodes, fixed within the geographical area of the CRN. Our system relies on a combination of physical-layer signatures (link signatures) and cryptographic mechanisms to reliably sense PU activity and relay information to the CRN. Compared to prior work, our system can accommodate mobile secondary users and can be implemented with relatively low-power helpers.