[aprssig] Authentication over APRS was: Ab)Use of APRS for telemetry? Anyone doing it?

Tyler Allison tyler at allisonhouse.com
Mon Dec 6 12:25:18 EST 2004


>>> One could certainly use a OTP (one time pad), but that clearly violates
>>> the FCC rule mentioned above.
>>
>> Why?  OTP's were designed specifically for your purpose. When the
>> traffic must be in the clear an OTP is a suitable security mechanism.
>
> One time pad <> one time password!

OTP *CAN* mean one time password, though it may depend on who you are
talking to and their work history.  IETF defines OTP as "one time
password".
(http://www.ietf.org/html.charters/otp-charter.html)
(http://www.ietf.org/rfc/rfc2289.txt)

In the intent of the original post OTP was being used as a term for "one
time password". At least that's how I read it.

The use of a "one time password" is easy to implement.

On APRS it might look something like this:

1) User sends 'login' message to Server
2) Server responds to user with 'challenge' message
3) User uses the contents of the 'challenge' message to generate the OTP.
4) User sends OTP to server along with command(s) to run

The key is that the server and user already know the secret pass-phrase
that allows both sides to generate the one time password. Combining the
challenge with the secret pass-phrase and passing it through an algorithm
(MD5?) allows both sides to arrive at the same 'password'.

May be overkill if the FCC has already said passwords can be 'encrypted'.

Source code is available on the internet. Look for S/KEY, OTP or OPIE.

-Tyler
-- 
"The only consistent feature of all of your dissatisfying relationships is
YOU." - Despair.com
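
The four-step exchange described in the message above, as an added example (not part of the original post, and not S/KEY or OPIE code). It assumes HMAC-SHA-256 in place of the bare MD5 the post floats, and folds the command into the hash so the password is valid for that one command only; the callsign, command and pass-phrase are constructed sample values.

```python
import hashlib
import hmac
import secrets

def otp(secret: bytes, challenge: str, command: str) -> str:
    """Step 3: derive the one-time password from challenge + pass-phrase."""
    msg = challenge.encode() + b"|" + command.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]

class Server:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending = {}  # callsign -> outstanding challenge

    def login(self, callsign: str) -> str:
        # Step 2: issue a fresh random challenge, replacing any older one.
        challenge = secrets.token_hex(8)
        self.pending[callsign] = challenge
        return challenge

    def run(self, callsign: str, response: str, command: str) -> bool:
        # Step 4: the challenge is consumed on first use, pass or fail,
        # so a response overheard on the air cannot be replayed.
        challenge = self.pending.pop(callsign, None)
        if challenge is None:
            return False
        expected = otp(self.secret, challenge, command)
        return hmac.compare_digest(expected.encode(), response.encode())

def demo():
    secret = b"constructed shared pass-phrase"  # known to both sides in advance
    server = Server(secret)
    call = "N0CALL"        # constructed callsign
    command = "RELAY1 ON"  # constructed command, sent in the clear

    challenge = server.login(call)               # steps 1 and 2
    response = otp(secret, challenge, command)   # step 3
    first = server.run(call, response, command)  # step 4: accepted
    replay = server.run(call, response, command) # same packet again: rejected

    # A valid password attached to a different command is rejected too.
    challenge2 = server.login(call)
    altered = server.run(call, otp(secret, challenge2, command), "RELAY1 OFF")
    return first, replay, altered

if __name__ == "__main__":
    print(demo())
```

Nothing here hides the command or the challenge; only the pass-phrase stays off the air.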





