[aprssig] Re: Authentication over APRS

Bob Snyder rsnyder at toontown.erial.nj.us
Wed Dec 8 16:59:47 EST 2004


On Wed, Dec 08, 2004 at 02:55:49PM -0500, KC2MMi wrote:

> Scott, that's already old hat on computers. "SecureID" is one vendor. You

Based on Scott's previous emails, it seems he has a pretty good grasp of
modern computer authentication methods. :-)

SecurID is a great product, I use it daily. It provides "two factor"
authentication (requiring both something you know - your PIN, and something
you have - the token). It's not vulnerable to replay attacks as you suggest,
because the act of using the code on the token locks out that code for any
other authentication attempts. It is, however, vulnerable to
man-in-the-middle attacks unless other methods are used to mitigate this.

A fully-cryptographic method is probably the best, but requires custom
software generally, especially if the non-authentication traffic needs
to remain in cleartext. ssh is out there, but modern flavors I've
seen have removed the option to do authentication without also
encrypting the payload.

For a simple solution, either One Time Passwords or Challenge/Response
seems best. Kantronics as I recall does a weak flavor of
Challenge/Response, in that you can give it a long passphrase, and it'll
prompt you for the character at position x, y, & z (changing every
login) in the phrase. Using a hardware "calculator" gives decent two
factor authentication, although as I recall the protocol used by most
such calculators was found to have a hole a while ago.

Bob N2KGO
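
The challenge/response approach discussed in the message above, as an added example that is not part of the original post: a verifier issues a single-use challenge and the station returns a truncated HMAC-SHA256 over the challenge and the cleartext payload, so the traffic is authenticated without being encrypted. The key, callsign, command string, tag length and all function names are constructed assumptions.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 8  # bytes of HMAC kept; truncation is an assumption to suit short packets


def sign(key: bytes, nonce: str, payload: str) -> str:
    """Tag binding the cleartext payload to one specific challenge."""
    msg = nonce.encode() + b"\x00" + payload.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN].hex()


class Verifier:
    """Issues single-use challenges and checks the responses to them."""

    def __init__(self, key: bytes):
        self._key = key
        self._outstanding = set()  # challenges issued but not yet used

    def challenge(self) -> str:
        nonce = secrets.token_hex(8)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: str, payload: str, tag: str) -> bool:
        # A challenge is burned on first use, pass or fail, so a captured
        # (nonce, payload, tag) triple is useless to anyone replaying it.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        return hmac.compare_digest(sign(self._key, nonce, payload), tag)


def demo() -> dict:
    key = b"constructed-shared-secret"       # constructed sample key
    payload = "N0CALL>APRS:!set beacon 600"  # constructed command, sent in the clear
    v = Verifier(key)
    n1 = v.challenge()
    tag = sign(key, n1, payload)
    results = {"fresh": v.verify(n1, payload, tag)}
    results["replayed"] = v.verify(n1, payload, tag)
    results["old_tag_new_challenge"] = v.verify(v.challenge(), payload, tag)
    n3 = v.challenge()
    results["altered_payload"] = v.verify(n3, payload + "0", sign(key, n3, payload))
    return results


if __name__ == "__main__":
    print(demo())
```
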



