[aprssig] Re: Authentication over APRS

Scott Miller scott at opentrac.org
Wed Dec 8 17:36:05 EST 2004


> SecurID is a great product, I use it daily. It provides "two factor"
> authentication (requiring both something you know - your pin, and something
> you have - the token). It's not vulnerable to replay attacks as you suggest,
> because the act of using the code on the token locks out that code for any
> other authentication attempts. It is, however, vulnerable to
> man-in-the-middle attacks unless other methods are used to mitigate this.

I've used these too.  It requires fairly close time synchronization, and if
you're dealing with a device somewhere on a mountaintop miles away with no
GPS, keeping within a couple of minutes is too much trouble.

> seems best. Kantronics as I recall does a weak flavor of
> Challenge/Response, in that you can give it a long passphrase, and it'll
> prompt you for the character at position x, y, & z (changing every
> login) in the phrase. Using a hardware "calculator" gives decent two

Yeah, and you're going to run out of secrets pretty fast if it's something
you do on a regular basis.  I think a TEA or similar CBC-MAC with a simple
challenge/response should be fine.  The remote device might just pick a
random sequence of four characters and send them with each beacon - these
would be hashed along with the command, and the device would choose a new
sequence after executing the command.

Scott
N1VG
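
The beacon-challenge scheme sketched in the last paragraph of the message, as an added example that is not code from the original post. The names `device_t`, `command_mac`, `new_challenge` and `device_execute`, the length prefix in the MAC input, and the use of `rand()` as the challenge source are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define MAX_CMD 59   /* 1 length byte + 4 challenge bytes + command fit in 64 bytes */
typedef struct { uint32_t key[4]; char nonce[4]; } device_t;  /* hypothetical device state */

/* Standard TEA block encryption: 64-bit block, 128-bit key, 32 cycles. */
static void tea_encrypt(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < 32; i++) {
        sum += 0x9E3779B9u;
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0; v[1] = v1;
}

/* CBC-MAC over length || challenge || command, zero-padded to 8-byte blocks.
   The length prefix is an addition: plain CBC-MAC is unsafe for variable-length input. */
uint64_t command_mac(const uint32_t key[4], const char nonce[4], const char *cmd) {
    uint8_t buf[64] = {0};
    size_t n = strlen(cmd);
    if (n > MAX_CMD) n = MAX_CMD;          /* never write past buf */
    buf[0] = (uint8_t)n;
    memcpy(buf + 1, nonce, 4);
    memcpy(buf + 5, cmd, n);
    uint32_t st[2] = {0, 0};
    for (size_t off = 0; off < 5 + n; off += 8) {
        for (int i = 0; i < 8; i++) st[i / 4] ^= (uint32_t)buf[off + i] << (24 - 8 * (i % 4));
        tea_encrypt(st, key);              /* chain: state = E(state XOR block) */
    }
    return ((uint64_t)st[0] << 32) | st[1];
}

/* New four-character challenge for the next beacon. rand() is a stand-in only. */
void new_challenge(device_t *d) {
    static const char set[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    char old[4]; memcpy(old, d->nonce, 4);
    do {
        for (int i = 0; i < 4; i++) d->nonce[i] = set[rand() % 36];
    } while (memcmp(old, d->nonce, 4) == 0);   /* never reuse the previous challenge */
}

/* Returns 1 and rolls the challenge if the tag matches, 0 otherwise. */
int device_execute(device_t *d, const char *cmd, uint64_t tag) {
    if (strlen(cmd) > MAX_CMD || command_mac(d->key, d->nonce, cmd) != tag) return 0;
    new_challenge(d);                      /* command accepted: old tag is now useless */
    return 1;
}
```

The operator reads the four characters from the latest beacon, computes `command_mac` with the shared key, and sends the command with the resulting tag; a captured command/tag pair fails once the device has moved to its next challenge.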




