[aprssig] Igateing a Non Amateur
Steve Dimse
steve at dimse.com
Sat Oct 1 14:14:48 EDT 2005
On Oct 1, 2005, at 1:06 PM, Mark White wrote:
> Opening the source
> should have no consequence on said system.
What you are missing is that it is not the security system, but the
hub code where open source is a problem. As long as there is a hub
program that anyone can modify and then join the network, the
"security" system is irrelevant; it can simply be removed from the code.
Let me see if I can clarify. Say the APRS IS were, with the wave of a
magic wand, upgraded so that SSH is used for validation. Say that a
person or group personally verifies the license status of every user
along with two picture IDs, and every person perfectly guards their
SSH key verifying their identity. In this case, a hub program would
be able to verify that each connection really came from the person
that claims to have sent it and that a particular piece of data
originates with a ham. One of the programs that can connect in this
environment is an upgraded version of aprsd. It is absolutely true
that this open source program could be just as secure as an upgraded
version of javAPRSrvr. However, because the source code is available,
it is trivial to remove the code that checks for validation, and give
every connection validated status. Now the whole network is
compromised, no data can be trusted. While a hub program could verify
the identity of every connection, it could not verify the identity of
the users connected to another hub. The only security possible is by
limiting hub operations to trusted individuals.
To state it another way, while the code certainly can be open source,
any machine that runs the code as part of the APRS IS must be known to
be running a version of the code with full security. This cannot be
done in software, it must be done in the human realm. Either someone
or some group manages the APRS IS, and restricts hubs to a small
group of trusted administrators, or does an ongoing, comprehensive
evaluation of the security of each and every hub in the system.
At this point the discussion of SSH proponents usually turns to
encrypting the data. In the magic wand scenario earlier, rather than
validating the connection, each and every packet could be encrypted
by the sending station using their private key, so anyone connected
to the system can use a public key to decrypt the packet and at the
same time verify the originator of the packet. This would in fact
work, and is the simplest system I can think of for providing true
protection from FCC violations under the message forwarding rule
while still having an open network any ham can join. So all it takes is:
1. A person or group that will verify in person the identity of every
person wishing to use the APRS Internet System. This person or
persons are completely trustworthy, and the users all take
responsibility for protecting their key.
2. A public key infrastructure to support the validation process.
3. Probably hardware upgrades for the hubs and at least some of the
clients; this is a lot of data to decrypt because each packet must be
individually decoded.
4. Re-write of each and every application using the APRS Internet
System.
5. Abandonment of UI-View, since it cannot be upgraded.
Piece of cake...
This basically is the summary of the argument that gets bandied about
every year or so. Yes, it can be done, and if we were protecting our
life savings, we would. We are protecting APRS data though, so it
won't be done because the work involved is not worth the return.
IGate operators need to be aware of the reality of the situation and
make their own decisions.
Steve K4HG
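The per-packet scheme from the magic-wand scenario above, as an added example in Go that is not from this post or from any APRS-IS software: each station signs its raw APRS-IS line with an Ed25519 private key (the post's "encrypt with the private key" is a digital signature in today's terms), and any receiver checks it against the public key registered for the source callsign, so a hub in the middle has nothing it could strip or vouch for. The callsign, the packet text and the Registry/NewStation/SignPacket/VerifyPacket names are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Registry maps a verified callsign to its public key; people fill it, not hub code.
type Registry map[string]ed25519.PublicKey
// NewStation generates a keypair for a constructed callsign, registers the
// public half and returns the private key the station must guard.
func NewStation(reg Registry, callsign string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	reg[callsign] = pub
	return priv
}
// SignPacket runs at the originating station: sign the raw APRS-IS line.
func SignPacket(priv ed25519.PrivateKey, packet string) []byte {
	return ed25519.Sign(priv, []byte(packet))
}
// VerifyPacket runs at any receiver: the signature is checked against the key
// registered for the source callsign, so a relaying hub cannot vouch for it.
func VerifyPacket(reg Registry, packet string, sig []byte) error {
	i := strings.IndexByte(packet, '>') // APRS-IS line: SOURCE>DEST,PATH:payload
	if i <= 0 {
		return errors.New("malformed packet: no source callsign")
	}
	pub, ok := reg[packet[:i]]
	if !ok {
		return fmt.Errorf("no verified key for %s", packet[:i])
	}
	if !ed25519.Verify(pub, []byte(packet), sig) {
		return fmt.Errorf("signature does not match %s", packet[:i])
	}
	return nil
}
func main() {
	reg := Registry{}
	priv := NewStation(reg, "N0CALL") // constructed callsign
	pkt := "N0CALL>APRS,TCPIP*:>signed status test"
	sig := SignPacket(priv, pkt)
	fmt.Println("as sent:", VerifyPacket(reg, pkt, sig))      // <nil>
	fmt.Println("tampered:", VerifyPacket(reg, pkt+"!", sig)) // error
}
```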