[aprssig] Universal APRS messaging

Steve Dimse steve at dimse.com
Thu Oct 23 19:45:49 EDT 2008

On Oct 23, 2008, at 5:52 PM, Tyler Allison wrote:
> Not just the APRS-IS. All of APRS. APRS was never designed to authenticate
> the owner. You can secure the APRS-IS all you want and I can still send a
> "nasty" APRS message to somebody in NZ using my APRS enabled radio using
> someone else's callsign,

Yes, and it is a good point. The authentication was never designed to  
prove in court that ham W4xxx actually sent a message. The purpose was  
to protect the IGate operators by meeting the requirements for  
protection as a message forwarding system.

> Let's be pure in our argument please. There never was real security in the
> authentication system with or without the publishing of the aprsd source
> code. It would take a reasonably smart developer about an hour to reverse
> the algorithm used for 'authentication' by doing simple crypto analysis.
> If you want an actual time, I'll ask one of the guys at my work to do it
> blind and I'll time him. I got beer money he can do it under an hour.

It actually may be a little harder than that. There was nowhere for a  
cracker to intercept callsign/password pairs short of cracking into  
the internet itself and monitoring the logins. You are correct in that  
if someone had access to a reasonable number of callsign/password  
pairs they could figure out the algorithm, but to get that list you  
would have needed to break into a router somewhere near a hub and  
capture the traffic. It wasn't encrypted, it could have been done, but  
that is another level of cracking that would take more than an hour.  
If someone had even a single password/callsign they could send traffic  
appearing to be IGated from that station, which makes getting the  
algorithm meaningless.

It is certainly true that the system never had the security you would  
want your bank to use protecting your accounts. On the other hand, the  
combination of small network size, human monitoring, and the 15 bit  
login protection provided the design level of security, i.e. enough to  
protect the licenses of IGate operators. That level of protection was  
what I'm saying was lost about 8 years ago. That is the level of
protection I think the APRS IS ought to try to restore.

Steve K4HG
