[aprssig] APRS-IS authentication

Matti Aarnio oh2mqk at sral.fi
Fri Aug 20 17:24:47 EDT 2010 

On Thu, Aug 19, 2010 at 12:01:44PM -0500, Jason KG4WSV wrote:
> On Thu, Aug 19, 2010 at 11:47 AM, Bill V WA7NWP <wa7nwp at gmail.com> wrote:
> > There is nothing illegal about non hams putting traffic on the
> > APRS-IS.
> 
> I wouldn't be so sure.
> 
> The core of APRS-IS runs javAPRSsrv, which is licensed for amateur
> radio use.  Non-ham use violates my license agreement with Pete, as
> best I understand it.

Service would not be for hams...    There are commercial services of
fleet/person tracking, but a "free" one will always attract people.

How to make _automatic_ ham status discovery and generation of authentication code?

An automatic web-page thing could work by sending a QSL to claimed callsign at LoTW.
If the recipient acknowledges it, then there is a proof that LoTW keepers have
accepted the user as a ham, and the passcode can be given to the user.
You want also to validate that the LoTW ack is really by the same user as had
been interacting with robot page - you send some random token text on QSL's
"message" field to be returned to the passcode page.

Absolutely you don't want to be supplying passcodes by manual verification
of licenses, or you have to get a far and widely accredited group of verification
volunteers. Something alike DXCC verifiers.


Present passcode system uses a trivial hash function calculated on callsign
characters.

A non-trivial passcode could be using systems like Digest-MD, which is a sort
of password verification, but neither the verifier keeps the reference secret
nor the communication carry the secret in plain.  The reference secrets must
be generated somewhere, and distributed globally, automatically without manual
touches and in reasonably quick time on order of minutes, but that is
semi-trivial operational thing compared even with LoTW verification.

Doing SSL encryption and using so called mutual authentication would work
too, but running SSL eats up servers, and makes rotate.aprs.net practically
impossible.  So don't do SSL, use Digest-MD.


> APRS-IS traffic gets gated to RF by various iGate operators across the
> globe.  Non-ham traffic on APRS-IS could cause these operators to be
> in violation of their license by transmitting non-ham traffic on RF.
> While the legality issue here is for the operator of the iGate, the
> basic premise of IS->RF gating is the assumption that APRS-IS traffic
> _is_ ham traffic.

Very true.  Some countries have very few igates at all, because Bob does
always exhort "the igates must be bidirectional!", but local legislation
makes that very troublesome.  Having Rx-only-iGates at places like UK
means that people can do some APRS things, even if not doing that holy
grail of bidirectional messaging in between far-away users over RF and
APRS-IS.

We Finns have very relaxed legistlation compared to some other parts of EU..

> -Jason
> kg4wsv

73 de Matti, OH2MQK

More information about the aprssig mailing list