[aprssig] APRS-IS authentication

Georg Lukas georg at op-co.de
Sat Aug 21 15:31:37 EDT 2010


* Matti Aarnio <oh2mqk at sral.fi> [2010-08-20 23:26]:
> How to make _automatic_ ham status discovery and generation of authentication code?
> 
> An automatic web-page thing could work by sending a QSL to claimed callsign at LoTW.
> If the recipient acknowledges it, then there is a proof that LoTW keepers have
> accepted the user as a ham, and the passcode can be given to the user.
> You want also to validate that the LoTW ack is really by the same user as had
> been interacting with robot page - you send some random token text on QSL's
> "message" field to be returned to the passcode page.

This is comparable to delegating the authentication to the EchoLink
people. It moves the burden from APRS-IS to another part of the ham
universe but provides a pretty secure authentication of the users
actually being licensed. On the other hand, it requires the user to
register with the specified group, even if they do not intend to use EL
or the LoTW.

However, the main problem I see is the ease of circumventing this for
APRS-IS - the passcode algorithm is trivial, to say the least, and a
passcode generator is freely available with all major Linux distributions.

> Absolutely you don't want to be supplying passcodes by manual verification
> of licenses, or you have to get a far and widely accredited group of verification
> volunteers. Something like DXCC verifiers.

Indeed, doing a proper authentication requires at least the radio
license, best combined with a picture ID card.

Replying to any email request is as secure as an online passcode
generator, just more cumbersome ;)

Unless the authentication mechanism in APRS-IS is replaced with a
(cryptographically) secure one, there is not much sense in putting a
high barrier in front of the passcode calculation.

Right now, I am considering a semi-automatic solution. The user should
be asked to fill out a web form (this can be integrated into the
application as well), providing the following data:

* full name
* call sign
* email address (containing the callsign / FCC registered if possible)
* (optional) additional remarks

The requests can be stored in a request database for manual verification
and abuse tracking, maybe even combined with automatic checks at FCC and
other official registries. This will reduce the overhead of validation,
deter a large number of vandals and allow sending a passcode email with
a single click.

I think it can be implemented in less than a weekend as well ;)

I don't think any more authentication will actually increase the
security of APRS-IS, until the passcode method is completely disabled.

73 de DO1GL
-- 
|| http://op-co.de ++  GCS/CM d-- s: a- C+++ UL+++ !P L+++ E--- W++  ++
|| gpg: 0x962FD2DE ||  N++ o? K- w---() O M V? PS+ PE-- Y+ PGP++ t+  ||
|| Ge0rG: euIRCnet ||  5 X R(+) tv b+(++) DI+++ D+ G e+++ h- r++ y?  ||
++ IRCnet OFTC OPN ||________________________________________________||
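
The token step from the quoted proposal (a random value placed in the QSL "message" field and returned to the passcode page), as an added example that is not part of the original message or of any APRS-IS or LoTW software. The class name, the in-memory store and the seven-day lifetime are assumptions; the LoTW exchange itself is not modelled.

```python
import hmac
import secrets
import time

TOKEN_TTL = 7 * 24 * 3600  # assumed lifetime of a challenge, in seconds


class ChallengeStore:
    """Pending challenges, keyed by normalised callsign (hypothetical helper)."""

    def __init__(self, now=time.time):
        self._pending = {}  # callsign -> (token, expiry timestamp)
        self._now = now     # injectable clock so expiry can be exercised

    @staticmethod
    def normalise(callsign):
        # Fold case and drop an SSID suffix, e.g. "n0call-9" -> "N0CALL".
        return callsign.strip().upper().split("-", 1)[0]

    def issue(self, callsign):
        """Return the random token to place in the QSL "message" field."""
        token = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        self._pending[self.normalise(callsign)] = (token, self._now() + TOKEN_TTL)
        return token

    def verify(self, callsign, returned_token):
        """True only for an unexpired, unused token issued to this callsign."""
        key = self.normalise(callsign)
        entry = self._pending.get(key)
        if entry is None:
            return False            # nothing issued, or already consumed
        token, expiry = entry
        if self._now() > expiry:
            del self._pending[key]  # expired challenges are discarded
            return False
        # Constant-time comparison; bytes so non-ASCII input cannot raise.
        if not hmac.compare_digest(token.encode(), returned_token.encode()):
            return False            # wrong token leaves the challenge pending
        del self._pending[key]      # single use: a replayed ack is rejected
        return True
```

A wrong token leaves the challenge in place, so a third party submitting guesses for someone else's callsign cannot cancel a pending verification.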