[aprssig] Re: Authentication over APRS
scott at opentrac.org
Wed Dec 8 16:36:05 CST 2004
> SecurID is a great product, I use it daily. It provides "two factor"
> authentication (requiring both something you know - your pin, and
> you have - the token). It's not vulnerable to replay attacks as you
> because the act of using the code on the token locks out that code for any
> other authentication attempts. It is, however, vulnerable to
> man-in-the-middle attacks unless other methods are used to mitigate this.
I've used these too. It requires fairly close time synchronization, and if
you're dealing with a device somewhere on a mountaintop miles away with no
GPS, keeping within a couple of minutes is too much trouble.
> seems best. Kantronics as I recall does a weak flavor of
> Challenge/Response, in that you can give it a long passphrase, and it'll
> send prompt you for the character at position x, y, & z (changing every
> login) in the phrase. Using a hardware "calculator" gives decent two
Yeah, and you're going to run out of secrets pretty fast if it's something
you do on a regular basis. I think a TEA or similar CBC-MAC with a simple
challenge/response should be fine. The remote device might just pick a
random sequence of four characters and send them with each beacon - these
would be hashed along with the command, and the device would choose a new
sequence after executing the command.
More information about the aprssig