[aprssig] Universal APRS messaging
Steve Dimse steve at dimse.comThu Oct 23 23:45:49 UTC 2008
- Previous message: [aprssig] Universal APRS messaging
- Next message: [aprssig] Universal APRS messaging
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Oct 23, 2008, at 5:52 PM, Tyler Allison wrote: > > Not just the APRS-IS. All of APRS. APRS was never designed to > authenticate > the owner. You can secure the APRS-IS all you want and I can still > send a > "nasty" APRS message to somebody in NZ using my APRS enabled radio > using > someone elses callsign, Yes, and it is a good point. The authentication was never designed to prove in court that ham W4xxx actually sent a message. The purpose was to protect the IGate operators by meeting the requirements for protection as a message forwarding system. >>> > Let's be pure in our argument please. There never was real security > in the > authentication system with or without the publishing of the aprsd > source > code. It would take a reasonably smart developer about an hour to > reverse > the algorithm used for 'authentication' by doing simple crypto > analysis. > If you want an actual time, I'll ask one of the guys at my work to > do it > blind and I'll time him. I got beer money he can do it under an hour. It actually may be a little harder than that. There was nowhere for a cracker to intercept callsign/password pairs short of cracking into the internet itself and monitoring the logins. You are correct in that if someone had access to a reasonable number of callsign/password pairs they could figure out the algorithm, but to get that list you would have needed to break into a router somewhere near a hub and capture the traffic. It wasn't encrypted, it could have been done, but that is another level of cracking that would take more than an hour. If someone had even a single password/callsign they could send traffic appearing to be IGated from that station, which makes getting the algorithm meaningless. It is certainly true that the system never had the security you would want your bank to use protecting your accounts. On the other hand, the combination of small network size, human monitoring, and the 15 bit login protection provided the design level of security, i.e. enough to protect the licenses of IGate operators. That level of protection was what was I'm saying lost about 8 years ago. That is the level of protection I think the APRS IS ought to try to restore. Steve K4HG
- Previous message: [aprssig] Universal APRS messaging
- Next message: [aprssig] Universal APRS messaging
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the aprssig mailing list