[aprssig] APRS-IS authentication
Georg Lukas georg at op-co.de
Sat Aug 21 19:31:37 UTC 2010

* Matti Aarnio <oh2mqk at sral.fi> [2010-08-20 23:26]:
> How to make _automatic_ ham status discovery and generation of authentication code?
>
> An automatic web-page thing could work by sending a QSL to claimed callsign at LoTW.
> If the recipient acknowledges it, then there is a proof that LoTW keepers have
> accepted the user as a ham, and the passcode can be given to the user.
> You want also to validate that the LoTW ack is really by the same user as had
> been interacting with robot page - you send some random token text on QSL's
> "message" field to be returned to the passcode page.

This is comparable to delegating the authentication to the EchoLink people. It moves the burden from APRS-IS to another part of the ham universe but provides a pretty secure authentication of the users actually being licensed. On the other hand, it requires the user to register with the specified group, even if they do not intend to use EL or the LoTW.

However, the main problem I see is the ease of circumventing this for APRS-IS - the passcode algorithm is trivial, to say the least, and a passcode generator is freely available with all major Linux distributions.

> Absolutely you don't want to be supplying passcodes by manual verification
> of licenses, or you have to get a far and widely accredited group of verification
> volunteers. Something alike DXCC verifiers.

Indeed, doing a proper authentication requires at least the radio license, best combined with a picture ID card. Replying to any email request is as secure as an online passcode generator, just more cumbersome ;)

Unless the authentication mechanism in APRS-IS is replaced with a (cryptographically) secure one, there is not much sense in putting a high barrier in front of the passcode calculation.

Right now, I am considering a semi-automatic solution. The user should be asked to fill out a web form (this can be integrated into the application as well), providing the following data:

* full name
* call sign
* email address (containing the callsign / FCC registered if possible)
* (optional) additional remarks

The requests can be stored in a request database for manual verification and abuse tracking, maybe even combined with automatic checks at FCC and other official registries. This will reduce the overhead of validation, deter a large amount of vandals and allow sending a passcode email with a single click. I think it can be implemented in less than a weekend as well ;)

I don't think any more authentication will actually increase the security of APRS-IS, until the passcode method is completely disabled.

73 de DO1GL
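
A sketch of the semi-automatic request queue proposed in the message above, as an added example that is not part of the original post: form submissions are stored with automatic hints, and a reviewer approves each one with a single action. The table layout, the flag names and the simplified callsign pattern are assumptions; lookups against FCC or other registries and the passcode email itself are left out.

```python
import re
import sqlite3

# Assumption: simplified callsign shape (prefix, digit, 1-4 letter suffix).
CALLSIGN_RE = re.compile(r"^[A-Z0-9]{1,2}[0-9][A-Z]{1,4}$")

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE requests (
        id INTEGER PRIMARY KEY, full_name TEXT, callsign TEXT, email TEXT,
        remarks TEXT, flags TEXT, status TEXT DEFAULT 'pending')""")
    return db

def submit(db, full_name, callsign, email, remarks=""):
    """Store one form submission plus automatic hints for the reviewer."""
    callsign, email = callsign.strip().upper(), email.strip().lower()
    flags = []
    if not CALLSIGN_RE.match(callsign):
        flags.append("callsign-format")
    if callsign.lower() not in email:
        flags.append("email-lacks-callsign")
    # Abuse tracking: the same callsign was already requested from another address.
    if db.execute("SELECT 1 FROM requests WHERE callsign=? AND email<>?",
                  (callsign, email)).fetchone():
        flags.append("callsign-reused")
    cur = db.execute(
        "INSERT INTO requests (full_name, callsign, email, remarks, flags) "
        "VALUES (?,?,?,?,?)", (full_name, callsign, email, remarks, ",".join(flags)))
    return cur.lastrowid, flags

def review_queue(db):
    """Pending requests, unflagged first, so clean ones can be approved quickly."""
    return db.execute("SELECT id, callsign, flags FROM requests "
                      "WHERE status='pending' ORDER BY flags <> '', id").fetchall()

def approve(db, request_id):
    """The reviewer's single click; sending the passcode email is out of scope."""
    db.execute("UPDATE requests SET status='approved' WHERE id=?", (request_id,))

def demo():
    db = open_db()
    # Constructed sample submissions, not real requests.
    submit(db, "Alice Example", "N0CALL", "n0call@example.org")
    submit(db, "Mallory", "N0CALL", "mallory@example.net")
    submit(db, "Bob", "notacall", "bob@example.com")
    return db, review_queue(db)

if __name__ == "__main__":
    for row in demo()[1]:
        print(row)
```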
