[ale] OT: pgp, linux and ham radio networking

Joseph A. Knapka jknapka at earthlink.net
Thu Mar 1 11:47:58 EST 2001


Rod Young wrote:
> 
> > Have you contacted the ARRL about a way this?
> Not yet.
> 
> > Your callsign as well as all transmissions must be in the clear.
> > Are you considering obfuscating the login? Instead, how about
> > using a *one*-time password sent in the clear?
> > It seems that this would be more secure and additionally
> > not in contravention of the Federal Confusion Commission's rules.
> 
> > 73, Brian, WIDOC
> 
> Just the password. It seems to me that to pass muster a third party
> must be able to obtain the plain text password. If the digital signature
> is dynamic (i.e. the same exact signature text is not used) and the
> plaintext password can be resolved by any third party, then it is
> no different than any other digitalized signal system we use. The
> security would be that you, Brian, would be the only holder of your private
> key. Therefore only you could generate your digital signature. Anyone
> could download your public key to verify the signature. But no one should
> be able to duplicate it. I am not a pgp user YET. So if there are users
> out there who see a hole in my thinking please point it out.
> --

If I understand correctly, in order to log in a user would need to
supply a plain-text password and a digitally-signed copy of that
password. The signed representation of the password will always
be the same when signed by the same signature, so this approach is
vulnerable to a replay attack: anyone who sees the password and
signature go by can just capture them and send them to you at a
later time and be authenticated.

In order to avoid this you will have to utilize some sort of cryptographic
challenge, which it seems is impossible given the FCC rules.

Brian's suggestion of using a one-time password is much better. Still
vulnerable to man-in-the-middle attacks (at least), but much better.
Then the problem is one of generating and distributing passwords,
which could be done via normal Internet mechanisms like PGP.

-- Joe Knapka
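The replay problem Joe describes, next to the hash-chain style of one-time password Brian suggests, as an added example that is not part of the original thread. The PGP signature is replaced by a fixed stand-in value, since the only property that matters for the replay is that the same password always yields the same signature bytes; the seed, password and key are constructed for the demo.

```python
import hashlib
import hmac


def sha(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Scheme 1: plaintext password plus a signature over it, as proposed in the thread.
# With a static password and a deterministic signature, the server sees the same
# two byte strings on every login, so it can only compare them to a stored copy.
class SignedPasswordServer:
    def __init__(self, password: bytes, signature: bytes):
        self.expected = (password, signature)

    def login(self, password: bytes, signature: bytes) -> bool:
        return hmac.compare_digest(self.expected[0], password) and \
               hmac.compare_digest(self.expected[1], signature)


def signed_scheme_replay_succeeds() -> bool:
    password = b"hunter2"                                   # constructed
    signature = hmac.new(b"stand-in-for-pgp-key", password, "sha256").digest()
    server = SignedPasswordServer(password, signature)
    captured = (password, signature)     # eavesdropper copies one login off the air
    first = server.login(*captured)      # the real user
    replay = server.login(*captured)     # the same bytes resent later
    return first and replay              # True: the replay is accepted


# Scheme 2: one-time passwords from a hash chain, sent in the clear.
# The client enrols h^n(seed); each login reveals the preceding link, which the
# server verifies by hashing it once, then adopts as the new reference value.
class HashChainOTPServer:
    def __init__(self, last_link: bytes):
        self.current = last_link

    def login(self, otp: bytes) -> bool:
        if hmac.compare_digest(sha(otp), self.current):
            self.current = otp           # the link just used can never verify again
            return True
        return False


def make_chain(seed: bytes, n: int) -> list:
    chain = [seed]                        # chain[i] == h^i(seed)
    for _ in range(n):
        chain.append(sha(chain[-1]))
    return chain


def otp_scheme_replay_fails() -> tuple:
    chain = make_chain(b"enrolment-seed", 5)                # constructed seed
    server = HashChainOTPServer(chain[5])
    first = server.login(chain[4])       # visible to everyone listening
    replay = server.login(chain[4])      # resent: sha(chain[4]) != chain[4]
    nxt = server.login(chain[3])         # the legitimate user's next login
    return first, replay, nxt            # (True, False, True)
```

The chain scheme only stops reuse of a value the server has already consumed; an intercepted link that the server has not yet seen is still usable, which is the man-in-the-middle gap Joe's reply leaves open.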