I am sitting in the MicroHams Digital Conference and Bryan Hoyer, KG6GEU, is giving a presentation on authentication over digital communications. He has several good points and this is a particular pain point for me. Unfortunately, his presentation went off on a another tack and I think he missed a very important aspect in his presentation.
His presentation was proposing using HMAC to provide a digest of the message being transmitted to authenticate that the message is valid. This is a good step for things such as packet and APRS. Yes, there is some overhead (about 14-22 bytes) and it will take software on both ends to produce, recognize and authenticate the HMAC digest. This provides a way of verifying that the message was sent by the person you are expecting them to be. That is assuming that you have key infrastructure already built ahead of time.
The one aspect that I think Bryan missed that could have brought a lot of light to the discussion is Winlink authentication. Today Winlink is inherently insecure. Painfully insecure. In fact, not only is it so insecure that anyone can log into Winlink as me and get my messages, they can also send messages was me without ever needing to authenticate as me other than using my callsign. Yes, there is an option with Winlink to use a password, but now I am sending that password in the clear so that anyone can read it. Still not a good situation if you are trying to authenticate where a message originated from.
So what really needs to be done with Winlink is to provide another mechanism to authenticate. I have had a long standing argument with Don Marshall, KE7ARH, about how to add this authentication to Winlink. Don seems to think that my ideas would violate Part 97 rules. I of course don’t think so.
To begin with when a user connects to a Winlink RMS station, the RMS station responds with a random string which actually originates from the Winlink CMS server. My Winlink client would then take the random string, calculate a new string using my password and return the new string to the RMS station. My newly generated string would then be returned to the CMS server for verifcation. Since the CMS server knows what random string was sent to my Winlink client and it knows what my password is, so it could calculate the new string the same as the Winlink clients do. If the CMS server gets back something different than what it calculated, then the authentication would fail. And at no time has my password gone over the air to be captured.
To really be complete, a similar method would need to be done with every data packet going back and forth between the Winlink client and the RMS station would need to authenticate each packet to keep from having someone to insert themselves in the communication and take control of the session.
73 de WTØF