[ale] OT:pgp, linux and ham radionetworking

Rod Young development at combiz.net
Thu Mar 1 12:31:48 EST 2001



Thanks, you pointed out the hole in my logic. As I said, I am not a pgp user 
yet, so I was working on an incorrect assumption about how variable the 
signature was. But the token and timestamp idea sounds good.
>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 03/01/2001, 11:47:58 AM, "Joseph A. Knapka" <jknapka at earthlink.net> 
wrote regarding Re: [ale] OT:pgp, linux and ham radionetworking:


> Rod Young wrote:
> >
> > > Have you contacted the ARRL about a way this?
> > Not yet.
> >
> > > Your callsign as well as all transmissions must be in the clear.
> > > Are you considering obfuscating the login? Instead, how about
> > > using a *one*-time password sent in the clear?
> > > It seems that this would be more secure and additionally
> > > not in contravention of the Federal Confusion Commission's rules.
> >
> > > 73, Brian, WIDOC
> >
> > Just the password. It seems to me to pass the muster a third party
> > must be able to obtain the plain text password. If the digital signature
> > is dynamic (IE the same exact signature text is not used) and the
> > plaintext password can be resolved by any third party, then it is
> > no different than any other digitalized signal system we use. The
> > security would be that you, Brian, would be the only holder of your private
> > key. Therefore only you could generate your digital signature. Anyone
> > could download your public key to verify the signature. But no one should
> > be able to duplicate it. I am not a pgp user YET. So if there are users
> > out there who see a hole in my thinking please point it out.
> > --

> If I understand correctly, in order to log in a user would need to
> supply a plain-text password and a digitally-signed copy of that
> password. The signed representation of the password will always
> be the same when signed by the same signature, so this approach is
> vulnerable to a replay attack: anyone who sees the password and
> signature go by can just capture them and send them to you at a
> later time and be authenticated.

> In order to avoid this you will have to utilize some sort of
> cryptographic challenge, which it seems is impossible given the FCC rules.

> Brian's suggestion of using a one-time password is much better. Still
> vulnerable to man-in-the-middle attacks (at least), but much better.
> Then the problem is one of generating and distributing passwords,
> which could be done via normal Internet mechanisms like PGP.

> -- Joe Knapka
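An added example, not part of the original messages: it contrasts the replay weakness of a fixed password-plus-signature pair, as described in the quoted reply, with a one-time password sent in the clear. It assumes a Lamport hash chain as the one-time scheme (the thread names none) and performs no real PGP signing; the class names, seed and credential bytes are constructed for illustration.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def chain(seed: bytes, n: int) -> bytes:
    """Apply h to the seed n times."""
    value = seed
    for _ in range(n):
        value = h(value)
    return value

class StaticVerifier:
    """Models the login from the thread: the accepted bytes never change."""
    def __init__(self, credential: bytes):
        self.credential = credential

    def login(self, submitted: bytes) -> bool:
        return hmac.compare_digest(submitted, self.credential)

class HashChainVerifier:
    """Server side of a hash-chain OTP; stores only the last accepted value."""
    def __init__(self, anchor: bytes):
        self.last = anchor  # h^n(seed); safe to publish

    def login(self, submitted: bytes) -> bool:
        if hmac.compare_digest(h(submitted), self.last):
            self.last = submitted  # each value is accepted exactly once
            return True
        return False

def demo() -> dict:
    seed = b"constructed-secret-seed"          # constructed; never transmitted
    n = 100
    fixed = b"constructed password+signature"  # constructed stand-in
    static = StaticVerifier(fixed)
    otp = HashChainVerifier(chain(seed, n))
    heard_otp = chain(seed, n - 1)             # what a listener records on air
    return {
        "static_first": static.login(fixed),
        "static_replay": static.login(fixed),  # recorded bytes work again
        "otp_first": otp.login(heard_otp),
        "otp_replay": otp.login(heard_otp),    # recorded value is now stale
        "otp_next": otp.login(chain(seed, n - 2)),
    }

if __name__ == "__main__":
    print(demo())
```

Every value in this exchange is readable by a third party, and a listener who records one login still cannot compute the next value without inverting the hash.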




