►
From YouTube: User Authentication for Amateur Satellites
Description
Ham Expo presentation from September 2022 by Paul Williamson, KB5MU
Satellite communications systems are subject to a broad range of potential abuses. As satellite communications systems become more useful, they can even attract pirate users from outside the intended community. We propose a system for P4XT that securely authenticates every user on the uplink of a digital system in real time, so that the satellite owner's authorization policy can be enforced.
A
A
The
next
big
step
forward
is
to
replace
the
linear
transponders
with
high
performance.
Digital
payloads,
open
research
institute
has
been
working
on
a
design
for
a
digital
satellite
communication
system
called
p4xt
that
uses
many
individual
digital
uplink
channels
in
the
5
gigahertz
microwave
band,
an
onboard
multiplexer
and
a
single
broadband
dbb
s2
or
s2x
digital
downlink
in
the
10
gigahertz
microwave
band.
A
It
will
support
many
simultaneous
real-time
voice
users,
as
well
as
a
range
of
capabilities
for
both
higher
and
lower
bandwidth
communications.
The
system
is
designed
for
a
geostationary
orbit
or
for
a
high
elliptical
orbit.
It
can
also
be
used
terrestrially
with
a
central
station
or
ground
sat
in
a
prime
location.
A
A
Unfortunately,
a
system
like
that
may
also
attract
various
kinds
of
misbehavior.
It
might
attract
non-amateur
users
who
wish
to
exploit
the
utility
of
the
system.
It
might
attract
amateur
users
who
disregard
the
rules
and
regulations
and
operating
practices
recommended
by
the
satellite
owner
operator.
A
A
The
amateur
satellite
service
hasn't
yet
flown
a
system
that
was
useful
enough
and
easy
enough
to
attract
widespread
pirate
usage,
but
the
u.s
navy
fleet,
satcom
satellites
from
the
late
1970s
and
1980s
have
seen
extensive
pirate
use.
It
was
possible
to
buy
the
components
of
a
pirate
fleet
satcom
terminal
at
any
truck.
Stop
in
brazil
and
non-military
communications
could
often
be
heard
on
the
down
link,
because
the
system
was
a
bent
pipe
analog
transponder.
A
A
A
Just
knowing
that
their
identities
are
public
might
be
enough
to
discourage
most
of
them.
If
they
persist
in
misbehaving,
the
system
can
deny
them
access
which
eliminates
most
of
their
ability
to
damage
the
system
and
the
community,
ignoring
the
thousands
of
other
things
that
can
go
wrong
with
a
satellite
communication
system.
Space
is
hard.
We
will
concentrate
on
problems
that
can
be
caused
by
radio
signals
on
the
up
link.
A
A
There
are
tricks
that
can
help
defend
against
such
attacks,
but
with
enough
power,
the
jammer
can
always
defeat
the
receiver,
no
matter
how
cleverly
designed
all
radio
communication
systems
have
this
fundamental
vulnerability,
a
strong
enough
jammer
can
prevent
communications
from
working
on
the
plus
side.
That
strong
jammer
is
pretty
easy
to
detect
and
locate,
so
it
can
eventually
be
forced
to
shut
down
even
better,
there's,
usually
no
big
incentive
to
simply
jam
a
whole
communication
system.
Unless
it's
of
military
or
political
importance,
we
can't
prevent
a
jamming
attack.
A
A
Abuse
attacks
are
another
matter.
The
abusing
station
is
technically
very
similar
to
an
ordinary
user
station,
at
least
in
terms
of
basic
performance,
antenna,
size,
power,
amplifier
and
so
on.
We
want
user
stations
to
be
affordable,
available
and
easy
to
use,
which
means
that
the
potential
abusers
also
have
ready
access
to
the
equipment.
A
The
potential
abuser
doesn't
need
to
emit
any
particularly
loud
signals,
so
it
can
hide
among
all
the
ordinary
users
and
evade
detection,
perhaps
worst
of
all.
In
some
cases
there
can
be
a
strong
incentive
to
abuse
the
system,
as
in
the
case
of
that
navy
fleet
satcom
system
I
described
earlier,
we
have
not
seen
this
kind
of
large-scale
abuse
on
amateur
satellites
so
far,
probably
because
our
systems
have
not
reached
the
threshold
of
usefulness
to
attract
pirate
users,
maybe
a
p4xt
system
will
cross
that
threshold.
A
A
A
A
What
we
need
is
a
way
to
unambiguously
identify
the
source
of
any
transmission
on
digital
voice
systems
based
on
lan
mobile
technologies
like
dstar
or
dmr.
Each
station
is
configured
to
transmit
identification
automatically
and
unidentified
transmissions
are
invalid,
but
there's
nothing
stopping
an
abuser
from
entering
a
false
identity.
A
A
A
A
The
design
is
further
constrained
by
the
need
to
be
fairly
efficient
in
terms
of
uplink
resources
used.
We
will
need
to
add
some
authentication
data
to
every
uplink
transmission,
but
that
overhead
needs
to
be
kept
pretty
small
in
order
to
avoid
wasting
too
much
uplink
bandwidth,
it
turns
out.
We
will
also
need
to
occasionally
perform
an
exchange
of
larger
authentication
messages
between
the
ground
station
and
the
satellite.
A
Those
transactions
can't
occur
too
often
again
because
of
efficiency.
The
rate
at
which
the
authentication
transactions
take
place
needs
to
be
under
the
control
of
the
satellite,
since
the
satellite
has
to
handle
a
large
number
of
simultaneous
users
and
has
limited
onboard
resources
for
storage
and
for
computation.
A
A
A
A
A
Anybody
who
is
able
to
come
up
with
a
valid
token
value
for
another
ground
station
will
be
able
to
impersonate
that
ground
station.
For,
however
long
that
token
value
is
valid,
so
we
want
the
token
to
be
valid
for
only
a
very
short
period
of
time,
so
that
a
would-be
impersonator
can't
just
intercept
the
token
being
transmitted
on
the
uplink
and
reuse
it.
A
A
A
I'm
not
going
to
try
to
explain
the
math,
but
here's
how
it
works.
At
a
block
diagram
level.
We
have
a
cryptographic,
computation
called
a
hash
function.
A
hash
function
takes
some
number
of
input
bits
and
generates
a
fixed
number
of
output
bits.
That
depends
only
on
the
input
bits,
but
in
a
complicated
way,
that's
practically
impossible
to
reverse.
A
A
A
A
A
The
essence
is
that
each
party
generates
a
big
random
number,
which
it
keeps
secret
and
then
uses
it
to
calculate
a
second
number.
The
parties
then
exchange
their
respective
results
over
the
air.
Somebody
listening
in
can
know
both
of
these
second
numbers,
but
does
not
know
the
random
number
for
either
party.
A
Each
party
combines
the
second
number
they
received
with
the
random
number.
They
kept
secret
to
generate
a
third
number
and
the
magic
in
the
math
is
the
third
number
works
out
to
be
the
same
for
both
parties,
and
that
third
number
is
the
shared
secret.
An
eavesdropper
cannot
compute.
The
third
number
neither
party
can
control
the
contents
of
the
shared
secret.
So
it's
not
an
encrypted
message.
A
A
Okay,
great
we're
getting
pretty
close
to
a
solution.
We
have
a
standard
well-trusted
way
to
generate
a
shared
secret,
the
diffie-hellman
key
agreement,
and
we
have
totp
a
standard
well-trusted
way
to
use
that
shared
secret
to
generate
one-time
tokens
for
each
uplink
frame,
we're
still
missing
one
essential
ingredient.
A
A
This
is
really
a
policy
question.
So
the
answer
depends
on
the
desires
of
the
satellite
owner
and
possibly
on
the
choice
of
authentication
mode
and
use
at
a
given
time
during
a
communications
drill
or
emergency.
For
example,
there
may
be
a
very
specific
list
of
stations
that
are
authorized
to
use
a
satellite
and
everybody
else
is
blocked
or
restricted
to
certain
kinds
of
use.
A
It
might
be
a
list
of
station
call
signs,
but
it
could
just
as
easily
be
a
set
of
tactical
identifiers
that
are
specific
to
the
served
agency
or
to
the
specific
drill
it's
going
to
depend
on
what's
needed,
for
the
situation
at
hand
for
a
more
general
amateur
radio
scenario,
what
we
mean
by
real
world
identity
is
almost
certainly
the
amateur
radio
station
call
sign,
held
by
a
specific
licensee
call.
Signs
are
handy,
they're,
compact
and
globally.
Unique
everybody
who
can
legally
operate
an
amateur
radio
station
has
a
station
call
sign
in
case.
A
We
need
to
impose
accountability
for
misbehavior.
The
call
sign
is
the
best
way
to
identify
the
individual
involved,
especially
when
a
pattern
of
misbehavior
calls
for
government
involvement
in
the
united
states.
The
fcc
maintains
a
public
database
of
call
signs
with
the
name
of
the
licensee
and
a
mailing
address.
A
A
A
The
logbook
of
the
world
is
a
way
to
confirm
contacts
for
awards
without
physically
exchanging
qsl
cards,
each
participating
operator
uploads.
The
list
of
contacts
they've
made
their
logbook
and
the
system
searches
for
matches
between
uploaded
logs
if
both
ends
of
a
contact
have
reported
matching
information
in
their
uploaded
logs.
Both
stations
get
credit
for
the
contact.
A
A
This
trick
depends
on
a
method
called
public
key
cryptography.
The
user
has
a
key
that
is
kept
secret,
referred
to
as
the
private
key
from
the
private
key.
They
can
derive
a
second
key
called
the
public
key,
as
you
might
guess,
from
the
name.
The
public
key
can
be
shared
with
everyone
without
compromising
the
private
key.
A
The
key
pair
can
be
used
in
a
variety
of
ways
for
digital
signatures.
The
private
key
is
used
to
compute
a
number
called
the
signature
based
on
the
contents
of
a
message
to
be
signed,
since
the
private
key
is
kept
secret.
Only
the
holder
of
the
key
pair
is
capable
of
computing,
a
signature,
but
through
the
magic
of
the
math.
A
A
A
A
A
The
league
uses
that
root
certificate
to
sign
a
working
certificate,
which
is,
in
turn,
used
to
sign
a
certificate
for
each
station
that
uses
logbook
of
the
world.
For
this
scheme.
To
work,
we
have
to
trust
that
each
authority
in
the
chain
of
trust
has
done
a
good
job
of
checking
that
it
only
signs
authentic
certificates
for
logbook
of
the
world.
A
A
A
A
A
I'm
guessing
that
most
people
who
would
be
early
adopters
of
a
p4xt
satellite
system,
already
have
a
certificate,
we're
not
stuck
using
just
one
source
of
certificates
either
if
the
logbook
of
the
world
certificates
can't
be
used
by
everybody.
For
any
reason,
it
wouldn't
be
too
big.
A
deal
to
establish
our
own
root
certificate
and
issue
call
sign
certificates
of
our
own.
In
the
same
way,
the
league
does
for
logbook
of
the
world.
A
A
A
A
A
A
A
One
of
these
is
the
auth
broadcast
message.
It
contains
various
parameters
that
all
users
need
to
participate
in
the
authentication
protocol.
It's
transmitted
once
per
second,
so
that
a
ground
station
won't
have
to
wait
very
long
to
receive
it
when
first
powering
up.
It
contains
the
date
and
time
to
40
millisecond
resolution,
so
the
ground
station
clock
will
be
in
sync
with
the
satellite's
clock,
which
is
necessary
for
the
totp
tokens
to
match.
Up
correctly,
it
contains
a
unique
identifier
for
the
satellite.
Just
in
case
we
someday
have
many
satellites
in
the
sky.
A
It
contains
the
public
parameters
for
the
diffie-hellman
key
agreement
protocol,
and
it
contains
two
values
that
define
how
many
frames
can
be
transmitted
with
the
same
authentication
token,
the
ground
station
records
these
values
for
later
use.
When
the
ground
station
wishes
to
transmit
it
simply
starts
the
transmit.
A
If
it
has
stored,
authentication
information
from
a
previous
session,
it
can
use
the
old
information
to
fill
in
authentication
tokens
for
each
frame.
If
it
does
not
have
such
information
default,
values
are
used
to
create
a
stream
of
tokens
to
use.
In
the
meantime,
the
satellite
will
receive
these
frames
and
evaluate
the
authentication
tokens
in
them.
A
What
it
does
next
will
depend
on
the
policy
decisions
set
by
the
satellite
operator.
We
hope
that,
under
normal
conditions,
the
satellite
would
go
ahead
and
retransmit
these
frames
on
the
downlink.
Even
if
the
authentication
tokens
don't
check
out,
this
policy
would
be
the
friendliest
to
users
and
also
minimize
the
delay
in
case
the
user
has
emergency
traffic
to
transmit
then
or
sometime
later,
according
to
satellite
policy,
the
satellite
may
decide
it
wants
to
authenticate
the
user.
A
It
also
contains
an
identifier
for
this
authentication
transaction,
a
block
of
random
bits
to
add
security
to
the
transaction
and
the
satellite's
computed
value
for
the
diffie-hellman
key
agreement.
Protocol
notice
that
we're
doing
multiple
things
in
parallel
here
we're
starting
the
certificate
check,
but
we're
also
going
ahead
with
the
key
agreement
protocol.
A
It
formulates
a
virtual
message
that
will
be
signed
using
the
secret
key
associated
with
its
call
science
certificate
notice.
This
virtual
message
is
never
actually
transmitted
by
either
station.
The
message
echoes
back
the
satellite
identifier
from
the
auth
broadcast
and
the
claimed
identity
that
was
challenged
in
the
directed
auth
challenge.
A
A
A
A
A
If
the
ground
station
is
authorized
to
continue
transmitting,
then
the
switch
over
time
from
the
auth
ack
comes
into
play.
This
identifies
the
specific
frame
where
the
ground
station
is
supposed
to
switch
over
from
using
its
old
or
default
authentication
tokens
to
using
newly
computed
authentication
tokens
based
on
the
shared
secret
agreed
upon
using
the
diffie-hellman
key
agreement
protocol.
A
A
Once
the
auth
ack
has
been
received
and
the
switch
over
time
has
arrived,
the
ground
station
generates
authentication
tokens
the
date
time
and
the
shared
secret
from
the
diffie-hellman
key
agreement
protocol
go
into
a
sha-1
hash
function,
the
hash
function,
computes
a
160-bit
number.
An
additional
calculation
is
used
to
extract
a
smaller
number
in
vanilla
totp.
A
A
A
I've
shown
you
a
method
by
which
the
origin
of
every
uplink
transmission
can
be
identified
with
high
assurance
with
this
protocol
in
place
as
part
of
the
overall
system
protocol
needed
to
access
and
use
the
p4
xt
satellite,
the
satellite
operator
will
have
the
ability
to
control
access
to
the
system
and
impose
accountability
on
misbehaving
users,
except
for
the
need
to
provide
a
call
sign
certificate
to
the
ground
station
controller.
This
imposes
no
burden
on
the
individual
user
of
our
ground
station.
Everything
is
automatic.
A
This
is
still
an
early
version
of
the
design.
Only
the
authentication
protocol
part
has
been
fleshed
out
to
even
this
level
of
detail.
So
there's
still
time
for
you
to
get
involved
and
help
out.
Your
comments
and
suggestions
are
sincerely
welcomed.
We
do
all
our
work
out
in
the
open
publishing
as
we
go,
not
just
open
source
but
open
process
too.