ThomasHabets/axsh

axsh

Library and binaries for creating secure yet compliant amateur radio connections.

Servers and clients each have a long-term dual-signature ML-DSA/ed25519 key, which is post-quantum safe (with a current state-of-the-art fallback). Then, for the actual connection, both sides generate a temporary ed25519 key.

Compliance

Everything sent over the air is clear text. Nothing is encrypted or otherwise obfuscated. Anyone listening can even confirm that the signature is a signature, and not some secret communication channel.

And yet they cannot impersonate either side.

Performance

Handshakes add about 5050 bytes in total. The bulk of this is the ML-DSA signatures, one for each end of the connection. This means that the handshake takes 30-40 seconds at 1200bps. This is as good as it gets while remaining quantum resistant.

The per packet overhead is an ed25519 signature, 64 bytes. At 1200bps this is 0.42 seconds of airtime.

At 9600bps this should be 4 seconds and 53ms, respectively. We really should get off of this 1200bps standard. But it's just so cheap and easy to stick an AIOC in a Baofeng and get a digital terminal. Of course nothing precludes running something faster and yet not G3RUH through that hardware.

While we could choose to skip quantum resistance, and get the handshake down to maybe under a second, what's the fun in that? Or more seriously, that added complexity is probably better spent on a better modem instead.

Usage

Generate keys

$ axsh-keygen server.key
[…]
$ axsh-keygen client.key
[…]
$ axsh-pubkey client.key > authorized_keys
$ axsh-pubkey server.key | axsh-fingerprint /dev/stdin
SHA256:LbGyurDlBczDLyrl23l20yiuEhpuUm1sjyC42y9FgyM

Run server

$ axshd \
    -k server.key \
    -v trace \
    -a authorized_keys \
    --agw-addr 127.0.0.1:8010 \
    -l M0QQQ-1

Run client

$ axsh \
    -k client.key \
    -v info \
    -s M0QQQ-2 \
    --agw-addr 127.0.0.1:8000 \
    M0QQQ-1
[…]
The authenticity of host 'M0QQQ-1' can't be established.
mldsa-ed25519 key fingerprint is SHA256:LbGyurDlBczDLyrl23l20yiuEhpuUm1sjyC42y9FgyM
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'M0QQQ-1' (mldsa-ed25519) to the list of known hosts.
[…]
INFO Handshake successful
echo hello world
hello world
>>> Exit status 0

That last line means echo ran successfully.

Security

Authentication (who is the other side?)

The dual signature of ML-DSA/ed25519 provides authentication that the other side is who you think it is, both with today's ed25519, and protected against quantum computers with ML-DSA.

ML-DSA has two drawbacks:

  1. Keys and signatures are really big. Not suitable for signing every packet at speeds like AX.25 standard 1200bps. Handshakes therefore take a few seconds.
  2. Its core cryptographic primitive is less battle tested. Someone could find a flaw. That's what the ed25519 is there to protect against.

Authentication is broken if ML-DSA is broken (e.g. by smarter people) AND ed25519 is broken by a quantum computer. If either happens, we can switch it out and still be protected by the other algorithm until we've changed it.

Hijack

The bandwidth overhead of ML-DSA signatures is too high to use on every packet. Therefore the actual payload is secured with only ed25519 signatures.

This means that someone with a quantum computer can hijack a connection already in progress, if they crack the key during the lifetime of the connection.

A protection against this is to re-key periodically, which is currently not implemented.

In the future I hope we can replace ed25519 with something both quantum safe and short.

Replay

Connection signing (in ClientHello and ServerComplete) is protected against replay using a random 64-bit integer, so handshakes can't be replayed.

Packet signatures use a counter to prevent replay and reorder within a connection. The counter is not sent, but is part of what is signed.
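
The implicit-counter scheme described above, as an added example in Go (not code from axsh). The 8-byte big-endian counter encoding, the payload-then-signature layout, and the names Sender, Receiver, Seal and Open are assumptions of this sketch, not axsh's wire format or API.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// signedInput builds counter || payload. The 8-byte big-endian encoding is an
// assumption of this example, not axsh's wire format.
func signedInput(counter uint64, payload []byte) []byte {
	buf := make([]byte, 8, 8+len(payload))
	binary.BigEndian.PutUint64(buf, counter)
	return append(buf, payload...)
}

// Sender signs under its next counter; only payload || signature is sent.
type Sender struct{ key ed25519.PrivateKey; counter uint64 }

func (s *Sender) Seal(payload []byte) []byte {
	sig := ed25519.Sign(s.key, signedInput(s.counter, payload))
	s.counter++
	return append(append([]byte{}, payload...), sig...)
}

// Receiver verifies against the counter it expects, advancing only on success.
type Receiver struct{ key ed25519.PublicKey; counter uint64 }

func (r *Receiver) Open(packet []byte) ([]byte, bool) {
	if len(packet) < ed25519.SignatureSize {
		return nil, false
	}
	n := len(packet) - ed25519.SignatureSize
	if !ed25519.Verify(r.key, signedInput(r.counter, packet[:n]), packet[n:]) {
		return nil, false // replayed, reordered, or forged
	}
	r.counter++
	return packet[:n], true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // stands in for the temporary connection key
	tx, rx := &Sender{key: priv}, &Receiver{key: pub}
	p0, p1 := tx.Seal([]byte("echo hello world")), tx.Seal([]byte("exit"))
	for _, p := range [][]byte{p1, p0, p0, p1} { // early, in order, replay, in order
		_, ok := rx.Open(p)
		fmt.Println(ok) // false, true, false, true
	}
}
```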

Testing

For local testing it's easier and faster to run over TCP. This is done by running axsh and axshd without --agw-addr.

$ axshd -k server.key -a authorized_keys

# and in another terminal:
$ axsh -k client.key -s M0QQQ-1 localhost:12345

About

Amateur radio compliant secure shell
