Secure Authentication for Radio Operators
Authenticating Amateurs over the Internet is a problem that is hard to solve. For APRS-IS, the insecure passcode system is in place. However, it is trivial for an attacker to generate the passcode for any existing (or imagined) callsign. Therefore, a new secure authentication mechanism, based on Internet standards (SSL/TLS) has been integrated into APRSdroid and the aprsc APRS-IS server software. Some aprs2.net servers already run experimental support for SSL logins without a passcode, based on LotW certificates.
- APRSdroid 1.2.3 or latest nightly
- TrustedQSL application from LotW (tested on Linux,
apt-get install trustedqsl)
- Valid LotW certificate installed in TrustedQSL (currently, the aprs2 servers only accept LotW)
Certificate Export from TQSL
- Launch TrustedQSL Cert Manager (
- Select the entry with your callsign and country
- From the menu, choose "Certificate" -> "Save"
- Save the file (
CALLSIGN.p12) to your disk
- Remember the export password you entered
Transmit the File to the Android
Here, you are free to choose the way (Dropbox, e-mail, USB, whatever you prefer).
WARNING: The file contains your LotW credentials, so you should not give it to third-parties!
- Tap on the
CALLSIGN.p12file (in the e-mail app, or using a file manager)
- If a "Complete action using..." dialog appears, select "SSL keyfile import" (with APRSdroid logo)
- You will be asked for the password (this is what you entered in step 5. of the export above)
- A short "Imported keyfile for CALLSIGN." message should appear.
- Launch APRSdroid
- Configure the app as follows:
- Connection Protocol: TCP connection
- Connection Preferences -> Server:
- Connection Logging: enabled
Open the Log from Menu -> Show Log. Push "Start tracking" and watch the Log view. If everything was successful, you should see the following lines appearing in reverse order:
APRS Service started: SmartBeaconing™ Position, TCP connection. Connecting to ssl.aprs2.net:24580... Loaded key: OID.1.2.840.1135184.108.40.206=#160E67656F7267406F702D636F2E6465, CN=Georg Lukas, CALLSIGN=DO1GL # aprsc 2.0.3-g898e4b5 # logresp DO1GL-10 verified, server T2FINLAND
If the "Loaded key" line does not appear, something went wrong. Please follow the instructions to submit a bug report.