CQ-Contest

[CQ-Contest] authentication for log submission

To: CQ-Contest@contesting.com
Subject: [CQ-Contest] authentication for log submission
From: "Yannick DEVOS (XV4Y)" <yannick.devos@online.fr>
Date: Wed, 6 Jun 2012 18:18:21 +0700
List-post: <mailto:cq-contest@contesting.com>
Dear Katsuhiro, Michael,

Katsuhiro, you are right, this is a serious security flaw in the way the log 
submissions are handled.
It can lead to spoofing (someone uses your identity to upload logs) and flooding 
(trying to overload the server).
However, as Michael stated, this issue is mitigated by the difficulty in 
forging logs that could be really harmful to the whole contest integrity.
A well-designed server will also discard badly crafted logs without too much 
database load.

The only way to have a 100% secure system is the way LotW goes.
However it is not easy to handle and will increase contest handling costs a lot.

If I were a contest server administrator, what I would do is the following:
- for 95% of the participants, nothing at all, just like today
- optionally, participants who want to secure their log can request an "ID 
token" upon sending one handwritten, dated and signed scan of their license
- an additional field in the Cabrillo format will contain this token and it 
will be checked while the log is processed

This is not fully secure, as someone can "sniff" the token on the network (it 
is never encrypted in the process) or hack the contestant's computer and copy it.
However, if someone is serious enough to do this, this means all the security on 
the server and the contestant's computer has to be checked, and this raises the 
bar significantly.
For me, it adds a fair level of authentication for a marginal managing cost 
increase.

73,
Yan.
---
Yannick DEVOS - XV4Y
http://xv4y.radioclub.asia/
http://varc.radioclub.asia/

> I'm not sure this was discussed before, but this reminds me that
> someone who has malicious intention may submit other station's
> log to defeat the station after first submission by actual station.
> There looks to be no authentication method to verify the station for major
> contests (please correct me if I am wrong).  A complicated method to
> authenticate the station may lead to decreasing the number of log
> submissions, so this may not be applied to all stations.  But I think
> there should be some method to authenticate at least for stations who
> want to win a prize.
> 
> Please ignore this message if my concern is baseless fear, the
> contest sponsors have already taken care of this, or we can trust
> everybody since we all have good morals.
_______________________________________________
CQ-Contest mailing list
CQ-Contest@contesting.com
http://lists.contesting.com/mailman/listinfo/cq-contest