Is the Remote ID a cryptographic Joke?

Is the Remote ID a cryptographic joke that is going to be cracked on day one, allowing a bad actor to spoof other pilots’ IDs?

From Remote ID (RID) | UK Civil Aviation Authority

The private key seems way too short which will allow someone with a very simple computer to brute force attack the private key as there are only 36x36x36 possibilities = 46656.

I don’t know the full details of how this is going to be implemented but my gut feeling tells me it’s inherently insecure.

8 Likes

It will also be easy to corrupt its operation so the data sent will be irrelevant. Not me guv.

1 Like

Here’s the entire list of CAA Remote ID private keys, before they’ve even rolled it out:

caa_remote_id_private_key_list.txt (227.8 KB)

If you run a relatively low speed brute force of around 1,000 attempts per second, you’ll crack the private key in under 47 seconds.


EDIT: CSV file replaced with TXT file to prevent it being opened in Excel and reformatted.

6 Likes

It did seem incredibly insecure to me as well.

Maybe it’ll come with some form of secondary authentication?

i.e. access to the database that gives any possible chance of a GDPR breach

LOLZ

However, your list is incorrect.

Entries 33867 to 33876 are being interpreted as numbers by the formatting function, as are entries 35163 to 35172, or anywhere where you get a pattern like 1e1: it is being interpreted as a number and not a string.

You do realise this is just a txt file, right? Any “interpretation” or “formatting” will be from the software you are using to open the txt file, not the txt file itself.

2 Likes

They wouldn’t know real security if it whacked them on the head.

There is a way to have RID such that the authorities can see the data but Karen down the road with a smartphone app can’t. There is no public interest argument for the RID data to be sent cleartext or weakly secured. If it was done properly, asymmetric crypto could be properly implemented and the system properly secured, but that takes more than 1 brain cell to figure out.