Digital signature of QSL cards

This article is not a current or de facto standard.

This article was translated by translation software; please contact [email protected] if you have any issues reading this article. Thanks.

  1. Background

In recent years, more and more radio stations no longer send paper QSL cards, but instead use electronic QSL cards or online log services. We find that online log services rely too much on a few centralized websites and do not do enough to show the personality of the station, so they cannot completely replace paper QSL cards.

At the same time, an electronic QSL card without a signature is easily forged and cannot effectively prove the authenticity of the communication on its own. This article proposes a feasible scheme for digitally signing the information on a QSL card that does not affect the function of the electronic QSL card or its personalized design.

  2. Scope

This article defines a method for digitally signing digital QSL cards. However, this article does not make requirements for the public key distribution, trust, and revocation processes.

  3. Requirements

The digital signature proposed in this article meets the following requirements:

i. Digital signatures can be easily identified and verified

ii. Digital signatures will not have a significant impact on the design and aesthetics of QSL cards

iii. The recipient’s format conversion and other operations on the received QSL card will not affect the validity of the signature.

iv. The recipient can print a QSL card containing a digital signature, and the printed card can be independently verified.

  4. Normative reference documents

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119.

  5. Definition

5.1 Basic definition

  • Byte: a unit consisting of 8 binary bits
  • Signature Payload: the meaningful part of the actual signed data
  • Signed Data: the input to the digital signature algorithm
  • Signature: a file consisting of a file header, a signature algorithm description and the digital signature

5.2 SSH messages

This article repeatedly describes structures in SSH message notation. Within this article, the types used are:

  • ssh-string: a four-byte big-endian string length, followed by a byte string of that length. The string can contain Unicode NUL characters, and no redundant NUL character is appended to it.
  • uint32: a 32-bit unsigned integer represented in four-byte big-endian order.
  • byte[N]: N bytes, with no other information.
  • varint: a variable-length number. The highest bit of each byte indicates whether it is the last byte of the number (1 means no, 0 means yes). For example, 150 is represented as 10010110 00000001, which is 96 01 in hexadecimal. Note: this is not an SSH message type.

  6. Specific implementation

6.1. Digital signature algorithm selection

In this design, we use an SSH key to digitally sign the information on the QSL card. This is because an SSH signed message is smaller than a PGP signed message and is easier to display on the QSL card.

For the specific algorithm, we use the Ed25519 elliptic curve signature algorithm, because the public key size and signature size of Ed25519 are small enough to be embedded conveniently in the QSL card.

The signature content does not contain the signed information.

6.2.1 Construct ADIF

The digitally signed information uses the ADIF format. Its human-readable characteristics allow it to be constructed simply. At the same time, because the digital signature does not contain the signed information, the length of the signed information has no impact on the length of the signature.

The following information will be included in the ADIF data in order:

  • QSO_DATE
  • TIME_ON
  • BAND
  • CALL
  • MODE
  • STATION_CALLSIGN
  • OPERATOR

Among them, QSO_DATE is the Coordinated Universal Time (UTC) date represented by 8 digits (year, month, day), and TIME_ON is the UTC time represented by 6 digits (hour, minute, second). Regardless of whether the seconds of the communication are printed on the QSL card, the time MUST be truncated to the whole minute (that is, the seconds are simply set to 0).

All of the above MUST be in capital letters. If no operator is specified on the QSL card, OPERATOR is STATION_CALLSIGN without any modifications.

For example, the following QSL card:

TO BB0BBB DE B4/BG6TOE

Date Time (BJT) / Freq / Mode / RST
2023-01-01 02:00:59 14.245 MHz USB 59 59

[x]PSE [ ]TNX QSL

VY TU! 73

Its ADIF representation is:

<QSO_DATE:8>20221231<TIME_ON:6>180000<BAND:3>20M<CALL:6>BB0BBB<MODE:3>USB<STATION_CALLSIGN:9>B4/BG6TOE<OPERATOR:6>BG6TOE<EOR>

The xxd dump of this file is:

00000000: 3c51 534f 5f44 4154 453a 383e 3230 3232 <QSO_DATE:8>2022
00000010: 3132 3331 3c54 494d 455f 4f4e 3a36 3e31 1231<TIME_ON:6>1
00000020: 3830 3030 303c 4241 4e44 3a33 3e32 304d 80000<BAND:3>20M
00000030: 3c43 414c 4c3a 363e 4242 3042 4242 3c4d <CALL:6>BB0BBB<M
00000040: 4f44 453a 333e 5553 423c 5354 4154 494f ODE:3>USB<STATIO
00000050: 4e5f 4341 4c4c 5349 474e 3a39 3e42 342f N_CALLSIGN:9>B4/
00000060: 4247 3654 4f45 3c4f 5045 5241 544f 523a BG6TOE<OPERATOR:
00000070: 363e 4247 3654 4f45 3c45 4f52 3e 6>BG6TOE<EOR>

Note: There MUST be no extra characters (including newlines, spaces, tabs, etc.) at the end of the text, that is, there should be no characters after <EOR>.

6.2.2 Construct ADIF information containing multiple QSOs

If a QSL card contains multiple QSOs, the corresponding ADIF file MUST directly splice the ADIF data of each QSO in the chronological order of the communication. There MUST NOT be any extra characters (including line breaks, spaces, tabs, etc.) at the end of the text, that is, not containing any characters after the <EOR> of the last QSO.
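The construction rules of sections 6.2.1 and 6.2.2, as an added example that is not part of the original article. The function names and the dictionary layout are assumptions of this sketch; the sample input is the first card shown above.

```python
from datetime import datetime, timedelta, timezone

FIELDS = ("QSO_DATE", "TIME_ON", "BAND", "CALL", "MODE",
          "STATION_CALLSIGN", "OPERATOR")
BJT = timezone(timedelta(hours=8))  # Beijing time, as printed on the sample cards


def qso_to_adif(when, band, call, mode, station, operator=None):
    """Return (UTC minute, ADIF text) for one QSO, per section 6.2.1."""
    if when.tzinfo is None:
        raise ValueError("QSO time needs an explicit time zone")
    # Convert to UTC first, then drop the seconds unconditionally.
    utc = when.astimezone(timezone.utc).replace(second=0, microsecond=0)
    values = (utc.strftime("%Y%m%d"), utc.strftime("%H%M%S"), band, call,
              mode, station, operator or station)  # OPERATOR defaults to station
    parts = []
    for name, value in zip(FIELDS, values):
        value = value.upper()
        if not value.isascii():
            # The length tag must equal the byte count that gets hashed.
            raise ValueError(f"non-ASCII value for {name}: {value!r}")
        parts.append(f"<{name}:{len(value)}>{value}")
    return utc, "".join(parts) + "<EOR>"


def card_to_adif(qsos):
    """Signature payload for a whole card: QSOs in time order (section 6.2.2)."""
    records = sorted((qso_to_adif(**q) for q in qsos), key=lambda r: r[0])
    # No separator between records and nothing after the last <EOR>.
    return "".join(text for _, text in records).encode("ascii")


# Constructed input: the first sample card on this page (02:00:59 Beijing time).
SAMPLE_CARD = [dict(when=datetime(2023, 1, 1, 2, 0, 59, tzinfo=BJT), band="20m",
                    call="bb0bbb", mode="usb", station="b4/bg6toe",
                    operator="bg6toe")]

if __name__ == "__main__":
    print(card_to_adif(SAMPLE_CARD).decode())
```

Because the signature covers these exact bytes, signer and verifier must both derive them from the card with the same rules; any difference in case, time zone or seconds makes verification fail.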

6.3 Signature data

6.3.1 Display method

Signature data MAY be displayed directly on the QSL card after being Base64 encoded. Signature data represented in text form SHOULD be formatted using a fixed-width font. The font used should be large enough to distinguish i, l, 1, O, o, 0, 5, S and other characters used by Base64.

The signature data SHOULD be included in a QR Code after being encoded with Base45. In that case, the signature data SHOULD be in an independent QR code. The QR code MAY use colors other than black and white. The printed QR code SHOULD use a light-colored area as the QR code background and a dark color as the QR code foreground.

6.3.2 Binary signature data format

The binary signature is an SSH signature structure, and its format is:

byte[6] MAGIC_PREAMBLE
uint32 SIG_VERSION
ssh-string publickey
ssh-string namespace
ssh-string reserved
ssh-string hash_algorithm
ssh-string signature

Among them: MAGIC_PREAMBLE is SSHSIG, SIG_VERSION is 1.

publickey is the public key of the serialized signing key.

namespace MUST be adif-qslv1.

reserved MUST be empty.

hash_algorithm MUST be sha512 (i.e., data is always signed using SHA512).

signature is the signature of the SSH body, using the ssh-ed25519 algorithm.

6.3.3 Simplification of signatures

In order to make the signature content easier to display, the signature content MAY be streamlined. The simplified signature only contains the header and ED25519 signature data. Among them, the header is fixed to DQSLV1, followed by the 64-byte ED25519 signature X||Y. When the receiver obtains signature data starting with DQSLV1, it MUST be expanded into a standard signature format for verification.

6.3.4 Signed content

The actual signed content is:

byte[6] MAGIC_PREAMBLE
ssh-string namespace
ssh-string reserved
ssh-string hash_algorithm
ssh-string H(message)

Among them: MAGIC_PREAMBLE is SSHSIG, SIG_VERSION is 1.

publickey MUST be the public key of the serialized signing key.

namespace should be adif-qslv1.

reserved MUST be empty.

hash_algorithm MUST be sha512 (i.e., data is always signed using SHA512).

message is the ADIF file described in section 4.2, and H(message) is its SHA-512 digest.

After encoding this content in SSH message format, sign it with the Ed25519 private key using ssh-ed25519 to obtain the signature field in Section 4.3.1.
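The structures of sections 6.3.2 to 6.3.4 in code, as an added example that is not part of the original article: it builds the signed data for an ADIF payload and expands a DQSLV1 simplified signature back into the full SSHSIG structure. Function and constant names are assumptions of this sketch; the key and signature bytes are the ones from the Example section of this page.

```python
import hashlib
import struct

MAGIC, COMPACT_MAGIC = b"SSHSIG", b"DQSLV1"
NAMESPACE, HASH_ALG, KEY_TYPE = b"adif-qslv1", b"sha512", b"ssh-ed25519"


def ssh_string(data: bytes) -> bytes:
    """ssh-string: four-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def signed_data(adif: bytes) -> bytes:
    """Bytes handed to Ed25519: preamble, namespace, reserved, hash name, H(message)."""
    digest = hashlib.sha512(adif).digest()
    return (MAGIC + ssh_string(NAMESPACE) + ssh_string(b"")
            + ssh_string(HASH_ALG) + ssh_string(digest))


def expand_compact(compact: bytes, raw_pubkey: bytes) -> bytes:
    """Rebuild the full SSHSIG structure from a DQSLV1 blob and the signer's key.

    The compact form carries no key, so the verifier must already know which
    32-byte Ed25519 public key to use (key distribution is out of scope here).
    """
    if not compact.startswith(COMPACT_MAGIC):
        raise ValueError("not a DQSLV1 signature")
    sig = compact[len(COMPACT_MAGIC):]
    if len(sig) != 64 or len(raw_pubkey) != 32:
        raise ValueError("expected a 64-byte signature and a 32-byte public key")
    publickey = ssh_string(KEY_TYPE) + ssh_string(raw_pubkey)
    signature = ssh_string(KEY_TYPE) + ssh_string(sig)
    return (MAGIC + struct.pack(">I", 1) + ssh_string(publickey)
            + ssh_string(NAMESPACE) + ssh_string(b"")
            + ssh_string(HASH_ALG) + ssh_string(signature))


# Values copied from the Example section of this page.
PAGE_PUBKEY = bytes.fromhex(
    "034e7259e9b970e02b2a568c73bfd896555974c9c33c35ea9bf50bd3caf2aa08")
PAGE_COMPACT = COMPACT_MAGIC + bytes.fromhex(
    "8284f9edcb8ef86cdf5beec347676284eace4b46446429690041396e799bbdf7"
    "4c2b940e53541e4dfa94db704a9b77aad14dcd2e5d6b3f30c644c67e84ca4d07")

if __name__ == "__main__":
    print(expand_compact(PAGE_COMPACT, PAGE_PUBKEY).hex())
```

The expanded structure is what an SSH signature verifier consumes; the Ed25519 check itself is then run over the output of signed_data.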

  7. Attach raw QSO data

The original QSO data can be appended before the signature to facilitate direct recognition and verification by the machine. The original QSO data is a simplified representation of minimal QSO metadata, including the following fields: communication time, communication band, communication mode, receiver call sign, sender call sign, and OP.

Its format is:

byte[6] MAGIC_PREAMBLE
varint call
varint station_callsign
varint operator
ssh-string data

Among them, call, station_callsign, and operator are the base-37 representation of the call sign (see the table below):

+----+----++----+----++----+----+
|Char|Num ||Char|Num ||Char|Num |
+----+----++----+----++----+----+
| 0  | 0  || C  | 12 || O  | 24 |
| 1  | 1  || D  | 13 || P  | 25 |
| 2  | 2  || E  | 14 || Q  | 26 |
| 3  | 3  || F  | 15 || R  | 27 |
| 4  | 4  || G  | 16 || S  | 28 |
| 5  | 5  || H  | 17 || T  | 29 |
| 6  | 6  || I  | 18 || U  | 30 |
| 7  | 7  || J  | 19 || V  | 31 |
| 8  | 8  || K  | 20 || W  | 32 |
| 9  | 9  || L  | 21 || X  | 33 |
| A  | 10 || M  | 22 || Y  | 34 |
| B  | 11 || N  | 23 || Z  | 35 |
+----+----++----+----++----+----+
| /  | 36 |
+----+----+

For example, B1CRA is expressed as 11 * 37^4 + 1 * 37^3 + 12 * 37^2 + 27 * 37 + 10 = 20683861

Among them, data is a string composed of multiple minimal QSO records, each in the following format:

varint QSO Timestamp
varint Band
byte[8] Mode

Among them, QSO Timestamp is the number of seconds since January 1, 1970 in Coordinated Universal Time (UTC), accurate only to the minute. Band is the low-end frequency of the band in kilohertz; for example, the 20-meter band is expressed as 14000. Mode is a string representing the mode. If it is shorter than 8 bytes, it is padded with \0.
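The field encodings of this section, as an added example that is not part of the original article: the base-37 call sign number, the varint from section 5.2, and one minimal QSO record. All function names are assumptions of this sketch, and rejecting a leading 0 is a choice made here, since the numeric form cannot round-trip it.

```python
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ/"  # value = index, per the table


def callsign_to_int(callsign: str) -> int:
    """Read the call sign as a base-37 number, most significant character first."""
    if callsign.startswith("0"):
        # A leading '0' digit contributes nothing and would be lost on decoding.
        raise ValueError("leading '0' cannot be represented")
    value = 0
    for ch in callsign.upper():
        value = value * 37 + ALPHABET.index(ch)  # ValueError on other characters
    return value


def encode_varint(n: int) -> bytes:
    """Seven bits per byte, low group first; high bit set on all but the last byte."""
    if n < 0:
        raise ValueError("varint is unsigned")
    out = bytearray()
    while True:
        n, low = n >> 7, n & 0x7F
        out.append(low | (0x80 if n else 0))
        if not n:
            return bytes(out)


def decode_varint(buf: bytes, pos: int = 0):
    """Return (value, next position); reject truncated or over-long input."""
    value = 0
    for shift in range(0, 64, 7):
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
    raise ValueError("varint longer than 64 bits")


def encode_min_qso(epoch_seconds: int, band_khz: int, mode: str) -> bytes:
    """One minimal QSO record: varint timestamp, varint band, byte[8] mode."""
    minute = epoch_seconds // 60 * 60  # accurate to the minute only
    mode_bytes = mode.encode("ascii")
    if len(mode_bytes) > 8:
        raise ValueError("mode does not fit in 8 bytes")
    return encode_varint(minute) + encode_varint(band_khz) + mode_bytes.ljust(8, b"\0")
```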

  8. Example

Assume that ST4TION, operating the station C3SHI, completes a communication with TE5T using the MFSK modulation method on the 20-meter band at 10:05:30 on January 1, 2023, Beijing time. ST4TION now wants to sign the following QSL card in their own name:

TO TE5T          DE  C3SHI   OP ST4TION

Date Time (BJT)  / Freq       / Mode / RST
2023-01-01 10:00   14.074 MHz   MFSK    59 59

[x]PSE [ ]TNX QSL

VY TU! 73

The private key of ST4TION is:

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACADTnJZ6blw4CsqVoxzv9iWVVl0ycM8Neqb9QvTyvKqCAAAAJiuWf0orln9
KAAAAAtzc2gtZWQyNTUxOQAAACADTnJZ6blw4CsqVoxzv9iWVVl0ycM8Neqb9QvTyvKqCA
AAAEDgyhqzLTK6rmVqjfvHpvHPYJzdeVuDhRo93XO98jDl1QNOclnpuXDgKypWjHO/2JZV
WXTJwzw16pv1C9PK8qoIAAAAFW1hdHN1QEJHNlRPRS1Ob3RlYm9vaw==
-----END OPENSSH PRIVATE KEY-----

Its public key is:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANOclnpuXDgKypWjHO/2JZVWXTJwzw16pv1C9PK8qoI

Then it constructs the following ADIF data (signature payload):

<QSO_DATE:8>20230101<TIME_ON:6>020500<BAND:3>20M<CALL:4>TE5T<MODE:4>MFSK<STATION_CALLSIGN:5>C3SHI<OPERATOR:7>ST4TION<EOR>

Points to note:

  • The Beijing time on the card is converted to Coordinated Universal Time.
  • Seconds in the generated ADIF are unconditionally truncated to 0.
  • The band is derived from 14.074, which is 20M.
  • RST is not included in the ADIF.

The SHA512 fingerprint of this ADIF is:

5d10 5c01 843a 14ad 9852 5f40 f9e9 36d5
0e00 56b0 d98b a04f 6d1d d337 efb8 11bb
f397 52d3 6233 6b64 ab8f 430f cf6b e95d
bfb4 39b9 26c8 fb39 9cbf 414a b386 a1b4

Construct the following signed data:

00000000: 5353 4853 4947 0000 000a 6164 6966 2d71  SSHSIG....adif-q
00000010: 736c 7631 0000 0000 0000 0006 7368 6135  slv1........sha5
00000020: 3132 0000 0040 5d10 5c01 843a 14ad 9852  12...@].\..:...R
00000030: 5f40 f9e9 36d5 0e00 56b0 d98b a04f 6d1d  _@..6...V....Om.
00000040: d337 efb8 11bb f397 52d3 6233 6b64 ab8f  .7......R.b3kd..
00000050: 430f cf6b e95d bfb4 39b9 26c8 fb39 9cbf  C..k.]..9.&..9..
00000060: 414a b386 a1b4                           AJ....

Use the aforementioned private key and ssh-ed25519 signature method to sign:

00000000: 0000 0053 0000 000b 7373 682d 6564 3235  ...S....ssh-ed25
00000010: 3531 3900 0000 4082 84f9 edcb 8ef8 6cdf  519...@.......l.
00000020: 5bee c347 6762 84ea ce4b 4644 6429 6900  [..Ggb...KFDd)i.
00000030: 4139 6e79 9bbd f74c 2b94 0e53 541e 4dfa  A9ny...L+..ST.M.
00000040: 94db 704a 9b77 aad1 4dcd 2e5d 6b3f 30c6  ..pJ.w..M..]k?0.
00000050: 44c6 7e84 ca4d 07                        D.~..M.

Construct signature:

00000000: 5353 4853 4947 0000 0001 0000 0033 0000  SSHSIG.......3..
00000010: 000b 7373 682d 6564 3235 3531 3900 0000  ..ssh-ed25519...
00000020: 2003 4e72 59e9 b970 e02b 2a56 8c73 bfd8   .NrY..p.+*V.s..
00000030: 9655 5974 c9c3 3c35 ea9b f50b d3ca f2aa  .UYt..<5........
00000040: 0800 0000 0a61 6469 662d 7173 6c76 3100  .....adif-qslv1.
00000050: 0000 0000 0000 0673 6861 3531 3200 0000  .......sha512...
00000060: 5300 0000 0b73 7368 2d65 6432 3535 3139  S....ssh-ed25519
00000070: 0000 0040 8284 f9ed cb8e f86c df5b eec3  ...@.......l.[..
00000080: 4767 6284 eace 4b46 4464 2969 0041 396e  Ggb...KFDd)i.A9n
00000090: 799b bdf7 4c2b 940e 5354 1e4d fa94 db70  y...L+..ST.M...p
000000a0: 4a9b 77aa d14d cd2e 5d6b 3f30 c644 c67e  J.w..M..]k?0.D.~
000000b0: 84ca 4d07                                ..M.

Simplified signature:

00000000: 4451 534c 5631 8284 f9ed cb8e f86c df5b  DQSLV1.......l.[
00000010: eec3 4767 6284 eace 4b46 4464 2969 0041  ..Ggb...KFDd)i.A
00000020: 396e 799b bdf7 4c2b 940e 5354 1e4d fa94  9ny...L+..ST.M..
00000030: db70 4a9b 77aa d14d cd2e 5d6b 3f30 c644  .pJ.w..M..]k?0.D
00000040: c67e 84ca 4d07                           .~..M.

Base64 encoding of the signature:

U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgA05yWem5cOArKlaMc7/YllVZdMnDPDXq
m/UL08ryqggAAAAKYWRpZi1xc2x2MQAAAAAAAAAGc2hhNTEyAAAAUwAAAAtzc2gtZWQyNTUxOQAA
AECChPnty474bN9b7sNHZ2KE6s5LRkRkKWkAQTlueZu990wrlA5TVB5N+pTbcEqbd6rRTc0uXWs/
MMZExn6Eyk0H

Base64 encoding of the simplified signature:

RFFTTFYxgoT57cuO+GzfW+7DR2dihOrOS0ZEZClpAEE5bnmbvfdMK5QOU1QeTfqU23BKm3eq0U3N
Ll1rPzDGRMZ+hMpNBw==

Base45 encoding of the signature:

1OAK69*B9000100000610000B00ZQET7D  CSF6RW6C97000524C-9MGB.JNCFS%F50YHHBOA0J+DB MPNR7TTT1:U%YQMUUN010002E1AVCC-CIFE1WDY86000000000V 0 8DRW6KE60008MA0006K1OQEBX50UCVW61A6000J10MMG QV0XPBIVTASD8U919KKCZUTAN93T8QA5K10WB7 GFV0OES9CWI2OAH$3NUVGXRJJ9Y5FVKQB.PK BL:7-2P94PJZG9X9

Base45 encoding of the simplified signature:

TS8*NAF+AMMG QV0XPBIVTASD8U919KKCZUTAN93T8QA5K10WB7 GFV0OES9CWI2OAH$3NUVGXRJJ9Y5FVKQB.PK BL:7-2P94PJZG9X9

  9. Informational references

RFC4634 US Secure Hash Algorithms (SHA and HMAC-SHA)

RFC4648 The Base16, Base32, and Base64 Data Encodings

RFC8709 Ed25519 and Ed448 Public Key Algorithms for the Secure Shell (SSH) Protocol

RFC9285 The Base45 Data Encoding

ADIF Amateur Data Interchange Format (ADIF) Specification

  10. BG6TOE-QSLV1 QR Code extension

The signature of BG6TOE-QSLV1 is a simplification based on the complete signature. Its actual content is:

BASE45( "BG6TOE-QSLV1" || <public key> || <signature> )

For the signature above, its BG6TOE-QSLV1 encoding (before Base45) is:

00000000  42 47 36 54 4f 45 2d 51 53 4c 56 31 03 4e 72 59   BG6TOE-QSLV1.NrY
00000010  e9 b9 70 e0 2b 2a 56 8c 73 bf d8 96 55 59 74 c9   ..p.+*V.s...UYt.
00000020  c3 3c 35 ea 9b f5 0b d3 ca f2 aa 08 82 84 f9 ed   .<5.............
00000030  cb 8e f8 6c df 5b ee c3 47 67 62 84 ea ce 4b 46   ...l.[..Ggb...KF
00000040  44 64 29 69 00 41 39 6e 79 9b bd f7 4c 2b 94 0e   Dd)i.A9ny...L+..
00000050  53 54 1e 4d fa 94 db 70 4a 9b 77 aa d1 4d cd 2e   ST.M...pJ.w..M..
00000060  5d 6b 3f 30 c6 44 c6 7e 84 ca 4d 07               ]k?0.D.~..M.

The result after Base45 encoding is:

2H83*6/0A W5*NAF+A I0NKESOT6CEPK5G.ALSE6HROZAHYEUUOW 6AWJCM1OTPDMLMMG QV0XPBIVTASD8U919KKCZUTAN93T8QA5K10WB7 GFV0OES9CWI2OAH$3NUVGXRJJ9Y5FVKQB.PK BL:7-2P94PJZG9X9