Firstly, *thankyou* for looking into these issues. We do appreciate the time people invest into this sort of analysis!
A couple of points on your draft.
seqno was never put forward as a protection against replay attacks. Ever, AFAIK. The fact it wraps at 256 and is used on links where hundreds of messages can be transfered each second should be sufficient to see its inadequate for this purpose.
seqno was fit-for-purpose as an indication of link quality when mavlink connections were point-to-point. In today's increasingly complex mavlink networking setups its utility is decreating. We've given some thought to a replacement mechanism but nothing concrete has been proposed.
Your paper makes reference to using SITL, and MAVProxy's "output add". Those are warning signs for me.
Some background: when using a physical autopilot, ArduPilot *trusts* that if you are connected to the USB port of the autopilot then you are an authorized user of the autopilot and bypasses all signing checks. We do this so that if a user loses their passphrase then they can recover their vehicle. This is absolutely a trade-off, convenience versus security, but we believe that the physical proximity to the autopilot is sufficient to permit this bypass. See
https://ardupilot.org/copter/docs/common-MAVLink2-signing.html where USB is explicitly mentioned as being excluded from these checks.
When you start ArduPilot SITL, the ArduPilot process connects to port 5760. That port is effectively treated as a USB port! Which is to say, *no signing checking is done on that port*. If you create a link to another GCS via "output add" (or "--output" on the command-line), then that forwarded link *gains the same bypass nature* as that original MAVProxy started as part of "sim_vehicle.py"! I have created
https://github.com/ArduPilot/ardupilot_wiki/pull/6289 to avoid this confusion.
The correct way to test signing is working is to connect another GCS to a port which enforces signing when it is configured - typically port 5762.
On the matter of the MissionPlanner key interface, I confess to not being overly familiar with it. I have brought it to the attention of the maintainer. As you push this paper through I would suggest linking to an issue created against the MissionPlanner github repository would be appropriate.
MissionPlanner using a stale key to continue to talk to the vehicle is a deliberate choice; instantly losing link to the vehicle isn't necessarily what the user wants.
The use of a poor passphrase is an operator error, albeit one where the GCS which is helping the user set up the signing should warn that user. The MissionPlanner maintainer agrees that a "passphrase strength" indicator where you enter the passphrase would be a good improvement. The dictionary attack you describe could be applied against any service which relies on a user-generated secret to maintain security. Creating a "session key" protocol seems unnecessary if the user has chosen a suitably strong secret. It is possible we do not emphasize enough in our documentation that the strength of this passphrase is absolutely vital.
The use of public-key cryptography and the possibility of encryption was discussed extensively before the current MAVLink2 signing was implemented. The nature of the implementation environment poses significant challenges to these - mostly around resource limitations but also around connectivity limitations of the devices. Our usual response to queries on implementing these features is to accomplish these goals at a lower layer.
Please note I am *very* interested in your assertion that our timestamp protection is not working in MAVLink signing - particularly in ArduPilot. If that is, indeed, the case, then please provide more details on this attack.
Also note that over time the resources available to secure these connections will improve. However, signing was first introduced into ArduPilot in January 2016. While the upper-end of STM32 processors (STM32 processors comprise the vast majority of ArduPilot installatiions) has improved in capabilities significantly, the majority of new boards ArduPilot supports are actually based on STM32F405 - which was released in 2011!
Yours,
Peter