February 2008


AMHS is being deployed worldwide to support ground to ground communication such as flight plan distribution, and is replacing the older AFTN service. This paper describes the security features of AMHS, the benefits they provide, and how these services can be deployed.

Creative Commons License

AMHS Deployment & the Extended ATS Service

AMHS defines two services:

  1. The Basic ATS Service. This defines a service equivalent to the existing AFTN service, including conversion services between AMHS and AFTN. The Basic ATS Service makes sense for initial AMHS deployment.
  2. The Extended ATS Service. This defines services that go beyond the services available from AFTN, and includes a mechanism (using the ATN Directory) to allow co-existence of users of the Extended ATS Service with users of the Basic ATS Service and with AFTN users.

Secure AMHS is a part of the Extended ATS Service, and is described in this paper. For a more detailed view of AMHS architecture, please see our Aviation Solutions page.

Services Provided by Secure AMHS

AMHS Security provides three services using digital signatures. These are 'end to end' and operate between AMHS Clients:

  1. Message integrity. This ensures that the message has not been tampered with in transit. It enables a user receiving a message to be confident that the message is exactly the one sent.
  2. Message Origin Authentication. This enables the recipient of a message to securely verify the originator, and be confident that the message has not been forged by another user or by an operator.
  3. Message Sequence Integrity. This enables a recipient to detect missing and duplicate messages, and to process messages in the intended order.

These services are important to ensure that the recipient has the highest level of confidence in all messages received, and to prevent message tampering and forgery.

How Secure AMHS Works

Secure AMHS operates in a simple manner, as illustrated above. The message sender (originator) digitally signs the message as it is being sent. Each message recipient verifies the signature, enabling the recipient to be confident that the message really comes from the stated sender and that it has not been tampered with.

The digital signature is carried along with the message, and the format of the message being transferred is not affected by AMHS Security. This means that AMHS security can be added with minimal disruption to a deployment that does not use the security features.
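
The three services listed earlier and the sign-then-verify flow described here, as an added example (not Isode's code and not the AMHS wire format): a simplified Go model that uses Ed25519 from the standard library as a stand-in for the protocol's own signature mechanism. The `Message` type, the per-originator sequence counter, the `ORIG-A` name and the key pair are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Message is a simplified stand-in for a signed message, not the AMHS wire format.
type Message struct {
	Originator string
	Seq        uint64 // per-originator sequence number, covered by the signature
	Body, Sig  []byte // the signature travels beside the body; the body is unchanged
}

var ErrSignature = errors.New("signature check failed: tampered or forged")
var ErrDuplicate = errors.New("duplicate or out-of-order message")
// signedBytes binds sequence number, originator (quoted, so unambiguous) and body.
func signedBytes(m Message) []byte {
	return []byte(fmt.Sprintf("%d|%q|", m.Seq, m.Originator) + string(m.Body))
}
// Sign is the originator side: it attaches a signature to a copy of the message.
func Sign(priv ed25519.PrivateKey, m Message) Message {
	m.Sig = ed25519.Sign(priv, signedBytes(m))
	return m
}
// Recipient holds trusted originator keys (assumed to come from the PKI) and the last sequence number accepted per originator.
type Recipient struct {
	Keys map[string]ed25519.PublicKey
	Last map[string]uint64
}
// Accept checks integrity and origin first, then sequence; missing counts skipped messages.
func (r *Recipient) Accept(m Message) (missing uint64, err error) {
	key, ok := r.Keys[m.Originator]
	if !ok || !ed25519.Verify(key, signedBytes(m), m.Sig) {
		return 0, ErrSignature
	}
	last := r.Last[m.Originator]
	if m.Seq <= last {
		return 0, ErrDuplicate
	}
	r.Last[m.Originator] = m.Seq
	return m.Seq - last - 1, nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key pair; nil selects crypto/rand
	r := &Recipient{Keys: map[string]ed25519.PublicKey{"ORIG-A": pub}, Last: map[string]uint64{}}
	fmt.Println(r.Accept(Sign(priv, Message{Originator: "ORIG-A", Seq: 1, Body: []byte("constructed text")})))
}
```

Because the sequence number is inside the signed input, an intermediary cannot renumber or replay a message without the signature check or the sequence check failing.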

Deploying Secure AMHS

The core AMHS switching infrastructure can carry AMHS security without modification, so the key things needed for deployment are AMHS clients and applications with security features, and associated management. The key capabilities are:

  1. Clients (reception). Two levels of support are possible.
    • The ability to receive secure messages, discard the security features and otherwise operate correctly. This capability is trivial to add to any AMHS client, and should be a core capability. It will ensure that secure messages do not cause any disruption.
    • The ability to verify a digital signature, and show the recipient that the originator and message integrity have been correctly verified.
  2. Clients (sending). The key feature is the ability to digitally sign a message. An AMHS client with security features should also first check that the recipient supports the Extended ATS Service, to ensure that it is safe to use the security service. It can do this by checking in the ATN Directory, as specified by the AMHS standards.
  3. The ability to manage secure identities using a PKI (Public Key Infrastructure) and provide these identities to the secure AMHS Clients.

Further technical details are given in the Isode whitepaper AMHS Security.

Isode Support for Secure AMHS

Isode provides a number of components to enable its partners to build and deploy secure AMHS. This includes:

  1. Client APIs to sign and verify digital signatures in a manner that hides all of the protocol and security complexity from the developer.
  2. Client APIs to access an ATN directory, to enable the client to determine support of the Extended AMHS Service.
  3. The M-Vault directory, which is a compliant ATN Directory server.
  4. Management tools to configure secure identities, and install them so that products using Isode's client APIs can use them. These tools will interact with a Certification Authority, which is used to provide the core PKI.
  5. A simple Certification Authority tool, appropriate for demonstrations and pilot deployment. Isode recommends use of a third party Certification Authority for production deployment.

These components provide everything needed for a secure AMHS system.


AMHS security is an important service that is straightforward for AMHS vendors to supply. Isode provides key components to enable its AMHS partners to provide secure AMHS products.