I know yoh mean this in a general sense, but I just whish to point out for everyone that in this scenario you don't actually need certificates: a MAC to prove authenticity is enough.
I think the point that 'masfuerte' was making is that simplicity and redundancy are _the_ bedrock of reliability.
Even if all the new hardware and software to implement this new security model on avionics busses is 100% open and audited by every laudable computer science / security specialist, it's just _more_ to possibly go wrong. That tends to change how people think about risk (weather rationally or not!)
Not really, you still need some system to distribute the shared key.
The paper's method suppresses original message then generates btand-new one, so if the key is easy to find out, then the spoofed message will have a correct MAC. Which means you need a cryptographically secure method to distribute the key, but you also have multiple consumers and you want to be able to replace broken devices too. This sounds like a non-trivial cryptosystem, and assymetric crypto + certificates is one possible solution.
Key distribution can be done manually at the factory where the plane is built. Which can also keep a keystore holding the key used for each plane. But we don't need to delve deep in this scenario, as ultimately op's point was that, by introducing crypto, you risk adding failure modes to the plane.
This would work in most cases, yes.
I think the point that 'masfuerte' was making is that simplicity and redundancy are _the_ bedrock of reliability.
Even if all the new hardware and software to implement this new security model on avionics busses is 100% open and audited by every laudable computer science / security specialist, it's just _more_ to possibly go wrong. That tends to change how people think about risk (weather rationally or not!)