A Study of Key-Fingerprints: Hex vs. Base32 vs. Wordlists Vs (opens in new tab)

(usenix.org)

11 pointssufficient9y ago4 comments

4 comments

The paper recommends sentence based fingerprints.

I've used rfc1751[0] which is word-based rather than sentence-based, but it's pretty convenient. I use it for my password sharing tool[1] which creates prompts that look like

    === secrets.vm ===
    common name: secrets.vm
    fingerprint: b957e10c998faa9909cff3ba4ec35485d04708c3ecc7481fe14d7f07bc0229cd
    public key:  c15e697e4807793ef8a9461a7b2c6cf2266d1ec1480a594e83b54e7b75e07702
    public sign: f1db594eb55fe97657c57f2aa01afd1210a46d42d80d5552ac4d548162d4968e
    mnemonic:    AM ROBE KIT OMEN BATE ICY TROY RON WHAT HIP OMIT SUP LID CLAY AVER LEAR CAVE REEL CAN PAM FAN LUND RIFT ACME
    does that look right? [y/n]

where "mnemonic" is the rfc1751 mnemonic of the sha256 of the other fields and is designed to be shouted across a room.

I'd definitely be interested in a standardised sentence-based fingerprinting system akin to rfc1751

[0]: https://tools.ietf.org/html/rfc1751

[1]: https://github.com/ketralnis/secrets

nullc9y ago

My WAG at this problem a few years ago: https://en.bitcoin.it/wiki/User:Gmaxwell/visual_fingerprint_...

ketralnis9y ago

I'd really want to see that technique studied on actual users before trusting it. I'm not convinced that users do anything more than glance at one or two characters in hex passwords and even SSH's visual fingerprints are probably insufficiently studied (but not totally unstudied[0]) to allow telling users that glancing is enough. And if glancing isn't enough, using visual indicators at all is probably actively harmful.

[0]: http://dirk-loss.de/sshvis/drunken_bishop.pdf

nullc9y ago

In fact, I declined to post the implementation for that reason.

I'm not sure if you read my writeup but I attempted to address that "users only glance at one or two characters" by suggesting the client show the users which characters to compare. It's a little kludgy with a text UI, however.

The idea is that the field of characters is large enough that comparing only a few is fine-- so long as they're selected in a way which isn't predictable to the attacker.

j / k navigate · click thread line to collapse

4 comments

ketralnis9y ago

The paper recommends sentence based fingerprints.

I've used rfc1751[0] which is word-based rather than sentence-based, but it's pretty convenient. I use it for my password sharing tool[1] which creates prompts that look like

    === secrets.vm ===
    common name: secrets.vm
    fingerprint: b957e10c998faa9909cff3ba4ec35485d04708c3ecc7481fe14d7f07bc0229cd
    public key:  c15e697e4807793ef8a9461a7b2c6cf2266d1ec1480a594e83b54e7b75e07702
    public sign: f1db594eb55fe97657c57f2aa01afd1210a46d42d80d5552ac4d548162d4968e
    mnemonic:    AM ROBE KIT OMEN BATE ICY TROY RON WHAT HIP OMIT SUP LID CLAY AVER LEAR CAVE REEL CAN PAM FAN LUND RIFT ACME
    does that look right? [y/n]

where "mnemonic" is the rfc1751 mnemonic of the sha256 of the other fields and is designed to be shouted across a room.

I'd definitely be interested in a standardised sentence-based fingerprinting system akin to rfc1751

[0]: https://tools.ietf.org/html/rfc1751

[1]: https://github.com/ketralnis/secrets

nullc9y ago

My WAG at this problem a few years ago: https://en.bitcoin.it/wiki/User:Gmaxwell/visual_fingerprint_...

ketralnis9y ago

[0]: http://dirk-loss.de/sshvis/drunken_bishop.pdf

nullc9y ago

In fact, I declined to post the implementation for that reason.

The idea is that the field of characters is large enough that comparing only a few is fine-- so long as they're selected in a way which isn't predictable to the attacker.

j / k navigate · click thread line to collapse