[Freedombox-discuss] identicons are not strong crypto [was: Re: Tap-to-share PGP key exchange]
Ted Smith
tedks at riseup.net
Mon Oct 3 19:04:03 UTC 2011
On Mon, 2011-10-03 at 19:35 +0100, Michael Rogers wrote:
> On 03/10/11 18:13, The Doctor wrote:
> > Sort of like this?
> >
> > http://www.thc.org/papers/ffp.html
> >
> > I am surprised that no one has brought up bubble-babble fingerprints
> > yet (https://secure.wikimedia.org/wikipedia/en/wiki/Bubble_Babble) or
> > a randomart depiction
> > (http://superuser.com/questions/22535/what-is-randomart-produced-by-ssh-keygen).
>
> Thanks for the interesting links!
>
> It seems to me that if an attacker knows what method a person verifying
> a key will use (hex digits, identicons, bubble babble, randomart, etc),
> the attacker will *eventually* be able to create a key that passes a
> first-glance verification. The question is, how difficult can we make
> the attacker's job?
>
> To take an extreme example, most people are able to distinguish between
> (at least) tens of thousands of faces and recognise (at least) dozens of
> familiar faces. That's far better than we can do with random phrases or
> ASCII blobs, so let's imagine we had a key verification system based on
> faces.
>
> In this imaginary system, <snip>
What advantage does your approach have over using QR codes, cameras, and
computers to compare long hex strings? How difficult will it be to
implement? Do any implementations exist? Has the approach been audited
and studied?
It's very fun to think up new protocols and high-level systems (I am
just as guilty of this as anyone). It is less fun to implement them and
even less fun to test them. The freedombox project needs to focus on
what actually exists (like comparing key fingerprints via QR codes,
cameras, and mobile computers) rather than dreaming up new and exciting
vaporware.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20111003/29174c22/attachment-0001.pgp>
More information about the Freedombox-discuss
mailing list