ietf-openpgp

Re: [openpgp] Followup on fingerprints

2015-07-31 20:29:09
On Wed, Jul 29, 2015 at 2:31 PM, Phillip Hallam-Baker
<phill(_at_)hallambaker(_dot_)com> wrote:
> other bit that should be mentioned in the security considerations is
> vanity fingerprints which are going to be more popular with all 26 Latin
> letters to choose from. And those are a bad idea for the reason given in the
> meeting. If my key starts off 'MERLI-Nxxxx' there is a temptation to only
> check those bits.

To be clear, there are two attack vectors I'm aware of in the space of
user-factors around digest for visual comparison by users.

One is that users are more likely to trust vanity identifiers
(fingerprints that spell out specific words), "it says right there in
the fingerprint, it must be right".

The second is that users will tend to much more strongly compare only
the vanity portion and ignore the following line noise; and thus be
more vulnerable to substitution than they would be with ordinary
randomly selected identifiers; as the attacker need focus only on
matching the vanity part (which will necessarily be small owing to the
computational resources of the actual user).

This conjecture has been experimentally validated both with Bitcoin
addresses (base58) and (especially) Tor hidden services (base32): At
one time there were several hundred silkroadXXXXXX onion addresses
active and being used to scam people.

I don't think there is much room left to debate that schemes which
better accommodate 'vanity' identifiers are more vulnerable in
practice.

Devoweled encodings seem somewhat safer in that they're less likely
to get appreciable vanity use (and also less likely to spell offensive
words).

Beyond your suggestion to make fingerprints purposefully expensive to
create, another possibility is encouraging comparison methods which
are more robust.
E.g. here is a cut-and-choose based scheme I had previously
implemented-- it uses a much larger digest and then encourages the
user to compare an actually random subset of it:

https://en.bitcoin.it/wiki/User:Gmaxwell/visual_fingerprint_comparison

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
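
The comparison idea described in the message above (a much larger digest, of which the user checks a random subset) can be sketched as follows. This is an added example, not code from the message or from the linked wiki page; SHA-512, base32, the 6-character matching prefix, the choice of 12 positions and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import secrets
from math import comb

def long_fingerprint(key_bytes: bytes) -> str:
    """Base32 of a SHA-512 digest, padding stripped (103 characters)."""
    digest = hashlib.sha512(key_bytes).digest()
    return base64.b32encode(digest).decode().rstrip("=")

def pick_positions(length: int, count: int) -> list[int]:
    """Pick distinct positions with fresh randomness at comparison time,
    so nobody can know in advance which characters will be checked."""
    return sorted(secrets.SystemRandom().sample(range(length), count))

def prefix_match(a: str, b: str, n: int) -> bool:
    """What a user does when only the leading vanity part is checked."""
    return a[:n] == b[:n]

def subset_match(a: str, b: str, positions: list[int]) -> bool:
    """Compare only the characters at the chosen positions."""
    return all(a[i] == b[i] for i in positions)

def miss_probability(a: str, b: str, count: int) -> float:
    """Chance that `count` random positions all fall where a and b agree."""
    same = sum(x == y for x, y in zip(a, b))
    return comb(same, count) / comb(len(a), count)

# Constructed sample data: `lookalike` stands for a different key whose
# fingerprint happens to share the first 6 characters with `genuine`.
genuine = long_fingerprint(b"constructed genuine key material")
lookalike = genuine[:6] + long_fingerprint(b"constructed other key material")[6:]

if __name__ == "__main__":
    positions = pick_positions(len(genuine), 12)
    print("positions to read aloud:", positions)
    print("prefix-only check accepts lookalike:", prefix_match(genuine, lookalike, 6))
    print("random-subset check accepts lookalike:",
          subset_match(genuine, lookalike, positions))
    print("chance the subset check misses:", miss_probability(genuine, lookalike, 12))
```
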
