[messaging] Useability of public-key fingerprints

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jan 29 22:43:44 PST 2014


On 01/30/2014 01:19 AM, Robert Ransom wrote:
> The difference is that you can encrypt messages to a key offline, but
> you need to be connected to the Internet (and to a working directory
> server of some sort) in order to encrypt messages to a fingerprint.

There is a hybrid approach to doing a handshake like this between two
users in person, though, if both have computing devices with them.  You
can use human-inspectable mechanisms like QR codes or acoustic coupling
to transmit a fingerprint, and then use whatever (non-inspectable)
higher-bandwidth channel exists between the two devices (802.11b, NFC,
Bluetooth) to transmit the full key/metadata, which each peer then
verifies against the fingerprint.

> That's another of Ross Anderson's usability lessons: if you want the
> user to check a fingerprint, make the user type it in and have the
> software compare it.  (And in that case, it may as well be a key or
> password of some sort, especially with ECC.)

This is a really key insight, and I've found it to be a very useful
workflow to have users enter data rather than asking them to sustain the
effort to make a comparison.  Do you have a reference for Anderson on this?

I'm not convinced that users might just as well enter the full ECC key
as a shorter fingerprint, though.  For an application that wants 112-bit
cryptographic strength for this key exchange, users would have to
transcribe at least a 224-bit ECC key, which is significantly more
taxing (and error-prone) for most humans than transcribing a 112-bit
fingerprint.  What happens if the user makes a mistake?  Are they locked
out from communicating?

If the goal is a usable tool, it's probably worth taking advantage of
other mechanisms to bootstrap up from the smallest reasonable value we'd
want people to transcribe, as long as the fingerprinting mechanism used
is cryptographically strong.

	--dkg
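
The workflow discussed in this message (the full key arrives over an unauthenticated channel, the user types a short fingerprint, and the software does the comparison) can be sketched as follows. This is an added example, not part of the original post or of any project's code. The fingerprint scheme (SHA-256 truncated to 112 bits, base32, groups of four), the function names and the sample key are assumptions made for illustration.

```python
import hashlib
import hmac
from base64 import b32encode

FP_BYTES = 14   # 112 bits, the strength discussed in the message
FP_CHARS = 23   # ceil(112 / 5) base32 characters once padding is dropped
ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")  # RFC 4648 base32, lowercased
SAMPLE_KEY = bytes(range(32))  # constructed stand-in for a received public key

def fingerprint(key: bytes) -> str:
    """Assumed scheme: truncated SHA-256, base32, hyphenated in groups of 4."""
    digest = hashlib.sha256(key).digest()[:FP_BYTES]
    b32 = b32encode(digest).decode().rstrip("=").lower()
    return "-".join(b32[i:i + 4] for i in range(0, len(b32), 4))

def normalize(typed: str) -> str:
    """Drop separators, fold case, and map digits that base32 never uses."""
    s = "".join(c for c in typed.lower() if c not in " -\t\n")
    return s.translate(str.maketrans("01", "ol"))

def check_typed_fingerprint(typed: str, received_key: bytes) -> str:
    """Compare what the user typed with the key that came over the wire."""
    s = normalize(typed)
    if len(s) != FP_CHARS or not set(s) <= ALPHABET:
        return "malformed"   # detectable slip: let the user re-enter it
    expected = normalize(fingerprint(received_key))
    if hmac.compare_digest(s.encode(), expected.encode()):
        return "match"       # the received key is the one the peer displayed
    return "mismatch"        # well-formed but different: reject the key

if __name__ == "__main__":
    shown = fingerprint(SAMPLE_KEY)
    print(shown, check_typed_fingerprint(shown.upper(), SAMPLE_KEY))
```

Separating "malformed" from "mismatch" lets a tool treat a transcription slip as a retry rather than as a failed verification, which is one answer to the lock-out question raised above.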
