[messaging] Useability of public-key fingerprints
John-Mark Gurney
jmg at funkthat.com
Fri Jan 31 11:50:12 PST 2014
Daniel Kahn Gillmor wrote this message on Thu, Jan 30, 2014 at 01:43 -0500:
> On 01/30/2014 01:19 AM, Robert Ransom wrote:
> > The difference is that you can encrypt messages to a key offline, but
> > you need to be connected to the Internet (and to a working directory
> > server of some sort) in order to encrypt messages to a fingerprint.
>
> There is a hybrid approach to doing a handshake like this between two
> users in person, though, if both have computing devices with them. You
> can use human-inspectable mechanisms like QR codes or acoustic coupling
> to transmit a fingerprint, and then use whatever (non-inspectable)
> higher-bandwidth channel exists between the two devices (802.11b, NFC,
> bluetooth) to transmit the full key/metadata, which each peer then
> verifies against the fingerprint.
If you have a high bandwidth interactive channel, why not do a DH key
exchange, and then use a short hash (pin) to validate the DH key
exchange? Once you have validated the DH key exchange, you can pass
any data over the channel...
I used this mechanism in pyfp:
https://www.funkthat.com/~jmg/pyfp/pyfp-0.5.tar.gz
pyfp is designed for secure file transfer over an insecure network when
you have an authenticated low bandwidth (such as voice) channel...
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
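The exchange described in the message above, sketched as an added example; it is not part of the original post and is not pyfp's code. It goes one step beyond the message by having the initiator send a hash commitment to its public value first, so a PIN as short as six digits cannot be searched for by whoever controls the network. Assumptions: the RFC 3526 group 14 parameters, SHA-256, the six-digit PIN length, and all function names are choices made here.

```python
import hashlib
import hmac
import secrets

# Assumption: RFC 3526 group 14 (2048-bit MODP prime), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D" "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2

def enc(n):
    return n.to_bytes(256, "big")  # fixed width keeps the hash input unambiguous

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def commit(pub):
    return hashlib.sha256(b"commit" + enc(pub)).digest()

def open_commitment(commitment, revealed_pub):
    # Responder's check: the revealed value must be the one committed to in msg 1.
    if not hmac.compare_digest(commitment, commit(revealed_pub)):
        raise ValueError("public value does not match commitment")

def pin(own_priv, peer_pub, init_pub, resp_pub):
    if not 1 < peer_pub < P - 1:
        raise ValueError("degenerate public value")
    shared = pow(peer_pub, own_priv, P)
    h = hashlib.sha256(b"pin" + enc(init_pub) + enc(resp_pub) + enc(shared))
    return f"{int.from_bytes(h.digest()[:4], 'big') % 10**6:06d}"

def run(substituted=False):
    """One exchange; returns the PINs the two users read to each other by voice."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    x_pub = keypair()[1]  # constructed failure case: a third key swapped in transit
    msg1 = commit(x_pub if substituted else a_pub)  # arrives at responder
    msg2 = x_pub if substituted else b_pub          # arrives at initiator
    msg3 = x_pub if substituted else a_pub          # arrives at responder
    open_commitment(msg1, msg3)
    return (pin(a_priv, msg2, a_pub, msg2),   # initiator's view of the transcript
            pin(b_priv, msg3, msg3, b_pub))   # responder's view of the transcript
```

Matching PINs mean both ends hashed the same transcript and shared secret; any mismatch means the channel must not be used.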