[messaging] "Pseudoword" base32 fingerprints

Peter Eckersley pde-lists at eff.org
Wed Feb 5 17:48:49 PST 2014


Also, it strikes me that checking a whole 160 bit fingerprint on first use
is potentially more work than needs to be done.

Protocols like this should be possible:

1. Alice and Bob use Diffie Hellman or distributed RNG to compute a random
number.  This starts a finite clock ticking (3 minutes? 15 minutes?)
2. The random number determines which portions of the fingerprint they're
going to check now (perhaps on top of a history of which portions they've
checked in the past, if your protocol can preserve that history reliably)
3. They check those portions of the fingerprint.

In order to attack this, Eve needs to MITM the verification step and
compute her collision against the (somewhat weakened) fingerprint in a
fairly short of time (minutes vs weeks, say).

If the verification step is short and easy, perhaps users can be trained to
do a portion of it at the beginning of every session?



On 5 February 2014 17:38, Peter Eckersley <pde-lists at eff.org> wrote:

> I don't think the words necessarily need to be spelled out.  With some
> processing, couldn't you could remove all words from the list that have low
> edit distances from each other, thereby ensuring that (if both parties have
> the words in front of them) letter-by-letter transcription is unecessary?
>
> Also I think saying all of these rare words is actually fun.  But I'm
> probably not your typical user :)
>
>
> On 5 February 2014 17:35, Trevor Perrin <trevp at trevp.net> wrote:
>
>> On Wed, Feb 5, 2014 at 4:47 PM, Moritz Bartl <moritz at headstrong.de>
>> wrote:
>> > Hm. Sorry, stupid question, but why can't you simply map 4-tuples to a
>> > 65k wordlist? Fantasy names, English, something more pronounceable?
>> > There could maybe even multiple "authoritative tables" in various
>> languages.
>>
>>
>> Do you have an example wordlist?  With a 65K dictionary you'll need 8
>> words for a 128-bit security level.
>>
>> I tried a couple random word generators on the Internet:
>>
>>
>> http://www.wordgenerator.net/random-word-generator.php  (claims 90K
>> words)
>>
>>   cowhage - ekasilicon - democratist - clum - dyslexia - farfetched -
>> furrier - mangosteen
>>
>>   matric - beadsman - enterlace - oarswoman - secretitious - incisor -
>> danite - linstock
>>
>>   potash - intersert - possum - verbarfunambulo - additionally -
>> enterotome - turrethead - telegrammic - clupeid
>>
>>
>> ---
>>
>> http://www.wordreference.com/random/definition  (skipping proper nouns)
>>
>>   obstacle - isotherm - pestilential - woodsman - fleet - arrowhead -
>> downgrade - chinwag
>>
>>   mansuetude - sinistrorse - sporophyte - qawwali - bell - bipinnate -
>> boathook - bewitch
>>
>>   elutriate - gesture - unapproachable - pooh-pooh - rodomontade -
>> cameleer - malfunction - buoy
>>
>> ---
>>
>> Compare to pseudowords:
>>
>>   wivoig - datu - siwep - muvu - wkegod
>>
>>   rahixe - xniy - fxube - avwo - egujef
>>
>>   atop5l - udag - bofoc - ihin - roybuz
>>
>>
>> I like the smaller size of the pseudowords, particularly for
>> transcribing these things, spelling out the characters over the phone,
>> or viewing on a small screen.  And a lot of the words are unusual so
>> are going to need to be spelled out.
>>
>> But it would be interesting to see what a better wordlist looks like.
>>
>>
>> Trevor
>> _______________________________________________
>> Messaging mailing list
>> Messaging at moderncrypto.org
>> https://moderncrypto.org/mailman/listinfo/messaging
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140205/a5f42d7f/attachment.html>


More information about the Messaging mailing list