[messaging] Useability of public-key fingerprints

Tom Ritter tom at ritter.vg
Tue Feb 11 15:32:49 PST 2014

Been wanting to reply to this but was on vacation for a while. Here's
an amalgamation.

-----------------


RE: Moxie and fingerprints are horrible. :) I agree-ish. I don't think
they're crucial for everyone, but I think eventually there's going to
be sharp edges that wind up poking through the abstraction. We've
talked about persistence of keying material and the inability for an
attacker to MITM you forever - but eventually you need to rekey
because of device change. Web of trust and communal key
sharing/introductions works better when people don't sign keys they
find randomly on the internet.  I think both are worth pursuing
investigations of.  (If we don't have a thread on persistence of key
material we should.)

Some of the places where I see fingerprints continuing to be useful
far into the future:
 - Business Cards. My key is at <this url> and the fingerprint is [field]
 - You are handed a new device and {don't have access to your database
of trusted fingerprints/need to accomplish work, quickly}. Your
contact sends you a <OTR message/pgp-signed message/whatever>. Do you
recognize this fingerprint?
 - "Here, SSH into my server, I set you up an account." "Is <this> the
SSH fingerprint?" "Uh.... yea I recognize that."
 - Want to build a system that shares public keys mesh-style to help
populate databases/work offline/promote key discovery? A
few-central-node web of trust system would be good, and you want that
trust to be based on more than 'I think that's good'.

Because context is crucial, I think there is value to trying to
enumerate different scenarios fingerprints may be needed, and trying
to produce optimum algorithms for each. (Similar to how the IETF will
produce use case documents.)

In different contexts vastly different options are preferential.
 - If I have a business card two good options are having the PGP
fingerprint on the bottom margin so I can hold it up to my screen, or
having a QR code scan to a copy-pastable text snippet I can paste
below the actual fingerprint
 - Orally, a restricted subset of alphanumeric characters will make a
good fingerprint. Read aloud the following two numbers: 0xBCCD388AEEA8
and 0x196442F6392
 - Typing, a sentence structure might work well: adjective noun
adverb verb object preposition noun. Bored plants merrily paint
airplanes during hurricanes. People are (I think) more likely to
remember more 'things' if they are words and compose a sentence,
than if they are random words or digits.


-----------------


RE: Error Correction:  If a string is intended to be *compared* by
humans, visually, error correction adds length and thus complication.
When you compare PGP fingerprints, having one read to you out loud or
holding a business card up to your screen - error correction bits do
not add value they subtract it.  Only when you _enter_ a string is
error correction useful.


-----------------


Taking a step back to approaching the problem from the beginning:

As Nate said, ultimately we are taking a densely packed bit string of
a chosen precision (64 bits or 128 bits or 160 bits) and looking to
map it onto a field that will allow, in different circumstances, a
'match' when compared to a valid field or in other contexts say
'recognition', as in 'That's Bob's field, I recognize it.'  The
adversary's goal is to get close enough to Bob's field such that Alice
makes a mistake when matching Bob's valid field to the imposter, or
Alice recognizes the imposter's field as Bob's.

The THC tool that brute forces look-alikes does it with the tricks you'd
expect: it weighted fingerprints that matched better at the beginning
and end higher, it weighted '3' as somewhat close to '8' but not
as close as 'B', etc. Such a tool can be built for any field we come
up with.

Besides Trevor's examples:
Here are some already made:
 - Identicons:
http://haacked.com/archive/2007/01/22/Identicons_as_Visual_Fingerprints.aspx/
 - Monsters: http://www.splitbrain.org/projects/monsterid
 - Wavatars: http://www.shamusyoung.com/twentysidedtale/?p=1462
 - Unicorns (really)
http://meta.stackoverflow.com/questions/37328/my-godits-full-of-unicorns
Here are some more ideas:
 - A spirograph
 - A color pattern, a gradient
 - A floral pattern, or flannel, etc
 - A geometric plot on a Cartesian graph
 - A geometric plot on a globe (potentially limited to landmasses and
ignoring oceans)

I've thought a little about this before
(http://ritter.vg/code_poc_categoryauth.html), and my _theory_ is that
humans may be good at remembering/recognizing high entropy data when
it's presented in categories they already recognize. People recognize
the seasons, but that's only 2 bits. What high entropy categories do
people deal with regularly? I think maps are a good candidate. I'm not
sure what else, but I bet there are some others.

An attacker has the exact same problem as before - generate a field
that looks similar to, and may be confused with, a valid field. But
the goal (and theory) is that the well chosen field increases the
chance of detection of subtle differences.


-----------------


Peter Gutmann gave a good talk at Blue Hat about psychology and
security. When we pop a security alert box up to someone and say
"Warning! This may be insecure" - they have no means to evaluate
whether or not it is secure, and we're putting them under pressure to
make a decision. They choose whatever option relieves the pressure,
that is, they make the alert go away.  (Approximately, his slides are
much better, but I can't seem to find them.)

My _theory_, not being a psychologist, is that an alert (if it ever
comes to an alert, and in some of the applications we're talking
about, it will) should try to say something like:

"Something is strange. If what you are doing is a private or valuable
transaction (like submitting your taxes) you should [Read More Here].
If you're not worried about someone eavesdropping on your work, you
can [Continue]."


- -----------------


Take a step back forward: let's say we magically have a geometric map
plot that people recognized with pretty good confidence.  What would
this get us? I keep imagining my OTR conversation having their
map-fingerprint visible so I would get used to seeing it. And seeing
their map-fingerprint in my mail client.  Are we gaining anything by
getting a user to recognize their friend's fingerprint?

I'm not sure I see a context where we are, honestly.

-----------------

RE: Pseudowords. Maaaaybe.  Just like THC's tool, I could create one
that aims to produce similarly-looking pseudowords. And since the
words are not words, I think people's pattern recognition will be
tricked more easily than with an actual wordlist.  I think a usability
study could be in order. ;)

-tom
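An added worked example, not part of Tom's post or any tool it mentions: it takes a fixed-precision fingerprint (here a truncated SHA-256 of a constructed key, standing in for whatever the real fingerprint function is) and maps it onto two of the "fields" discussed above, the adjective-noun-adverb-verb-object-preposition-noun sentence structure and a restricted alphabet for reading aloud, then decodes both back so the bit budget is explicit. All word lists, the 16-symbol oral alphabet and the sample key are constructed for this example; each word slot is a power of two so a sentence carries exactly 19 bits and a 64-bit fingerprint needs four sentences. The point it makes concrete is the one in the post: the field is a lossless re-encoding, so an attacker still has to land a near-collision on the underlying bits, and what changes is only how easily a human spots the difference.

```python
"""Fingerprint-to-field encoders (constructed example, not from the post)."""
import hashlib

# Constructed word lists; every slot size is a power of two so each slot
# carries a whole number of bits. Real lists would be far larger.
ADJECTIVES = ["bored", "green", "loud", "silent", "tiny", "giant", "warm", "cold"]
NOUNS = ["plants", "rivers", "kettles", "ravens", "bridges", "lamps", "owls", "tents"]
ADVERBS = ["merrily", "slowly", "bravely", "quietly"]
VERBS = ["paint", "chase", "carry", "juggle", "sketch", "follow", "lift", "hide"]
OBJECTS = ["airplanes", "teacups", "mountains", "pianos", "anchors", "candles", "robots", "kites"]
PREPOSITIONS = ["during", "under", "beside", "behind"]

# adjective noun adverb verb object preposition noun, the structure from the post
SLOTS = [ADJECTIVES, NOUNS, ADVERBS, VERBS, OBJECTS, PREPOSITIONS, NOUNS]
SLOT_BITS = [len(s).bit_length() - 1 for s in SLOTS]   # 3,3,2,3,3,2,3
SENTENCE_BITS = sum(SLOT_BITS)                         # 19 bits per sentence

# Constructed 16-symbol alphabet for reading aloud: drops 0/O, 1/I/L,
# 3/8/B, 5/S, 2/Z and U/V so no two symbols look or sound alike.
ORAL_ALPHABET = "4679ACDEFHJKMNPR"
assert len(ORAL_ALPHABET) == 16 and len(set(ORAL_ALPHABET)) == 16


def fingerprint_bits(pubkey: bytes, nbits: int = 64) -> str:
    """Stand-in fingerprint: top nbits of SHA-256(pubkey) as a bit string."""
    digest = int.from_bytes(hashlib.sha256(pubkey).digest(), "big")
    return format(digest >> (256 - nbits), f"0{nbits}b")


def to_sentences(bits: str) -> str:
    """Map a bit string onto fixed-structure sentences; zero-pads the tail."""
    padded = bits + "0" * (-len(bits) % SENTENCE_BITS)
    sentences, pos = [], 0
    while pos < len(padded):
        words = []
        for wordlist, width in zip(SLOTS, SLOT_BITS):
            words.append(wordlist[int(padded[pos:pos + width], 2)])
            pos += width
        sentences.append(" ".join(words).capitalize() + ".")
    return " ".join(sentences)


def from_sentences(text: str, nbits: int) -> str:
    """Invert to_sentences; a word outside its slot raises ValueError."""
    words = text.replace(".", "").lower().split()
    bits = []
    for i, word in enumerate(words):
        slot = i % len(SLOTS)
        bits.append(format(SLOTS[slot].index(word), f"0{SLOT_BITS[slot]}b"))
    return "".join(bits)[:nbits]


def to_oral(bits: str) -> str:
    """Map 4-bit groups onto the oral alphabet, spaced in fours for reading."""
    padded = bits + "0" * (-len(bits) % 4)
    chars = [ORAL_ALPHABET[int(padded[i:i + 4], 2)] for i in range(0, len(padded), 4)]
    return " ".join("".join(chars[i:i + 4]) for i in range(0, len(chars), 4))


def from_oral(text: str, nbits: int) -> str:
    """Invert to_oral; a symbol outside the alphabet raises ValueError."""
    bits = "".join(format(ORAL_ALPHABET.index(c), "04b") for c in text.replace(" ", ""))
    return bits[:nbits]


if __name__ == "__main__":
    key = b"constructed sample public key, not a real one"   # constructed input
    bits = fingerprint_bits(key)
    print(to_sentences(bits))   # four sentences = 76 bits of capacity for 64 bits
    print(to_oral(bits))        # 16 symbols in groups of four
```

Note that neither field adds error correction, in line with the point made about comparison versus entry: a mistyped word or symbol simply fails to decode, which is the right behaviour for a field a human compares by eye or ear. If the field is ever typed in, a check word or check symbol would be the place to spend extra length.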

