[messaging] Useability of public-key fingerprints

Brian Warner warner at lothar.com
Thu Feb 13 17:49:39 PST 2014

On 1/31/14 12:29 PM, Daniel Kahn Gillmor wrote:

> This is the essence of what SAS (see other thread on "Short Auth
> Strings") does, right?

Yeah, SAS is basically after-the-exchange confirmation of two public
values (once in each direction). PAKE is before-the-exchange
transcription of a single secret value (which can be generated by
whichever side is most convenient).

> I think avoiding the extra step of human confirmation can be an
> advantage.
> Presented with a prompt that says "is 10352 the correct PIN?", users
> will most likely read "Yes" as either "get on with it already" and
> "No" as "argh why are you getting in my way?"

Yup, that's one reason I went with J-PAKE for FF Sync: SAS is simpler,
but creates an incentive to "just say yes" without checking. (the need
for bidirectional checks was another: you could skimp on one direction,
but it'd open you up to fixation attacks).

You can convert the confirmation question into a transcription
operation, though: have the user type in the SAS string from the other
device, then compare them internally. Then you can play some games with
the transcription process to make it more interesting (or at least less
boring). The trick I never got around to testing out was:

* both clients agree on an image, maybe a picture derived from a few
  bits of the session key. They split the image into some number of
  square regions
* the first client rotates the squares using bits of the generated SAS
  value, and displays the distorted image
* the second client displays the same image, with the squares rotated
  randomly. The user is told to rotate the squares until they match the
  image being shown by the first client, then hit return
* the resulting rotation values are the "input" SAS string, and the
  second client does the comparison internally

(completely abstract images might be better than photos, since some
folks would ignore the first client entirely and just treat this like a
remove-the-distortions puzzle)

"Manipulate Until Equal" is a lot like "type in a number", but doesn't
remind people of passwords quite so much.
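
The square-rotation scheme from the list above, as an added example that is not part of the original post or of any shipped client. It assumes two bits of SAS per square (a count of quarter turns), a 4x4 grid for a 32-bit SAS, and a constructed sample SAS value; all function names are hypothetical.

```python
import hmac
import secrets

def sas_to_rotations(sas: bytes) -> list[int]:
    """First client: unpack the SAS two bits at a time, one quarter-turn count (0-3) per square."""
    n = len(sas) * 4
    value = int.from_bytes(sas, "big")
    return [(value >> (2 * (n - 1 - i))) & 3 for i in range(n)]

def rotations_to_sas(rotations: list[int]) -> bytes:
    """Second client: pack the user's final square orientations back into SAS bytes."""
    if len(rotations) % 4:
        raise ValueError("need four squares per SAS byte")
    value = 0
    for r in rotations:
        if r not in (0, 1, 2, 3):
            raise ValueError("rotation must be 0-3 quarter turns")
        value = (value << 2) | r
    return value.to_bytes(len(rotations) // 4, "big")

def scrambled_start(squares: int) -> list[int]:
    """Second client's initial display: random, so it reveals nothing about its own SAS."""
    return [secrets.randbelow(4) for _ in range(squares)]

def turn(state: list[int], clicks: list[int]) -> list[int]:
    """Apply the user's quarter-turn clicks to each square."""
    return [(s + c) % 4 for s, c in zip(state, clicks)]

def second_client_confirms(own_sas: bytes, final_state: list[int]) -> bool:
    """Compare internally; the user is never asked a yes/no question."""
    if len(final_state) != len(own_sas) * 4:
        return False
    return hmac.compare_digest(rotations_to_sas(final_state), own_sas)

def simulate(sas_first: bytes, sas_second: bytes) -> bool:
    """A careful user copies what the first client shows onto the second client."""
    shown = sas_to_rotations(sas_first)
    start = scrambled_start(len(shown))
    clicks = [(target - s) % 4 for target, s in zip(shown, start)]
    return second_client_confirms(sas_second, turn(start, clicks))

if __name__ == "__main__":
    sas = bytes.fromhex("9c3e51a7")                   # constructed sample SAS
    print(simulate(sas, sas))                         # both sides derived the same SAS
    print(simulate(sas, bytes.fromhex("9c3e51a6")))   # SAS values differ (tampered exchange)
```

Each square carries two bits only if its four orientations are visually distinct, so a tile that looks the same after a quarter or half turn reduces the effective SAS length.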

