[messaging] Test Data for the Usability Study
michael at briarproject.org
Mon May 26 02:55:20 PDT 2014
On 26/05/14 01:15, Tom Ritter wrote:
> Third: Figure out how to approximate an attacker who can perform
> 2^80 calculations in the 'weird' cases. For a 32-character hex
> fingerprint, a 2^80 attacker can match 20 characters.
> Weird Case 1: An attacker matches the beginning and end parts of
> the fingerprint to try and trick someone doing a visual compare.
> Clearly, matching the beginning and ending 10 characters exactly is
> harder than matching any 20, but how much harder? Would a match of
> the beginning and ending 8 characters correctly characterize a 2^80
As I've mentioned before, I don't think we can make a fair comparison
of 'weird' attacks across fingerprint representations.
Having said that... a 2^80 attacker can match 20 characters at chosen
positions. I don't know how to calculate how many characters a 2^80
attacker could match at unchosen positions, but it seems to me that it
would depend on the number of positions, i.e. the length of the
> Weird Case 2: An attacker tries to match the fingerprint by
> pronunciation to try and trick someone doing a vocal compare.
> Again, matching 20 characters exactly and making the remaining 12
> 'sound alike' is harder than just matching 20. Would an attacker
> getting 28 characters to 'sound alike' and have the rest match
> exactly approximate a 2^80 attack?
We don't even have a metric for 'sound alike', so this question isn't
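Added example, not part of the original message or the project's code: one way to put numbers on the chosen versus unchosen position question discussed in the thread, for a hex fingerprint of a given length. It assumes candidate fingerprints are uniformly random and independent, and reads "can match" as "the expected number of trials fits in the budget"; the function names are hypothetical.

```python
from math import comb

HEX_BITS = 4  # one hex character carries 4 bits


def max_chosen(length, budget_bits):
    """Most characters matchable at positions fixed in advance.

    Every fixed position costs 4 bits of work, wherever it sits in the string.
    """
    return min(length, budget_bits // HEX_BITS)


def matching_count(length, k):
    """Count hex strings of this length that agree with a target in >= k positions.

    Exactly j agreeing positions: comb(length, j) placements, and each of the
    remaining positions takes any of the 15 non-matching values.
    """
    return sum(comb(length, j) * 15 ** (length - j) for j in range(k, length + 1))


def max_unchosen(length, budget_bits):
    """Largest k such that matching ANY k positions fits in 2^budget_bits trials.

    Expected trials = 16^length / matching_count(length, k) under the assumed
    uniform model; the comparison uses exact integers, so there is no rounding.
    """
    total = 16 ** length
    best = 0
    for k in range(length + 1):
        if total <= (1 << budget_bits) * matching_count(length, k):
            best = k
    return best


if __name__ == "__main__":
    # Constructed inputs: the 32-character fingerprint from the thread, plus a
    # 40-character one to show the dependence on fingerprint length.
    for length in (32, 40):
        print(f"{length} hex chars, 2^80 budget: "
              f"chosen={max_chosen(length, 80)}, "
              f"unchosen={max_unchosen(length, 80)}")
```

Under this model the answer for unchosen positions grows with fingerprint length, while the answer for chosen positions does not.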