[messaging] Bounding hash 2d preimage bits (was Re:...Test Data)

Robert Ransom rransom.8774 at gmail.com
Wed Jul 23 09:09:57 PDT 2014


On 7/23/14, David Leon Gil <coruus at gmail.com> wrote:
> (And, a somewhat delayed response.)
>
> Fingerprint derivation MUST take measures to make multi-target attacks cost
> as much as single-target attacks. The easiest approach is to use something
> else the user verifies -- like an email address or (unique) screenname --
> as an additional input to the KDF.
>
> (The advantage, as dkg points out, is large even for private attackers.
> It's gigantic for those involved in mass surveillance or espionage: it's
> the total number of keys. Just for RSA and DSA SSH host keys: > 2^27
> targets. See, e.g.,
> http://elastic-security.com/2013/10/29/applications-of-zmap/)

So every time my computer's IP address or hostname changes, I should
have to go to its console to find out its new SSH host key
fingerprint?  I think not.

A public-key hash used as a ‘fingerprint’ should be long enough, and
use a secure enough hash function, to prevent second-preimage attacks.

Alternatively, the ‘fingerprint’ could contain enough of the public
key that anyone who knows one private key whose corresponding public
key has a given fingerprint can trivially compute the private key
corresponding to every other public key with the same fingerprint.
(For example, with an Ed25519-like signature scheme, one can use the
Curve25519 representation of a public-key group element as its
‘fingerprint’, and print/send/retype/verify 51 base32 characters
instead of 52 (if you're careful about which bit gets dropped).)


Robert Ransom
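
The 51-character fingerprint described in the message above, as an added example that is not part of the original post. It assumes the RFC 4648 base32 alphabet with MSB-first packing, and that the dropped bit is the x sign bit of the Ed25519 encoding; all function names are hypothetical. The two keys that then share a fingerprint are a point and its negation, whose secret scalars are a and -a modulo the group order.

```python
import base64

P = 2**255 - 19                           # field prime of Ed25519 and Curve25519
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # RFC 4648 alphabet (assumed encoding)
BASE_Y = 4 * pow(5, -1, P) % P            # Edwards y of the standard base point

def encode_point(y: int, x_sign: int) -> bytes:
    """Ed25519 wire format: 255-bit y, little-endian, x sign in the top bit."""
    return (y | (x_sign << 255)).to_bytes(32, "little")

def ed25519_to_u(pub: bytes) -> int:
    """Montgomery u = (1 + y) / (1 - y) mod P; the x sign bit is discarded."""
    if len(pub) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    y = int.from_bytes(pub, "little") & ((1 << 255) - 1)
    if y >= P:
        raise ValueError("non-canonical y coordinate")
    if y == 1:
        raise ValueError("identity point has no affine u-coordinate")
    return (1 + y) * pow((1 - y) % P, -1, P) % P

def fingerprint(pub: bytes) -> str:
    """u < 2^255, so it packs MSB-first into exactly 51 five-bit symbols."""
    u = ed25519_to_u(pub)
    return "".join(B32[(u >> shift) & 31] for shift in range(250, -1, -5))

def parse_fingerprint(fp: str) -> int:
    """Decode a retyped fingerprint, rejecting bad length, symbols and range."""
    if len(fp) != 51 or any(c not in B32 for c in fp):
        raise ValueError("expected 51 base32 characters")
    u = 0
    for c in fp:
        u = (u << 5) | B32.index(c)
    if u >= P:
        raise ValueError("non-canonical u coordinate")
    return u

def raw_base32_len(pub: bytes) -> int:
    """Length of the unpadded base32 form of the full 32-byte key."""
    return len(base64.b32encode(pub).rstrip(b"="))

if __name__ == "__main__":
    pos, neg = encode_point(BASE_Y, 0), encode_point(BASE_Y, 1)  # constructed: B and -B
    print(raw_base32_len(pos), len(fingerprint(pos)))
    print(fingerprint(pos) == fingerprint(neg))
```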

