michael at briarproject.org
Thu Aug 28 08:14:30 PDT 2014
Yes, I had the same thought. With a 10-digit pairing code, the security level against an online attack is 10^10 =~ 2^33. The attack is parallelisable - e.g. 2^16 cores doing 2^17 work each.
Should be fixable by exchanging hashes of the public keys before the keys themselves.
Brian Warner <warner at lothar.com> wrote:
>On 8/22/14, 5:50 PM, Andy Isaacson wrote:
>> It seems a little silly to me too, but I'm encouraged to see new
>> innovations in end user security systems, especially when they're not
>> trying to do something fundamentally impossible and seem to have a
>> reasonable grasp of what's required.
>Did anyone else get the sense that their "pairing code" is a truncated
>hash of the session key, and thus vulnerable to the MitM forcing the two
>session keys to achieve a partial collision of the codes?
>Sounds like a job for SAS (Short Authenticated Strings). I haven't
>thought through it too far, but I think speaking and verifying an 8
>digit code (4 from each side) would reduce the MitM's chance of success
>down to 1-in-10k, no matter how much computation they spent trying for
>collisions. SAS is unidirectional, so I think both sides have to emit
>and compare a code (A->B + B->A), hence the 2x length requirement. But
>maybe 1x is enough.
>Messaging mailing list
>Messaging at moderncrypto.org
More information about the Messaging