On 7/23/14, David Leon Gil <[email protected]> wrote:
> (And, a somewhat delayed response.)
>
> Fingerprint derivation MUST take measures to make multi-target attacks cost
> as much as single-target attacks. The easiest approach is to use something
> else the user verifies -- like an email address or (unique) screenname --
> as an additional input to the KDF.
>
> (The advantage, as dkg points out, is large even for private attackers.
> It's gigantic for those involved in mass surveillance or espionage: it's
> the total number of keys. Just for RSA and DSA SSH host keys: 2^27
> targets. See, e.g.,
> http://elastic-security.com/2013/10/29/applications-of-zmap/)
So every time my computer's IP address or hostname changes, I should have to go to its console to find out its new SSH host key fingerprint? I think not.

A public-key hash used as a ‘fingerprint’ should be long enough, and use a secure enough hash function, to prevent second-preimage attacks.

Alternatively, the ‘fingerprint’ could contain enough of the public key that anyone who knows one private key whose corresponding public key has a given fingerprint can trivially compute the private key corresponding to every other public key with the same fingerprint. (For example, with an Ed25519-like signature scheme, one can use the Curve25519 representation of a public-key group element as its ‘fingerprint’, and print/send/retype/verify 51 base32 characters instead of 52 (if you're careful about which bit gets dropped).)

Robert Ransom
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
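The Curve25519-representation fingerprint Ransom describes, worked through for Ed25519 keys as an added example (not code from the post or from any project): the map from Edwards y to Montgomery u, the 51-symbol base32 encoding that drops exactly the sign bit of x, and the check that the only key sharing a fingerprint with A is -A. It assumes RFC 8032 public-key encoding; the function names and the base point used as sample input are this example's own choices.

```python
P = 2**255 - 19                                # Curve25519/Ed25519 field prime
ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"  # RFC 4648 base32, lowercase
SIGN_BIT = 0x80                                # top bit of byte 31: sign of x

def ed25519_y_to_u(pk: bytes) -> int:
    """Birational map Edwards y -> Montgomery u = (1 + y) / (1 - y) mod p.
    Only y is used, so A and -A (same y, opposite sign of x) share one u;
    that is the single intended 'collision' of this fingerprint."""
    if len(pk) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    y = int.from_bytes(pk, "little") & ((1 << 255) - 1)  # drop sign bit
    if y >= P:
        raise ValueError("non-canonical y coordinate")
    if y == 1:
        raise ValueError("y = 1 is the neutral element and has no affine u")
    return (1 + y) * pow((1 - y) % P, -1, P) % P

def u_to_y(u: int) -> int:
    """Inverse map y = (u - 1) / (u + 1) mod p: u pins down y exactly."""
    return (u - 1) * pow((u + 1) % P, -1, P) % P

def fingerprint(pk: bytes) -> str:
    """u < 2^255 fits exactly 51 base32 symbols (51 * 5 = 255 bits); the
    raw 256-bit key would need ceil(256 / 5) = 52.  The one bit dropped
    is the sign of x, not a bit of y, so nothing else is lost."""
    u = ed25519_y_to_u(pk)
    return "".join(ALPHABET[(u >> (5 * i)) & 31] for i in range(50, -1, -1))

def fingerprint_to_u(fp: str) -> int:
    """Decode the 51 symbols back to u (round-trip check)."""
    if len(fp) != 51:
        raise ValueError("fingerprint must be 51 base32 symbols")
    u = 0
    for ch in fp:
        u = (u << 5) | ALPHABET.index(ch)
    return u

def keys_with_fingerprint(pk: bytes) -> set:
    """All public keys sharing pk's fingerprint: pk and -pk (sign bit flipped).
    If pk = s*B then -pk = ((-s) mod l)*B, so whoever holds s also holds
    the other key's scalar: exactly the property the post asks for."""
    neg = bytearray(pk)
    neg[31] ^= SIGN_BIT
    return {bytes(pk), bytes(neg)}

# Constructed input: the Ed25519 base point B (y = 4/5, x even); its
# Montgomery u-coordinate is 9, the Curve25519 base point.
BASEPOINT = bytes.fromhex("58" + "66" * 31)
```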
