The Effect of Length on Key Fingerprint Verification Security and Usability (2306.04574v2)

Published 7 Jun 2023 in cs.CR and cs.HC

Abstract: In applications such as end-to-end encrypted instant messaging, secure email, and device pairing, users need to compare key fingerprints to detect impersonation and adversary-in-the-middle attacks. Key fingerprints are usually computed as truncated hashes of each party's view of the channel keys, encoded as an alphanumeric or numeric string, and compared out-of-band, e.g. manually, to detect any inconsistencies. Previous work has extensively studied the usability of various verification strategies and encoding formats; however, the exact effect of key fingerprint length on the security and usability of key fingerprint verification has not been rigorously investigated. We present a 162-participant study on the effect of numeric key fingerprint length on comparison time and error rate. While the results confirm some widely held intuitions such as general comparison times and errors increasing significantly with length, a closer look reveals interesting nuances. The significant rise in comparison time only occurs when highly similar fingerprints are compared, and comparison time remains relatively constant otherwise. On errors, our results clearly distinguish between security non-critical errors that remain low irrespective of length and security critical errors that significantly rise, especially at higher fingerprint lengths. A noteworthy implication of this latter result is that Signal/WhatsApp key fingerprints provide a considerably lower level of security than usually assumed.
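The fingerprint construction the abstract describes (a truncated hash of each party's view of the channel keys, encoded as a numeric string) can be sketched as follows. This is an added example, not code from the paper or from Signal/WhatsApp; the SHA-512 choice, the key ordering, the 5-digit grouping and the sample keys are assumptions made for illustration.

```python
import hashlib
import math

def session_fingerprint(key_a: bytes, key_b: bytes, digits: int) -> str:
    """Numeric fingerprint over one party's view of both channel keys."""
    if not 1 <= digits <= 60:
        raise ValueError("digits must be between 1 and 60")
    h = hashlib.sha512()
    # Sort so both parties hash the keys in the same order; length-prefix
    # each key so the concatenation is unambiguous.
    for key in sorted((key_a, key_b)):
        h.update(len(key).to_bytes(2, "big") + key)
    # Truncate by reducing the 512-bit digest modulo 10**digits
    # (the modulo bias is negligible for at most 60 digits).
    value = int.from_bytes(h.digest(), "big") % 10 ** digits
    return str(value).zfill(digits)

def grouped(fp: str, size: int = 5) -> str:
    """Split the digit string into blocks for manual comparison."""
    return " ".join(fp[i:i + size] for i in range(0, len(fp), size))

def entropy_bits(digits: int) -> float:
    """Upper bound on the entropy a fingerprint of this length can carry."""
    return digits * math.log2(10)

def mismatch_positions(fp_a: str, fp_b: str) -> list[int]:
    """Digit positions a user would have to notice to detect a mismatch."""
    if len(fp_a) != len(fp_b):
        raise ValueError("fingerprints must have the same length")
    return [i for i, (x, y) in enumerate(zip(fp_a, fp_b)) if x != y]

# Constructed sample public keys (not real key material).
ALICE = bytes.fromhex("a1" * 32)
BOB = bytes.fromhex("b2" * 32)
INTERCEPTOR = bytes.fromhex("c3" * 32)

def views(digits: int = 30) -> dict:
    """Fingerprints each side displays, with and without an interposed key."""
    return {
        "honest_alice": session_fingerprint(ALICE, BOB, digits),
        "honest_bob": session_fingerprint(BOB, ALICE, digits),
        "aitm_alice": session_fingerprint(ALICE, INTERCEPTOR, digits),
        "aitm_bob": session_fingerprint(INTERCEPTOR, BOB, digits),
    }

if __name__ == "__main__":
    v = views()
    for name, fp in v.items():
        print(f"{name:13s} {grouped(fp)}")
    print("differing digits:", len(mismatch_positions(v["aitm_alice"], v["aitm_bob"])))
```

With unrelated keys almost every digit differs, which is the easy case; the study's security-critical errors arise when the two strings differ in only a few positions.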
