[Freedombox-discuss] identicons are not strong crypto [was: Re: Tap-to-share PGP key exchange]
The Doctor
drwho at virtadpt.net
Tue Oct 4 12:42:19 UTC 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 10/03/2011 01:57 PM, Daniel Kahn Gillmor wrote:
> This is a demonstration of an attack against humans' poor ability
> to rigorously compare hexadecimal fingerprints. I was asking for
> analysis of comparable vulnerabilities of identicons or other
> graphical representations.
What I linked to was research that suggests that the phenomenon in
question (i.e., misidentifying busy little patterns visually) is not
limited to icons, but in fact busy little patterns perceived with the
eyes in general. Perhaps I was not clear in this, and I apologize.
> I'm not so sure about bubble-babble -- afaict, the advantage there
> is the ability to transmit it by voice with reasonable fidelity
> over a telephone.
In my experience, bubble-babble fingerprints are easy to verify over
the phone by confirming some parts with the NATO phonetic alphabet.
> A) We can try to solve the problem by shuffling the bits around
> into different forms that we think *might* be more memorable and
> resistant to fuzzy attack, or...
What if a pattern matching game was made out of it? A little sub-game
that could be solved in ten moves or so which would make it possible
to verify the fingerprint? I know of some gamification research along
these lines, let me go digging for some papers..
> B) We can try to let the humans do something humans are good at
> doing (like examining and thinking about the physical world to
> ensure that a physical link is intact), and let our machinery do
> the precise and rigorous comparisons directly. Given that we have
> such machinery available, and given the unlikelihood of a radical
> shift in human mental practice and capacity, option B seems like
> the better approach to me.
I am inclined to agree with you.
- --
The Doctor [412/724/301/703]
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/
File not found: A)bort, R)etry, M)assive heart attack?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk6K/ysACgkQO9j/K4B7F8HNLACgwuMNDHLElOOkk14BJGjVdn3Y
WmIAoNu2xuGCdjfS12AdW2PkqsM+NdKG
=QA7l
-----END PGP SIGNATURE-----
More information about the Freedombox-discuss
mailing list