[Freedombox-discuss] Tap-to-share PGP key exchange
Timur Mehrvarz
timur.mehrvarz at googlemail.com
Wed Oct 5 22:22:47 UTC 2011
On 05.10.2011 14:33, Boaz wrote:
> Cryptographically, it is possible to securely initiate a connection
> (with the property that the worst a MITM can accomplish is prevent the
> connection from successfully going through), based on verification of
> a very low entropy verification string.
>
> This is done, for example, in ZRTP (
> https://secure.wikimedia.org/wikipedia/en/wiki/ZRTP ), where
> comparison by voice of two words packing just 16 bits of entropy
> prevents a MITM attack.
>
> It works by each side committing to the fullness of their key via a
> hash, before transmitting the key itself. In this way, the attacker
> doesn't get to sit there and try zillions of possibilities looking for
> one that produces the right verification string (as he does when
> trying to attack a traditional key fingerprint, which is why they must
> be very high entropy). Instead, the attacker must guess once and
> guess right what to do hoping it will randomly result in the right
> verification string. I hope the important distinction between "how many
> computations the attacker needs to do" (for which 10^6 or 2^16 is
> hopelessly inadequate and something like 2^160 is needed), and "among
> how many possibilities must the attacker pick a single one randomly"
> (for which 10^6 or 2^16 will do just fine) is clear.
>
> Personally, I think that this "short authentication string"
> verification by a secure means (e.g. physical proximity or familiarity
> of voice) holds tremendous promise. I fear that people are dismissing
> it because they don't understand how it can actually work,
> cryptographically.
>
> If you're curious to learn more about how this principle works, as
> implemented in ZRTP, please write me on or off the list and I'll be
> happy to provide additional explanation and links to further
> information (there are some sources out there which explain this very
> well).
Please be so kind and provide this info on list. Thank you.
Timur
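As an added illustration of the commit-then-reveal idea Boaz describes (not part of either message, and not ZRTP's actual wire format), the toy model below has the initiator commit to a hash of its public value before the responder reveals its own; the responder aborts if the later-revealed value does not match the commitment. The "public values" are stand-ins for Diffie-Hellman public keys and the SAS derivation is a simplification; the message names in the comments follow ZRTP's Commit/DHPart1/DHPart2 order.

```python
"""Toy commit-then-reveal short authentication string (SAS), ZRTP-style.

Constructed example: the public values stand in for DH public keys, and the
SAS is derived directly from them rather than from the session key.
"""
import hashlib
import secrets
from typing import Optional, Tuple

SAS_BITS = 16  # two PGP-word-list words, as in the quoted message


def commitment(public_value: bytes) -> bytes:
    """Initiator commits to its public value before seeing the responder's."""
    return hashlib.sha256(b"commit" + public_value).digest()


def short_auth_string(init_value: bytes, resp_value: bytes) -> int:
    """SAS from both revealed values, truncated to SAS_BITS bits."""
    digest = hashlib.sha256(b"sas" + init_value + resp_value).digest()
    return int.from_bytes(digest[:2], "big") & ((1 << SAS_BITS) - 1)


def responder_check(commit: bytes, revealed_init_value: bytes) -> bool:
    """Responder accepts only if the revealed value matches the commitment."""
    return secrets.compare_digest(commit, commitment(revealed_init_value))


def run_exchange(init_value: bytes, resp_value: bytes,
                 revealed_init_value: Optional[bytes] = None
                 ) -> Tuple[bool, Optional[int], Optional[int]]:
    """Simulate the flow; returns (ok, sas_initiator, sas_responder).

    `revealed_init_value` models a value substituted on the wire after the
    commitment went out; the commitment check makes that detectable.
    """
    if revealed_init_value is None:
        revealed_init_value = init_value
    c = commitment(init_value)            # 1. Initiator -> Responder (Commit)
    # 2. Responder -> Initiator: resp_value (DHPart1), sent only after step 1
    # 3. Initiator -> Responder: init_value (DHPart2)
    if not responder_check(c, revealed_init_value):
        return False, None, None          # abort: value changed after commit
    sas_i = short_auth_string(init_value, resp_value)
    sas_r = short_auth_string(revealed_init_value, resp_value)
    return True, sas_i, sas_r


def attacker_success_probability() -> float:
    """Attacker must choose once, blind to the responder's value: 2^-SAS_BITS."""
    return 2.0 ** -SAS_BITS
```

Because the initiator's value is fixed before the responder's is known, an attacker cannot try many candidate values offline against a known target SAS; the only option is one blind guess per session.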