Research article, DOI: 10.1145/3600160.3600187

The Effect of Length on Key Fingerprint Verification Security and Usability

Published: 29 August 2023

Abstract

In applications such as end-to-end encrypted instant messaging, secure email, and device pairing, users need to compare key fingerprints to detect impersonation and adversary-in-the-middle attacks. Key fingerprints are usually computed as truncated hashes of each party’s view of the channel keys, encoded as an alphanumeric or numeric string, and compared out-of-band, e.g. manually, to detect any inconsistencies. Previous work has extensively studied the usability of various verification strategies and encoding formats; however, the exact effect of key fingerprint length on the security and usability of key fingerprint verification has not been rigorously investigated. We present a 162-participant study on the effect of numeric key fingerprint length on comparison time and error rate. While the results confirm some widely-held intuitions such as general comparison times and errors increasing significantly with length, a closer look reveals interesting nuances. The significant rise in comparison time only occurs when highly similar fingerprints are compared, and comparison time remains relatively constant otherwise. On errors, our results clearly distinguish between security non-critical errors that remain low irrespective of length and security critical errors that significantly rise, especially at higher fingerprint lengths. A noteworthy implication of this latter result is that Signal / WhatsApp key fingerprints provide a considerably lower level of security than usually assumed.
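The scheme the abstract describes (hash both parties' keys, truncate, encode as decimal digits, compare out-of-band), shown at several lengths as an added example that is not from the paper or from any messaging application. SHA-256, the sorted length-prefixed key concatenation, the 5-digit grouping and all function names are assumptions chosen for illustration, and the sample keys are constructed.

```python
import hashlib
import math

GROUP = 5  # digits per displayed block (assumed layout)

def numeric_fingerprint(key_a: bytes, key_b: bytes, digits: int) -> str:
    """Truncated-hash fingerprint over both parties' public keys."""
    if not 1 <= digits <= 60:
        # 10**60 is far below 2**256, so the modulo bias stays negligible
        raise ValueError("digits must be between 1 and 60")
    # Sort so both parties hash the same bytes; length-prefix each key so
    # the concatenation cannot be split in two different ways.
    material = b"".join(len(k).to_bytes(2, "big") + k
                        for k in sorted((key_a, key_b)))
    value = int.from_bytes(hashlib.sha256(material).digest(), "big")
    # Truncation step: keep only the low `digits` decimal digits.
    return f"{value % 10**digits:0{digits}d}"

def group(fp: str) -> str:
    """Split into blocks the way a user would see or read them aloud."""
    return " ".join(fp[i:i + GROUP] for i in range(0, len(fp), GROUP))

def entropy_bits(digits: int) -> float:
    """Upper bound on security: every digit carries log2(10) bits."""
    return digits * math.log2(10)

def verify(local_fp: str, remote_fp: str) -> bool:
    """Full comparison of every digit, ignoring display spacing."""
    a = "".join(local_fp.split())
    b = "".join(remote_fp.split())
    return a.isdigit() and a == b

# Constructed sample keys (not real key material).
ALICE = bytes(range(32))
BOB = bytes(range(32, 64))
MALLORY = bytes(range(64, 96))  # key substituted by an adversary-in-the-middle

if __name__ == "__main__":
    for n in (10, 30, 60):
        honest = numeric_fingerprint(ALICE, BOB, n)
        mitm = numeric_fingerprint(ALICE, MALLORY, n)
        print(f"{n:2d} digits, at most {entropy_bits(n):5.1f} bits: {group(honest)}")
        print(f"   accepted with substituted key: {verify(honest, mitm)}")
```

`entropy_bits` is the nominal bound only; it holds when every digit is actually compared, as `verify` does.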


Published In

ARES '23: Proceedings of the 18th International Conference on Availability, Reliability and Security
August 2023
1440 pages
ISBN:9798400707728
DOI:10.1145/3600160
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Authentication
  2. Device pairing
  3. End-to-end encryption
  4. Key fingerprint verification
  5. Out-of-band channel
  6. Secure messaging
  7. Security
  8. Signal safety number
  9. Usability
  10. WhatsApp security code

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES 2023

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Article Metrics

  • Total Citations: 0
  • Total Downloads: 42
  • Downloads (Last 12 months): 26
  • Downloads (Last 6 weeks): 2

Reflects downloads up to 12 Jan 2025
