Loading ...
Sorry, an error occurred while loading the content.

6191Re: [decentralization] decentralized recognizability

Expand Messages
  • brandon@blanu.net
    Nov 5 2:27 PM
    • 0 Attachment
      > Hmmm ... so are you saying that someone could use their own real
      > signature to generate a digital signature?
      > In other words, instead of typing arbritrary key strokes to generate the
      > key, you just digitize an instance
      > of your signature. Then when it's played back, it looks like your real
      > signature? Is that possible?

      This idea doesn't map onto the concept of a cryptographic signature, a
      mapping which someone might infer from the way the thread drifted from
      cryptographic signatures to written signatures.

      A normal written signature maps conceptually onto a hashed password. The
      "password" is the muscle memory in your hand. The hash function is
      writing. The generated hash is the signature. Like most hash functions,
      having the hash won't give you the password. However, signatures are
      fairly easy to "brute force" by practicing copying the signature over
      and over again until you gain the appropriate muscle memory.

      This metaphor breaks down in the digital realm, where muscle memory
      isn't required in order to produce a signature, just a scanned image of
      the signature. A signature then becomes a novel password generation
      scheme. You just need some hashing scheme which will reliably generate
      the same password given one of your similar but infinitely varied
      signatures. If an attacker intercepts any one of these, then they have
      your password. I've actually seen companies hyping this technology,
      mainly for PDAs. The advantages over normal signatures are that you
      don't have to remember a hard-to-remember secure password, your
      easy-to-remember password isn't attackable by normal dictionary attacks
      like most easy-to-remember passwords, and someone who sees you enter it
      probably can't reproduce it on the first try. However, despite the
      invulnerability to dictionary attacks, these passwords probably aren't
      that secure. I would guess that the number of bits which are unique to
      your signature but different from other people's signatures and also
      machine-recognizable are few. Thus it would probably be easy to
      brute-force such passwords. The worst problem is of course that no one
      can confirm or deny this assertion since no one has any idea how secure
      these passwords really are, the image hashing schemes being proprietary.

      The Circle idea is interesting because it's not using passwords, but
      public keys. Another easy misconception is that these public-key-based
      visual signatures map to public key cryptographic signatures. As far as
      I can tell, visualizing an actual signature would be useless since each
      signatures would look nothing like any others generated from the same
      public key. So what they are almost certainly doing is visualizing the
      public key itself. Unfortunately, the circle idea suffers from the
      deadbeef problem.

      The problem is that when you attempt to map a long random string (such
      as a public key signature) into the space of the human-readable, you
      lose information. Even if every bit of the string is represented in some
      way in the rendered form, there are variations on the representation
      which people will not be able to tell apart. If you encode in words,
      there are synonyms and mispellings that can be used. If you use colors,
      there are slight variations in hue which will go unnoticed. The same is
      true of pretty much any visual representation. Slight variations might
      not seem like a big problem, but the number of passable variations
      multiplied by the number of places which a variations can occur can
      yield a fairly large space, making brute forcing easier.

      The system is almost certainly inferior in many cases to pet names. With
      pet names, the computer binds the public key to an easy to remember name
      of my choosing. All further interactions are verified automatically by
      checking that the public key matches the one from before. There is no
      need for user intervention and thus no room for the user to make
      mistakes when visually verifying signatures.

      The one advantage I can see to this method is the fairly common case of
      needing to do a public key exchange with someone you have already
      exchanged with but have lost their key, and you want to reduce the
      likelihood of a MITM attack. This situation occurs fairly frequently
      with connecting to a server using SSH from multiple clients. Few people
      take the trouble to carry around the server's public key, so each new
      client allows for a MITM attack. A visual public key check, though not
      nearly as secure as actually knowing the public key, is better than
      nothing in the few occasions that an only mildly determined MITM attack
      is in progress.

      Links: (for blanu.net cross-posting)
      Mailing list</a>
      <a href="http://www.csse.monash.edu.au/~pfh/circle/">Circle</a>
      <a href="http://gonze.com/circle-sig1.png">Sample Circle public key
    • Show all 17 messages in this topic