[OTR-users] Shared secret authentication?

Gregory Maxwell gmaxwell at gmail.com
Thu Jan 20 23:15:10 EST 2005


On Thu, 20 Jan 2005 19:27:13 -0500, Ian Goldberg <ian at cypherpunks.ca> wrote:
> > In addition to displaying the public key hash in hex, it might be
> > useful to create a transformation that expresses it as english words
> > (uses the words to look up in a dictionary).   This way there is a
> > pretty good chance that someone can 'remember' part of another
> > person's key id when they go to another client without the stored
> > keys.   Of course, if you just use part of the hash,  it would make it
> > possible for someone to generate keys until they find a matching
> > string...  So rather it should expand the whole hash (or at least a
> > large part of it) and users should then use a non predictable subset
> > for verification.
> 
> That's the S/KEY idea (http://www.faqs.org/rfcs/rfc1760.html).  The
> particular word list they use isn't the best, though.

I've used S/KEY before, ... (and noticed the ugly dictionary) ...
Thought it used words just to make the reading and typing step less
error prone (which is the case), and I didn't realize that it actually
managed to transmit that much information (64bits).

I gave it some more thought while I was out to dinner and had some
other ideas... The goal of S/KEY is to be compact and typeable..  The
goal of using an english representation of a fingerprint is to make it
memorable so you can compare it later.  The problem is that most users
will just pick a few obvious memorable characteristics, so it would be
much easier for an attacker to just generate keys until they make one
that is similar enough to a human observer.... it might end up being
less secure than remembering a few digits of the fingerprint (which is
what I end up doing with ssh).

The solution to that is to encrypt the fingerprint with a password
prior to converting it into text and making the text output
sufficiently larger than the initial secret so an attacker without the
secret won't be able to perform an attack against the smaller
comparison base... and if they did know your secret their attack would
only generate an authentication key that fooled one user.

It would be really nice if IM systems mutually authenticated users
using the shared secret approach where the shared secret was the hash
(or expensive expansion function) of the
pasword+username+im_servername, so that the server never knows the
password.  Then the password (after a different expansion) can be used
for other tasks in the client, such as keeping the private side of an
authentication key encrypted, or keeping logs encrypted. (nice thing
about using the login key is that it would require no additional
effort or passwords for the users)..  Oh well.

Using language-like representations of key fingerprints is an
interesting subject... probably one that should be discussed in a
larger community, since it applies to PGP authentication (and ssh,
etc).



More information about the OTR-users mailing list