Abstract
In applications such as end-to-end encrypted instant messaging, secure email, and device pairing, users need to compare key fingerprints to detect impersonation and adversary-in-the-middle attacks. Key fingerprints are usually computed as truncated hashes of each party's view of the channel keys, encoded as an alphanumeric or numeric string, and compared out-of-band, e.g. manually, to detect any inconsistencies. Previous work has extensively studied the usability of various verification strategies and encoding formats, however, the exact effect of key fingerprint length on the security and usability of key fingerprint verification has not been rigorously investigated. We present a 162-participant study on the effect of numeric key fingerprint length on comparison time and error rate. While the results confirm some widely-held intuitions such as general comparison times and errors increasing significantly with length, a closer look reveals interesting nuances. The significant rise in comparison time only occurs when highly similar fingerprints are compared, and comparison time remains relatively constant otherwise. On errors, our results clearly distinguish between security non-critical errors that remain low irrespective of length and security critical errors that significantly rise, especially at higher fingerprint lengths. A noteworthy implication of this latter result is that Signal/WhatsApp key fingerprints provide a considerably lower level of security than usually assumed.
Original language | English |
---|---|
Title of host publication | International Conference on Availability, Reliability and Security, proceedings |
Publisher | ACM |
Pages | 1-11 |
ISBN (Print) | 979-8-4007-0772-8 |
DOIs | |
Publication status | Published - 29 Aug 2023 |
Event | International Conference on Availability, Reliability and Security - Benevento, Italy Duration: 29 Aug 2023 → 1 Sept 2023 https://www.ares-conference.eu/ |
Conference
Conference | International Conference on Availability, Reliability and Security |
---|---|
Abbreviated title | ARES 2023 |
Country/Territory | Italy |
City | Benevento |
Period | 29/08/23 → 1/09/23 |
Internet address |
Bibliographical note
This is an author-produced version of the published paper. Uploaded in accordance with the University’s Research Publications and Open Access policyKeywords
- key fingerprint verification
- device pairing
- out-of-band channel
- authentication
- end-to-end encryption
- secure messaging
- Signal safety number
- WhatsApp security code
- usability
- security