The Effect of Length on Key Fingerprint Verification Security and Usability

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

In applications such as end-to-end encrypted instant messaging, secure email, and device pairing, users need to compare key fingerprints to detect impersonation and adversary-in-the-middle attacks. Key fingerprints are usually computed as truncated hashes of each party's view of the channel keys, encoded as an alphanumeric or numeric string, and compared out-of-band, e.g. manually, to detect any inconsistencies. Previous work has extensively studied the usability of various verification strategies and encoding formats, however, the exact effect of key fingerprint length on the security and usability of key fingerprint verification has not been rigorously investigated. We present a 162-participant study on the effect of numeric key fingerprint length on comparison time and error rate. While the results confirm some widely-held intuitions such as general comparison times and errors increasing significantly with length, a closer look reveals interesting nuances. The significant rise in comparison time only occurs when highly similar fingerprints are compared, and comparison time remains relatively constant otherwise. On errors, our results clearly distinguish between security non-critical errors that remain low irrespective of length and security critical errors that significantly rise, especially at higher fingerprint lengths. A noteworthy implication of this latter result is that Signal/WhatsApp key fingerprints provide a considerably lower level of security than usually assumed.
Original languageEnglish
Title of host publicationInternational Conference on Availability, Reliability and Security, proceedings
PublisherACM
DOIs
Publication statusAccepted/In press - 15 May 2023
EventInternational Conference on Availability, Reliability and Security - Benevento, Italy
Duration: 29 Aug 20231 Sept 2023
https://www.ares-conference.eu/

Conference

ConferenceInternational Conference on Availability, Reliability and Security
Abbreviated titleARES 2023
Country/TerritoryItaly
CityBenevento
Period29/08/231/09/23
Internet address

Bibliographical note

This is an author-produced version of the published paper. Uploaded in accordance with the University’s Research Publications and Open Access policy

Keywords

  • key fingerprint verification
  • device pairing
  • out-of-band channel
  • authentication
  • end-to-end encryption
  • secure messaging
  • Signal safety number
  • WhatsApp security code
  • usability
  • security

Cite this