On 1/31/14 12:29 PM, Daniel Kahn Gillmor wrote:
> This is the essence of what SAS (see other thread on "Short Auth
> Strings") does, right?

Yeah, SAS is basically after-the-exchange confirmation of two public values (once in each direction). PAKE is before-the-exchange transcription of a single secret value (which can be generated by whichever side is most convenient).

> I think avoiding the extra step of human confirmation can be an
> advantage.
>
> Presented with a prompt that says "is 10352 the correct PIN?", users
> will most likely read "Yes" as either "get on with it already" and
> "No" as "argh why are you getting in my way?"

Yup, that's one reason I went with J-PAKE for FF Sync: SAS is simpler, but creates an incentive to "just say yes" without checking. (the need for bidirectional checks was another: you could skimp on one direction, but it'd open you up to fixation attacks).

You can convert the confirmation question into a transcription operation, though: have the user type in the SAS string from the other device, then compare them internally. Then you can play some games with the transcription process to make it more interesting (or at least less boring).

The trick I never got around to testing out was:

* both clients agree on an image, maybe a picture derived from a few bits of the session key. They split the image into some number of square regions
* the first client rotates the squares using bits of the generated SAS value, and displays the distorted image
* the second client displays the same image, with the squares rotated randomly. The user is told to rotate the squares until they match the image being shown by the first client, then hit return
* the resulting rotation values are the "input" SAS string, and the second client does the comparison internally

(completely abstract images might be better than photos, since some folks would ignore the first client entirely and just treat this like a remove-the-distortions puzzle)

"Manipulate Until Equal" is a lot like "type in a number", but doesn't remind people of passwords quite so much.

cheers,
 -Brian
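
The "Manipulate Until Equal" comparison described in the message above, as an added example (not code from the post or from any project it mentions). The 4x4 grid, the 2-bits-per-tile packing, the sample SAS values and all function names are assumptions, and the human is simulated by a function.

```python
import hmac
import secrets

GRID = 4                    # assumed: image split into 4x4 square regions
TILES = GRID * GRID         # 2 bits of rotation per tile -> 32-bit SAS
SAS_BYTES = TILES * 2 // 8

def sas_to_rotations(sas: bytes) -> list:
    """Unpack the SAS into one quarter-turn count (0..3) per tile."""
    if len(sas) != SAS_BYTES:
        raise ValueError("SAS must be %d bytes" % SAS_BYTES)
    bits = int.from_bytes(sas, "big")
    return [(bits >> (2 * i)) & 3 for i in range(TILES)]

def rotations_to_sas(rotations: list) -> bytes:
    """Inverse of sas_to_rotations: pack tile rotations back into bytes."""
    bits = 0
    for i, r in enumerate(rotations):
        bits |= (r % 4) << (2 * i)
    return bits.to_bytes(SAS_BYTES, "big")

def random_start() -> list:
    """Second client: same image, every square rotated randomly."""
    return [secrets.randbelow(4) for _ in range(TILES)]

def simulate_user(start: list, shown_by_first: list) -> list:
    """Stand-in for the human: quarter-turn clicks per tile until it matches."""
    return [(target - cur) % 4 for cur, target in zip(start, shown_by_first)]

def second_client_check(start: list, clicks: list, own_sas: bytes) -> bool:
    """Rebuild the 'input' SAS from the final tile state, compare internally."""
    final = [(s + c) % 4 for s, c in zip(start, clicks)]
    return hmac.compare_digest(rotations_to_sas(final), own_sas)

def run_pairing(first_sas: bytes, second_sas: bytes) -> bool:
    shown = sas_to_rotations(first_sas)   # what the first client displays
    start = random_start()                # what the second client displays
    clicks = simulate_user(start, shown)
    return second_client_check(start, clicks, second_sas)

# Constructed sample values: matching SAS vs. a tampered exchange.
HONEST = bytes.fromhex("a1b2c3d4")
TAMPERED = bytes.fromhex("a1b2c3d5")
```

The second client never shows the user a yes/no prompt: the only way to produce a passing input is to copy the first client's tile state, which is the property the message is after.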
