In terms of visual hashes I asked Nicholas Wilson[0] about them as he did an investigation of them a year or so ago and I think came to the conclusion that they weren't useful.
Some of his comments follow: > The problem ultimately was that people aren't as visual as we think we > are. We can spot things like "lion", or "tree" very well, but even > with perfectly memorable images (ie non-random, visually distinctive > ones like stuff pulled from flickr) we just can't remember enough > detail from the picture - according to one study, we zone out at a > detail level of around 2^32 at best, 2^24 practically. > > Identicons are a catastrophe for cryptographic use - there's no way an > average person can distinguish more than 2^20 different polygonal > pictures. Given one picture, it's not hard to make a key whose > fingerprint has the roughly the same polygons and colours. Do not use! > > Similarly I think the OpenSSH art is highly susceptible to producing > almost-duplicate splodges. Certainly nowhere near as good as > https://github.com/thevash/vash which is the best (has many > improvements over Andrej Bauer's original solution). > > My best attempt was "stacking" various pictures, eg requiring the user > to remember a grid of five images taken from a flickr-derived > database. That's good, but I'd still be surprised if it's all that > resistant to brute-forcing. > > Ultimately, word-based visualisations are the best I could find. I > suggest Oren Tirosh's mnemonicode. Remembering 64 bits without error > is very easy. Our brains are best at taking in the bits when they're > done as a sequence. Here's a 64-bit sequence: "Albert studio giant. > Nevada safari Asia." It can be written down too, which is very nice > (images certainly can't), and as proof it's easy to remember you don't > even have to glance between the screen and the paper. I can chase up citations if that would be useful. Daniel [0]: http://www.nicholaswilson.me.uk/ On 23/03/14 17:21, Tom Ritter wrote: > About a week late, but updated: > https://github.com/tomrittervg/crypto-usability-study > > Some of the larger Open Questions: > - Are we settled on unicorns? (This is more about how it's generated: > http://unicornify.appspot.com/making-of) > - We have two participants speaking fingerprints aloud to each other. > Do we want them to do it over a cell phone to add difficulty, or just > omit that bit? > - We're settled on not trying to do a head-fake? > > -tom > > On 13 March 2014 09:29, Daniel Kahn Gillmor <[email protected]> wrote: >> On 03/13/2014 02:18 AM, Tom Ritter wrote: >>> On 11 March 2014 00:41, Trevor Perrin <[email protected]> wrote: >>>> Fingerprint Types >>>> - Visual and poetry fingerprints seem worth including. >>> >>> Does anyone have a preference for type of visual fingerprint? Some of >>> the implementations I know of are: >>> - Identicons: >>> http://haacked.com/archive/2007/01/22/Identicons_as_Visual_Fingerprints.aspx/ >>> - Monsters: http://www.splitbrain.org/projects/monsterid >>> - Wavatars: http://www.shamusyoung.com/twentysidedtale/?p=1462 >>> - Unicorns (really) >>> http://meta.stackoverflow.com/questions/37328/my-godits-full-of-unicorns >>> >>> I think I will go with identicons unless anyone really thinks unicorns >>> is better ;) >> >> i think for all of the above, we're going to have a difficult time >> designing credible similarity metrics that roughly match the metrics >> used by the "fuzzy fingerprinting" work. >> >> i do ♥ the unicorns though. >> >> --dkg >> >> > _______________________________________________ > Messaging mailing list > [email protected] > https://moderncrypto.org/mailman/listinfo/messaging >
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
