Hey there, I have been looking at the way safety numbers are constructed in Signal. This left me somewhat confused, and I thought I'd ask here for clarification :)
As a brief recap, the safety numbers are structured like this:

  decimalize(SHA512^5200(id1_pub+userid1)) || decimalize(SHA512^5200(id2_pub+userid2))

where decimalize takes the first 100 bits and transforms them into 30 decimals. Most of these things are straightforward: mix in id pubkeys, salt with user ids, stretch a bit, and transform into a display representation. Cool beans.

What confused me was that the safety number is constructed as a concatenation of two hashes. This struck me as weird, and thinking through the attack scenarios a bit, I couldn't come up with a good explanation for this design.

The attack scenario we want to prevent is impersonation. Let's say we have Alice and Bob, with safety numbers A and B, each 30 digits ~= 100 bits in size (disregarding stretching here). Let's take Mallory impersonating Bob in communication with Alice as the attack scenario. To perform this attack, Mallory will have to find a preimage for B, so her attacker capabilities must include a 100-bit preimage. Comparing fingerprints with Alice, she'll display A and her preimage of B. Alice will first compare her own 30 digits on both devices, which helps verify the integrity of her own device (if the other party is genuine, at least) but says nothing about Bob's identity? She'll then compare Bob's numbers, gaining 100 bits of verification for him.

So it seems to me that with this scheme
 1) Mallory can impersonate Bob in communication with anyone, not just Alice, given a single preimage,
 2) Alice is asked to compare 60 digits, but gains only 100 bits of verification with Bob, and
 3) if Alice is lazy and compares only part of the safety numbers, she might miss Bob's part entirely.

Simply hashing all of the public keys and user ids together into one Alice+Bob-specific safety number has none of these problems, yielding the same 100-bit preimage attack scenario, in only half the digits.

Can someone shed some light on this for me? :)

- V

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
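The construction the post describes, as an added worked example (this is not code from the post, nor Signal's or libsignal's own fingerprint generator, which differs in details such as a version prefix on the hashed input). It follows the post's simplified model: SHA-512 iterated 5200 times over pubkey+userid, then decimalized. Where the post is not specific, the code makes labelled assumptions: `decimalize` reduces each of the first six 5-byte chunks mod 100000 to 5 digits (giving 30 digits and log2(100000^6) ~= 99.7 bits), and the "combined" alternative from the post's last paragraph sorts the two (key, userid) pairs so both sides derive the same value. The keys and user ids are constructed sample inputs. Running it shows the behaviour the poster points out: Bob's 30-digit half is identical in every safety number Bob appears in, while the combined variant is pair-specific and half the length.

```python
import hashlib
import math

ITERATIONS = 5200   # stretching count as stated in the post
CHUNK_BYTES = 5     # assumption: 5 hash bytes -> 5 decimal digits
CHUNKS = 6          # 6 chunks * 5 digits = 30 digits


def stretched_hash(pubkey: bytes, userid: bytes) -> bytes:
    """SHA512^5200(pubkey + userid), read literally from the post's formula."""
    h = pubkey + userid
    for _ in range(ITERATIONS):
        h = hashlib.sha512(h).digest()
    return h


def decimalize(h: bytes) -> str:
    """Map the leading 30 bytes of h to 30 decimal digits.

    Assumption (not stated in the post): each 5-byte big-endian chunk is
    reduced mod 100000 and zero-padded to 5 digits; six chunks make 30 digits.
    """
    parts = []
    for i in range(CHUNKS):
        chunk = h[i * CHUNK_BYTES:(i + 1) * CHUNK_BYTES]
        parts.append("%05d" % (int.from_bytes(chunk, "big") % 100000))
    return "".join(parts)


def digits_entropy_bits() -> float:
    """Bits carried by 30 digits produced this way: log2(100000**6) ~= 99.66."""
    return math.log2(100000 ** CHUNKS)


def fingerprint(pubkey: bytes, userid: bytes) -> str:
    """One party's 30-digit half, independent of who they talk to."""
    return decimalize(stretched_hash(pubkey, userid))


def safety_number_concat(my_key, my_id, their_key, their_id) -> str:
    """The concatenation design the post describes: local half || remote half."""
    return fingerprint(my_key, my_id) + fingerprint(their_key, their_id)


def safety_number_combined(my_key, my_id, their_key, their_id) -> str:
    """The poster's alternative: one hash over both identities, 30 digits.

    Assumption: inputs are sorted so Alice and Bob compute the same value.
    """
    first, second = sorted([my_key + my_id, their_key + their_id])
    return decimalize(stretched_hash(first, second))


def demo() -> dict:
    # Constructed sample identities (deterministic so the run is reproducible).
    alice_key, alice_id = hashlib.sha256(b"alice-key").digest(), b"+15550000001"
    bob_key, bob_id = hashlib.sha256(b"bob-key").digest(), b"+15550000002"
    carol_key, carol_id = hashlib.sha256(b"carol-key").digest(), b"+15550000003"

    ab = safety_number_concat(alice_key, alice_id, bob_key, bob_id)
    cb = safety_number_concat(carol_key, carol_id, bob_key, bob_id)
    combined_ab = safety_number_combined(alice_key, alice_id, bob_key, bob_id)
    combined_ba = safety_number_combined(bob_key, bob_id, alice_key, alice_id)
    combined_cb = safety_number_combined(carol_key, carol_id, bob_key, bob_id)

    return {
        "concat_alice_bob": ab,
        "concat_carol_bob": cb,
        # Point 1 in the post: one preimage of Bob's half works against any peer.
        "bob_half_same": ab[30:] == cb[30:],
        "combined_ab": combined_ab,
        # The alternative is pair-specific yet the same from both sides ...
        "combined_symmetric": combined_ab == combined_ba,
        # ... and a different peer yields a different number.
        "combined_differs": combined_ab != combined_cb,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point about entropy is visible in `digits_entropy_bits()`: six chunks mod 100000 carry about 99.7 bits, which is why the post treats 30 digits as roughly 100 bits even though 30 bytes of hash go into them.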
