* Michael Rogers <m.rogers at cs.ucl.ac.uk> [2007-03-06 14:46:36]:
> Matthew Toseland wrote:
> > You give a friend your IP address, port number, and a one-time password.
> > This can be used precisely once. It can however be used by a newbie.
>
> Sounds reasonable, but a public key fingerprint - even a short one -
> would be more secure against eavesdroppers than a password. Regardless
> of whether passwords or fingerprints are used, we have to exchange
> references in both directions if we want mutual authentication.
>
> How short can we make the references? Ideally they should be short
> enough to read out over the phone or paste into IRC without getting
> kicked off the server. The IP address and port are 48 bits, and the
> fingerprint should be at least 32 bits (128 if we want decent security,
> but that would make the reference quite long).
>
> The whole reference could be encoded in base32, which is nearly as
> compact as base64 and easier to read out over the phone. That means a
> reference with a 32 bit fingerprint would be 16 characters including
> address and port - "ghw5 q63y aklt 24t3". A more secure reference with a
> 128 bit fingerprint would be 36 characters - "ghw5 q63y aklt 24t3 67ip
> 32yt sgqi 24od 5fan". That seems a bit unwieldy to me - what does
> everyone else think? Where should we draw the line between brevity and
> security?
>
> Cheers,
> Michael
As far as I know, many people are using the phone as a means to exchange serial keys of software... Some are over 30 characters long! And anyway, the size doesn't matter that much, does it? ;)

NextGen$

PS: and yes, I'm proud of my gibe :p
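The compact reference format Michael describes in the quoted message, written out as an added worked example; this is not code from the thread or from the project under discussion. It assumes an IPv4 address (32 bits) plus a 16-bit port, a fingerprint made by truncating SHA-256 of the peer's public key, and RFC 4648 base32 in lower case with padding stripped and four-character groups for reading aloud; the address, port and key bytes are constructed test values. The lengths match the figures in the quote: 16 base32 characters for a 32-bit fingerprint and 36 for a 128-bit one. The verify step shows the defender's side of the exchange: the fingerprint in the reference is compared in constant time against the key the peer actually presents.

```python
import base64
import hashlib
import hmac
import ipaddress


def fingerprint(public_key: bytes, bits: int) -> bytes:
    """Truncated SHA-256 of the public key (assumption: the page names no hash).

    bits must be a multiple of 8 between 8 and 256.
    """
    if bits % 8 or not 8 <= bits <= 256:
        raise ValueError("fingerprint length must be a multiple of 8 bits, at most 256")
    return hashlib.sha256(public_key).digest()[: bits // 8]


def encode_reference(ip: str, port: int, fp: bytes) -> str:
    """Pack IPv4 address (4 bytes) + port (2 bytes) + fingerprint, then base32 it.

    Padding is stripped and the text is lower-cased and split into groups of
    four so it can be read out over the phone, as in the quoted message.
    """
    raw = ipaddress.IPv4Address(ip).packed + port.to_bytes(2, "big") + fp
    text = base64.b32encode(raw).decode("ascii").rstrip("=").lower()
    return " ".join(text[i : i + 4] for i in range(0, len(text), 4))


def decode_reference(ref: str) -> tuple[str, int, bytes]:
    """Inverse of encode_reference: returns (ip, port, fingerprint_bytes)."""
    text = ref.replace(" ", "").upper()
    # base32 output is padded to a multiple of 8 characters; restore it before decoding
    text += "=" * (-len(text) % 8)
    raw = base64.b32decode(text)
    if len(raw) < 6:
        raise ValueError("reference too short to hold address and port")
    ip = str(ipaddress.IPv4Address(raw[:4]))
    port = int.from_bytes(raw[4:6], "big")
    return ip, port, raw[6:]


def reference_length(ref: str) -> int:
    """Number of base32 characters, excluding the grouping spaces."""
    return len(ref.replace(" ", ""))


def verify_peer(ref: str, presented_key: bytes) -> bool:
    """Check that the key a peer presents matches the fingerprint we were given.

    The fingerprint length is taken from the reference itself, so the same
    check works for 32-bit and 128-bit references. Comparison is constant-time.
    """
    _, _, fp = decode_reference(ref)
    expected = fingerprint(presented_key, len(fp) * 8)
    return hmac.compare_digest(fp, expected)


if __name__ == "__main__":
    # Constructed test values; not from any real node.
    key = b"constructed test public key bytes"
    short_ref = encode_reference("192.0.2.10", 12345, fingerprint(key, 32))
    long_ref = encode_reference("192.0.2.10", 12345, fingerprint(key, 128))
    print(reference_length(short_ref), short_ref)
    print(reference_length(long_ref), long_ref)
    print(verify_peer(long_ref, key), verify_peer(long_ref, b"a different key"))
```

Run as a script it prints the two references with their character counts (16 and 36) and the result of verifying the right and a wrong key against the long reference.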
