Fingerprint algorithm and SHA-1 usage

Christian Aistleitner christian at quelltextlich.at
Wed Dec 19 11:02:27 CET 2012 

Hi Werner,

On Tue, Dec 18, 2012 at 10:02:08PM +0100, Werner Koch wrote:
> On Tue, 18 Dec 2012 20:52, christian at quelltextlich.at said:
> >   by hand. But additionally putting a 2D Barcode encoded hash on the
> >   slip may do the trick.
> 
> And add lots of code which can be used to subvert the whole process.
> SHA-384 being the weakest link?  I doubt it.

So do I. The weakest link is us humans. I'd be glad if more people
would start to check more than only the first and last byte of the
SHA-1 hash to assert that two hashes match.

Humans are notoriously bad at comparing data piece by piece. Machines
are better at it. So once we exchanged the data by meeting in the real
world, why should we not delegate the comparison to machines?  Not
only sloppy^Wtoo busy people would benefit.

But yes, that'd mean using further code. As people typically use 3rd
party tools like caff anyways, I am not yet convinced that this an
unsolvable problem.

Percepted transparency of the process is more of an issue here. People
tend to think that the hexadecimal encoded hash actually /is/ the one
and only pure hash, while e.g.: a 2D-barcode encoded hash is some
obscure, bad thing.

But once one explains to them that both the hexadecimal encoding and
also the 2D-barcode encoding are isomorphic encodings of the same
512-bit hash, this perception changes a bit. Indeed, none of the two
encodings is more or less obscure than the other. It's just that
humans favour one of the isomorphic encodings for comparisons,
while machines favour the other.

So why not add both of them and let the recipient decide, how to
verify it?

Best regards,
Christian

P.S.: Obviously, 2D-barcodes are not the one and only solution. Most
2D-barcode variants are encumbered by patent issues for a start.
Nevertheless, they seem most viable to me for now. If anyone can
provide more input or propose different solutions, I'd definitely love
to hear them.


-- 
---- quelltextlich e.U. ---- \\ ---- Christian Aistleitner ----
                           Companies' registry: 360296y in Linz
Christian Aistleitner
Gruendbergstrasze 65a        Email:  christian at quelltextlich.at
4040 Linz, Austria           Phone:          +43 732 / 26 95 63
                             Fax:            +43 732 / 26 95 63
                             Homepage: http://quelltextlich.at/
---------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: </pipermail/attachments/20121219/5ee0db4a/attachment.pgp>

More information about the Gnupg-devel mailing list