Improved fingerprint representation

Neal H. Walfield neal at walfield.org
Wed Apr 8 22:25:51 CEST 2015


Hi,

Most of you are probably familiar with the diceware password generator
[1].  Very briefly: instead of thinking of a password, one:

 - rolls a die 5 times,
 - converts this into a base 6 number, and,
 - indexes a list of "7776 short words, abbreviations and
   easy-to-remember character strings."

This is repeated until the desired password strength is reached.  The
resulting passphrase has a quantifiable amount of entropy and is
allegedly easy to remember.

I used this technique recently and found many of the words to be
difficult to remember.  Here are the first few entries:

  11111 a
  11112 a&p
  11113 a's
  11114 aa
  11115 aaa
  11116 aaaa
  11121 aaron
  11122 ab
  11123 aba
  11124 ababa
  11125 aback
  11126 abase
  11131 abash
  11132 abate
  11133 abbas
  11134 abbe
  11135 abbey
  11136 abbot
  11141 abbott

I personally don't think the words are that memorable.  Further, many
are very similar to others ('abbot' and 'abbott', for instance).  I
think this has to do with two factors: the list has too many entries
and it strives for short words.

I created a new, shorter list.  It is based on Voice of America's
Special English Word Book [2].  These are 1500 simple English words
that form the foundation of any English speaker's / learner's
vocabulary [3].  Thus, they are easier to remember.

Because we only need 6^4 words, I first removed words that are easily
misspelled.  For this, I consulted OED's list of commonly misspelled
words.  Then, I took the shortest 6^4 words.


While doing this, it occurred to me that such a list could be used to
display fingerprints.  Personally, I often have trouble comparing the
40 hexadecimal characters on the piece of paper with the 40
hexadecimal characters on the screen.

I whipped together a little awk script that converts fingerprints
using this list (I just use the first 1024 entries, i.e., 10-bit
chunks).  In terms of the number of characters, the phrases are about
twice as long as a fingerprint, but they seem to me to be much easier
to read aloud and compare.  Here are a few examples:

  8061 5870 F5BA D690 3336 86D0 F2AD 85AC 1E42 B367

  grow heat hijack corn music effect adult partner 
  high custom capture evil marry funeral car prison 
  
  
  A4D9 4E92 B098 6AB5 EE9D CD75 5DE2 4996 5B03 58A2 
  
  listen explain request marry job many enter loud 
  part poison pull industry invite female coffee call 


  5200 54A5 3C19 CBB2 E7F5 6396 8723 4295 786B 0BAD 
  
  distance accident delegate dig behind charge chance shoot 
  exile edge floor period interest rain mental return 


  11C2 94DF 1D6C 9698 FEFE 231D 3BF6 09C6 8BAF CDBD 

  attach among develop only fertile effect ignore nice 
  bread force next happy old change shock fire 


(It now occurs to me that this is probably also a good way to display
ssh fingerprints.)


To encourage this readable adoption, I propose adding it to the output
of gpg --list-keys.  Thus, instead of:

  pub   3744R/0xAACB3243630052D9 2015-04-07 [expires: 2025-04-04]
        Key fingerprint = 8F17 7771 18A3 3DDA 9BA4  8E62 AACB 3243 6300 52D9
  uid                 [ultimate] Neal H. Walfield <neal at walfield.org>
  uid                 [ultimate] Neal H. Walfield <neal at gnupg.org>
  uid                 [ultimate] Neal H. Walfield <neal at g10code.com>
  sub   2048R/0x7223B56678E02528 2015-04-07 [expires: 2017-04-06]
  sub   2048R/0xC2B819056C652598 2015-04-07 [expires: 2017-04-06]
  sub   2048R/0xA3506AFB820ABD08 2015-04-07 [expires: 2017-04-06]

gpg --list-keys would print:

  pub   3744R/0xAACB3243630052D9 2015-04-07 [expires: 2025-04-04]
        Key fingerprint = 8F17 7771 18A3 3DDA 9BA4  8E62 AACB 3243 6300 52D9
*       Key phrase = idea engine fresh daughter light self major request 
*                    hurt hospital mate parade curfew house agency moderate
  uid                 [ultimate] Neal H. Walfield <neal at walfield.org>
  uid                 [ultimate] Neal H. Walfield <neal at gnupg.org>
  uid                 [ultimate] Neal H. Walfield <neal at g10code.com>
  sub   2048R/0x7223B56678E02528 2015-04-07 [expires: 2017-04-06]
  sub   2048R/0xC2B819056C652598 2015-04-07 [expires: 2017-04-06]
  sub   2048R/0xA3506AFB820ABD08 2015-04-07 [expires: 2017-04-06]

What do others think?


Thanks,

Neal


[1] http://world.std.com/~reinhold/diceware.html
[2] https://en.wikipedia.org/wiki/Special_English
[3] https://en.wikipedia.org/wiki/Passive_vocabulary
[4] https://www.oxforddictionaries.com/us/words/common-misspellings-american
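
The 10-bit chunking described in the post, as an added Python example; it is not part of the original message and is not the author's awk script. The word list here is a constructed stand-in (the post's list is not reproduced on this page), and the most-significant-bits-first chunk order is an assumption, though it agrees with the words that repeat across the sample phrases above.

```python
import re

# Constructed stand-in list: 32 x 32 consonant-vowel syllable pairs give
# 1024 unique entries. It is NOT the word list described in the post.
SYLLABLES = [c + v for c in "bdfgklmn" for v in "aeio"]
WORDS = [a + b for a in SYLLABLES for b in SYLLABLES]
INDEX = {w: i for i, w in enumerate(WORDS)}

# Fingerprints quoted in the post.
FP1 = "8061 5870 F5BA D690 3336 86D0 F2AD 85AC 1E42 B367"
FP2 = "A4D9 4E92 B098 6AB5 EE9D CD75 5DE2 4996 5B03 58A2"
FP4 = "11C2 94DF 1D6C 9698 FEFE 231D 3BF6 09C6 8BAF CDBD"

def chunks(fingerprint):
    """Split a 160-bit fingerprint into sixteen 10-bit values, MSB first."""
    hexstr = re.sub(r"\s+", "", fingerprint)
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", hexstr):
        raise ValueError("expected 40 hex digits (160-bit fingerprint)")
    n = int(hexstr, 16)
    return [(n >> shift) & 0x3FF for shift in range(150, -1, -10)]

def to_phrase(fingerprint):
    """Render every bit of the fingerprint as 16 words; nothing is truncated."""
    return " ".join(WORDS[i] for i in chunks(fingerprint))

def from_phrase(phrase):
    """Inverse mapping, so a phrase read aloud can be turned back into hex."""
    words = phrase.split()
    if len(words) != 16:
        raise ValueError("expected 16 words")
    n = 0
    for w in words:
        if w not in INDEX:
            raise ValueError(f"word not in list: {w!r}")
        n = (n << 10) | INDEX[w]
    return f"{n:040X}"

def differing_words(fp_a, fp_b):
    """Word positions at which two fingerprints' phrases differ."""
    pairs = zip(chunks(fp_a), chunks(fp_b))
    return [i for i, (a, b) in enumerate(pairs) if a != b]

if __name__ == "__main__":
    print(to_phrase(FP1))
    print(from_phrase(to_phrase(FP1)))
```

Because 16 words of 10 bits cover all 160 bits, any single changed hex digit changes one word, or two when the digit straddles a chunk boundary.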


