Turner, Dan, Shahandashti, Siamak F. orcid.org/0000-0002-5284-6847 and Petrie, Helen orcid.org/0000-0002-0100-9846 (2023) The Effect of Length on Key Fingerprint Verification Security and Usability. In: International Conference on Availability, Reliability and Security, proceedings. International Conference on Availability, Reliability and Security, 29 Aug - 01 Sep 2023 ACM , ITA , pp. 1-11.
Abstract
In applications such as end-to-end encrypted instant messaging, secure email, and device pairing, users need to compare key fingerprints to detect impersonation and adversary-in-the-middle attacks. Key fingerprints are usually computed as truncated hashes of each party's view of the channel keys, encoded as an alphanumeric or numeric string, and compared out-of-band, e.g. manually, to detect any inconsistencies. Previous work has extensively studied the usability of various verification strategies and encoding formats, however, the exact effect of key fingerprint length on the security and usability of key fingerprint verification has not been rigorously investigated. We present a 162-participant study on the effect of numeric key fingerprint length on comparison time and error rate. While the results confirm some widely-held intuitions such as general comparison times and errors increasing significantly with length, a closer look reveals interesting nuances. The significant rise in comparison time only occurs when highly similar fingerprints are compared, and comparison time remains relatively constant otherwise. On errors, our results clearly distinguish between security non-critical errors that remain low irrespective of length and security critical errors that significantly rise, especially at higher fingerprint lengths. A noteworthy implication of this latter result is that Signal/WhatsApp key fingerprints provide a considerably lower level of security than usually assumed.
Metadata
Item Type: | Proceedings Paper |
---|---|
Authors/Creators: |
|
Copyright, Publisher and Additional Information: | This is an author-produced version of the published paper. Uploaded in accordance with the University’s Research Publications and Open Access policy |
Keywords: | key fingerprint verification,device pairing,out-of-band channel,authentication,end-to-end encryption,secure messaging,Signal safety number,WhatsApp security code,usability,security |
Dates: |
|
Institution: | The University of York |
Academic Units: | The University of York > Faculty of Sciences (York) > Computer Science (York) |
Depositing User: | Pure (York) |
Date Deposited: | 09 Jun 2023 09:00 |
Last Modified: | 08 Feb 2025 00:13 |
Published Version: | https://doi.org/10.1145/3600160.3600187 |
Status: | Published |
Publisher: | ACM |
Identification Number: | 10.1145/3600160.3600187 |
Related URLs: | |
Sustainable Development Goals: | |
Open Archives Initiative ID (OAI ID): | oai:eprints.whiterose.ac.uk:200111 |
Download
Filename: The_Effect_of_Length_on_Key_Fingerprint_Verification_Security_and_Usability_Accepted_Manuscript.pdf
Description: The Effect of Length on Key Fingerprint Verification Security and Usability - Accepted Manuscript