
OpenSSH 5.1 and ASCII Art Fingerprints

July 23rd, 2008 rbu

OpenSSH 5.1 is out, and besides a fix for a security issue that does not affect Linux or the BSDs, it includes a new feature labelled VisualHostKey, aka SSH fingerprint ASCII visualisation. Using an idea proposed in the 1999 paper Hash Visualization: A New Technique to Improve Real-World Security by Perrig and Song, a 17×9 character image is generated from the fingerprint of the SSH server's host key and displayed to the user on connect.

Since the feature is experimental, and the algorithm that generates the image should not be considered final yet, it is disabled by default (set VisualHostKey yes in ssh_config, or pass -o VisualHostKey=yes, to turn it on). You can see a test run in the screen capture, and a (just for fun) list of images of my known hosts. I wonder how long it takes to remember that face… doesn't it look a bit like Marge Simpson?
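How the image is derived from the fingerprint, as an added example that is not code from the original post or from OpenSSH: a Python re-implementation of the bishop-walk algorithm OpenSSH uses for randomart (often called the "drunken bishop"), in the variant that saturates a cell's visit count at '^'. The 17×9 field, the start position in the centre and the symbol table are taken from OpenSSH; everything else is assumed for illustration. It parses the colon-separated MD5 fingerprint ssh prints and renders the bordered box. The fingerprint in the usage call is constructed, not a real host's key, and the top border is drawn plain, whereas current OpenSSH versions put the key type and size in it.

```python
"""Drunken-bishop hash visualisation as used for OpenSSH's VisualHostKey.

Added example: a re-implementation from the published algorithm, not
OpenSSH's own code.
"""

# Field geometry and symbol table match OpenSSH's randomart.
FLDBASE = 8
FLDSIZE_Y = FLDBASE + 1          # 9 rows
FLDSIZE_X = FLDBASE * 2 + 1      # 17 columns
AUGMENTATION = " .o+=*BOX@%&#/^SE"   # visit counts 0..14, then S(tart), E(nd)


def fingerprint_to_bytes(fp: str) -> bytes:
    """Parse the colon-separated hex form ('aa:bb:...') that ssh prints."""
    return bytes(int(h, 16) for h in fp.strip().split(":"))


def drunken_bishop(digest: bytes):
    """Walk the bishop over the field and return the 9x17 grid of visit
    counts, with the start and end squares marked."""
    field = [[0] * FLDSIZE_X for _ in range(FLDSIZE_Y)]
    x, y = FLDSIZE_X // 2, FLDSIZE_Y // 2     # the walk starts in the centre
    top = len(AUGMENTATION) - 1               # index of 'E'
    for byte in digest:
        bits = byte
        for _ in range(4):                    # each byte holds four 2-bit moves, LSB first
            x += 1 if bits & 0x1 else -1      # bit 0: right / left
            y += 1 if bits & 0x2 else -1      # bit 1: down / up
            x = min(max(x, 0), FLDSIZE_X - 1) # walls clamp the bishop, no wrap-around
            y = min(max(y, 0), FLDSIZE_Y - 1)
            if field[y][x] < top - 2:         # saturate at '^' so S/E stay unique
                field[y][x] += 1
            bits >>= 2
    field[FLDSIZE_Y // 2][FLDSIZE_X // 2] = top - 1   # 'S' where the walk began
    field[y][x] = top                                 # 'E' where it ended (wins if equal)
    return field


def randomart(fp: str) -> str:
    """Render the fingerprint's field as the bordered box ssh prints."""
    field = drunken_bishop(fingerprint_to_bytes(fp))
    border = "+" + "-" * FLDSIZE_X + "+"
    rows = ["|" + "".join(AUGMENTATION[v] for v in row) + "|" for row in field]
    return "\n".join([border, *rows, border])


if __name__ == "__main__":
    # Constructed sample fingerprint for illustration, not a real host key.
    print(randomart("12:34:56:78:9a:bc:de:f0:0f:ed:cb:a9:87:65:43:21"))
```

Two properties worth noticing in the code: the walk only ever looks at the digest two bits at a time, so a one-bit change in the fingerprint alters every move after it, and the clamping at the walls is what makes long runs of similar bytes pile up in a corner rather than walking off the picture.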

Now why all this, you ask?

The premise is that images are easier to compare and remember than the usual 32 hex digits of an MD5 fingerprint, and everyone has to judge for themselves whether that is true. How many of those SSH/OTR/SSL… fingerprint digits do you actually check*? All of them? Any, at all? Where did your latest Firefox SSL CA certificates come from? At a time when I cannot trust my provider to run a secure DNS server, verifying the authenticity of the other end of a connection, or of the data in transit, matters more than ever. Let's finally get that Tree Signing going!

* If you only check the first 4 digits and the last 2, you are relying on a 24-bit fingerprint: 6 hex digits at 4 bits each.

  1. July 23rd, 2008 at 11:04 | #1

    Do you have an ebuild for it?

  2. zym
    July 23rd, 2008 at 12:42 | #2

    Sounds very useful if there are just a couple of servers; it may be very noisy if you have thousands of servers. I'd like to try it.

  3. July 23rd, 2008 at 13:53 | #3

    Lars, there is no ebuild for it yet, but as I know our base-system team, you will not have to wait for long.

  4. oh
    July 23rd, 2008 at 15:53 | #4

    When you have more than 2-3 servers you won't remember the graphic anyway; then it's just wasting your screen space :)

    Though the idea is fun and stuff =)

  5. Sebastian
    July 23rd, 2008 at 19:19 | #5

    Cool feature, good post ;-)

  6. anon
    July 25th, 2008 at 20:26 | #6

    Does it work against "fuzzy fingerprints" (http://freeworld.thc.org/papers/ffp.html)? I mean, do the "images" look different?

  7. August 28th, 2008 at 19:23 | #7

    Nice, but how easy is it to produce two similar looking (at a glance) images from wildly varying keys, either deliberately or through randomness?

  8. rbu
    August 28th, 2008 at 20:36 | #8

    ircd, one of the requirements of the paper the algorithm is based on was that it is infeasible to produce two similar images. According to the authors the algorithm will fulfill that. However, obviously the fuzzy attacks are possible on the eye, and that widens the target space for brute-force attacks.
