[HN Gopher] SSH Artwork
___________________________________________________________________
SSH Artwork
Author : barrettondricka
Score : 127 points
Date : 2024-11-27 01:16 UTC (21 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| H8crilA wrote:
| I wish Bitcoin produced at least something like that.
| j0hnyl wrote:
| You can always artify the qr code.
| everfree wrote:
| Vanity addresses are a similar idea.
| sbassi wrote:
| yes, when I tried this some years ago I only could set the
| first 3 or 4 characters, after that, it took more time than I was
| willing to wait. I don't know how it is today.
| patchtopic wrote:
| "kill the artist when patience is depleted"
|
| drastic!
| thepuppet33r wrote:
| > Once visualization is introduced, so is aesthetics. This
| feature presents a great opportunity to fight against truly
| random key generation in order to trade security for arbitrary
| human desires.
|
| If this person made this tool specifically for the satire
| opportunity, that's hilarious.
| Cheer2171 wrote:
| I can't believe no one in this thread doesn't see this. This
| project is a critique of the OpenSSH visual hash.
| yccs27 wrote:
| The fact that this works means that comparing keys visually by
| their artwork is insecure, since it allows you to generate a key
| pair which looks very similar to a target public key. I guess
| visual fingerprints might not have enough entropy.
| tayiorrobinson wrote:
| It's probably still more secure than trying to compare the
| regular old string representations (who checks more than the
| last 5 characters from the end?)
|
| And plus, you still have to brute force it to get one that
| looks close
| clysm wrote:
| Where's the proof that this works?
|
| It's a brute forcing tool with the goal of finding the desired
| fingerprint, but there's no demonstration of it actually
| working.
| tasuki wrote:
| It's enough to find a fingerprint that's visually similar
| enough. It doesn't have to be exactly the same. That's many
| orders of magnitude easier than finding an exact match!
| doctoboggan wrote:
| > and kill the artist when patience is depleted.
|
| This is the key part. You probably have to have _a lot_ of
| patience to get anything reasonable.
| simlevesque wrote:
| > means that comparing keys visually by their artwork is
| insecure
|
| I'm not sure if this goal is achievable.
| 0x0 wrote:
| I guess if you use this, then the security of your key is only as
| strong as for how many minutes the bruteforce took (since anyone
| else could also run the tool and generate their own key matching
| the desired fingerprint in the same amount of minutes you needed
| - or less).
| tayiorrobinson wrote:
| so the exact same as any other crypto key?
| desumeku wrote:
| I don't think the idea is to use the visual representation of
| the SSH key as a security mechanism but rather to have an SSH
| key that looks cool when you visualize it.
| 0x0 wrote:
| Isn't the whole point of VisualHostKey in ssh to act as a
| security mechanism, i.e. "yes this looks like the correct
| server key" on first use on a new client that doesn't already
| have the key in known_hosts?
| idunnoman1222 wrote:
| The number of minutes being greater than the heat death of the
| universe
| 0x0 wrote:
| Is the runtime of this application "a number of minutes
| greater than the heat death of the universe" to find
| something that could pass off as matching the target
| visualhostkey?
| remram wrote:
| That's not how randomness works. The expected duration of the
| attack is only determined by how close they want to get to your
| artwork.
|
| For example, if you pick the first key you generate, it
| obviously doesn't mean the attacker can get the same art in one
| try.
| tasn wrote:
| This is cool as a project, but relying on humans to do pixel-
| perfect matching for security is probably a bad idea (well,
| glyph-perfect).
| crtasm wrote:
| On the other hand - when ssh warns you the host key has changed
| but the art looks unchanged to your eye, you know something
| serious has happened.
| dleink wrote:
| Yes.
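
Added example, not part of the thread or the linked project: a Python rendering of the OpenSSH randomart walk (the "drunken bishop"), illustrating yccs27's point above that the artwork carries less information than the fingerprint. The art records only how often each cell was visited, not the order, so the two constructed digests below, which differ in their first byte, draw the same picture. The plain border (no key type or hash label) and the sample digest are assumptions of this example.

```python
import hashlib

SYMBOLS = " .o+=*BOX@%&#/^SE"   # OpenSSH's visit-count symbols; S = start, E = end
WIDTH, HEIGHT = 17, 9           # OpenSSH's field size


def randomart(digest: bytes) -> str:
    """Render the randomart grid for a raw fingerprint digest."""
    field = [[0] * WIDTH for _ in range(HEIGHT)]
    x, y = WIDTH // 2, HEIGHT // 2
    cap = len(SYMBOLS) - 3                       # counts saturate at '^'
    for byte in digest:
        for _ in range(4):                       # 2 bits per move, LSB first
            x += 1 if byte & 1 else -1           # bit 0: right / left
            y += 1 if byte & 2 else -1           # bit 1: down / up
            x = min(max(x, 0), WIDTH - 1)        # walls clamp the walk
            y = min(max(y, 0), HEIGHT - 1)
            if field[y][x] < cap:
                field[y][x] += 1
            byte >>= 2
    field[HEIGHT // 2][WIDTH // 2] = len(SYMBOLS) - 2   # 'S' marks the start
    field[y][x] = len(SYMBOLS) - 1                      # 'E' marks the end
    border = "+" + "-" * WIDTH + "+"                    # simplified: no labels
    rows = ["|" + "".join(SYMBOLS[v] for v in row) + "|" for row in field]
    return "\n".join([border, *rows, border])


def collision_demo():
    """Two different digests (constructed) that render identically.

    0x2D walks NE, SE, SW, NW; 0x87 walks SE, NE, NW, SW. Both trace the
    same diamond back to the start, in opposite directions, so every cell
    ends up with the same count.
    """
    tail = hashlib.sha256(b"constructed sample key blob").digest()[1:]
    a = bytes([0x2D]) + tail
    b = bytes([0x87]) + tail
    return a, b, randomart(a), randomart(b)


if __name__ == "__main__":
    a, b, art_a, art_b = collision_demo()
    print(art_a)
    print("digest A:", a.hex())
    print("digest B:", b.hex())
    print("digests equal:", a == b, "| art equal:", art_a == art_b)
```
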
___________________________________________________________________
(page generated 2024-11-27 23:01 UTC)