Public key fingerprint
From Wikipedia, the free encyclopedia
In public-key cryptography, a public key fingerprint is a string of bytes used to identify or validate a longer public key. Fingerprints are usually cryptographic hashes of the entire key. When a shorter fingerprint is desired, the hash may be truncated further.
Contents |
[edit] Identification
Public key fingerprints are often used as shorter identifiers for looking up or identifying public keys on a key server. For example, PGP uses 32-bit fingerprints (usually represented as 8 hexadecimal digits), which are short enough to memorize. While birthday paradox dictates that collisions at such short lengths are likely to occur, this does not present a real threat as the user will be presented with a choice of matching public keys in the case of ambiguity.
[edit] Validation
When public keys are exchanged over an insecure or untrusted channel, such as the Internet, steps need to be taken to establish the validity and authenticity of the exchanged keys. A popular method is to exchange the public key fingerprints over a secure or tamper-resistant channel, such as a telephone conversation or meeting up in real life, and check that the other party's public key fingerprint matches what they said theirs was.[1]
Other key validation models such as the web of trust are typically built on mutual verification of public keys by third parties.
[edit] Security of fingerprints
The security of public key fingerprints does not generally rely on breaking the hash function alone. Even if the attacker is capable of deriving colliding public keys that match a given fingerprint through a preimage attack against the hash function, it does not break the usefulness of the fingerprint, as they wouldn't have an accompanying private key. As long as there is no feasible means to derive the private key from a public key in the cryptosystem, the creation of a colliding keypair requires an exhaustive search over the keyspace of the hash function, needing the generation of a keypair at each step. As generating a keypair is rather computationally expensive in most cryptosystems, it is believed to be infeasible to create a colliding keypair to a known fingerprint through brute force.
For example, for a known MD5 hash of 128 bits, finding a keypair with a colliding fingerprint requires 2127 key generations on average. Given that on a modern computer, generating a keypair usually takes time in the order of a second, this translates into 1030 computer-years of work. Thus, for practical key sizes, it is more efficient to solve the RSA problem using known algorithms.
[edit] See also
[edit] References
- ^ Ashley, John Michael (1999). The GNU Privacy Handbook. Free Software Foundation. Retrieved on 2006-11-26.
 |
This cryptography-related article is a stub. You can help Wikipedia by expanding it. |
| Algorithms: Cramer-Shoup | DH | DSA | ECDH | ECDSA | EKE | ElGamal | GMR | IES | Lamport | MQV | NTRUEncrypt | NTRUSign | Paillier | Rabin | Rabin-Williams | RSA | Schnorr | SPEKE | SRP | XTR |
| Theory: Discrete logarithm | Elliptic curve cryptography | RSA problem |
| Standardization: ANS X9F1 | CRYPTREC | IEEE P1363 | NESSIE | NSA Suite B Misc: Digital signature | Fingerprint | PKI | Web of trust | Key size |
| History of cryptography | Cryptanalysis | Cryptography portal | Topics in cryptography |
| Symmetric-key algorithm | Block cipher | Stream cipher | Public-key cryptography | Cryptographic hash function | Message authentication code | Random numbers |
