
The fact that this works means that comparing keys visually by their artwork is insecure, since it allows you to generate a key pair which looks very similar to a target public key. I guess visual fingerprints might not have enough entropy.



A very easy way to find such "visual" collisions is described in section 4.2 of our drunken bishop paper: http://www.dirk-loss.de/sshvis/drunken_bishop.pdf


Where's the proof that this works?

It's a brute forcing tool with the goal of finding the desired fingerprint, but there's no demonstration of it actually working.


It's enough to find a fingerprint that's visually similar enough. It doesn't have to be exactly the same. That's many orders of magnitude easier than finding an exact match!


> and kill the artist when patience is depleted.

This is the key part. You probably have to have _a lot_ of patience to get anything reasonable.


It's probably still more secure than trying to compare the regular old string representations (who checks more than the last 5 characters from the end?)

And plus, you still have to brute force it to get one that looks close.


> means that comparing keys visually by their artwork is insecure

I'm not sure if this goal is achievable.


Comparing visually wasn't safe in the first place for the same reason; this changes nothing.


Here's my key's [1] art:

  +------[RSA]------+
  |    .+.+ oE+=oo  |
  |     .B.O.o=+B . |
  |     o.O +*.o.=  |
  |    . = ++ = . . |
  |     + +S.  o .  |
  |    . *. .   .   |
  |     o o         |
  |        .        |
  |                 |
  +-----[SHA256]----+

After 10,000,000 iterations (150 hours CPU time or so), this is the closest I got:

  +------[RSA]------+
  |     o+*B*=+Bo   |
  |    o.+.*X=O o   |
  |     = +*+* o o  |
  |    E = += + o   |
  |     + =S . +    |
  |    o . .    .   |
  |     .           |
  |                 |
  |                 |
  +-----[SHA256]----+

[1]: https://github.com/remram44.keys
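
Added example (not part of any comment in this thread, and not code from the tool under discussion): a Python rendering of the drunken-bishop walk that draws OpenSSH randomart boxes like the ones quoted above, showing that the picture is a lossy view of the digest. The function names and the two sample digests are constructed for illustration.

```python
import base64
import hashlib

WIDTH, HEIGHT = 17, 9            # OpenSSH randomart field size
SYMBOLS = " .o+=*BOX@%&#/^SE"    # visit count -> glyph; 'S' and 'E' mark start and end


def randomart(digest: bytes, title: str = "RSA", hash_name: str = "SHA256") -> str:
    """Render a raw fingerprint digest as a drunken-bishop randomart box."""
    field = [[0] * WIDTH for _ in range(HEIGHT)]
    x, y = WIDTH // 2, HEIGHT // 2
    cap = len(SYMBOLS) - 3       # ordinary cells saturate at '^'
    for byte in digest:
        for _ in range(4):       # four 2-bit moves per byte, low pair first
            x += 1 if byte & 0x1 else -1
            y += 1 if byte & 0x2 else -1
            x = min(max(x, 0), WIDTH - 1)    # walls clamp the step
            y = min(max(y, 0), HEIGHT - 1)
            if field[y][x] < cap:
                field[y][x] += 1
            byte >>= 2
    field[HEIGHT // 2][WIDTH // 2] = len(SYMBOLS) - 2    # 'S'
    field[y][x] = len(SYMBOLS) - 1                       # 'E' wins if it lands on 'S'
    rows = ["|" + "".join(SYMBOLS[c] for c in row) + "|" for row in field]
    top = "+" + f"[{title}]".center(WIDTH, "-") + "+"
    bottom = "+" + f"[{hash_name}]".center(WIDTH, "-") + "+"
    return "\n".join([top, *rows, bottom])


def fingerprint_string(digest: bytes) -> str:
    """Textual form of the same digest: unpadded base64 with a SHA256: prefix."""
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed sample digests, not real key fingerprints. They differ only in
# byte 0: 0xC9 steps NE,SW,NW,SE and 0x9C steps NW,SE,NE,SW. Both loops touch
# the same cells the same number of times and end back on the start square.
TAIL = hashlib.sha256(b"constructed sample").digest()[1:]
DIGEST_A = bytes([0xC9]) + TAIL
DIGEST_B = bytes([0x9C]) + TAIL

if __name__ == "__main__":
    print(randomart(DIGEST_A))
    print(fingerprint_string(DIGEST_A))
    print(fingerprint_string(DIGEST_B))
    print("same picture:", randomart(DIGEST_A) == randomart(DIGEST_B))
```

The two digests render to the same box while their `SHA256:` strings differ, so the full string is the value to compare when verifying a key.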



