11

Suppose I have the privilege of being able to physically meet a person that I want to communicate with beforehand. Suppose the person and I have minimal trust --- it could be the first time we get to know each other. We just want to communicate. Suppose the physical meeting is not monitored (honestly, it doesn't matter for public keys to be monitored, and we assume at least our information to each other isn't altered) and we can both be sure of each other's identity. What are the best ways to exchange some information, like our public keys? We would like to take advantage of this physical secure channel to exchange information. Therefore, using something on the Internet, like a key server that is relatively unsafe, is not considered.

A few obstacles:

  1. Because of the minimal trust, it's hard for us to give each other data digitally, especially not through a drive, for the sake of possible attacks.
  2. I thought of printing the key in some readable form on paper. But for a reasonably long key (2048 bits) with hex representation, that would require typing 128 characters. More characters are needed if some meta information about the key is included. (And somehow, GPG outputs thousands of characters when exporting public keys with --armor.) That creates a large chance of mistyping some character.

I do have some basic knowledge in modern cryptography. If the other person also does, then maybe we could do a key exchange physically using some protocol. But one problem is that we may need to prepare for it before meeting up. And the reality is that I might want to exchange information with people whom I just met. That is, I'd like to consider both prepared and unprepared situations.

Besides, I assume that we will be very careful to check the information we give each other. For example, we will double-check each character before typing the key on our computers. It is still possible to make a mistake somewhere, but to take advantage of it, an attacker first has to predict which character we make a mistake on (not easy to predict), and then predict which character we may mistype it to (much easier to predict).

  • 2
    It sounds like you want to exchange public keys through some out-of-band method. The out-of-band method is resistant to MITM attacks, but the method might be prone to errors. A simple way to check for errors is for A to encrypt a message using B's public key, and send the encrypted message to B. If B is able to decrypt the message using B's private key, then this proves that A has B's true and correct public key. Commented Apr 24, 2025 at 21:32
  • @mti2935 Thank you for this insight. Do you know how one could correct the error, then, in an insecure channel? The physical meeting chance might be scarce. Commented Apr 25, 2025 at 10:16
  • 1
    @mti2935 I got it. Maybe you meant that we can take our computers to the meeting and perform this verification on-site, as we type the keys from the papers to the computers. I think this is a good idea. If we don't connect our computers to anything while doing the verification, it should be relatively safe. Thank you. Commented Apr 25, 2025 at 17:10

2 Answers

29

To uniquely identify large public keys (like those used in the RSA cryptosystem), it's common to use fingerprints. Those are calculated by hashing the public key with a cryptographic hash function like SHA-256. The result is fairly compact (e.g., 32 bytes in the case of SHA-256), fits on a small piece of paper and can easily be checked visually. So both parties first meet in person and exchange the fingerprints. Later they can exchange the public keys over any insecure channel (like the Internet) and check the key authenticity by calculating the fingerprint and comparing it with the known-good value they received at the meeting. The properties of cryptographic hash functions ensure that even minor manipulations (or bit errors) will result in completely different hashes, making it easy to detect wrong keys.

Note that modern Elliptic-Curve algorithms like Ed25519 have much shorter public keys (256 bits), so it's practical to exchange the keys themselves and not use fingerprints.

  • 3
    +1. OP, In the case of EC public keys - the public key must be a point that lies on the EC curve. A simple way to check for an error in an EC public key is to simply check if it lies on the EC curve. If there was some error during the transfer of the EC public key, then the likelihood of it lying on the EC curve will be infinitesimally small. Commented Apr 24, 2025 at 21:43
  • 4
    @mti2935: only using X9 uncompressed form (or hybrid, which AFAIK nobody ever did). X9 compressed, and the only standard form for EdDSA, are dense and errors are likely to produce an apparently-valid wrong value. // PGP uses such a fingerprint as the key's official identification, and for decades (until fairly recent attacks) it was common for someone to give you their keyid (usually truncated to 32bits or 64bits) and store the full key in a server from which you could fetch it by keyid. Commented Apr 25, 2025 at 0:38
  • 2
    Another variant on this could be to print both the full key (if reasonably short) and the fingerprint/hash, so that the recipient can type in the key and then double-check it using the fingerprint. Commented Apr 25, 2025 at 3:13
  • 4
    @jpa: You're ignoring the OP's scenario. Do you really think that two people will first go through all the trouble of doing a physical meeting for the sole purpose of a fingerprint exchange, but then they suddenly become too lazy to actually check the full fingerprints? This sounds absurd. Anyway, if mobile phones are acceptable in the meeting, the participants could scan the keys/fingerprints as QR codes (like in WPA3 SAE-PK). Commented Apr 25, 2025 at 6:41
  • 4
    @dave_thompson_085 While PGP keys are/were identified by keyid, they never were meant to be verified by keyid, but by fingerprint. The keyid is a truncated fingerprint (was 32 bit, nowadays 64 bit), and you were supposed to compare the whole fingerprint since the invention of PGP. Commented Apr 25, 2025 at 7:26
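As an added example (not code from the answer or its commenters), the Python below computes the SHA-256 fingerprint the answer describes and, following dave_thompson_085's point about dense compressed encodings, decodes a 32-byte Ed25519 key as a curve point the way RFC 8032 specifies; it then tries every single-hex-digit transcription slip of a key and counts how many still pass each check. The sample key is the Ed25519 base point in its standard encoding, standing in for a real public key.

```python
import hashlib

# Ed25519 field prime, curve constant d and sqrt(-1) (RFC 8032 section 5.1)
P = 2**255 - 19
D = (-121665 * pow(121666, P - 2, P)) % P
SQRT_M1 = pow(2, (P - 1) // 4, P)
SAMPLE_KEY = bytes.fromhex("58" + "66" * 31)  # constructed sample: the Ed25519 base point, compressed

def fingerprint(pubkey: bytes) -> str:
    """Fingerprint as the answer describes it: SHA-256 of the raw public key, in hex."""
    return hashlib.sha256(pubkey).hexdigest()

def fingerprint_matches(pubkey: bytes, known_good: str) -> bool:
    """Check a key received over an insecure channel against the fingerprint exchanged in person."""
    return fingerprint(pubkey) == known_good.replace(" ", "").lower()

def is_valid_ed25519_point(encoded: bytes) -> bool:
    """Decode a compressed Ed25519 key (RFC 8032 section 5.1.3); True iff it is a point on the curve."""
    if len(encoded) != 32:
        return False
    y = int.from_bytes(encoded, "little")
    x_sign, y = y >> 255, y & ((1 << 255) - 1)
    if y >= P:
        return False
    # From -x^2 + y^2 = 1 + d*x^2*y^2 we get x^2 = (y^2 - 1) / (d*y^2 + 1)
    x2 = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(x2, (P + 3) // 8, P)  # candidate square root, valid because p = 5 (mod 8)
    if (x * x - x2) % P:
        x = x * SQRT_M1 % P  # the other candidate
    if (x * x - x2) % P:
        return False  # x^2 is not a square, so no curve point has this y
    return not (x == 0 and x_sign == 1)

def single_hex_typos(hexkey: str):
    """Every string differing from hexkey in exactly one hex digit, i.e. a plausible transcription slip."""
    for i, c in enumerate(hexkey):
        for d in "0123456789abcdef":
            if d != c:
                yield hexkey[:i] + d + hexkey[i + 1:]

def typo_survey(pubkey: bytes):
    """Return (typos tried, typos still decoding as a valid point, typos still matching the fingerprint)."""
    good = fingerprint(pubkey)
    total = on_curve = matching = 0
    for total, h in enumerate(single_hex_typos(pubkey.hex()), 1):
        k = bytes.fromhex(h)
        on_curve += is_valid_ed25519_point(k)
        matching += fingerprint_matches(k, good)
    return total, on_curve, matching
```

On this key the fingerprint rejects all 960 slips while roughly half of them still decode as valid points, which is why an on-curve check alone is a weak typo detector for compressed EdDSA keys.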
24

QR codes

A QR code is nothing but easily machine-readable data, so the "oh 128 characters is too much to type" is negated. With a decently implemented QR code reader there also isn't any attack surface here.

Alternatively: Just use OCR and give some sort of corrective/hash value to detect reading errors. Since you only need to account for errors, not attacks, the proof value can be just a couple of characters.

Or combine the two.

Also: if the real key length is really too long, even for the above methods, all you need to hand over is a hash of the actual key (that you can then transfer digitally). This is slightly vulnerable to hash collision attacks, so not optimal, but the above methods should suffice anyway.

  • 1
    This already exists in some e2e encrypted messengers, you can scan someone's qr code to make sure it's the right person. Commented Apr 25, 2025 at 12:23
  • 3
    for what it's worth, a version 40 QR code with low data correction (perhaps not really a desired quality here) can hold 23,648 bits. Commented Apr 25, 2025 at 13:26
  • 2
    The QR code has the very important (in this context) property of giving a visual clue about the amount of information it carries. This mitigates a whole lot of possible risks, e.g. exploiting some vulnerability in the key processing path. There is simply not much space to cram the exploit code in (I am not saying that this is not at all possible, it is just WAY harder than e.g. a modern flash drive of GB-range size). Commented Apr 27, 2025 at 10:09
  • 2
    @MatthieuM. bad news here. A lot of QR code readers automatically feed the decoded message in your default browser if it looks somewhat like URL. While not the same as running native code in your system, it is still an attack vector. Commented Apr 27, 2025 at 17:45
  • 1
    @fraxinus: I considered that. But for key exchange you'd likely want a specific application anyway -- one which allows registering who is associated with the key -- at which point the default behavior of QR code reader apps no longer matters. Commented Apr 28, 2025 at 7:15
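An added example (mine, not from the answer) of the "corrective/hash value" idea for a key that is typed in by hand: a four-digit check value printed beside the hex key lets the recipient detect a typo and, since a single mistyped digit is the common case, search for the correction. The sample key is constructed, and a recovered correction still needs the full fingerprint or an on-site decrypt test before it is trusted.

```python
import hashlib

CHECK_DIGITS = 4  # a "couple of characters" of check value, as the answer suggests
SAMPLE_KEY_HEX = "58" + "66" * 31  # constructed 256-bit sample key in hex

def check_value(key_hex: str) -> str:
    """Short check value to print beside a hand-typed key: first CHECK_DIGITS hex digits of SHA-256."""
    return hashlib.sha256(key_hex.lower().encode()).hexdigest()[:CHECK_DIGITS]

def printable_form(key_hex: str) -> str:
    """Key in 4-digit groups plus its check value, as one would print it on paper."""
    key_hex = key_hex.lower()
    groups = " ".join(key_hex[i:i + 4] for i in range(0, len(key_hex), 4))
    return f"{groups}  check:{check_value(key_hex)}"

def verify_typed(typed_hex: str, printed_check: str):
    """Verify a typed key against the printed check value.
    Returns (True, key) on a match. Otherwise tries every single-digit correction and
    returns (False, candidates): all corrections whose check value matches. With only
    CHECK_DIGITS hex digits a wrong candidate can collide, so more than one may be listed."""
    typed_hex = typed_hex.replace(" ", "").lower()
    if check_value(typed_hex) == printed_check:
        return True, typed_hex
    candidates = []
    for i, c in enumerate(typed_hex):
        for d in "0123456789abcdef":
            if d != c:
                cand = typed_hex[:i] + d + typed_hex[i + 1:]
                if check_value(cand) == printed_check:
                    candidates.append(cand)
    return False, candidates
```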
