[pbs-devel] [PATCH proxmox-backup 0/7] add, persist and check key fingerprint

[Fabian Grünbichler]

On November 18, 2020 7:47 am, Thomas Lamprecht wrote:
> On 18.11.20 06:47, Dietmar Maurer wrote:
>>> On 11/18/2020 6:27 AM Dietmar Maurer <dietmar at proxmox.com> wrote:
>>>
>>>  
>>> Do we really need/want a 256bit long fingerprint?
>>>
>>> I thought 64bit (or maybe 32bit) would be large enough?
>>> If not, why does it have to be that large?
>> 
>> some quick math:
>> 
>> max keys a user generate in his live: 1024 (2¹⁰)
>> 
>> so the likelihood of a 32bit fingerprint clash is 
>> 
>> W = 1/2^²²   (1/4Millions)
>> 
>> which is, unlikely, but possible.
>> 
>> But with 64bit it is extremely unlikely (1/2⁵⁴).
> 
> From a pure user experience I think it could be better to present 8 byte of fingerprint
> information - as the nerves/stress ratio is probably not to good at times where this is
> required.
> 
>  8 byte: "90:A1:CA:44:BE:0B:D4:1C"
> 
> vs.
> 
> 32 byte: "90:A1:CA:44:BE:0B:D4:1C:F7:D9:F5:2F:7C:92:DB:69:B2:2A:AF:6A:1C:7A:DB:0C:03:93:3E:EA:95:EC:26:92"
> 
> I mean, after all, this is rather informal and even if there would be a unlikely
> collision it does not actually compromises security in any way I can think of.

I'd be fine with that, although I think we should probably mention 
somewhere why we think it's fine to use a truncated hash here:
- the actual verification happens via the signature of the manifest
- we are talking about your own keys, not keys of other parties that you 
  need to verify via a fingerprint (which is an entirely different 
  problem)
- the fingerprint is just used as an automatically/mathematically 
  generated 'name' of the key

should we switch it altogether, or just truncate it on display? IMHO for 
Qemu I'd like to keep the full digest/fingerprint, since there a 
skipped collision means corrupt backups, not running into the next 
error and bailing out..