Public key fingerprint
In public-key cryptography, a public key fingerprint is a short sequence of bytes used to authenticate or look up a longer public key. Fingerprints are created by applying a cryptographic hash function to a public key. Since fingerprints are shorter than the keys they refer to, they can be used to simplify certain key management tasks.
Creating public key fingerprints
A public key fingerprint is typically created through the following steps:
- A public key (and optionally some additional data) is encoded into a sequence of bytes. To ensure that the same fingerprint can be recreated later, the encoding must be deterministic, and any additional data must be exchanged and stored alongside the public key. The additional data is typically information which anyone using the public key should be aware of. Examples of additional data include: which protocol versions the key should be used with (in the case of PGP fingerprints); and the name of the key holder (in the case of X.509 trust anchor fingerprints, where the additional data consists of an X.509 self-signed certificate).
- The data produced in the previous step is hashed with a cryptographic hash function such as MD5 or SHA-1.
- If desired, the hash function output can be truncated to provide a shorter, more convenient fingerprint.
This process produces a short fingerprint which can be used to authenticate a much larger public key. For example, whereas a typical RSA public key will be 1024 bits in length or longer, typical MD5 or SHA-1 fingerprints are only 128 or 160 bits in length.
When displayed for human inspection, fingerprints are usually encoded into hexadecimal strings. These strings are then formatted into groups of characters for readability. For example, a 128-bit MD5 fingerprint for SSH would be displayed as follows:
43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8
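As an added example (not code from the original article or from OpenSSH), the three steps above carried out in Python for an SSH RSA key: the deterministic SSH wire encoding, the colon-hex MD5 display shown above and the SHA-256 display current OpenSSH prints, truncation as used for key IDs, and the comparison against a fingerprint obtained over a trusted channel described in the next section. The key parameters are constructed toy values and all function names are the editor's own.

```python
import base64
import hashlib
import hmac
import struct

# Constructed toy RSA public key (not a real key; n is far too small for
# real use and is chosen only to keep the encoded blob short).
SAMPLE_E = 65537
SAMPLE_N = 0xC0FFEE1234567890ABCDEF

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': minimal big-endian magnitude, with a leading 0x00
    when the top bit is set so the value is read as positive; zero is empty."""
    if value == 0:
        return ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)

def encode_rsa_public_key(e: int, n: int) -> bytes:
    """Step 1, deterministic encoding: SSH's RSA blob (RFC 4253) is
    string "ssh-rsa" || mpint e || mpint n. Fingerprints hash this blob."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def colon_hex(digest: bytes) -> str:
    """Display form used in the example above: hex bytes joined by colons."""
    return ":".join(f"{b:02x}" for b in digest)

def md5_fingerprint(blob: bytes) -> str:
    """Step 2, legacy OpenSSH form: 128-bit MD5 digest as colon-separated hex."""
    return colon_hex(hashlib.md5(blob).digest())

def sha256_fingerprint(blob: bytes) -> str:
    """Step 2, current OpenSSH form: 'SHA256:' + unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def truncated_fingerprint(blob: bytes, bits: int) -> bytes:
    """Step 3: keep the leading `bits` of the SHA-256 digest. 64 bits is the
    length of a PGP long key ID: enough to look a key up, not to authenticate
    it, since a brute-force second preimage then costs only about 2**64."""
    if bits % 8 or not 0 < bits <= 256:
        raise ValueError("bits must be a positive multiple of 8, at most 256")
    return hashlib.sha256(blob).digest()[: bits // 8]

def fingerprints_match(trusted: str, presented: str) -> bool:
    """Compare the fingerprint obtained over a trusted channel (phone, paper)
    with the one computed from the received key; case and separators are
    ignored and the comparison is constant-time."""
    def norm(s: str) -> bytes:
        return s.replace(":", "").replace(" ", "").lower().encode()
    return hmac.compare_digest(norm(trusted), norm(presented))
```

`md5_fingerprint(encode_rsa_public_key(e, n))` reproduces what older `ssh-keygen -l` printed for the same key; `sha256_fingerprint` reproduces the current `SHA256:` form.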
Using public key fingerprints for key authentication
When a public key is received over an untrusted channel, such as the Internet, the recipient often wishes to authenticate the public key. Fingerprints can help accomplish this, since their small size allows them to be passed over trusted channels where public keys won't easily fit.
For example, if Alice wishes to authenticate a public key as belonging to Bob, she can contact Bob over the phone or in person and ask him to read his fingerprint to her, or give her a scrap of paper with the fingerprint written down. Alice can then check that this trusted fingerprint matches the fingerprint of the public key. Exchanging and comparing values like this is much easier if the values are short fingerprints instead of long public keys.
Fingerprints can also be useful when automating the exchange or storage of key authentication data. For example, if key authentication data needs to be transmitted through a protocol or stored in a database where the size of a full public key is a problem, then exchanging or storing fingerprints may be a more viable solution.
PGP developed the PGP word list to facilitate the exchange of public key fingerprints over voice channels.
Public key fingerprints in practice
In systems such as SSH, users can exchange and check fingerprints manually to perform key authentication. Once a user has accepted another user's fingerprint, that fingerprint (or the key it refers to) will be stored locally along with a record of the other user's name or address, so that future communications with that user can be automatically authenticated.
In systems such as X.509-based PKI, fingerprints are primarily used to authenticate root keys. These root keys issue certificates which can be used to authenticate user keys. This use of certificates eliminates the need for manual fingerprint verification between users.
In systems such as PGP or Groove, fingerprints can be used for either of the above approaches: they can be used to authenticate keys belonging to other users, or keys belonging to certificate-issuing authorities. In PGP, normal users can issue certificates to each other, forming a web of trust, and fingerprints are often used to assist in this process (e.g., at key-signing parties).
In systems such as CGA or SFS and most cryptographic peer-to-peer networks, fingerprints are embedded into pre-existing address and name formats (such as IPv6 addresses, file names or other identification strings). If addresses and names are already being exchanged through trusted channels, this approach allows fingerprints to piggyback on them.
In PGP, fingerprints truncated to 32 or 64 bits are called "key IDs". PGP uses key IDs to refer to public keys for a variety of purposes. These are not, properly speaking, fingerprints, since their short length prevents them from being able to securely authenticate a public key.
Security of public key fingerprints
The primary threat to the security of a fingerprint is a preimage attack, where an attacker constructs a key pair whose public key hashes to a fingerprint which matches the victim's fingerprint. The attacker could then present his public key in place of the victim's public key to masquerade as the victim.
A secondary threat to some systems is a collision attack, where an attacker constructs multiple key pairs which hash to his own fingerprint. This may allow an attacker to repudiate signatures he has created, or cause other confusion.
To prevent preimage attacks, the cryptographic hash function used for a fingerprint should possess the property of second preimage resistance. If collision attacks are a threat, the hash function should also possess the property of collision-resistance. While it is acceptable to truncate hash function output for the sake of shorter, more usable fingerprints, the truncated fingerprints must be long enough to preserve the relevant properties of the hash function against brute-force search attacks.
In practice, most fingerprints commonly used today are based on non-truncated MD5 or SHA-1 hashes. As of 2006, collisions but not preimages can be found in MD5 and (it is believed) in SHA-1. Since these attacks raise questions about the preimage resistance of these hash functions, the future is likely to bring increasing use of newer hash functions such as SHA-256. Fingerprints based on SHA-256 and other hash functions with long output lengths are more likely to be truncated than (relatively short) MD5 or SHA-1 fingerprints.
In situations where fingerprint length must be minimized at all costs, techniques such as hash extension (see cryptographically generated addresses) can be used to boost the security of truncated fingerprints.
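As an added illustration of the brute-force argument above (not from the original article), assume the hash behaves as a random function and its output is truncated to $n$ bits. The expected attacker work is then

$$
W_{\mathrm{pre}} \approx 2^{n} \quad \text{(second preimage: forge a key for a given fingerprint)}, \qquad
W_{\mathrm{col}} \approx \sqrt{\tfrac{\pi}{2}}\,2^{n/2} \approx 2^{n/2} \quad \text{(collision: two keys with the same fingerprint)}.
$$

For the lengths the article names: an untruncated MD5 fingerprint ($n = 128$) gives $W_{\mathrm{pre}} \approx 2^{128}$ and $W_{\mathrm{col}} \approx 2^{64}$; SHA-1 ($n = 160$) gives $2^{160}$ and $2^{80}$; a 64-bit PGP key ID gives only $2^{64}$ and $2^{32}$, and a 32-bit key ID $2^{32}$ and $2^{16}$, which is why key IDs serve for lookup but not for authentication. Hash extension as used in CGA keeps $n$ fixed but additionally requires a second hash over the key material to have $16\,\mathrm{Sec}$ leading zero bits (with $\mathrm{Sec} \in \{0, \dots, 7\}$ carried in the address), so the key owner spends about $2^{16\,\mathrm{Sec}}$ work once at generation while an attacker's preimage search grows to about $2^{\,n + 16\,\mathrm{Sec}}$.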
See also
- PGP word list
- Public-key cryptography
- Key authentication
- Key management
- Key signing party
- Rabin fingerprint