SSH Artwork

yccs27 · 2024-11-27T13:10:33 1732713033

The fact that this works means that comparing keys visually by their artwork is insecure, since it allows you to generate a key pair which looks very similar to a target public key. I guess visual fingerprints might not have enough entropy.

clysm · 2024-11-27T16:05:38 1732723538

Where's the proof that this works?

It's a brute forcing tool with the goal of finding the desired fingerprint, but there's no demonstration of it actually working.

tasuki · 2024-11-27T19:52:44 1732737164

It's enough to find a fingerprint that's visually similar enough. It doesn't have to be exactly the same. That's many orders of magnitude easier than finding an exact match!

tayiorrobinson · 2024-11-27T14:21:46 1732717306

It's probably still more secure than trying to compare the regular old string representations (who checks more than the last 5 characters from the end?)

And plus, you still have to brute force it to get one that looks close

doctoboggan · 2024-11-27T18:22:18 1732731738

> and kill the artist when patience is depleted.

This is the key part. You probably have to have _a lot_ of patience to get anything reasonable.

simlevesque · 2024-11-27T18:50:33 1732733433

> means that comparing keys visually by their artwork is insecure

I'm not sure if this goal is achievable.

patchtopic · 2024-11-27T12:25:17 1732710317

"kill the artist when patience is depleted"

drastic!

thepuppet33r · 2024-11-27T12:31:51 1732710711

> Once visualization is introduced, so is aesthetics. This feature presents a great opportunity to fight against truly random key generation in order to trade security for arbitrary human desires.

If this person made this tool specifically for the satire opportunity, that's hilarious.

Cheer2171 · 2024-11-27T16:27:26 1732724846

I can't believe no one in this thread doesn't see this. This project is a critique of the openssh visual hash

remram · 2024-11-28T01:17:24 1732756644

benjojo has an article on this, with another (Golang) implementation: https://blog.benjojo.co.uk/post/ssh-randomart-how-does-it-wo...

Includes example results, as well as an explanation for the randomart algorithm.

H8crilA · 2024-11-27T11:13:21 1732706001

I wish Bitcoin produced at least something like that.

everfree · 2024-11-27T19:15:30 1732734930

Vanity addresses are a similar idea.

sbassi · 2024-11-27T19:58:53 1732737533

yes, when I tried this some years ago I only could set the first 3 o 4 characters, after that, it took more time I was willing to wait. I don't know how is it today.

j0hnyl · 2024-11-27T16:12:05 1732723925

You can always artify the qr code.

pfoof · 2024-11-27T23:35:28 1732750528

And imagine how Facebook got lucky with their .onion address

tasn · 2024-11-27T13:46:59 1732715219

This is cool as a project, but relying on humans to do pixel-perfect matching for security is probably a bad idea (well, glyph-perfect).

crtasm · 2024-11-27T14:22:16 1732717336

On the other hand - when ssh warns you the host key has changed but the art looks unchanged to your eye, you know something serious has happened.

dleink · 2024-11-27T17:07:31 1732727251

0x0 · 2024-11-27T13:11:17 1732713077

I guess if you use this, then the security of your key is only as strong as for how many minutes the bruteforce took (since anyone else could also run the tool and generate their own key matching the desired fingerprint in the same amount of minutes you needed - or less).

remram · 2024-11-27T22:27:17 1732746437

That's not how randomness works. The expected duration of the attack is only determined by how close they want to get to your artwork.

For example, if you pick the first key you generate, it obviously doesn't mean the attacker can get the same art in one try.

desumeku · 2024-11-27T14:29:08 1732717748

I don't think the idea is to use the visual representation of the SSH key as a security mechanism but rather to have an SSH key that looks cool when you visualize it.

0x0 · 2024-11-27T18:26:06 1732731966

Isn't the whole point of VisualHostKey in ssh to act as a security mechanism, i.e. "yes this looks like the correct server key" on first use on a new client that doesn't already have the key in known_hosts?

tayiorrobinson · 2024-11-27T14:23:05 1732717385

so the exact same as any other crypto key?

idunnoman1222 · 2024-11-27T17:53:32 1732730012

The number of minutes being greater than the heat death of the universe

0x0 · 2024-11-27T18:28:37 1732732117

Is the runtime of this application "a number of minutes greater than the heat death of the universe" to find something that could pass off as matching the target visualhostkey?