←back to thread

Magic Wormhole: get things from one computer to another, safely

(github.com)
816 points tosh | 4 comments | 17 Aug 24 16:59 UTC | HN request time: 0.782s | source
1. HoyaSaxa ◴[18 Aug 24 03:36 UTC] No.41279958[source]
> The codes are short and human-pronounceable, using a phonetically-distinct wordlist. The receiving side offers tab-completion on the codewords, so usually only a few characters must be typed.

How does this work from a security perspective? Given the lack of apparent entropy can’t a malicious actor conceivably enter the correct phrase before the good actor?

replies(2): >>41280042 #>>41280321 #
2. bentley ◴[18 Aug 24 04:03 UTC] No.41280042[source]
https://en.wikipedia.org/wiki/Password-authenticated_key_agr...

“An important property is that an eavesdropper or man-in-the-middle cannot obtain enough information to be able to brute-force guess a password without further interactions with the parties for each (few) guesses. This means that strong security can be obtained using weak passwords.”

3. lotharrr ◴[18 Aug 24 05:33 UTC] No.41280321[source]
The PAKE algorithm lets you spend an interactive roundtrip to buy a full-strength key out of a weak shared secret. An attacker can attempt to guess the passphrase, and their chances are non-zero (one out of 65536 with the default configuration), but when they guess wrong, the whole protocol shuts down, and the real participants have to start over again, with a new code. So the only way for the attacker to win is for you to restart over and over again until they get lucky. Kinda self-limiting that way :).

https://github.com/magic-wormhole/magic-wormhole/blob/master... has a larger writeup.

replies(1): >>41283682 #
4. upofadown ◴[18 Aug 24 17:19 UTC] No.41283682[source]
An attack on the PAKE would involve the attacker seeing the secret value as it was transferred to the recipient and then beating the recipient to the handshake. So there is security value in being prompt in putting in the secret value at the receiving end.

That is as opposed to sending a public key or key fingerprint. In that case there would be little value to the attacker in seeing the transfer. They would have to MITM the transfer of the key itself. If you wanted to prevent the attacker from sending bogus files you would also have to transfer some sort of signing key.

So a short, time limited, secret vs a longer public value.