
816 points tosh | 2 comments
menzoic No.41280363
Autocompleting secrets sounds unsafe.

> The receiving side offers tab-completion on the codewords, so usually only a few characters must be typed.

replies(3): >>41280601 #>>41281026 #>>41291205 #
1. azornathogron No.41281026
I don't think auto-completing a code-word leaks any information, since the set of code-words is fixed.

Just think of each word as being one character from a large-ish alphabet.

Code-words are used so that the one time secret can be easily remembered or shared over a voice channel.

replies(1): >>41284078 #
2. lotharrr No.41284078
Correct. The wormhole code is a channel number (called a "nameplate") and a short secret, which defaults to 16 bits of entropy. The secret is used as the input to a PAKE, which only gives the other party (hopefully your intended recipient, but maybe an attacker) a single guess. The security of the protocol stems from the PAKE algorithm: yes, someone might jump into your conversation and attempt to guess the secret, but they're going to guess it incorrectly most of the time, and each time they fail, the connection is interrupted, and you (the sender) get an error. You'll probably give up well before they get a reasonable chance of success.

The secret can be any string you like, the protocol doesn't care; instead of "4-purple-sausages" it could be "4-65535" or "4-qtx", and have the same resistance to attack. The CLI encodes the secret as two words from the PGP word list, which was designed to be spoken and transcribed accurately even over a noisy voice channel (sort of like the Alpha/Bravo/Charlie/.. "military phonetic alphabet", except it's two alternating lists of 256 words each). In practice that pair of words is much easier to speak and listen and hold in your head for a minute or two than a random number, or the first two letters of each word divorced from the words themselves.

There are some provisions in the protocol (not yet implemented) to allow alternate word lists, so if the sender uses e.g. a French wordlist instead of the default English one, the receiving CLI learns about it early enough so that "wormhole rx" can auto-complete against the correct list. The server/attacker could learn which wordlist is in use, but still faces the same level of entropy about the PAKE secret itself.
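To make the two points in this thread concrete (a fixed, public word list means tab-completion reveals nothing about the secret, and a PAKE-style channel permits only one guess per session), here is an added Python model. It is not magic-wormhole's own code: the word lists are a constructed stand-in (the first eight entries of each PGP list, padded with synthetic placeholders to 256 entries so the entropy arithmetic matches), the assignment of the first word to the "even" list and the second to the "odd" list is an assumption about the encoding, and `OneGuessChannel` is a toy oracle standing in for the real PAKE, not an implementation of it.

```python
import math
import secrets

# Constructed stand-in for the two PGP word lists (256 entries each in the real
# thing). The first eight entries of each are real PGP words; the remainder are
# synthetic placeholders so that len() matches and the entropy math is honest.
EVEN_WORDS = (["aardvark", "absurd", "accrue", "acme",
               "adrift", "adult", "afflict", "ahead"]
              + [f"even{i:03d}" for i in range(8, 256)])
ODD_WORDS = (["adroitness", "adviser", "aftermath", "aggregate",
              "alkali", "almighty", "amulet", "amusement"]
             + [f"odd{i:03d}" for i in range(8, 256)])


def secret_bits(even=EVEN_WORDS, odd=ODD_WORDS) -> float:
    """Entropy of a two-word secret: log2 of the number of distinct word pairs.
    It depends only on the sizes of the public lists, never on which words are typed."""
    return math.log2(len(even) * len(odd))


def encode_secret(value: int) -> str:
    """Map a 16-bit integer to 'even-odd' words (assumed layout: high byte from the
    even list, low byte from the odd list)."""
    if not 0 <= value < 65536:
        raise ValueError("secret must fit in 16 bits")
    return f"{EVEN_WORDS[value >> 8]}-{ODD_WORDS[value & 0xFF]}"


def decode_secret(words: str) -> int:
    """Inverse of encode_secret; raises ValueError if a word is not on its list."""
    first, second = words.split("-")
    return (EVEN_WORDS.index(first) << 8) | ODD_WORDS.index(second)


def make_code(nameplate: int) -> str:
    """A wormhole-style code: channel number plus a freshly random 16-bit secret."""
    return f"{nameplate}-{encode_secret(secrets.randbelow(65536))}"


def complete(prefix: str, position: int) -> list[str]:
    """Tab-completion candidates for the word at `position` (0 = first word).
    The result is a function of the public list and the typed prefix only, so an
    observer who sees the candidates learns nothing they could not compute themselves."""
    wordlist = EVEN_WORDS if position == 0 else ODD_WORDS
    return sorted(w for w in wordlist if w.startswith(prefix))


class OneGuessChannel:
    """Toy model of the PAKE's single-guess property. A session accepts exactly one
    attempt at the secret; a wrong attempt aborts the session and counts as an
    error surfaced to the sender, who then has to issue a fresh code."""

    def __init__(self, secret: int):
        self._secret = secret
        self.open = True
        self.sender_errors = 0

    def attempt(self, guess: int) -> bool:
        if not self.open:
            raise RuntimeError("session already consumed; a new code is required")
        self.open = False  # one attempt per session, right or wrong
        if guess == self._secret:
            return True
        self.sender_errors += 1
        return False


def guess_success_probability(attempts: int, bits: float = 16) -> float:
    """Chance that `attempts` distinct guesses, each costing a fresh session and a
    visible error on the sender's side, include the secret."""
    return min(1.0, attempts / 2 ** bits)


if __name__ == "__main__":
    code = make_code(4)
    print("example code:", code)
    print("entropy of the two-word secret:", secret_bits(), "bits")
    print("completions for 'ad' in position 0:", complete("ad", 0))
    print("success chance after 100 failed-and-noticed sessions:",
          guess_success_probability(100))
```

The useful reading of the model is the last line: every failed guess consumes a session and raises an error at the sender, so the number of visible errors is exactly the number of guesses the other side has had, and the sender can abandon the transfer long before `guess_success_probability` becomes meaningful.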