The fact that this works means that comparing keys visually by their artwork is insecure, since it allows you to generate a key pair which looks very similar to a target public key. I guess visual fingerprints might not have enough entropy.
Where's the proof that this works?
It's a brute forcing tool with the goal of finding the desired fingerprint, but there's no demonstration of it actually working.
It's enough to find a fingerprint that's visually similar enough. It doesn't have to be exactly the same. That's many orders of magnitude easier than finding an exact match!
It's probably still more secure than trying to compare the regular old string representations (who checks more than the last 5 characters from the end?)
And plus, you still have to brute force it to get one that looks close
> and kill the artist when patience is depleted.
This is the key part. You probably have to have _a lot_ of patience to get anything reasonable.
> means that comparing keys visually by their artwork is insecure
I'm not sure if this goal is achievable.
> Once visualization is introduced, so is aesthetics. This feature presents a great opportunity to fight against truly random key generation in order to trade security for arbitrary human desires.
If this person made this tool specifically for the satire opportunity, that's hilarious.
I can't believe no one in this thread doesn't see this. This project is a critique of the openssh visual hash
benjojo has an article on this, with another (Golang) implementation: https://blog.benjojo.co.uk/post/ssh-randomart-how-does-it-wo...
Includes example results, as well as an explanation for the randomart algorithm.
I wish Bitcoin produced at least something like that.
This is cool as a project, but relying on humans to do pixel-perfect matching for security is probably a bad idea (well, glyph-perfect).
I guess if you use this, then the security of your key is only as strong as for how many minutes the bruteforce took (since anyone else could also run the tool and generate their own key matching the desired fingerprint in the same amount of minutes you needed - or less).
That's not how randomness works. The expected duration of the attack is only determined by how close they want to get to your artwork.
For example, if you pick the first key you generate, it obviously doesn't mean the attacker can get the same art in one try.
I don't think the idea is to use the visual representation of the SSH key as a security mechanism but rather to have an SSH key that looks cool when you visualize it.
Isn't the whole point of VisualHostKey in ssh to act as a security mechanism, i.e. "yes this looks like the correct server key" on first use on a new client that doesn't already have the key in known_hosts?
The number of minutes being greater than the heat death of the universe
Is the runtime of this application "a number of minutes greater than the heat death of the universe" to find something that could pass off as matching the target visualhostkey?