Detecting man-in-the-middle attacks: verifying fingerprints verbally

Warren GuyWarren Guy
29 January 2015

Have you ever wanted or needed to verify a GPG, OTP, SSL certificate or other fingerprint read aloud over the phone or even just sitting next to someone? This is important for detecting and preventing man-in-the-middle attacks, but reading/transcribing hexadecimal values can be tedious and error prone. Back in 1995, linguist Patrick Juola and PGP's Phil Zimmerman standardised a list of words corresponding with hexadecimal byte pairs for exactly this purpose. Each byte pair is represented by one of two words, depending on its position, to protect against inadvertently duplicated, missed, transposed words. As an example, my GPG fingerprint D1D4 64C0 04F0 0FB5 C9A4 C8D8 E433 E7FB 7FF5 6256 could be read aloud as "stairway souvenir flytrap recipe adrift upcoming artist positive spearhead Pandora spaniel stupendous tonic concurrent transit Wichita lockup visitor flagpole escapade".

I've written a pair of simple libraries, for JavaScript and for Ruby, for easily implementing the PGP word list, as well as a simple web based converter using the JavaScript library which is at Check out the libraries on Github:

TAGS: SysAdmin, Cryptography, Ruby, JavaScript, PGP, PGP fingerprint, GPG fingerprint, SSL, GPG

Next post: Planet SysAdmin: Call for blogs
Previous post: Reverse proxying Tor hidden services

Related posts:

View all posts