While playing around with SSH and Git, I reflected on how SSH’s key fingerprints are essentially an early form of identicon:

The key fingerprint is:
SHA256:xtaA8biLm/Jktn9A/j2sty686uosrRtz0GQIFw6nP2s root@bionic
The key's randomart image is:
+---[RSA 4096]----+
|o +.  .          |
| B .   =         |
|. o o o o        |
| . +  .o o       |
|  + .o. S .      |
|   + .o+         |
|  E.* .+ o       |
| .oO.+  = =      |
|  oBO++oo*oo     |
+----[SHA256]-----+

This made me want to write a blog post about how, now that we have GPU-accelerated terminal emulators1 and a wide variety of identicon libraries2, it would be cool to modularize the SSH key fingerprint generation algorithm. Imagine defining an executable inside your .ssh/config file in addition to an existing VisualHostKey=yes option that, when invoked, would take a public key on stdin and produce an image file on stdout to be displayed directly in your terminal emulator.

I’m not the first person to consider modern SSH fingerprint algorithms. Cipriani3 has a thorough article on the subject that references the original implementation and paper4. Cipriani provides their implementation using Unicode characters and colors, but ultimately concludes with a noteworthy point:

I think the problem of memory persists. We’re good at remembering regular pictures, but do abstract pictures count as regular?

This reminded me of something I’ve thought of before but haven’t put into words until now. We can generate fake pictures of people56, and humans are decent at remembering faces. At least, from anecdotal evidence, I think I’m more likely to remember a face than an abstract pattern.

You’ve probably seen Wavatars before7, even if you didn’t know the name of them at the time. I assume that Wavatars were and are widely used because they are memorable (and because of an innate human desire to create things after our likeness). It seems logical that, if we want to make sure SSH keys come from a certain human, making the key fingerprints themselves look like humans would be useful.

Imagine an identicon algorithm that generated realistic human faces. If you saw that identicon regularly, and it suddenly changed, would you notice? Is the probability of you noticing greater than if you were to use an existing abstract/geometric identicon algorithm instead?

For lack of effort, I’ll refer to these as “AI face identicons”.

The main outstanding barriers are:

  • A face-generation algorithm usable on hardware-constrained devices
  • A face-generation algorithm that is deterministic and seedable
    • (seedable with some non-trivial amount of entropy)
  • Storage/caching of public key fingerprint image data

I leave the rest as an exercise to the reader 😉

References


  1. Kitty GPU-based Terminal Emulator (Sep 23, 2023). “Kitty”↩︎

  2. drhus/awesome-identicons (Sep 23, 2023) “awesome-identicons”↩︎

  3. SSH Key Fingerprints, Identicons, and ASCII Art (Sep 26, 2017). “Tyler Cipriani”↩︎

  4. Hash Visualization: a New Technique to improve Real-World Security “Hash Visualization: a New Technique to improve Real-World Security”↩︎

  5. This Person Does Not Exist (Sep 23, 2023). “This Person Does Not Exist”↩︎

  6. Face Generation and Editing with StyleGAN: A Survey. “Face Generation and Editing with StyleGAN”↩︎

  7. Wordpress Plugin: Wavatars (Dec 17, 2007). “Shamus Young”↩︎