usability and security of out of band channels in secure
play

Usability and Security of Out-Of-Band Channels in Secure Device - PowerPoint PPT Presentation

Aug 20, 2023 •251 likes •670 views

Outline Introduction HISPs Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Usability and Security of Out-Of-Band Channels in Secure Device Pairing Protocols Ronald Kainda, Ivan Flechais, and A.W.

  1. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Usability and Security of Out-Of-Band Channels in Secure Device Pairing Protocols Ronald Kainda, Ivan Flechais, and A.W. Roscoe Oxford University Computing Laboratory SOUPS Conference 15-17 July, 2009

  2. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Outline Introduction 1 HISPs — Proposed OOB Methods 2 Experimental Design 3 Results 4 Analysis and Discussion 5 Conclusion 6

  3. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Outline Introduction 1 HISPs — Proposed OOB Methods 2 Experimental Design 3 Results 4 Analysis and Discussion 5 Conclusion 6

  4. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Introduction - Device Pairing Scenario

  5. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Introduction - Device Pairing Human-Interactive Security Protocols (HISPs) OOB N

  6. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Introduction - HISPs Security in HISPs Technical security Security based on formal proofs Depends on the size of the digest/fingerprint b -bits for most protocols

  7. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Introduction - HISPs Security in HISPs Technical security Security based on formal proofs Depends on the size of the digest/fingerprint b -bits for most protocols Effective security Secure systems are socio-technical (Sasse et al.) Security of a protocol may depend on human effort Humans forget, make mistakes These mistakes may result in security failures Human failures are not covered by formal proofs Increasing technical security (value of b ) may reduce effective security

  8. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Introduction - Research Question Are proposed OOB methods usably secure to guarantee specified technical security?

  9. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Outline Introduction 1 HISPs — Proposed OOB Methods 2 Experimental Design 3 Results 4 Analysis and Discussion 5 Conclusion 6

  10. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion HISPs - Proposed OOB Methods Manual comparison compare Devices generate fingerprints Fingerprints displayed in appropriate format Users compare fingerprints and indicate on the device a match or lack of it Devices require display and some form of input method

  11. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion HISPs - Proposed OOB Methods Manual copying and entering Bluetooth One device displays a fingerprint User copies and types the fingerprint into one or more devices Requires display and keypad Efficiency of entry depends on affordances of devices involved

  12. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion HISPs - Proposed OOB Methods Auxiliary devices 2D–Barcode Rely on secondary devices to transfer/compare information Proposed devices include camera phone external storage devices data cable etc May require users to carry extra hardware

  13. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion HISPs - Proposed OOB Methods Short-range wireless channels infrared Rely on short range wireless channels Require devices to be no more than a few centimetres apart Proposed methods include: infra-red light distance bounding 1 Most methods lack human verification 1 can also use normal channel

  14. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion HISPs - Proposed OOB Methods Timing methods Rely on transmission of information in well timed intervals Users coordinate the synchronisation Examples include shaking devices (Saxena et al.) pressing a button in response to some stimulus

  15. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Outline Introduction 1 HISPs — Proposed OOB Methods 2 Experimental Design 3 Results 4 Analysis and Discussion 5 Conclusion 6

  16. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Experimental Design - Methods DEFINITIONS Method – refers to a specific mode of comparing/transferring information between devices by humans Representation – refers to specific format in which information is presented to users Method-representation – refers to a combination of a method and representation

  17. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Experimental Design - Method-representations Compare & confirm compare Numeric Alphanumeric Words Sentences Country names Numeric & Sound Alphanumeric & Sound Melodies Images

  18. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Experimental Design - Method-representations Compare & select Numeric Alphanumeric Copy & enter Numeric Alphanumeric Barcode

  19. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Experimental Design - Design Dependent variables 1 Time 2 Number of non-security failures 3 Number of security failures Independent variable 1 Method-representation

  20. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Experimental Design - Participants 30 participants were recruited via online advertisement Gender Male: 47% Female: 53% Age 18 - 25 40% 26 - 35 27% 36 - 45 13% 46 - 55 3% 56 - 65 13% 66 - 75 4% Education High School: 27% College: 27% Graduate: 26% Postgraduate: 20%

  21. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Experimental Design - Apparatus tools Devices: Nokia N95 and N73 Nokia devices are common Bluetooth enabled Software: P2P payment system Device communication using Bluetooth Software created a log of participant’s actions Digital voice recorder To record interviews Questionnaires Enrolment After scenario (AS) After experiment/exit (AE) Written instructions

  22. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Experimental Design - Procedure: Tasks Figure: Step 1

  23. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Experimental Design - Procedure: Tasks Figure: Step 2

  24. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Experimental Design–Procedure: Tasks Figure: Step 3 and 4

  25. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Experimental Design - Procedure: Tasks Figure: Step 5 and 6

  26. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Outline Introduction 1 HISPs — Proposed OOB Methods 2 Experimental Design 3 Results 4 Analysis and Discussion 5 Conclusion 6

  27. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Results - Compare & confirm: Errors and completion times Time (s) Security failures Non-security failures Mean % % Numeric 6 0 3.3 Alphanumeric 6 13.3 16.7 Words 7 3.3 16.7 Images 8 0 3.3 Country/ 9 0 3.3 City names Sentences 11 0 16.7 Alphanumeric 12 3.3 20 & sound Numeric & 14 3.3 0 sound Melodies 24 6.7 36.7 Between-subjects: p = 0.0007 Within-subjects - time: p = .0000

  28. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Results - Compare & select: Errors and completion times Time Security failures Non-security failures Seconds % % Numeric 9 10 10 Alphanumeric 9 20 30 Between-subjects: p = 0.0000 Within-subjects - time: p = 0.9255

  29. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Results - Copy & enter: Errors and completion times Time Non-security failures Seconds % Numeric 17 13 Alphanumeric 40 23 Between-subjects: p = .7531 Within-subjects - time: p = .0004

  30. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Results - Barcode: Errors and completion times Time Non-security failures Seconds % 37 53

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Secure and Usable Out-Of-Band Channels for Ad hoc Mobile Device Interactions Ronald Kainda, Ivan

Secure and Usable Out-Of-Band Channels for Ad hoc Mobile Device Interactions Ronald Kainda, Ivan

Introduction HISP OOB Channels Problem definition Proposed methods Security and usability study Conclusion Secure and Usable Out-Of-Band Channels for Ad hoc Mobile Device Interactions Ronald Kainda, Ivan Flechais, A.W. Roscoe Workshop in

650 views • 18 slides
Secure Mobile Ad-hoc Interactions: Reasoning About Out-Of-Band (OOB) Channels Ronald Kainda, Ivan

Secure Mobile Ad-hoc Interactions: Reasoning About Out-Of-Band (OOB) Channels Ronald Kainda, Ivan

Introduction Framework Application Conclusion Secure Mobile Ad-hoc Interactions: Reasoning About Out-Of-Band (OOB) Channels Ronald Kainda, Ivan Flechais, A.W. Roscoe International Workshop on Security and Privacy in Spontaneous Interaction

539 views • 17 slides
3 Short review Lecture no: NARROW-BAND CHANNELS WIDE-BAND CHANNELS Radio signals and

3 Short review Lecture no: NARROW-BAND CHANNELS WIDE-BAND CHANNELS Radio signals and

RADIO SYSTEMS ETI 051 Contents 3 Short review Lecture no: NARROW-BAND CHANNELS WIDE-BAND CHANNELS Radio signals and complex Delay (time) dispersion notation Narrow- versus wide-band Large-scale fading channels

558 views • 12 slides
Building Secure Channels Kenny Paterson Information Security Group

Building Secure Channels Kenny Paterson Information Security Group

Building Secure Channels Kenny Paterson Information Security Group Overview Why do we need secure channels? What properties should they have?

480 views • 31 slides
Data Security: The art of providing secure communication over insecure channels. Not a problem

Data Security: The art of providing secure communication over insecure channels. Not a problem

Data Security: The art of providing secure communication over insecure channels. Not a problem that suddenly arose when computers were invented - its as old as mankind. Data Security falls naturally into two cathegories: * Confidentiality

542 views • 16 slides
Beyond the Pile of Knobs: Usability and Design for Privacy, Security, Safety & Consent

Beyond the Pile of Knobs: Usability and Design for Privacy, Security, Safety & Consent

Beyond the Pile of Knobs: Usability and Design for Privacy, Security, Safety & Consent Georgia Bullen // @georgiamoon Executive Director Simply Secure FOSDEM // 2 February 2020 Everyone deserves technology they can trust. Simply Secure

437 views • 28 slides
Usability Engineering Secure Software Last Revised: October 28, 2020 SWEN-331: Engineering

Usability Engineering Secure Software Last Revised: October 28, 2020 SWEN-331: Engineering

Usability Engineering Secure Software Last Revised: October 28, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Quote: Taher El-Gamal, Inventor of SSL Security professionals always struggle with the general public because

753 views • 30 slides
Security and Usability from the Frontlines of Enterprise IT Jon Oberheide CTO, Duo Security

Security and Usability from the Frontlines of Enterprise IT Jon Oberheide CTO, Duo Security

Security and Usability from the Frontlines of Enterprise IT Jon Oberheide CTO, Duo Security Browser SSL Password Encryption warnings schemes usability IT Security 40M consumer 153M end user Thousands of credit cards credentials

785 views • 39 slides
Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone

Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone

Phd course on Formal modelling and analysis of interactive systems Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone United Nations University International Institute for Software Technology

1.76k views • 109 slides
Security Notions for Bidirectional Channels Giorgia Azzurra Marson Bertram Poettering FSE 2017

Security Notions for Bidirectional Channels Giorgia Azzurra Marson Bertram Poettering FSE 2017

Security Notions for Bidirectional Channels Giorgia Azzurra Marson Bertram Poettering FSE 2017 Tokyo, Japan 1 / 11 Outline Secure channels and how they are modeled Security notions for bidirectional channels Analysis of bidirectional

602 views • 39 slides
Design for Security Serena Chen | @Sereeena | OReilly Velocity 2018 Usability Security

Design for Security Serena Chen | @Sereeena | OReilly Velocity 2018 Usability Security

Design for Security Serena Chen | @Sereeena | OReilly Velocity 2018 Usability Security Good user experience design and good security cannot exist without each other Everyone deserves to be secure without being experts We need to

1.34k views • 112 slides
Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe

Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe

Introduction Security-usability threat model Security and usability evaluation Summary Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe Oxford University Computing Laboratory Availability,

829 views • 23 slides
Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements intermission Day 24: Usability and security Stephen McCamant Usable security example areas University of Minnesota, Computer Science & Engineering

219 views • 5 slides
Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements intermission Day 25: Usability and security Stephen McCamant Usable security example areas University of Minnesota, Computer Science & Engineering

419 views • 4 slides
Outline Tor experiences and challenges (contd) Usability and security CSci 5271

Outline Tor experiences and challenges (contd) Usability and security CSci 5271

Outline Tor experiences and challenges (contd) Usability and security CSci 5271 Announcements intermission Introduction to Computer Security Usability and Voting combined slides Usable security example areas Stephen McCamant Elections

305 views • 8 slides
Payment Channels Designing Secure Watchtowers Zeta Avarikioti ETH Zurich Distributed

Payment Channels Designing Secure Watchtowers Zeta Avarikioti ETH Zurich Distributed

Payment Channels Designing Secure Watchtowers Zeta Avarikioti ETH Zurich Distributed Computing www.disco.ethz.ch Can cryptocurrencies scale? 7 tx/s 20 tx/s 65.000 tx/s Payment Channels Payment Channels Payment Channels Funding

482 views • 37 slides
Out-of-Band Authentication in Group Messaging: Computational, Statistical, Optimal

Out-of-Band Authentication in Group Messaging: Computational, Statistical, Optimal

Out-of-Band Authentication in Group Messaging: Computational, Statistical, Optimal Computational, Statistical, Optimal Lior Rotem Gil Segev Hebrew University Major Effort: E2E-Encrypted Messaging Government surveillance and/or coercion

577 views • 32 slides
Th eorie algorithmique des nombres et applications ` a la cryptanalyse de primitives

Th eorie algorithmique des nombres et applications ` a la cryptanalyse de primitives

Th eorie algorithmique des nombres et applications ` a la cryptanalyse de primitives cryptographiques Emmanuel Thom e 13 d ec. 2012 HDR E. Thom e 1/34 Algorithmic Number Theory and Applications to the Cryptanalysis of

620 views • 51 slides
Compilers and computer architecture: The RISC-V architecture Martin Berger 1 November 2019 1

Compilers and computer architecture: The RISC-V architecture Martin Berger 1 November 2019 1

Compilers and computer architecture: The RISC-V architecture Martin Berger 1 November 2019 1 Email: M.F.Berger@sussex.ac.uk , Office hours: Wed 12-13 in Chi-2R312 1 / 1 Recall the function of compilers 2 / 1 Introduction In previous

1.63k views • 58 slides
Transactions in India Nandkumar Saravade Friday, March 1, 13 1 Views expressed are personal

Transactions in India Nandkumar Saravade Friday, March 1, 13 1 Views expressed are personal

The People Problem in Security of Financial Transactions in India Nandkumar Saravade Friday, March 1, 13 1 Views expressed are personal and not necessarily of the employer organisation. Friday, March 1, 13 2 Changing Face of Banking

420 views • 23 slides
Web Annotations Building the Experience Annotation An annotation is something added. It is not

Web Annotations Building the Experience Annotation An annotation is something added. It is not

Web Annotations Building the Experience Annotation An annotation is something added. It is not the primary content, or even the secondary content. It is the association. Annotation (cont.) Annotations exist already - Links - Block quotes

452 views • 14 slides
Exploiting Latent I/O Asynchrony in Petascale Science Applications Patrick Widener, Mary Payne,

Exploiting Latent I/O Asynchrony in Petascale Science Applications Patrick Widener, Mary Payne,

Exploiting Latent I/O Asynchrony in Petascale Science Applications Patrick Widener, Mary Payne, Patrick Bridges University of New Mexico Matthew Wolf, Hasan Abbasi, Scott McManus, Karsten Schwan Georgia Institute of Technology The research

560 views • 17 slides
in Group Messaging: Computational, Statistical, Optimal Lior Rotem Gil Segev Hebrew University

in Group Messaging: Computational, Statistical, Optimal Lior Rotem Gil Segev Hebrew University

Out-of-Band Authentication in Group Messaging: Computational, Statistical, Optimal Lior Rotem Gil Segev Hebrew University Messaging is Popular 2 Major Effort: E2E-Encrypted Messaging Government surveillance and/or coercion

585 views • 40 slides
Decentralized Deduplication in SAN Cluster File Systems Austin T. Clements Irfan Ahmad

Decentralized Deduplication in SAN Cluster File Systems Austin T. Clements Irfan Ahmad

Decentralized Deduplication in SAN Cluster File Systems Austin T. Clements Irfan Ahmad Murali Vilayannur Jinyuan Li VMware, Inc. MIT CSAIL Decentralized Deduplication in SAN Cluster File Systems Storage Area Networks Decentralized

1.28k views • 117 slides

More recommend