Usable Encryption: Class Presentation for CMSC 818D, Wei Bai

SLIDE 1

Usable Encryption

Class Presentation for CMSC 818D
Wei Bai

SLIDE 2
SLIDE 3

Application

  • Hardware Encryption
  • Web Encryption
  • Email Encryption
      • OpenPGP
      • S/MIME
  • Online Social Network

SLIDE 4

Public Key Encryption

  • Encryption/Decryption
  • Signing/Verifying

SLIDE 5

Prototype for Public Key Encryption

SLIDE 6

Prototype for Signing/Verifying

[Figure labels: Bob, Alice]

SLIDE 7

Usable Encryption Design Aspects

Design Aspects:

  • Encryption UI
  • (Automatic) Encryption and Decryption
  • Key Management
  • Integration

SLIDE 8

A. Whitten et al., “Why Johnny can’t encrypt: a usability evaluation of PGP 5.0”

  • One of the pioneering works on encryption usability
  • Objective: Investigate usability in standard UI design vs security
  • A case study of PGP 5.0 through
      • Cognitive walkthrough analysis
      • Lab Study

SLIDE 9

Definitions of Usability for Security

  • 1. Reliably made aware of the security tasks they need to perform
  • 2. Able to figure out how to successfully perform those tasks
  • 3. Don’t make dangerous errors
  • 4. Comfortable with the interface to continue using it.

SLIDE 10

Properties

  • 1. The unmotivated user property
  • 2. The abstraction property
  • 3. The lack of feedback property
  • 4. The barn door property
  • 5. The weakest link property

SLIDE 11

Usability Standard for PGP

  • Encrypt/decrypt
  • Sign/verify
  • Key generation
  • Own public key publication
  • Public key acquiring
  • Avoid dangerous errors
  • Reasonable time

SLIDE 12

Usability Analysis

  • Cognitive walkthrough Analysis
      • Wide considerations for more factors
      • Subjective
  • Lab Study
      • Limited scope of factor testing
      • Objective

SLIDE 13

Cognitive analysis: Flaws in Design

  • Key management Issue
      • Visual: sign/verify
      • Different key types
          • RSA for PGP,
          • Diffie-Hellman/DSS for PGP 5.0
      • Key server
      • Errors playing with keys. Irreversible!
          • Delete the private key, publicize the private key

SLIDE 14

Lab study

  • Integrate Eudora with PGP

SLIDE 15

Lab study

  • Confirmed some points:
  • What keys to use? How to use them?
      • Confused about private/public keys
      • Use own/counterpart’s keys?

SLIDE 16

Discussions

  • 1. Dangerous errors and the barn door property:
      • If reversible? Regret allowed?
  • 2. Should tutorials about encryption tasks, such as generating keys, be included?
      • Learnability: Learn by themselves, or taught by others?
  • 3. Is signing and verification necessary?
      • Closed circle
      • Phishing exists
  • 4. How about separating encryption and decryption tasks, to make the study shorter?

SLIDE 17

S. Ruoti et al., “Confused Johnny: when automatic encryption leads to confusion and mistakes”

  • Objective
      • Investigate whether hiding as many security details as possible makes encryption more usable
  • Method:
      • Lab study of Pwm (private webmail) system

SLIDE 18

Pwm Highlights

  • Automatic key management and automatic encryption
  • Integrate tightly with existing webmail services
  • Key management by a key escrow
      • Advantage:
          • Automatic key management
          • Users never lose their keys
          • Keys ported to new devices automatically
      • Disadvantage
          • Escrow has access to users’ keys

SLIDE 19

Comparative Usability Study

  • Task scenario:
      • Decrypt an email first
      • Send an encrypted email
      • Open a new Gmail session (with Pwm ended)
  • Perform well compared to existing webmail tools (w.r.t. SUS score)

SLIDE 20

Key Findings

  • Performance of Message Protector is on par with, or slightly higher than, Pwm.
  • Too transparent a design loses trust to some extent
  • Reconsider manual encryption
      • The idea also comes from the “Johnny for Facebook” paper.

SLIDE 21

Discussions

  • Automatic key management by using a third party service?
      • Chicken and egg problem!
  • Tradeoff between usability/security

SLIDE 22

Helping Johnny 2.0 to encrypt His Facebook conversations

  • Objective:
      • Encryption usability for online social networks (OSNs)
  • Methods:
      • Two lab studies

SLIDE 23

Mockup Lab Study

SLIDE 24

Mockup Lab Study

  • Encryption schemes:
      • Auto/not auto: encryption button
  • Key management:
      • Manual: send keys over webmail
      • Auto: Passwords are created the first time, and then the web browser caches them for further use.

SLIDE 25

Key findings

  • Auto encryption and auto key management are preferable.
      • Manual encryption / manual decryption give a higher feeling of security, but lower acceptance
  • Key (password) recovery capability

SLIDE 26

Discussions

  • Does doing/showing something make users feel assured?
      • Auto/not auto: encryption button
  • Key management:
      • Manual: send keys over webmail
          • (chicken and egg problem again?)
      • Auto: Passwords are created the first time, and then the web browser caches them for further use.
          • Password protection? Passwords are much easier to guess than PKI keys.