Giving Johnny The Keys Alma Whitten Google, Inc.

Posted on 18-Dec-2015


Page 1: Giving Johnny The Keys Alma Whitten Google, Inc

Giving Johnny The Keys

Alma Whitten
Google, Inc.

Page 2

The design goal

Software that enables email users to:

– trade keys when necessary
– encrypt with the correct keys
– use digital signatures meaningfully
– authenticate keys appropriately
– use key signing to authenticate keys

Page 4

The design goal

Software that enables email users to:

– trade keys when necessary
– encrypt with the correct keys
– use digital signatures meaningfully
– authenticate keys appropriately
– use key signing to authenticate keys

} New visual metaphors

Page 10

The design goal

Software that enables email users to:

– trade keys when necessary
– encrypt with the correct keys
– use digital signatures meaningfully
– authenticate keys appropriately
– use key signing to authenticate keys

} Safe staging

Page 11

What’s staging?

• Design for user to gradually progress to increasingly sophisticated modes of use

• Original: Carroll’s training wheels interface
  – Word processor implementation
  – Initial stage with error-prone functions walled off
  – Users learned much faster
  – Not realistic for consumer software

Page 12

What’s a stage?

A stage is safe if we immediately convey:

– Which actions are risky
– What the risks are
– A temporary way to avoid the risks
– How to learn to use better security (next stage)

Page 13

Lime has 3 stages

1) No security

2) Weak security (socially authenticated keys)

3) Strong security (signed keys)

Page 19

User testing overview

• Preliminary paper test of staging technique
  – 1 staged, 2 unstaged variants

• Full user test with software implementation
  – Weak security scenario
  – Strong security scenario (like PGP user test)
  – Scenario to test signature metaphors

Page 20

Test participants

• ~10 per variant for paper test

• 12 for software test

• Wide variety: age, background, gender

• Paid $10/hour for participation

• Prescreened
  – Experienced at using email
  – Unfamiliar with public key cryptography

Page 21

Paper presentation sample

YOUR ELECTRONIC MAIL SECURITY SOFTWARE

Security functions

Your electronic mail security software provides functions for protecting your mail messages against unauthorized reading (eavesdropping) and unauthorized modification (tampering or forgery). To protect a message against unauthorized reading, use the make-unreadable function on it. Then an authorized person will need to use the matching make-readable function in order to read the message, and no-one else will be able to read it at all.

To protect a message against unauthorized modification, including forgery, use the make-tamperproof function on it. People who view the message will then be able to use the matching check-tamperproofing function to see who tamperproofed the message and to verify that no later modification has occurred.

Each of these four functions must be used with a security token.

Page 22

Staging variation

The simplest way to trade public tokens is usually to send them in mail messages or put them up on personal web pages for downloading. The risk is that an attacker could set up a fake web page or forge an email message so that it appears to be from someone you know. For basic security, protect yourself against these kinds of tricks by asking common sense questions. Have you been to this person’s web page before, and is it at a web address you know that person uses? Does the message with the token in it sound like that person, and mention things that person would know? Does it come from an email address that you know that person uses? Likewise, when you send your public token to other people, include a note that will help them be sure the message came from you.

This level of security is enough to protect your messages against random eavesdropping and simple forgery, and against attackers who are looking for general vulnerabilities and have no reason to work hard to target your messages in particular. If your messages contain very sensitive or valuable data, or if you have some other reason to think an attacker might want to single you out as a target, then you should consider a stronger level of security. You may also need to use the stronger level if you do not know the other person well enough for the common sense questions to be useful.

Page 23

Sample question

You have started a small company, with about 30 employees, which is busy developing a new product line, the details of which must be kept secret from the public and from your competitors. Your employees all need to communicate regularly with each other by email to keep each other up to date on the product strategy and progress. You are hiring additional people at the rate of one or two per week, and the new people need to be integrated into the email communications as quickly as possible.

(17) Would you, in real life, think it was worth putting in some extra time to make these messages secure, rather than simply relying on regular email? If yes, how much extra time (in seconds, minutes, hours, or days) would you think it was worth?

(18) If you answered “yes” to question 17, then can you tell, from the software description you were given, which tokens and which functions you and your employees would each need to use? If yes, please list them.

(19) If you answered “yes” to question 17, then can you tell, from the software description you were given, what steps you and your employees would each need to take to get those tokens at an appropriate level of security? If yes, please list them.

(20) Are there any comments you would like to make?

Page 24

Key signing success criteria

If (B), then did the participant, for any of the scenarios, describe the use of key signing as a method for verifying identity, including both of the following:

a) The participation of a trusted third party whose token the verifier already possesses.

b) That the trusted third party can attest to the ownership of another person’s token by using their own token to do make-tamperproof on that person’s token (they must mention make-tamperproof – saying the third party will send it “securely” doesn’t count).

Page 25

Staging comparison results

[Bar chart, 0% to 100%: share of participants who correctly described key signing (success vs. failure) for three variants: SSL (unstaged), PGP (unstaged), Lime (staged)]

Participants who correctly described key signing

Page 26

User test first scenario

Lime Secure Electronic Mail Test: Scenario #1

For the first part of this test, please imagine that you have been seeing articles in the news about how insecure email is, and that you have become curious about software products that offer to protect your privacy on-line. You have acquired a copy of Lime, which is a free software program that is supposed to protect your email, and you want to try it out.

You decide to try sending secure email to your friend Steve. You and Steve have been friends ever since you were kids, and you have fond memories of assembling giant rock collections together when you were ten. You get along really well with his wife Laura, too, although there was a tense moment when you broke one of her favorite wine glasses. Steve works for an advertising agency these days, and you usually use his address there when you email him: [email protected].

You have a copy of Lime on your computer. Please use it to send a private, unforgeable email message to Steve. You will need to do some set-up, and you may also receive email that you need to respond to. The test monitor will let you know when the scenario ends.

Page 27

User test second scenario

Lime Secure Electronic Mail Test: Scenario #2

For the second part of this test, please imagine that you have decided to do volunteer work for a political campaign. The campaign manager, Maria Simmons, has given you the job of campaign coordinator. It is your responsibility to keep the campaign team members up to date on all aspects of the campaign plan.

You will use Lime to communicate with the campaign team members by email. It is very important that no information about the campaign plan gets leaked to the media or to the opposing campaigns. You will therefore need to be very careful to make sure that all your email messages are as private and unforgeable as you can make them.

You have a floppy disk that Maria gave you with her public key on it, and you gave Maria your public key on a floppy disk at the same time. Maria also gave you a printed memo that contains the first campaign plan update.

The campaign team members are:

Ben Dawson ([email protected])
Judy Rivera ([email protected])
Sam Tyler ([email protected])
Maria Simmons ([email protected])

Please send the update information to all of the campaign team members in a private, unforgeable email. When you have done that, follow the directions in any email you receive from a campaign team member. The test monitor will let you know when the scenario ends.

Page 28

User test results for basic tasks

[Bar chart, 0 to 12 participants: success / failure / n/a for basic signing, encryption, and key trading]

Page 29

User test results for key signing

[Bar chart, 0 to 12 participants: success / failure / unclear / n/a for required certified keys (2nd chance), required certified keys (1st chance), and got own key certified]

Page 30

Conclusions

• It works
  – Minimal trouble with basic crypto use
  – Reasonable understanding of key signing!
  – People liked it (eventually)

• Room for improvement
  – Wizards, error messages, context help…
  – Some standard usability bugs
  – Make a real version, set it free (future work!)