Caleb Stepanian, Cindy Rogers, Nilesh Patel

Presentation transcript:

Confused Johnny: When Automatic Encryption Leads to Confusion and Mistakes
Caleb Stepanian, Cindy Rogers, Nilesh Patel

Outline
Background information
Who is Johnny?
What is usability?
What is Johnny's problem?
How can we fix it?
Results
Conclusions

Who’s Johnny?

What is usability?
Security software is usable if the people using it:
Know the security tasks they need to perform
Are able to figure out how to perform them
Don't make dangerous errors
Are comfortable enough to continue use

Problem Statement
Johnny finds it confusing to encrypt his emails.
Email encryption (PGP) is not very usable:
Chicken-and-egg problem (the recipient must already have generated and shared a public key before anyone can encrypt to them)
Lots of manual tools and background knowledge are needed

Hypothesis Johnny doesn’t encrypt because current solutions are not transparent enough.

Transparency
To be considered transparent, a system:
1. Cannot require too much effort
2. Must solve the chicken-and-egg problem for keys
3. Must handle encryption automatically, hiding the ciphertext

Experiment Have Johnny try transparent encryption and opaque encryption methods to determine his preferences.

Experimental Methodology
Find a transparent system that meets the criteria
Find other, more opaque solutions
Run one user study per other solution, comparing it to the transparent one
Find the System Usability Scale (SUS) score for each
Draw conclusions

System Usability Scale
A set of ten questions that allows one to assess the usability of a system on a sliding scale.

Experimental Setup
Transparent: Pwm (Private Webmail), a browser extension that overlays automatic encryption on webmail
Opaque: MP (Message Protector), manual encryption with an external program

Other Methods Tested
Depot-based: Voltage (Voltage SecureMail Cloud). Sign up for an account and verify it.
Generic: Encipher.it (bookmarklet). Allows you to encrypt the text in any field with a password.

Pwm Example

MP Example

Results
Because people did not see the encryption happening, 10% of users didn't encrypt their emails correctly, and some users didn't innately trust the system.
Manual encryption (copy-pasting while seeing the ciphertext) and clear separation gave users more confidence in the system.

Comparison Results: Pwm v. MP
28 users tried both MP and Pwm

Metric                  Percent of users, Pwm study   Percent of users, MP study
Successful decryption   86%                           93%
Successful encryption   83%                           97%
Comprehension*          76%
Intuitively decrypt     72%                           100%
Preferred system        41%

*Correctly identifying who would be able to read encrypted messages

Study Results
Pwm usability study

Metric                          Successful users (out of 25)
Setup Pwm                       24
Successful decryption
Reply with encrypted message    23
Send encrypted message direct   22

Pwm v. Voltage preference
44% of users reported Voltage was cumbersome for encrypting and decrypting a message
19% preferred Voltage

MP vs. Encipher.it
Task 1: Install the given system
Task 2: Open Gmail and send an encrypted message, then decrypt the response
Task 3: Open Facebook and send an encrypted message, then decrypt the reply

System        Task 2       Task 3
MP            89%          96%
Encipher.it   57% / 50%    82% / 61%

Conclusions of MP vs. Encipher.it
MP had a SUS score of 72.23
Encipher.it had a SUS score of 61.25
MP qualifies as "acceptable"
Encipher.it ranks as "low marginal"

Conclusion
Encryption needs to be somewhat manual so that users feel secure and can tell encrypted text apart from plaintext.

Limitations
User studies were short-term lab studies
First SUS question was "I think that I would like to use this system frequently"
First MP study assumed secrets were already shared
Second MP study assumed Pwm was installed

Thank you! Any Questions?

PGP (Pretty Good Privacy)
Public and private keypairs
Private key needed to sign and decrypt
Public key needed to encrypt and verify a signature
A user needs to generate a keypair and share their public key before an encrypted message can be sent to them

Key escrow server
Trusted third party that generates and stores key material for users
Has the ability to read all messages and masquerade as any user
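The two slides above describe the four roles of a keypair (private key signs and decrypts, public key encrypts and verifies) and what changes when a key escrow server generates the keys. The following Go program is an added illustration, not code from the presentation, from the Confused Johnny paper, or from PGP/OpenPGP: it stands in for PGP with RSA-OAEP for encryption and RSA-PSS for signatures from Go's standard library, and it does not reproduce OpenPGP's actual packet format or sign-then-encrypt ordering. The Escrow type, the user names, and the sample message are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// Keypair holds the two halves the slide names: the private half signs and
// decrypts, the public half encrypts and verifies.
type Keypair struct {
	Private *rsa.PrivateKey
	Public  *rsa.PublicKey
}

// GenerateKeypair is the step a user must complete (and whose public half they
// must publish) before anyone can send them an encrypted message: the
// chicken-and-egg problem from the problem statement slide.
func GenerateKeypair() (*Keypair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Keypair{Private: priv, Public: &priv.PublicKey}, nil
}

// SignedMessage is what would travel inside the e-mail body.
type SignedMessage struct {
	Ciphertext []byte
	Signature  []byte
}

// SealAndSign encrypts for the recipient's public key (RSA-OAEP) and signs the
// ciphertext with the sender's private key (RSA-PSS).
func SealAndSign(plaintext []byte, recipientPub *rsa.PublicKey, senderPriv *rsa.PrivateKey) (*SignedMessage, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, plaintext, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &SignedMessage{Ciphertext: ct, Signature: sig}, nil
}

// VerifyAndOpen verifies the signature with the claimed sender's public key
// before decrypting with the recipient's private key. A wrong public key fails
// verification; a wrong private key fails decryption.
func VerifyAndOpen(msg *SignedMessage, senderPub *rsa.PublicKey, recipientPriv *rsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(msg.Ciphertext)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], msg.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature does not verify: %w", err)
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, msg.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decryption failed: %w", err)
	}
	return pt, nil
}

// Escrow models the key escrow slide (a constructed stand-in, not a real
// product): a third party that generates users' keys and keeps them. Because
// it retains the private half, it can decrypt anything sent to an enrolled
// user and sign in their name; that is the trust the slide points out.
type Escrow struct {
	keys map[string]*Keypair
}

func NewEscrow() *Escrow { return &Escrow{keys: map[string]*Keypair{}} }

// Enroll generates a keypair on the user's behalf and retains a copy.
func (e *Escrow) Enroll(user string) (*Keypair, error) {
	kp, err := GenerateKeypair()
	if err != nil {
		return nil, err
	}
	e.keys[user] = kp
	return kp, nil
}

// Retained returns the private key the escrow kept for a user (nil if none).
func (e *Escrow) Retained(user string) *rsa.PrivateKey {
	if kp, ok := e.keys[user]; ok {
		return kp.Private
	}
	return nil
}

func main() {
	alice, err := GenerateKeypair() // Alice made her own key
	if err != nil {
		log.Fatal(err)
	}
	esc := NewEscrow()
	bob, err := esc.Enroll("bob") // Bob's key came from the escrow
	if err != nil {
		log.Fatal(err)
	}
	msg, err := SealAndSign([]byte("constructed sample message"), bob.Public, alice.Private)
	if err != nil {
		log.Fatal(err)
	}
	pt, err := VerifyAndOpen(msg, alice.Public, bob.Private)
	fmt.Printf("bob reads:    %q (err=%v)\n", pt, err)
	pt, err = VerifyAndOpen(msg, alice.Public, esc.Retained("bob"))
	fmt.Printf("escrow reads: %q (err=%v)\n", pt, err)
	_, err = VerifyAndOpen(msg, bob.Public, bob.Private) // wrong sender key
	fmt.Println("wrong sender key:", err)
}
```

The main function runs the message flow both ways: Bob opens the message with his own private key, and the escrow opens the same message with the copy it retained, which is exactly why a transparent system that hands key generation to a server trades the chicken-and-egg problem for a trust problem.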

Example SUS Survey
Choose from 1 (strongly disagree) to 5 (strongly agree).
1. I think that I would like to use this system frequently
2. I found the system unnecessarily complex
3. I thought the system was easy to use
4. I think that I would need the support of a technical person to be able to use this system
5. I found the various functions in this system were well integrated
6. I thought there was too much inconsistency in this system
7. I found the system very cumbersome to use
8. I would imagine that most people would learn to use this system very quickly
9. I felt very confident using the system
10. I needed to learn a lot of things before I could get going with this system
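The slides report SUS scores (72.23 for MP, 61.25 for Encipher.it) and the adjectives "acceptable" and "low marginal" without showing how the ten responses become a 0 to 100 score. The Go program below is an added worked example, not code from the presentation or the paper: it applies the standard SUS scoring rule (odd-numbered, positively worded items contribute response minus 1; even-numbered, negatively worded items contribute 5 minus response; the 0 to 40 total is multiplied by 2.5), averages per-participant scores the way a system's score is reported, and maps a score onto acceptability ranges. The range boundaries (below 50 not acceptable, 50 to 62.5 low marginal, 62.5 to 70 high marginal, 70 and above acceptable) are an assumption taken from the published SUS literature rather than from the slides; they agree with the two labels the slides assign. The sample responses are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// SUSScore converts one participant's ten 1..5 responses into a 0..100 score.
// Items 1,3,5,7,9 are positively worded and contribute (response - 1);
// items 2,4,6,8,10 are negatively worded and contribute (5 - response).
func SUSScore(responses []int) (float64, error) {
	if len(responses) != 10 {
		return 0, fmt.Errorf("SUS needs exactly 10 responses, got %d", len(responses))
	}
	sum := 0
	for i, r := range responses {
		if r < 1 || r > 5 {
			return 0, fmt.Errorf("item %d: response %d is outside 1..5", i+1, r)
		}
		if i%2 == 0 { // zero-based even index = odd-numbered (positive) item
			sum += r - 1
		} else {
			sum += 5 - r
		}
	}
	return float64(sum) * 2.5, nil
}

// MeanSUS averages the per-participant scores; a system's reported SUS score
// (such as 72.23 for MP on the slides) is this mean over the study's users.
func MeanSUS(participants [][]int) (float64, error) {
	if len(participants) == 0 {
		return 0, errors.New("no participants")
	}
	total := 0.0
	for i, r := range participants {
		s, err := SUSScore(r)
		if err != nil {
			return 0, fmt.Errorf("participant %d: %w", i+1, err)
		}
		total += s
	}
	return total / float64(len(participants)), nil
}

// Acceptability maps a score onto the adjective ranges used on the slides.
// Assumed boundaries (from the SUS literature, not from the presentation).
func Acceptability(score float64) string {
	switch {
	case score < 50:
		return "not acceptable"
	case score < 62.5:
		return "low marginal"
	case score < 70:
		return "high marginal"
	default:
		return "acceptable"
	}
}

func main() {
	// Constructed responses for two participants, not data from the study.
	study := [][]int{
		{4, 2, 5, 1, 4, 2, 3, 5, 4, 2}, // scores 70.0
		{3, 3, 3, 3, 3, 3, 3, 3, 3, 3}, // neutral on every item: 50.0
	}
	for i, r := range study {
		s, _ := SUSScore(r)
		fmt.Printf("participant %d: %.2f (%s)\n", i+1, s, Acceptability(s))
	}
	mean, _ := MeanSUS(study)
	fmt.Printf("system SUS: %.2f (%s)\n", mean, Acceptability(mean))
	for _, reported := range []float64{72.23, 61.25} { // the slides' MP and Encipher.it scores
		fmt.Printf("%.2f -> %s\n", reported, Acceptability(reported))
	}
}
```

The limitation noted earlier about the first SUS item ("I think that I would like to use this system frequently") is visible in the scoring: it is a positively worded item, so a lab participant who has no reason to use encrypted email often lowers the total by up to 10 points regardless of how usable the tool was.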