Biometrics and Usability June 8, 2009 Usability and Key Management Information Access Division Visualization and Usability Group Mary Theofanos.

Slides:

Advertisements

Similar presentations

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

Advertisements

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Microsoft ® Office 2007 Training Security II: Turn off the Message Bar and run code safely P J Human Resources Pte Ltd presents:

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Chapter 17: WEB COMPONENTS

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Lecture 23 Internet Authentication Applications

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

DESIGNING A PUBLIC KEY INFRASTRUCTURE

Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.

Mobile Credentials Ennio J. Carboni Product Manager, Keon PKI

Sentry: A Scalable Solution Margie Cashwell Senior Sales Engineer Sept 2000 Margie Cashwell Senior Sales Engineer

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

Secure Communications … or, the usability of PKI.

Online Security Tuesday April 8, 2003 Maxence Crossley.

Chapter 11: Active Directory Certificate Services

About PKI Key Stores Dartmouth College PKI Lab. Key Store Defined Protected “vault” to hold user’s private key with their copy of their x.509 certificate.

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.

S/MIME and PKI Dartmouth College PKI Lab. What Is S/MIME? RFC 2633 (S/MIME Version 3)RFC 2633 Extensions to MIME Uses PKI certificates, keys, and.

Cloud Usability Framework

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

TLS/SSL Review. Transport Layer Security A 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent.

Configuring Active Directory Certificate Services Lesson 13.

Masud Hasan Secure Project 1. Secure It uses Digital Certificate combined with S/MIME capable clients to digitally sign and.

Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.

Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.

Working with Applications Lesson 7. Objectives Administer Internet Explorer Secure Internet Explorer Configure Application Compatibility Configure Application.

IT:Network:Applications.  Single Key (Symmetric) encryption ◦ One “key” or passphrase used to encrypt and decrypt ◦ FAST – good for large amounts of.

PKI in Higher Education: Dartmouth PKI Lab Update Internet2 Virtual Meeting 5 October 2001.

Removing digital certificates from the end-user’s experience of grid environments Bruce Beckles University of Cambridge Computing Service.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.

Masud Hasan Secue VS Hushmail Project 2.

The Windows NT ® 5.0 Public Key Infrastructure Charlie Chase Program Manager Windows NT Security Microsoft Corporation.

Microsoft ® Office 2007 Training Security II: Turn off the Message Bar and run code safely presents:

References  Cranor & Garfinkel, Security and Usability, O’Reilly  Sasse & Flechais, “Usable Security: Why Do We Need It? How Do We Get It?”  McCracken.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

CN1176 Computer Support Kemtis Kunanuraksapong MSIS with Distinction MCT, MCTS, MCDST, MCP, A+

Unit 1: Protection and Security for Grid Computing Part 2

Configuring Directory Certificate Services Lesson 13.

Biometrics and Usability March 21, 2008 Poor Usability: The Inherent Insider Threat Information Access Division Visualization and Usability Group Mary.

Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.

Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.

Lecture 7 Page 1 CS 236 Online Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know The.

Maintaining Network Health. Active Directory Certificate Services Public Key Infrastructure (PKI) Provides assurance that you are communicating with the.

Kerberos. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open source or in supported commercial software.

PKI Activities at Virginia September 2000 Jim Jokl

Lecture 7 Page 1 CS 236, Spring 2008 Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know.

Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Operating Systems Proj.. Background A firewall is an information technology (IT) security device which is configured to permit, deny or proxy data connections.

Java Security Session 19. Java Security / 2 of 23 Objectives Discuss Java cryptography Explain the Java Security Model Discuss each of the components.

Security fundamentals Topic 5 Using a Public Key Infrastructure.

In Search of Usable Security: Five Lessons from the Field Presentation by 王志誠.

User Interface Requirement for the Internet X.509 PKI Jaeho Yoon (on behalf of Tae K. Choi) KOREA INFORMATION SECURITY AGENCY August 4, 2004.

Creating and Managing Digital Certificates Chapter Eleven.

1 Public Key Infrastructure Rocky K. C. Chang 6 March 2007.

Maryknoll Wireless Network Access Steps for Windows 7 As of Aug 20, 2012.

Windows Vista Configuration MCTS : Internet Explorer 7.0.

TAG Presentation 18th May 2004 Paul Butler

Challenge/Response Authentication

Key management issues in PGP

Usability and Key Management

TAG Presentation 18th May 2004 Paul Butler

Digital Signatures A digital signature is a protocol that produces the same effect as a real signature: It is a mark that only the sender can make but.

Product Manager, Keon PKI

Install AD Certificate Services

Instructor Materials Chapter 5: Ensuring Integrity

Presentation transcript:

Biometrics and Usability June 8, 2009 Usability and Key Management Information Access Division Visualization and Usability Group Mary Theofanos

2 Biometrics and Usability 2

3 3 What makes it so hard?  “Too many engineers consider cryptography to be a sort of magic security dust that they can sprinkle over their hardware or software,[ …]”  “Book after book explained cryptography as a pure mathematical ideal, unsullied by real- world constraints and realities.”  But it’s exactly the real-world constraints and realities that mean the difference between the promise of cryptographic magic and the reality of digital security. ” Ferguson & Schneier in Practical Cryptography (2003)

4 Biometrics and Usability 4 A Reality Check: PKI Deployment for an Enterprise Wireless Network Palo Alto Research Center (PARC)  Idea was to give 200 users an X.509 certificate and to use 802.1x Extensible Authentication Protocol in TLS mode to authenticate to the wireless network ◦ Request and retrieve certificates through web- based interface ◦ Configure through GUI-based 802.1x configuration software ◦ Administrators provided set of detailed instructions

5 Biometrics and Usability 5 And the result Studied 8 users (Ph.D.s in Computer Science):  Process involved 38 distinct steps  Average time to request, receive certificate, and configure system 140 minutes  Almost all followed the instructions mechanically  Many described enrollment as most difficult computer task ever been asked to do  All had little idea of what they had done to their machines  Reduced their ability to configure and maintain their own machines.

6 Biometrics and Usability 6 One of those real-world realities is the Human Computer Interaction Thus the need for Usability ISO defines usability as: “the extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use”

7 Biometrics and Usability 7 First Tenet: Know Thy User  Users’ characteristics: abilities and disabilities (accessibility)  Users are task driven ◦ Security is not their primary task  Users will bypass security when it gets in the way of their primary task  User perception influences behavior ◦ Impossible demands ◦ Need-value-benefit ◦ Complexity ◦ Lose respect for security  Users’ understanding of security is weak

8 Biometrics and Usability 8 Mismatch in Conceptual Model  Keys lock and unlock things ◦ “keys” don’t sign things ◦ “Keys” don’t authenticate things ◦ Public and private keys – keys don’t generally work together (half a secret)  Encryption is for secrets  “Signature” indicates that it came from me  What does certificate have to do with identity? In general terms are misleading and overloaded

9 Biometrics and Usability 9 If I’m an end-user here’s what I want to know:  What problem are we trying to solve?  What value/benefit does it provide to me?  How does it make my life easier?  Is it going to get in the way of getting my job done? – and how often? Remember: Computer Security is not the user’s primary goal!

10 Biometrics and Usability 10 Remember PARC Case Study Usable PKI Deployment for Wireless Network  Automated PKI and CA setup  Enrollment Station is locked in room ◦ Intuitive trust model ◦ User and user’s badge ◦ Context of use  Studies shows take 1minute 39 secs  Total of 4 steps to add new device, retrieve certificate and install for use with the wireless network  Positive user satisfaction and confidence

11 Biometrics and Usability 11 Systems are too complex Let’s examine certificates:  “Acquiring a certificate is the single biggest hurdle faced by users” (Gutmann, Plug and Play PKI, 12 th USENIX Security Symposium, 2003), Garfinkel & Miller Johnny )  UK eScience (Grid) Program, users complained about effort involved in obtaining and complexity of using certificates ◦ Had to be stored in correct application directory ◦ Many shared the certificate on that one machine ◦ This important file was difficult to recognize  We have conditioned users to ignore certificate messages and pop-ups

12 Biometrics and Usability 12 Do we really expect users to know all this? 1. How to import a trust anchor. 2. How to import a certificate. 3. How to protect your privates (private keys, that is). 4. How to apply for a certificate in your environment. 5. Why you shouldn't ignore PKI warnings. 6. How to interpret PKI error messages. 7. How to turn on digital signing. 8. How to install someone's public key in your address book. 9. How to get someone's public key. 10. How to export a certificate.

13 Biometrics and Usability 13 And a few more: 11. Risks of changing encryption keys. 12. How to interpret security icons in sundry browsers. 13. How to turn on encryption. 14. The difference between digital signatures and.signature files. 15. What happens if a key is revoked. 16. What does the little padlock really mean. 17. What does it mean to check the three boxes in Netscape/Mozilla? 18. What does "untrusted CA' mean in Netscape/Mozilla? 19. How to move and install certificates and private keys

14 Biometrics and Usability 14 The list for Developers and Administrators: 1. What does the little padlock really mean. 2. How to properly configure mod_ssl. 3. How to move and install certificates and private keys. 4. What.pem,.cer,.crt,.der,.p12,.p7s,.p7c,.p7m, etc mean. 5. How to reformat PKI files. 6. How to enable client authentication during mod_ssl configuration, 7. How to dump BER formatted ASN.1 stuff. 8. How to manually follow a certificate chain. 9. The risks of configuring SSL stuff such that it automatically starts during reboot. 10. How to extract certificates from PKCS7 files, etc

15 Biometrics and Usability 15 And a few more: 11. How to make PKCS12 files. 12. How to use the OpenSSL utilities. 13. What happens if a key is revoked.

16 Biometrics and Usability 16 Usability is more than the User Interface 1. Adopt mantra: Make it easy for users to do the right thing!  Definition of usability: users, goals, context of use 2. Align to the users conceptual model  Defining some of the terms on the interface differently 3. Reduce the complexity for the user 4. Address the certificate pop-ups 5. Eliminate those factors which inhibit adoption of new technologies and encourage those that factors that promote adoption

17 Biometrics and Usability 17 Shouldn’t usability of key management be an oxymoron?

18 Biometrics and Usability 18 References  M. A. Sasse (2006): Has Johnny learnt to encrypt by now? Examining the troubled relationship between a security solution and its users. 5 th Annual PKI R&D Workshop 2006  N. Ferguson & B. Schneier (2003): Practical Cryptography. Wiley.  P. Gutmann (2003)Plug-and-Play: A PKI your Mother can Use. Procs. 12 th USENIX Security Symposium.  S. Garfinkel & R.C. Miller (2005): Johnny 2: A user test key continuity with S/MIME and Outlook Express. Procs. SOUPS  B. Leuf (2002): Peer to Peer: Collaboration and Sharing over the Internet. Addison-Wesley.  D. Balfanz, G. Durfee, & D. K. Smetters (2005): Making the Impossible Easy: Usable PKI. Security and Usability. Eds. L.F. Cranor & S. Garfinkel. O’Reilly.