Giving Johnny the Keys

Alma Whitten
Google, Inc.
The design goal
Software that enables email users to:
– trade keys when necessary
– encrypt with the correct keys
– use digital signatures meaningfully
– authenticate keys appropriately
– use key signing to authenticate keys
Two design techniques, bracketed against these goals on the slide: new visual metaphors, and safe staging
What’s staging?
• Design for the user to gradually progress to increasingly sophisticated modes of use
• Original: Carroll’s training wheels interface
– Word processor implementation
– Initial stage with error-prone functions walled off
– Users learned much faster
– Not realistic for consumer software
What’s a stage?
A stage is safe if we immediately convey:
– Which actions are risky
– What the risks are
– A temporary way to avoid the risks
– How to learn to use better security (next stage)
Lime has 3 stages
1) No security
2) Weak security (socially authenticated keys)
3) Strong security (signed keys)
User testing overview
• Preliminary paper test of staging technique
– 1 staged, 2 unstaged variants
• Full user test with software implementation
– Weak security scenario
– Strong security scenario (like PGP user test)
– Scenario to test signature metaphors
Test participants
• ~10 per variant for paper test
• 12 for software test
• Wide variety: age, background, gender
• Paid $10/hour for participation
• Prescreened
– Experienced at using email
– Unfamiliar with public key cryptography
Paper presentation sample
YOUR ELECTRONIC MAIL SECURITY SOFTWARE
Security functions
Your electronic mail security software provides functions for protecting your mail messages against
unauthorized reading (eavesdropping) and unauthorized modification (tampering or forgery).
To protect a message against unauthorized reading, use the make-unreadable function on it. Then an
authorized person will need to use the matching make-readable function in order to read the message,
and no-one else will be able to read it at all.
To protect a message against unauthorized modification, including forgery, use the make-tamperproof
function on it. People who view the message will then be able to use the matching check-tamperproofing
function to see who tamperproofed the message and to verify that no later modification has occurred.
Each of these four functions must be used with a security token.
Staging variation
The simplest way to trade public tokens is usually to send them in mail messages or put them up on
personal web pages for downloading. The risk is that an attacker could set up a fake web page or
forge an email message so that it appears to be from someone you know. For basic security, protect
yourself against these kinds of tricks by asking common sense questions. Have you been to this
person’s web page before, and is it at a web address you know that person uses? Does the message
with the token in it sound like that person, and mention things that person would know? Does it come
from an email address that you know that person uses? Likewise, when you send your public token to
other people, include a note that will help them be sure the message came from you.
This level of security is enough to protect your messages against random eavesdropping and simple
forgery, and against attackers who are looking for general vulnerabilities and have no reason to work
hard to target your messages in particular. If your messages contain very sensitive or valuable data, or
if you have some other reason to think an attacker might want to single you out as a target, then you
should consider a stronger level of security. You may also need to use the stronger level if you do not
know the other person well enough for the common sense questions to be useful.
Sample question
You have started a small company, with about 30 employees, which is busy developing a new product line, the details of
which must be kept secret from the public and from your competitors. Your employees all need to communicate regularly
with each other by email to keep each other up to date on the product strategy and progress. You are hiring additional
people at the rate of one or two per week, and the new people need to be integrated into the email communications as
quickly as possible.
(17) Would you, in real life, think it was worth putting in some extra time to make these messages secure, rather than
simply relying on regular email? If yes, how much extra time (in seconds, minutes, hours, or days) would you think it was
worth?
(18) If you answered “yes” to question 17, then can you tell, from the software description you were given, which tokens
and which functions you and your employees would each need to use? If yes, please list them.
(19) If you answered “yes” to question 17, then can you tell, from the software description you were given, what steps you
and your employees would each need to take to get those tokens at an appropriate level of security? If yes, please list
them.
(20) Are there any comments you would like to make?
Key signing success criteria
If (B), then did the participant, for any of the scenarios, describe the use of key signing as
a method for verifying identity, including both of the following:
a) The participation of a trusted third party whose token the verifier already
possesses.
b) That the trusted third party can attest to the ownership of another person’s
token by using their own token to do make-tamperproof on that person’s
token (they must mention make-tamperproof – saying the third party will
send it “securely” doesn’t count).
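As an added illustration of Lime’s three stages and of the key signing criterion above (example code written for this page, not Lime’s own implementation): a Go model that classifies a correspondent’s stored token into stage 1, 2 or 3, where a third party’s make-tamperproof over the token only counts when the verifier already holds that third party’s token. The names KeyEntry, Certify and Stage are assumptions, and Ed25519 stands in for whatever signature scheme Lime used.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)
// Lime's stages as on the slide: 1 no security, 2 weak (socially authenticated token),
// 3 strong (token certified, i.e. made tamperproof, by a trusted third party).
const NoSecurity, WeakSecurity, StrongSecurity = 1, 2, 3
// KeyEntry is one correspondent in the user's key store (hypothetical layout); CertBy/CertSig hold a third party's make-tamperproof over (Owner, Key), if any.
type KeyEntry struct {
	Owner          string
	Key            ed25519.PublicKey
	SociallyVetted bool // the user answered the common sense questions for this token
	CertBy         ed25519.PublicKey
	CertSig        []byte
}
// certMessage binds the owner name to the token, so a certification cannot be moved to another key.
func certMessage(owner string, key ed25519.PublicKey) []byte {
	return append([]byte(owner+"\x00"), key...)
}
// Certify is the trusted third party's action: make-tamperproof on another person's token.
func Certify(tp ed25519.PrivateKey, e *KeyEntry) {
	e.CertBy = tp.Public().(ed25519.PublicKey)
	e.CertSig = ed25519.Sign(tp, certMessage(e.Owner, e.Key))
}
// Stage is the strongest stage the token supports; only a certification by a third party whose token the verifier already holds (trusted) reaches stage 3.
func Stage(e *KeyEntry, trusted []ed25519.PublicKey) int {
	if e == nil || len(e.Key) != ed25519.PublicKeySize {
		return NoSecurity
	}
	for _, t := range trusted {
		if t.Equal(e.CertBy) && ed25519.Verify(t, certMessage(e.Owner, e.Key), e.CertSig) {
			return StrongSecurity
		}
	}
	if e.SociallyVetted {
		return WeakSecurity
	}
	return NoSecurity
}

func main() { // constructed scenario: Maria certifies Ben's token; the user already holds Maria's
	mariaPub, mariaPriv, _ := ed25519.GenerateKey(rand.Reader)
	benPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ben := &KeyEntry{Owner: "daws@camp2002.org", Key: benPub, SociallyVetted: true}
	fmt.Println("before:", Stage(ben, []ed25519.PublicKey{mariaPub})) // 2
	Certify(mariaPriv, ben)
	fmt.Println("after:", Stage(ben, []ed25519.PublicKey{mariaPub})) // 3
}
```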
Staging comparison results
[Chart: participants who correctly described key signing (success vs. failure), shown as a percentage from 0% to 100%, for Lime (staged), PGP (unstaged) and SSL (unstaged).]
User test first scenario
Lime Secure Electronic Mail Test: Scenario #1
For the first part of this test, please imagine that you have been seeing articles in the news about how
insecure email is, and that you have become curious about software products that offer to protect your
privacy on-line. You have acquired a copy of Lime, which is a free software program that is supposed to
protect your email, and you want to try it out.
You decide to try sending secure email to your friend Steve. You and Steve have been friends ever since
you were kids, and you have fond memories of assembling giant rock collections together when you were
ten. You get along really well with his wife Laura, too, although there was a tense moment when you
broke one of her favorite wine glasses. Steve works for an advertising agency these days, and you usually
use his address there when you email him: steve@highconcept.com.
You have a copy of Lime on your computer. Please use it to send a private, unforgeable email message to
Steve. You will need to do some set-up, and you may also receive email that you need to respond to. The
test monitor will let you know when the scenario ends.
User test second scenario
Lime Secure Electronic Mail Test: Scenario #2
For the second part of this test, please imagine that you have decided to do volunteer work for a political campaign. The
campaign manager, Maria Simmons, has given you the job of campaign coordinator. It is your responsibility to keep the
campaign team members up to date on all aspects of the campaign plan.
You will use Lime to communicate with the campaign team members by email. It is very important that no information
about the campaign plan gets leaked to the media or to the opposing campaigns. You will therefore need to be very careful
to make sure that all your email messages are as private and unforgeable as you can make them.
You have a floppy disk that Maria gave you with her public key on it, and you gave Maria your public key on a floppy disk
at the same time. Maria also gave you a printed memo that contains the first campaign plan update.
The campaign team members are:
Ben Dawson (daws@camp2002.org)
Judy Rivera (judy@camp2002.org)
Sam Tyler (samt@camp2002.org)
Maria Simmons (manager@camp2002.org)
Please send the update information to all of the campaign team members in a private, unforgeable email. When you have
done that, follow the directions in any email you receive from a campaign team member. The test monitor will let you
know when the scenario ends.
User test results for basic tasks
[Chart: number of participants (0 to 12) with success, failure or n/a for key trading, encryption and basic signing.]
User test results for key signing
[Chart: number of participants (0 to 12) with success, failure, unclear or n/a for: got own key certified; required certified keys (1st chance); required certified keys (2nd chance).]
Conclusions
• It works
– Minimal trouble with basic crypto use
– Reasonable understanding of key signing!
– People liked it (eventually)
• Room for improvement
– Wizards, error messages, context help…
– Some standard usability bugs
– Make a real version, set it free (future work!)