Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0

Presentation transcript:

Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0
Alma Whitten and J.D. Tygar, Usenix Sec’99
Slide sources: some of the slides are borrowed from Jeremy Hyland and Yongdae Kim, with additions

Alma Whitten

Why Johnny can’t encrypt?
- PGP 5.0
  - Pretty Good Privacy
  - Software for encrypting and signing data
  - Plug-in provides “easy” use with email clients
  - Modern GUI, well designed by most standards
- Usability Evaluation following their definition
  - If an average user of email feels the need for privacy and authentication, and acquires PGP with that purpose in mind, will PGP's current design allow that person to realize what needs to be done, figure out how to do it, and avoid dangerous errors, without becoming so frustrated that he or she decides to give up on using PGP after all?
- More than 90% of security problems are user problems

Defining Usable Security Software
Security software is usable if the people who are expected to use it:
- are reliably made aware of the security tasks they need to perform
- are able to figure out how to successfully perform those tasks
- don't make dangerous errors
- are sufficiently comfortable with the interface to continue using it

Why is usable security hard?
- The unmotivated users
  - “Security is usually a secondary goal”
- Policy Abstraction
  - Programmers understand the representation but normal users have no background knowledge.
- The lack of feedback
  - We can’t predict every situation.
- The proverbial “barn door”
  - Need to focus on error prevention.
- The weakest link
  - Attacker only needs to find one vulnerability

Usability Evaluation Methods
- Cognitive walk through
  - Mentally step through the software as if we were a new user.
  - Attempt to identify the usability pitfalls.
  - Focus on interface learnability.
- Results

Cognitive Walk Through Results
- Irreversible actions
  - Need to prevent costly errors
- Consistency
  - Status message: “Encoding”?!?
- Too much information
  - More unneeded confusion
  - Show the basic information, make more advanced information available only when needed.

User Test
- PGP 5.0 with Eudora
- 12 participants, all with at least some college and none with advanced knowledge of encryption
- Participants were given a scenario with tasks to complete within 90 min
- Tasks built on each other
- Participants could ask some questions through email

User Test Results
- 3 users accidentally sent the message in clear text
- 7 users used their public key to encrypt and only 2 of the 7 figured out how to correct the problem
- Only 2 users were able to decrypt without problems
- Only 1 user figured out how to deal with RSA keys correctly.
- A total of 3 users were able to successfully complete the basic process of sending and receiving encrypted emails.
- One user was not able to encrypt at all
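
A pre-send guard aimed at the two most frequent failures above (mail sent in clear text, and mail encrypted with the sender's own key), as an added example that is not from the paper, the slides or PGP. The function name, its parameters and the addresses are hypothetical, and recognising ciphertext by its ASCII-armor header is a simplification.

```python
ARMOR_HEADER = "-----BEGIN PGP MESSAGE-----"  # first line of an ASCII-armored OpenPGP message

# Constructed sample body (placeholder, not real ciphertext and not study data).
CIPHERTEXT = ARMOR_HEADER + "\n\n(constructed placeholder)\n-----END PGP MESSAGE-----\n"


def presend_errors(sender, recipients, body, encrypt_requested, encrypted_to):
    """Return blocking errors for an outgoing mail; an empty list means safe to send.

    Hypothetical model of a mail client hook, not a real client API:
      sender, recipients -- e-mail addresses
      encrypt_requested  -- the user asked for this message to be protected
      encrypted_to       -- owners of the public keys the body was encrypted with
    """
    errors = []
    is_ciphertext = body.lstrip().startswith(ARMOR_HEADER)

    # Failure 1: the message would leave in clear text although the user
    # meant to encrypt it. Sending is irreversible, so block here.
    if encrypt_requested and not is_ciphertext:
        errors.append("cleartext: encryption was requested but the body is not encrypted")
        return errors

    if is_ciphertext:
        key_owners = set(encrypted_to)
        # Failure 2: the body was encrypted only with the sender's own
        # public key, so nobody else can decrypt it.
        if key_owners and key_owners <= {sender}:
            errors.append("own-key: encrypted only to the sender's own public key")
        # Every recipient whose key was not used cannot read the message.
        for rcpt in recipients:
            if rcpt not in key_owners:
                errors.append(f"unreadable: no key for {rcpt} was used")
    return errors


if __name__ == "__main__":
    johnny, alice = "johnny@example.org", "alice@example.org"  # constructed addresses
    print(presend_errors(johnny, [alice], "meet at noon", True, []))
    print(presend_errors(johnny, [alice], CIPHERTEXT, True, [johnny]))
    print(presend_errors(johnny, [alice], CIPHERTEXT, True, [alice]))
```

Returning the errors before the send step, rather than reporting them afterwards, is the error-prevention point of the "barn door" slide: neither mistake can be undone once the mail has left.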

Conclusion
- Reminder
  - If an average user of email feels the need for privacy and authentication, and acquires PGP with that purpose in mind, will PGP's current design allow that person to realize what needs to be done, figure out how to do it, and avoid dangerous errors, without becoming so frustrated that he or she decides to give up on using PGP after all?
- Is this a failure in the design of the PGP 5.0 interface or is it a function of the problem of traditional usable design vs. design for usable secure systems?
- Omitted content
  - What other issues?
  - What kind of similar security issues?
  - What do we learn from this paper?

Discussion
- Usable security is not limited to software
- Generally, the usability of embedded devices is not good
  - Low-quality display -> poor feedback
  - Analog interface -> complex
  - -> Usable security is even more lacking!
- Why (Special Agent) Johnny (Still) Can’t Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System
  - Encrypted Mode / Clear Mode

Web Browser Security User Interfaces
- Why have these browsers made changes?

Tradeoff between usability and security
- Secure, difficult to use <-> Easy to use, insecure
  - Where is the best position?
- Security Theater?
  - The practice of investing in countermeasures intended to provide the feeling of improved security while doing little or nothing to actually achieve it

Conclusion
- Design user interface considering usable security
- Select a proper security protocol depending on application
  - Financial apps need high-level security