Easy PGP Rick Carback, Emily Fetchko, Bryan Pass University of Maryland, Baltimore County 11-30-2005.

Slides:

Advertisements

Similar presentations

Members: Twinkle Agarwal Anjana Bhirde Ravi Madaiah David Hodgson Instructor: Dr. Perez Davila Mentor: Mr. Todd Guillory.

Advertisements

With your instructor, Jeremy Hyland

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

Caleb Stepanian, Cindy Rogers, Nilesh Patel

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

6/3/2015topic1 Web Security Qiang Yang Simon Fraser University Thanks: Francis Lau (HKU)

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

Lesson 7: Business, , & Personal Information Management

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CSCI 530L Public Key Infrastructure. Who are we talking to? Problem: We receive an . How do we know who it’s from? address Can be spoofed.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

Quality Assurance CS 615. Mission Statement The Quality Assurance team will provide assurance to stakeholders in CS-615/616 projects that their projects.

User studies. Why user studies? How do we know security and privacy solutions are really usable? Have to observe users! –you may be surprised by what.

Computer Science 101 Web Access to Databases Overview of Web Access to Databases.

June is an easy way to communicate. It costs nothing to send an , but it does require a connection to the Internet. You can.

Remote Assistance  Using this program you can allow someone to work on your computer, chat with you and view your screen with your permission  The other.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/

Security SIG August 19, 2010 Justin C. Klein Keane

Why Johnny Can’t Encrypt A Usability Evaluation of GPG 5.0 Presented by Yin Shi.

Introduction to VBA. This is not Introduction to Excel We’re going to assume you have a basic level of familiarity with Excel If you don’t, or you need.

Masud Hasan Secure Project 1. Secure It uses Digital Certificate combined with S/MIME capable clients to digitally sign and.

Chapter 9 Collecting Data with Forms. A form on a web page consists of form objects such as text boxes or radio buttons into which users type information.

PROBLEM STATEMENT: Our research seeks to understand the current usability situation of files and encryption software. Particularly we focus in Gnupg4win.

Computer Concepts 2014 Chapter 7 The Web and .

Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.

Secure r How do you do it? m Need to worry about sniffing, modifying, end- user masquerading, replaying. m If sender and receiver have shared secret.

Back to content Final Presentation Mr. Phay Sok Thea, class “2B”, group 3, Networking Topic: Mail Client “Outlook Express” *At the end of the presentation.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Securing Data at the Application Layer Planning Authenticity and Integrity of Transmitted Data Planning Encryption of Transmitted Data.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.

Masud Hasan Secue VS Hushmail Project 2.

Usability Studies Encryption Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech.

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Chapter 6 Electronic Mail Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI 1.

Feedback #2 (under assignments) Lecture Code:

CSC-682 Advanced Computer Security Analyzing Websites for User-Visible Security Design Flaws Pompi Rotaru Based on an article by : Laura Falk, Atul Prakash,

 Whether using paper forms or forms on the web, forms are used for gathering information. User enter information into designated areas, or fields. Forms.

NDSU Lunchbytes "Are They Really Who They Say They Are?" Digital or Electronic Signature Information Rick Johnson, Theresa Semmens, Lorna Olsen April 24,

Forms and Server Side Includes. What are Forms? Forms are used to get user input We’ve all used them before. For example, ever had to sign up for courses.

Internet Security. 2 PGP is a security technology which allows us to send that is authenticated and/or encrypted. Authentication confirms the identity.

Microsoft Office XP Illustrated Introductory, Enhanced Started with Outlook 2002 Getting.

Confused Johnny WHEN AUTOMATIC ENCRYPTION LEADS TO CONFUSION AND MISTAKES Scott Ruoti, Nathan Kim, Ben Burgon, Tim van der Horst, Kent Seamons Internet.

API Crash Course CWU Startup Club. OUTLINE What is an API? Why are API’s useful? What is HTTP? JSON? XML? What is a RESTful API? How do we consume an.

Securing Passwords Against Dictionary Attacks Presented By Chad Frommeyer.

Security Using PGP - Prajakta Bahekar. Importance of Security is one of the most widely used network service on Computer Currently .

1 of 4 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2006 Microsoft Corporation.

© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.

Security SIG August 19, 2010 Justin C. Klein Keane

2/19/2016clicktechsolution.com Security. 2/19/2016clicktechsolution.com Threats Threats to the security of itself –Loss of confidentiality.

Chapter 9 Sending and Attachments. Sending and Attachments FAQs: – How does work? – How do I use local ? – How do I use Web-based.

Secure Transactions Chapter 17. The user's machine No control over security of user's machine –Might be in very insecure: library, school, &c. Users disable.

START Application Spencer Johnson Jonathan Barella Cohner Marker.

Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0

Key management issues in PGP

Web Applications Security Cryptography 1

GnuPG The GNU Privacy Guard

BY GAWARE S.R. DEPT.OF COMP.SCI

What is Cookie? Cookie is small information stored in text file on user’s hard drive by web server. This information is later used by web browser to retrieve.

Exercise 8: Securing Pretty Good Privacy

Presentation transcript:

Easy PGP Rick Carback, Emily Fetchko, Bryan Pass University of Maryland, Baltimore County

Easy PGP More users were: Able to complete given tasks correctly Willing to use our extension in the future Inability to make dangerous errors

Overview Motivation New and Significant Related Work Making Easy PGP Survey Survey Results Issues Tradeoffs and Limitations Easy PGP Vision/Future Work Conclusions

Motivation Keys are hard to create and manage Average user Unlikely to understand purpose of keys May not make appropriate decisions not People do not like following directions “Blinking 12:00” “Terms and Conditions” Rebates & Product Registration

Encryption is a pain to get working!

Should it really be this hard? Put yourself in a User’s shoes… What is a Digital ID? Shouldn’t I have one through hotmail or msn already? Why does my recipient need one? Software was current (all patches applied) Shouldn’t they have fixed this if people actually used it? How many people regularly use encryption? Only 3 (of 20), ever, in our study 1 continues to use it Clearly it is too much hassle for its benefits!

New and Significant “ Encryption your grandma can use!” Idea of encryption as a web service “Will people use this?” Vs. “How well can people use this?” Secure, seamless key generation and management system Completely transparent to user

Related Work - Lessons Learned Private Keys Aren’t User’s typically copy them whenever and wherever needed Especially if paid for Options for insecurity Left as an exercise for the user Random Data?

Related Work - Why Johnny Can’t Encrypt Tested PGP 5.0 Considered the best UI out there 1 of 12 used it correctly Most would not use it on their own. Definition: Usable Security Software Required tasks are known Tasks can be done No dangerous errors Continued use

Related Work - Johnny 2 Key management BIG problem in usability Simulated Key Continuity Management running a test similar to Johnny Better task comprehension Uncovered trust issues Did Not: Say if users would use it Have a working prototype

Related Work - Verisign Provides Keys Need to follow directions Key server Requires user to point to it Local key management still a pain to set up and use What about keys that are not from Verisign? User is still unlikely to understand the purpose of keys We do not think they need to know

Related Work - STU III “Push Button Security” for Phone Exactly what we want for We envision extending Easy PGP Interoperability with existing key servers Web service so users can set their options and send from anywhere

Related Work - Enigmail PGP Extension for Thunderbird (aka Sunbird/Firebird, based off of Mozilla/Netscape Communicator) Front-end for GPG Used as base for and tested against Easy PGP

Problems with Enigmail Encourages bad decisions Too many options Why can’t We use our password by default? A key be generated in the background? With most secure options chosen by default

Making Easy PGP Extension Communicates with PHP script Script is an interface to GPG (OpenPGP) Just like Enigmail Keys stored at server Encryption happens at server

Building the Extension Extension built in XUL - a scripting language for mozilla Not as robust as advertised Combines XML, javascript, and CSS Has a large learning curve associated with it Two interfaces Message Composing Message Displaying

Message Composer

Message Display

Code to send message var cmdStr = " + action + "&"; cmdStr += "sender=" + gCurrentIdentity. + "&"; cmdStr += "receiver="; cmdStr += getBasicRecipient s(gMsgCompose.compFields.to); cmdStr += "&message="; var editor = GetCurrentEditor(); gEzPgpPageReq = new XMLHttpRequest(); cmdStr += ezPgpSendableMessage(editor.rootElement.innerHTML); gEzPgpPageReq.open("GET", cmdStr, false); editor.rootElement.innerHTML = ""; gEzPgpPageReq.send(null); editor.insertText(gEzPgpPageReq.responseText);

Header Element Example <overlay xmlns:rdf=" xmlns="

Button CSS Example toolbarbutton#easypgpencrypt-button { list-style-image: url("chrome://messenger/skin/messengercompose/compose- toolbar.png"); -moz-image-region: rect(0px 120px 24px 96px); } toolbarbutton#easypgpsign-button { list-style-image: url("chrome://messenger/skin/icons/mail- toolbar.png"); -moz-image-region: rect(0px 48px 24px 24px); }

PHP Script case 'encrypt': exec( "gpg --homedir $GPG_HOME --no-tty -- encrypt -a -r $receiver -o $outfile $infile 2>&1",$output,$ret ); break; case 'decrypt': exec( "echo \"defaultpassword\" | gpg --homedir $GPG_HOME --no-tty --passphrase-fd 0 --decrypt -u $receiver -o $outfile $infile 2>&1",$output,$ret ); break;

Survey Four Parts Pre-Questionnaire Disclaimer Directions Post-Questionnaire Notes were taken during every trial Approx. completion time for each step Things users had trouble with Other Comments

Survey Results Correct Identification Enigmail: 90% EasyPGP: 97% Ease of Use:

Survey Results (cont.) Avg Time to Complete (minutes): Enigmail: 11.9,  = EasyPGP: 3.5,  =.806 Continued Use: Enigmail: 2.7,  =.781 EasyPGP: 3.6,  =.663

Issues Is https secure enough? Keys are no longer private if http server compromised Only message contents in transit affected if SSL is vulnerable Will it scale? Inter-server communication Trust issues are more prevalent here No user verification, yet

Tradeoffs and Limitations Must unconditionally trust server User choice is limited to what we choose Service depends on network connectivity DoS Centralization makes encryption server a target Security and Integrity of system must be maintained Account hijacking

Easy PGP Vision/Future Work Web Service Spread by users “Want to read this message? Click here!” “Invite a friend!” Funded by Advertisement (Google, Yahoo, Hotmail, etc). More options for advanced users Preferred algorithm, multiple key levels, etc. Trust levels Identity Verification User as untrusted until identity can be verified in some way Post card to listed address Public Records Lookup Could be a “premium service”

Conclusions All encryption can be made easier Not just PGP Interface is not the issue Setup and maintenance are! Security as a Web Service

References Lessons Learned in Implementing and Deploying Crypto Software, Peter Gutmann, USENIX Security ‘02 Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0, A. Whitten and J. D. Tygar Johnny 2: A User Test of Key Continuity Management with S/MIME and Outlook Express, S. Garfinkel and R. Miller