Presentation is loading. Please wait.

Presentation is loading. Please wait.

Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0

Published byAnis Ginger Walton Modified over 6 years ago

Similar presentations

Presentation on theme: "Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0"— Presentation transcript:

1 Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0
Alma Whitten and J.D. Tygar Usenix Sec’99 슬라이드 출처 Some of the Slides borrowed from Jeremy Hyland, Yongdae Kim 추가

2 Alma Whitten

3 Why Johnny can’t encrypt?
PGP 5.0 Pretty Good Privacy Software for encrypting and signing data Plug-in provides “easy” use with clients Modern GUI, well designed by most standards Usability Evaluation following their definition If an average user of feels the need for privacy and authentication, and acquires PGP with that purpose in mind, will PGP's current design allow that person to realize what needs to be done, figure out how to do it, and avoid dangerous errors, without becoming so frustrated that he or she decides to give up on using PGP after all? 보안의 문제 90% 이상이 사용자 문제

4 Defining Usable Security Software
Security software is usable if the people who are expected to use it: are reliably made aware of the security tasks they need to perform. are able to figure out how to successfully perform those tasks don't make dangerous errors are sufficiently comfortable with the interface to continue using it.

5 Why is usable security hard?
The unmotivated users “Security is usually a secondary goal” Policy Abstraction Programmers understand the representation but normal users have no background knowledge. The lack of feedback We can’t predict every situation. The proverbial “barn door” Need to focus on error prevention. The weakest link Attacker only needs to find one vulnerability

6 Usability Evaluation Methods
Cognitive walk through Mentally step through the software as if we were a new user. Attempt to identify the usability pitfalls. Focus on interface learnablity. Results

7 Cognitive Walk Through Results
Irreversible actions Need to prevent costly errors Consistency Status message: “Encoding”?!? Too much information More unneeded confusion Show the basic information, make more advanced information available only when needed.

8 User Test User Test PGP 5.0 with Eudora
12 participants all with at least some college and none with advanced knowledge of encryption Participants were given a scenario with tasks to complete within 90 min Tasks built on each other Participants could ask some questions through

9 User Test Results 3 users accidentally sent the message in clear text
7 users used their public key to encrypt and only 2 of the 7 figured out how to correct the problem Only 2 users were able to decrypt without problems Only 1 user figured out how to deal with RSA keys correctly. A total of 3 users were able to successfully complete the basic process of sending and receiving encrypted s. One user was not able to encrypt at all

10 Conclusion Reminder If an average user of feels the need for privacy and authentication, and acquires PGP with that purpose in mind, will PGP's current design allow that person to realize what needs to be done, figure out how to do it, and avoid dangerous errors, without becoming so frustrated that he or she decides to give up on using PGP after all? Is this a failure in the design of the PGP 5.0 interface or is it a function of the problem of traditional usable design vs. design for usable secure systems? 자른 내용 What other issues? What kind of similar security issues? What do we learn from this paper?

11 Discussion Usable security is not constrained in software
Generally, embedded device’s usability is not good Low quality display -> Not good feedback Analog interface -> Complex -> Usable security is more insufficient! Why (Special Agent) Johnny (Still) Can’t Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System Encrypted Mode Clear Mode

12 Web Browser Security User Interfaces
Why these browsers have made changes?

13 Tradeoff between usability and security
Secure Difficult to use Where is the best position? Easy to use Insecure Security Theater? The practice of investing in countermeasures intended to provide the feeling of improved security while doing little or nothing to actually achieve it

14 Conclusion Design user interface considering usable security
Select a proper security protocol depending on application Financial apps need high-level security

Download ppt "Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0"

Similar presentations

Page 1 of 14 To the Voltage Online Training Course Voltage email encryption is used to protect sensitive and personal information sent via email to external.

Page 1 of 14 To the Voltage Online Training Course Voltage encryption is used to protect sensitive and personal information sent via to external.
With your instructor, Jeremy Hyland

With your instructor, Jeremy Hyland
Caleb Stepanian, Cindy Rogers, Nilesh Patel

Caleb Stepanian, Cindy Rogers, Nilesh Patel
Users vs. security Cyberdefence seminar, Tallinn Technical University Maksim Afanasjev, 2011.

Users vs. security Cyberdefence seminar, Tallinn Technical University Maksim Afanasjev, 2011.
Usable Security (Part 1 – Oct. 30/07) Dr. Kirstie Hawkey Content primarily from Teaching Usable Privacy and Security: A guide for instructors (http://cups.cs.cmu.edu/course-guide/)

Usable Security (Part 1 – Oct. 30/07) Dr. Kirstie Hawkey Content primarily from Teaching Usable Privacy and Security: A guide for instructors (
Zero effort security for the home PC users? By Terje Risa.

Zero effort security for the home PC users? By Terje Risa.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Designing for security and privacy. Agenda Tests Tests Project questions? Project questions? Design lecture Design lecture Assignments Assignments.

Designing for security and privacy. Agenda Tests Tests Project questions? Project questions? Design lecture Design lecture Assignments Assignments.
User studies. Why user studies? How do we know security and privacy solutions are really usable? Have to observe users! –you may be surprised by what.

User studies. Why user studies? How do we know security and privacy solutions are really usable? Have to observe users! –you may be surprised by what.
Usability and Evaluation Dov Te’eni. Figure ‎ 7-2: Attitudes, use, performance and satisfaction AttitudesUsePerformance Satisfaction Perceived usability.

Usability and Evaluation Dov Te’eni. Figure ‎ 7-2: Attitudes, use, performance and satisfaction AttitudesUsePerformance Satisfaction Perceived usability.
Why Johnny Can’t Encrypt A Usability Evaluation of GPG 5.0 Presented by Yin Shi.

Why Johnny Can’t Encrypt A Usability Evaluation of GPG 5.0 Presented by Yin Shi.
Masud Hasan 03-60-475 Secure Email Project 1. Secure Email It uses Digital Certificate combined with S/MIME capable email clients to digitally sign and.

Masud Hasan Secure Project 1. Secure It uses Digital Certificate combined with S/MIME capable clients to digitally sign and.
SHASHANK MASHETTY Email security. Introduction Electronic mail most commonly referred to as email or e- mail. Electronic mail is one of the most commonly.

SHASHANK MASHETTY security. Introduction Electronic mail most commonly referred to as or e- mail. Electronic mail is one of the most commonly.
PROBLEM STATEMENT: Our research seeks to understand the current usability situation of files and email encryption software. Particularly we focus in Gnupg4win.

PROBLEM STATEMENT: Our research seeks to understand the current usability situation of files and encryption software. Particularly we focus in Gnupg4win.
Usability Studies Email Encryption Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech.

Usability Studies Encryption Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech.
Class 20 Usability CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman

Class 20 Usability CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman
EE515/IS523 Think Like an Adversary Lecture 7 UI and Psychological Failures Yongdae Kim.

EE515/IS523 Think Like an Adversary Lecture 7 UI and Psychological Failures Yongdae Kim.
Object-Oriented Software Engineering Practical Software Development using UML and Java Chapter 7: Focusing on Users and Their Tasks.

Object-Oriented Software Engineering Practical Software Development using UML and Java Chapter 7: Focusing on Users and Their Tasks.
Usability Evaluation June 8, 2011. Why do we need to do usability evaluation?

Usability Evaluation June 8, Why do we need to do usability evaluation?
 Is there a difference between working as a group and working as a team? Why or why not? What is the difference?

 Is there a difference between working as a group and working as a team? Why or why not? What is the difference?

Similar presentations

Ads by Google