Usable Security for Webmail and Single Sign-on
Kent Seamons & Scott Ruoti
Computer Science Department, Brigham Young University
Internet Security Research Lab

BYU Computer Science
• CS Department has 600+ undergraduates, 80 MS, 30 PhD
• Focus on undergraduate research mentoring

Internet Security Research Lab (ISRL)
• Established 2001
• Funding: DARPA, NSF, Industry
• Alumni
  • 24 MS degrees and 1 PhD degree awarded
  • Placement: Microsoft, Google, IBM, DoD, Sandia, MIT Lincoln Labs, Lockheed-Martin, Blue Coat, Amazon, etc.

ISRL Research Projects
• Automated Trust Negotiation
  • TrustBuilder – exchange attribute certificates as a basis for trust
• Convenient Decentralized Authentication using Passwords
  • Simple Authentication for the Web (SAW)
  • Luau
• Easy, Secure Data Sharing in the Cloud
  • Private Webmail (Pwm)
  • Private Facebook Chat (PFC)
  • Key Escrow (Kiwi)
• Privacy
  • TLS proxies – how to detect them and distinguish them from TLS MITM attacks
• Usable Security
Users and Security
• Users want to get their work done
• They will sidestep security if it is inconvenient

Usable Security
• A significant new research area in the last 10-15 years
• Seminal papers
  • Why Johnny Can’t Encrypt (Whitten and Tygar, 1999)
  • Users are not the Enemy (Adams and Sasse, 1999)
• Research venues with the latest research
  • Symposium On Usable Privacy and Security (SOUPS)
  • ACM Conference on Human Factors in Computing Systems (CHI)
Why Johnny Can’t Encrypt
• Usability study of PGP 5.0
• Political campaign scenario
• Twelve users were given the software to configure
• Users completed a series of tasks

Why Johnny Can’t Encrypt: Results
• Complete failure that served as a wakeup call to the community
• Only four users (33%) were able to correctly send out the encrypted, signed email
• Seven users encrypted emails with their own public keys
• Another user generated new key pairs for all the other users and tried to encrypt email with those keys
• Three users (25%) accidentally emailed the secret message to the other team members without encryption
• Lots of challenges with key management
Usable Security Research Examples
• Johnny 2 (SOUPS 2005)
  • Applied automatic key management to S/MIME email
• A usability study and critique of two password managers (USENIX Security 2006)
  • Major usability issues discovered
  • Usability issues led to insecurity
  • Most significant problems arose from poor mental models
• Social Phishing (CACM 2007)
  • User study that launched a real phishing attack against Indiana University students using social network contact information (71% success rate)

Usable Security Research Examples
• What makes users refuse web single sign-on? An empirical investigation of OpenID (SOUPS 2011)
  • Identified challenges and concerns users face when using OpenID
  • Many users had an incorrect mental model of how the system worked (71%)
  • Identified changes in the login flow that improve user acceptance
• Helping Johnny 2.0 Encrypt his Facebook conversations (SOUPS 2012)
  • Automatic key management and encryption
  • Hypothesized that users may not trust transparent encryption
Research Methods
• Approaches from Human Computer Interaction (HCI)
• Surveys
  • Likert scale questions
• Laboratory usability studies
  • Task-based
  • Difficult to draw conclusions from trust decisions in a laboratory environment
• Amazon Mechanical Turk
  • Cost-effective way to run large-scale user studies
• Ethical and privacy issues
  • Academic user studies need university review board approval

Metrics - System Usability Scale
• System Usability Scale (SUS) [Brooke 1996]
• Ten questions using a 5-point Likert scale
  • Alternate negative and positive statements
• Calculation that provides a single number for usability
• Bangor compared scores for hundreds of systems

SUS Questions
• I think that I would like to use this product frequently.
• I found the product unnecessarily complex.
• I thought the product was easy to use.
• I think that I would need the support of a technical person to be able to use this product.
• I found the various functions in the product were well integrated.
• I thought there was too much inconsistency in this product.
• I imagine that most people would learn to use this product very quickly.
• I found the product very awkward to use.
• I felt very confident using the product.
• I needed to learn a lot of things before I could get going with this product.
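The slides say SUS reduces the ten Likert answers to a single number but do not show the arithmetic. The following is an added example, not code from the slides or from the BYU ISRL, that scores SUS exactly as Brooke (1996) defines it: odd-numbered (positive) items contribute the answer minus one, even-numbered (negative) items contribute five minus the answer, and the sum of the ten contributions is multiplied by 2.5. The statements are the ones on the SUS Questions slide; the three participants' answers at the bottom are constructed, not data from any study.

```python
# Added example (not from the slides or the BYU ISRL): scoring the System
# Usability Scale as Brooke (1996) defines it. The participant answers at the
# bottom are constructed sample data, not results from any real study.
from statistics import mean

# The ten SUS statements, in the order that determines their polarity.
SUS_ITEMS = (
    "I think that I would like to use this product frequently.",
    "I found the product unnecessarily complex.",
    "I thought the product was easy to use.",
    "I think that I would need the support of a technical person to be able to use this product.",
    "I found the various functions in the product were well integrated.",
    "I thought there was too much inconsistency in this product.",
    "I imagine that most people would learn to use this product very quickly.",
    "I found the product very awkward to use.",
    "I felt very confident using the product.",
    "I needed to learn a lot of things before I could get going with this product.",
)


def sus_score(responses):
    """Return one participant's SUS score (0..100).

    `responses` holds ten Likert answers, 1 = strongly disagree .. 5 = strongly agree.
    Positive (odd-numbered) items contribute (answer - 1); negative (even-numbered)
    items contribute (5 - answer); the sum of the ten contributions is scaled by 2.5.
    """
    if len(responses) != len(SUS_ITEMS):
        raise ValueError("SUS needs exactly ten responses")
    if any(answer not in (1, 2, 3, 4, 5) for answer in responses):
        raise ValueError("every response must be an integer from 1 to 5")
    total = 0
    for position, answer in enumerate(responses, start=1):
        if position % 2 == 1:
            total += answer - 1      # agreeing with a positive statement is good
        else:
            total += 5 - answer      # disagreeing with a negative statement is good
    return total * 2.5


def mean_sus(all_responses):
    """Average SUS score across participants: the single number reported per system."""
    return mean(sus_score(answers) for answers in all_responses)


# Constructed answers for three hypothetical participants; not data from any study.
SAMPLE_RESPONSES = [
    [5, 1, 5, 1, 4, 2, 5, 1, 4, 2],  # enthusiastic user
    [3, 3, 3, 3, 3, 3, 3, 3, 3, 3],  # neutral on everything
    [2, 4, 2, 5, 2, 4, 3, 4, 2, 5],  # struggled with the system
]

if __name__ == "__main__":
    for answers in SAMPLE_RESPONSES:
        print(answers, "->", sus_score(answers))
    print("mean SUS:", round(mean_sus(SAMPLE_RESPONSES), 1))
```

A per-system mean such as the scores reported later in the deck is only meaningful against a reference distribution, which is why the slide cites Bangor's comparison of hundreds of systems; keeping the per-item contributions (rather than only the total) also makes it visible when a single statement, such as the "use this product frequently" item the limitations slide calls unclear, is dragging a score down.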
Single Sign-on: Who do we trust?
The Internet Password

Simple Authentication for the Web
• How can web sites offload user authentication all by themselves?
  • Already doing it as a secondary means of user authentication
• SAW’s approach
  • Improve the security and convenience of email-based password resets
  • Use as the primary authentication mechanism
How SAW Works
• Step 1: The user submits her email address
• Step 2: If her address is authorized, a random secret is generated and split into two shares
• Step 3: The user returns both tokens
  • Manually: By clicking a link in the email
  • Automatically: Using the SAW toolbar
• Tokens are:
  • Short-lived
  • Single-use
• Sample token email:
  From: SAW_TokenGenerator@securecomm.org
  To: student@some.edu
  Subject: [SAW-https://securecomm.org/login] ATemail=2fe32...
  Click on the link below ONLY if you recently initiated a request to log in to https://securecomm.org/login:
  https://securecomm.org/login?ATemail=2fe322492847eb5dea...
[Diagram: User (“I’m Alice”), Web Site, User’s Email Provider]

Benefits
• Unilateral deployment by web sites
  • No specialized third party
  • No client-side software
• Reuse existing users’ identifiers and authenticators external to the web site
• Acceptable risk for services that rely on email-based password resets
• Advanced features
  • Delegation and revocation through email forwarding rules
  • Client-side auditing
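The How SAW Works and Benefits slides describe the token flow without showing how a web site would implement it. The block below is an added example, not the ISRL's SAW code: a self-contained model of the web-site side in which a fresh random secret is split into two shares, one handed straight back to the browser and one delivered through the user's email provider (the role the ATemail value plays in the sample message), with the user required to return both. The 5-minute lifetime, the 32-byte secret, the two-out-of-two XOR sharing, and the `SawServer` class and its method names are all assumptions made here; the slides only say the tokens are short-lived and single-use.

```python
# Added example (not the ISRL's SAW code): a minimal model of the server side
# of the SAW login flow from the slides. The TTL, secret length, XOR sharing
# scheme and all names below are assumptions, not details from the deck.
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 300   # assumed; the slides only say "short-lived"
SECRET_LENGTH = 32        # assumed; 256 bits of fresh randomness per login attempt


def split_secret(secret: bytes):
    """Two-out-of-two XOR sharing: either share on its own is uniformly random."""
    share_email = secrets.token_bytes(len(secret))
    share_direct = bytes(a ^ b for a, b in zip(secret, share_email))
    return share_direct, share_email


def combine_shares(share_direct: bytes, share_email: bytes) -> bytes:
    """Recombine the two shares; returns the original secret only if both are intact."""
    return bytes(a ^ b for a, b in zip(share_direct, share_email))


class SawServer:
    """Web-site side of SAW. `clock` is injectable so expiry can be tested offline."""

    def __init__(self, authorized_emails, clock=time.time):
        self.authorized = set(authorized_emails)
        self.clock = clock
        self.pending = {}   # email -> (secret, issued_at)

    def start_login(self, email: str):
        """Steps 1 and 2: the user submits an address; if it is authorized, make a
        fresh secret and return (direct_share, email_share). The caller sends
        email_share to the address, so only the mailbox owner can complete step 3."""
        if email not in self.authorized:
            return None
        secret = secrets.token_bytes(SECRET_LENGTH)
        self.pending[email] = (secret, self.clock())   # replaces any older attempt
        return split_secret(secret)

    def finish_login(self, email: str, share_direct: bytes, share_email: bytes) -> bool:
        """Step 3: the user returns both tokens (link click or toolbar). Succeeds only
        if they recombine to the pending secret within the TTL, and only once."""
        entry = self.pending.pop(email, None)   # single-use: gone after one attempt, right or wrong
        if entry is None:
            return False
        secret, issued_at = entry
        if self.clock() - issued_at > TOKEN_TTL_SECONDS:
            return False
        if len(share_direct) != len(secret) or len(share_email) != len(secret):
            return False
        return hmac.compare_digest(combine_shares(share_direct, share_email), secret)


def run_demo():
    """Exercise the flow with a fake clock; returns the outcome of each case."""
    now = [1_000_000.0]
    server = SawServer({"student@some.edu"}, clock=lambda: now[0])   # constructed user
    out = {}
    out["unauthorized"] = server.start_login("stranger@example.org")
    direct, mailed = server.start_login("student@some.edu")
    out["valid"] = server.finish_login("student@some.edu", direct, mailed)
    out["replayed"] = server.finish_login("student@some.edu", direct, mailed)
    direct, mailed = server.start_login("student@some.edu")
    now[0] += TOKEN_TTL_SECONDS + 1
    out["expired"] = server.finish_login("student@some.edu", direct, mailed)
    direct, mailed = server.start_login("student@some.edu")
    tampered = mailed[:-1] + bytes([mailed[-1] ^ 0x01])
    out["tampered"] = server.finish_login("student@some.edu", direct, tampered)
    direct, mailed = server.start_login("student@some.edu")
    out["email_share_only"] = server.finish_login("student@some.edu", bytes(len(mailed)), mailed)
    return out


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:17s} -> {result}")
```

Discarding the pending entry on the first completion attempt, whether it succeeds or not, is what makes the token single-use and also rules out guessing at a share; the cost is that a mistyped or stale link ends that login attempt and the user starts again from step 1. Because the web site never needs anything beyond the user's existing mailbox, this is the unilateral, no-third-party, no-client-software deployment the Benefits slide describes.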
The Chicken and the Egg
• How do users authenticate to identity providers when they cannot directly communicate?
• Giving relying parties the plaintext password is not desirable
• Allowing an encrypted tunnel invites misuse and requires IP-level connectivity
• Forwarding several small messages of known composition offers a good compromise
[Diagram: User (U), Wireless Access Point (RP), Identity Provider (IDP); message “ID: Alice PW: Peek-a-boo”]

Luau – High-Level Idea
• Use a strong password protocol to establish a mutually authenticated session key between the user and her identity provider
• Use that key to facilitate a SAW token distribution
• Unify Web and wireless authentication
[Diagram: Secure Remote Password (SRP) between User (U), Wireless Access Point (RP), Identity Provider (IDP)]
Future Directions
• Usability studies comparing SAW to OAuth, OpenID, and some recent proposals to replace passwords
• Untrusted Input Problem: Password entry into web forms supplied by the server
  • We advocate a move to password entry into the browser chrome or O/S in order to thwart password phishing attacks
  • Train users to never enter credentials into a web page
  • Users will still be vulnerable to social engineering
• If phishing attacks are thwarted, attackers will focus on the end points
  • Usable solutions to key logging
Confused Johnny
• E-mail encryption for the masses
• We developed a system maximizing usability
  • Made everything transparent
  • Johnny became confused
• Designed another system with manual encryption
  • This helped Johnny gain clarity

Encrypted E-mail
• Exists, but largely goes unused
  • S/MIME, PGP
  • Tools available
• “Why Johnny can't encrypt: A usability evaluation of PGP 5.0”
  • Whitten and Tygar, 8th USENIX Security Symposium (1999)
  • Later research confirmed findings
• What can be done?

Usability Issues
• Users resist change
  • Users are using webmail
  • If security is difficult, users will forgo it
• Key management is confusing
  • Hierarchical, web-of-trust
  • Recipient must already have a key
  • Chicken and egg problem
• Cryptography is complicated
  • Unclear which properties are provided
  • Unclear which properties are needed
Private Webmail (Pwm)
• Pronounced “Poem”
• Adds end-to-end encryption to existing webmail systems
  • Gmail, Hotmail, Yahoo! Mail
  • Runs on all modern browsers
• Designed to maximize usability
  • Provide good-enough security
  • Improvement for those already sending sensitive e-mail

Security Overlay
• Integrates tightly with existing webmail systems
  • Users do not need to learn yet another system
  • Replaces small portions of the interface
  • Displayed using iFrames
• Functionally transparent
  • Low barrier to adoption
• Visually distinctive
  • Easy to identify

Usability Fixes
• Users resist change
  • Focus on bootstrapping first-time users
  • Helpful instructions in e-mail
  • Bookmarklet-based installation
• Key management is confusing
  • Key escrow based on IBE
  • Simple Authentication for the Web (EBIA)
  • No user interaction required
• Cryptography is complicated
  • Encryption is automatically handled by Pwm
  • Users never interact with ciphertext
Pwm User Studies
• Two studies
  • First study measured usability of Pwm
    • Also evaluated bookmarklets for use during installation
  • Second study compared Pwm to Voltage Secure Mail Cloud
    • Voltage Secure Mail Cloud is an existing depot-based secure email system
    • Pwm was run using a browser extension
• Evaluation
  • Pre- and post-survey questionnaire
  • Monitored participants’ actions for unrecognized mistakes
  • Post-survey interviews
[Chart: SUS scores 76, 71, 63]

Success?
• Results are very promising
  • Very positive reception
  • Users indicated they wanted to begin using it
• Not without problems
  • A small number sent e-mail without encryption
  • Participants were confused about security
    • Wanted to see more details
    • Unsure of who could read e-mails
Where to go from here?
• Simple solution was to fix UI issues
• One student (Nathan Kim) had a different idea
  • Manual encryption
  • Decoupled interface
• Mocked up these ideas
  • Message Protector (MP)
  • Simple interface
  • Direct handling of ciphertext
  • Implied key management

First MP User Study
• Evaluated MP using SUS
• Compared against Encipher.it
  • Bookmarklet-based encryption system
  • Works in Gmail and Facebook
• Evaluation
  • Pre- and post-survey questionnaire
  • Monitored participants’ actions for unrecognized mistakes
  • Post-survey interviews
  • The System Usability Scale
• Evaluated comprehension
  • Survey included questions about comprehension
    • How to use the system
    • Who could read messages
[Chart: SUS scores 61, 72]
Second MP User Study
• Surprising usability results
  • Participants had a positive reaction to seeing ciphertext
  • Similar SUS score to MP
• Ran a second study comparing MP to Pwm
  • Modeled after the first MP study
[Chart: SUS scores 76, 74]

Other results
• MP improved users’ comprehension
  • Clearly understood how to use the system
  • Clearly understood who could read messages
• Usability scores nearly identical to Pwm
• Participants preferred the manual encryption of MP
• Participants preferred the tight integration of Pwm
Study limitations
• MP studies ignore bootstrapping new users
  • Studies assumed software pre-installed
  • Bootstrapping is a key component of Pwm’s design
  • Not fully representative of overall usability
• Short-term studies
• SUS question unclear
  • “I think that I would like to use this system frequently.”
  • Participants ranked it low even when enthusiastic about the system
  • Relevant to security studies

Review
• Pwm was a success
  • Participants largely succeeded at using encrypted e-mail
  • Participants had high praise for Pwm
  • Succeeded in being easy for new users
• Pwm wasn’t perfect
  • Security was too transparent
  • Caused users to be confused and make mistakes
• Mocked up a system using manual encryption
  • Users enjoyed manual encryption
  • Wished it was tightly integrated with the browser
• A combination of approaches is needed to solve the problem