Usable Security for Webmail and Single Sign-on
KENT SEAMONS & SCOTT RUOTI
COMPUTER SCIENCE DEPARTMENT
BRIGHAM YOUNG UNIVERSITY
INTERNET SECURITY RESEARCH LAB
BYU Computer Scienceo CS Department has 600+ undergraduates, 80 MS, 30 PhD
o Focus on undergraduate research mentoring
Internet Security Research Lab (ISRL)oEstablished 2001
o Funding: DARPA, NSF, Industry
oAlumni◦ 24 MS degrees and 1 PhD degree awarded◦ Placement: Microsoft, Google, IBM, DoD, Sandia, MIT Lincoln Labs, Lockheed-Martin, Blue
Coat, Amazon, etc.
ISRL Research Projectso Automated Trust Negotiation
◦ TrustBuilder – exchange attribute certificates as a basis for trust
o Convenient Decentralized Authentication using Passwords◦ Simple Authentication for the Web (SAW)◦ Luau
o Easy, Secure Data Sharing in the Cloud◦ Private Webmail (Pwm)◦ Private Facebook Chat (PFC)◦ Key Escrow (Kiwi)
o Privacy◦ TLS proxies – how to detect and distinguish from TLS MITM attacks
o Usable Security
Users and SecurityoUsers want to get their work done
oThey will sidestep security if it is inconvenient
Usable SecurityoA significant new research area in the last 10-15 years
o Seminal papers◦ Why Johnny Can’t Encrypt (Whitten and Tygar, 1999)◦ Users are not the Enemy (Adams and Sasse, 1999)
o Research venues with latest research◦ Symposium on Usability, Privacy, and Security (SOUPS)◦ ACM Conference on Human Factors in Computing Systems (CHI)
Why Johnny Can’t EncryptoUsability study of PGP 5.0
oPolitical campaign scenario
oTwelve users were given the software to configure
oUsers completed a series of tasks
Why Johnny Can’t Encrypt ResultsoComplete failure that served as a wakeup call to the community
oOnly four users (33%) were able to correctly send out the encrypted, signed email◦ Seven users encrypted emails with their own public keys◦ Another user generated new key pairs for all the other users and tried to encrypt email with
those keys
oThree users (25%) accidentally emailed the secret message to the other team members without encryption
o Lots of challenges with key management
Usable Security Research Examples◦ Johnny 2 (SOUPS 2005)
◦ Applied automatic key management to S/MIME email◦ A usability study and critique of two password managers (Usenix Security 2006)
◦ Major usability issues discovered◦ Usability issues led to insecurity◦ Most significant problems arose from poor mental models
◦ Social Phishing (CACM 2007)◦ User study that launched real phishing attack against Indiana University students using social
network contact information (71% success rate)
Usable Security Research Examples◦ What makes users refuse web single sign-on? An empirical investigation of OpenID
(SOUPS 2011)◦ Identified challenges and concerns users face when using OpenID◦ Many users had incorrect mental model of how the system worked (71%)◦ Identified changes in the login flow that improves user acceptance
◦ Helping Johnny 2.0 Encrypt his Facebook conversations (SOUPS 2012)◦ Automatic key management and encryption◦ Hypothesized that users may not trust transparent encryption
Research MethodsoApproaches from Human Computer Interaction (HCI)
o Surveys◦ Likert Scale questions
o Laboratory usability studies◦ Task-based◦ Difficult to draw conclusions from trust decisions in a laboratory environment
oAmazon Mechanical Turks◦ Cost effective way for large-scale user studies
oEthical and privacy issues◦ Academic user studies need university review board approval
Metrics - System Usability Scaleo System Usability Scale (SUS) [Brook 1996]
oTen questions using 5 point Likert Scale◦ Alternate negative and positive◦ Calculation that provides a single number for usability
oBangor compared scores for hundreds of systems
SUS Questionso I think that I would like to use this product frequently.
o I found the product unnecessarily complex.
o I thought the product was easy to use.
o I think that I would need the support of a technical person to be able to use this product.
o I found the various functions in the product were well integrated.
o I thought there was too much inconsistency in this product.
o I imagine that most people would learn to use this product very quickly.
o I found the product very awkward to use.
o I felt very confident using the product.
o I needed to learn a lot of things before I could get going with this product.
Usable Security for Single Sign-On
Bob’s in-memory password lookup table
password1 ??? Luke
??? Password2 Ducky
Password3 photos Zxcv
letmein ??? ???
pwd12 qwer Lkjh
asdf ??? ???
The Internet
Password
Who do we trust?
Single Sign-on
Simple Authentication for the WeboHow can web sites offload user authentication all by themselves?
◦ Already doing it as a secondary means of user authentication
o SAW’s approach◦ Improve the security and convenience of email-based password resets◦ Use as primary authentication mechanism
How SAW Works Step 1:
◦ The user submits her email address
Step 2:◦ If her address is authorized, a random secret is
generated and split into two shares
Step 3:◦ The user returns both tokens
◦ Manually: By clicking a link in the email
◦ Automatically: Using the SAW toolbar
Tokens are:• Short-lived• Single-use
Web SiteUser
User’s Email Provider
I’m Alice
From: [email protected]: [email protected]: [SAW-https://securecomm.org/login] ATemail=2fe32...
Click on the link below ONLY if you recently initiated a request to log in to https://securecomm.org/login:https://securecomm.org/login?ATemail=2fe322492847eb5dea...
BenefitsoUnilateral deployment by web sites
1. No specialized third party2. No client-side software3. Reuse existing users identifiers and authenticators external to the web site
oAcceptable risk for services that rely on email-based password resets
oAdvanced features◦ Delegation and revocation through email forwarding rules◦ Client-side auditing
oHow do users authenticate to identity
providers when they cannot directly communicate?◦ Giving relying parties the plaintext password is not desirable◦ Allowing an encrypted tunnel invites misuse and requires IP-level connectivity
◦ Forwarding several small messages of known composition offers a good compromise
The Chicken and the Egg
User (U) Identity Provider (IDP)Wireless Access Point (RP)
ID: AlicePW: Peek-a-boo
Msg
1. Use a strong password protocol to establish a mutually authenticated session key between user and her identity provider
2. Use that key to facilitate a SAW token distribution
3. Unify Web and wireless authentication
Luau– High Level IdeaUser (U) Identity Provider (IDP)Wireless Access Point (RP)
Secure Remote Password (SRP)
Future DirectionsoUsability studies comparing SAW to Oauth, OpenID, and some recent proposals
to replace passwords
oUntrusted Input Problem: Password entry into web forms supplied by the server◦ We advocate a move to password entry into the browser chrome or O/S in order to thwart
password phishing attacks◦ Train users to never enter credentials into a web page◦ Users will still be vulnerable to social engineering
o If phishing attacks are thwarted, attackers will focus on the end points◦ Usable solutions to key logging
Confused Johnny: Usable Security for Webmail
Confused JohnnyoE-mail encryption for the masses
oWe developed a system maximizing usability◦ Made everything transparent
o Johnny became confused
oDesigned another system with manual encryption◦ This helped Johnny gain clarity
Encrypted E-mailoExists, but largely goes unused
o S/MIME, PGP◦ Tools available
o “Why Johnny can't encrypt: A usability evaluation of PGP 5.0”◦ Whitten and Tygar, 8th USENIX Security Symposium (1999)◦ Later research confirmed findings
oWhat can be done?
Usability IssuesoUsers resist change
◦ Users are using webmail◦ If security is difficult users will forgo it
oKey management is confusing◦ Hierarchical, web-of-trust◦ Recipient must already have key◦ Chicken and egg problem
oCryptography is complicated◦ Unclear which properties are provided◦ Unclear which properties are needed
Private Webmail (Pwm)oPronounced “Poem”
oAdds end-to-end encryption to existing webmail systems◦ Gmail, Hotmail, Yahoo! Mail◦ Runs on all modern browsers
oDesigned to maximize usability
oProvide good-enough security◦ Improvement for those already sending sensitive e-mail
Security Overlayo Security overlay
◦ Integrates tightly with existing webmail systems
◦ Users do not need to learnyet-another-system
o Tightly integrates with existing systems◦ Replaces small portions of the interface◦ Displayed using iFrames
o Functionally transparent◦ Low barrier to adoption
o Visually distinctive◦ Easy to identify
Usability FixesoUsers resist change
◦ Focus on bootstrapping first-time users◦ Helpful instructions in e-mail◦ Bookmarklet-based installation
oKey management is confusing◦ Key escrow based on IBE◦ Simple Authentication for the Web (EBIA)◦ No user interaction required
oCryptography is complicated◦ Encryption is automatically handled by Pwm◦ Users never interact with ciphertext
Pwm: Walkthrough
Pwm: Walkthrough
Pwm: Walkthrough
Pwm: Walkthrough
Pwm: Walkthrough
Pwm User StudiesoTwo studies
o First study measured usability of Pwm◦ Also evaluated bookmarklets for use during installation
o Second study compared Pwm to Voltage Secure Mail Cloud◦ Voltage Secure Mail Cloud is an existing depot-based secure email system◦ Pwm was run using a browser extension
oEvaluation◦ Pre- and post-survey questionnaire◦ Monitored participants actions for unrecognized mistakes◦ Post-survey interviews
76
71
63
SUS Score Comparison
Success?oResults are very promising
◦ Very positive reception◦ Users indicated they wanted to begin using it
oNot without problems
o Small number sent e-mail without encryption
oParticipants were confused about security◦ Wanted to see more details◦ Unsure of who could read e-mails
Where to go from here?o Simple solutions was to fix UI issues
oOne student (Nathan Kim) had a different idea◦ Manual encryption◦ Decoupled interface
oMocked up these ideas◦ Message Protector (MP)◦ Simple Interface◦ Direct handling of ciphertext◦ Implied key management
MP: Walkthrough
MP: Walkthrough
MP: Walkthrough
MP: Walkthrough
First MP User Studyo Evaluated MP using SUS
o Compared against Encipher.it◦ Bookmarklet-based encryption system◦ Works in Gmail and Facebook
o Evaluation◦ Pre- and post-survey questionnaire◦ Monitored participants actions for unrecognized mistakes◦ Post-survey interviews◦ The system usability scale
o Evaluated comprehension◦ Survey included questions about comprehension◦ How to use the system◦ Who could read messages
61
72
Second MP User Studyo Surprising usability results
◦ Participants had a positive reaction to seeing ciphertext◦ Similar SUS score to MP
oRan a second study comparing MP to Pwm◦ Modeled after the first MP study
76
74
SUS Score Comparison
Other resultsoMP improved users comprehension
◦ Clearly understood how to use system◦ Clearly understood who could read messages
oUsability scores nearly identical to Pwm
oParticipants preferred manual encryption of MP
oParticipants preferred tight integration of Pwm
Study limitationsoMP studies ignore bootstrapping new users
◦ Studies assumed software pre-installed◦ Bootstrapping is a key component of Pwm’s design◦ Not fully representative of overall usability
o Short-term studies
o SUS question unclear◦ “I think that I would like to use this system frequently.”◦ Participants ranked low even when enthusiastic about the system◦ Relevant to security studies
Reviewo Pwm was a success
◦ Participants largely succeeded at using encrypted e-mail◦ Participants had high praise for Pwm◦ Succeeding in being easy for new users
o Pwm wasn’t perfect◦ Security was too transparent◦ Caused users to be confused and make mistakes
o Mocked up a system using manual encryption◦ Users enjoyed manual encryption◦ Wished it was tightly integrated with the browser
o A combination of approaches is needed to solve the problem
Future WorkoManual encryption in Pwm
◦ Don’t automatically send encrypted email◦ “Encrypt” button which puts ciphertext in compose window
o Sidebar◦ Browser sidebar allowing for manual encryption◦ Can be used on any site◦ Fallback for when Pwm has an error
o Long-term studies◦ Larger populations◦ Real tasks
Lessons LearnedoUsability is a key factor in security software
oUsers have expectations about how security works◦ What needs to be exposed?◦ It can impact trust
oThere are tradeoffs◦ Usability vs. security◦ Transparency vs. control◦ No one solution does everything
oResearch needs to focus on real world use cases◦ Collaboration with industry
Questions?