usability and security of out of band channels in secure
play

Usability and Security of Out-Of-Band Channels in Secure Device - PowerPoint PPT Presentation

Aug 20, 2023 •251 likes •670 views

Outline Introduction HISPs Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Usability and Security of Out-Of-Band Channels in Secure Device Pairing Protocols Ronald Kainda, Ivan Flechais, and A.W.

  1. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Usability and Security of Out-Of-Band Channels in Secure Device Pairing Protocols Ronald Kainda, Ivan Flechais, and A.W. Roscoe Oxford University Computing Laboratory SOUPS Conference 15-17 July, 2009

  2. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Outline Introduction 1 HISPs — Proposed OOB Methods 2 Experimental Design 3 Results 4 Analysis and Discussion 5 Conclusion 6

  3. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Outline Introduction 1 HISPs — Proposed OOB Methods 2 Experimental Design 3 Results 4 Analysis and Discussion 5 Conclusion 6

  4. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Introduction - Device Pairing Scenario

  5. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Introduction - Device Pairing Human-Interactive Security Protocols (HISPs) OOB N

  6. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Introduction - HISPs Security in HISPs Technical security Security based on formal proofs Depends on the size of the digest/fingerprint b -bits for most protocols

  7. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Introduction - HISPs Security in HISPs Technical security Security based on formal proofs Depends on the size of the digest/fingerprint b -bits for most protocols Effective security Secure systems are socio-technical (Sasse et al.) Security of a protocol may depend on human effort Humans forget, make mistakes These mistakes may result in security failures Human failures are not covered by formal proofs Increasing technical security (value of b ) may reduce effective security

  8. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Introduction - Research Question Are proposed OOB methods usably secure to guarantee specified technical security?

  9. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Outline Introduction 1 HISPs — Proposed OOB Methods 2 Experimental Design 3 Results 4 Analysis and Discussion 5 Conclusion 6

  10. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion HISPs - Proposed OOB Methods Manual comparison compare Devices generate fingerprints Fingerprints displayed in appropriate format Users compare fingerprints and indicate on the device a match or lack of it Devices require display and some form of input method

  11. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion HISPs - Proposed OOB Methods Manual copying and entering Bluetooth One device displays a fingerprint User copies and types the fingerprint into one or more devices Requires display and keypad Efficiency of entry depends on affordances of devices involved

  12. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion HISPs - Proposed OOB Methods Auxiliary devices 2D–Barcode Rely on secondary devices to transfer/compare information Proposed devices include camera phone external storage devices data cable etc May require users to carry extra hardware

  13. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion HISPs - Proposed OOB Methods Short-range wireless channels infrared Rely on short range wireless channels Require devices to be no more than a few centimetres apart Proposed methods include: infra-red light distance bounding 1 Most methods lack human verification 1 can also use normal channel

  14. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion HISPs - Proposed OOB Methods Timing methods Rely on transmission of information in well timed intervals Users coordinate the synchronisation Examples include shaking devices (Saxena et al.) pressing a button in response to some stimulus

  15. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Outline Introduction 1 HISPs — Proposed OOB Methods 2 Experimental Design 3 Results 4 Analysis and Discussion 5 Conclusion 6

  16. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Experimental Design - Methods DEFINITIONS Method – refers to a specific mode of comparing/transferring information between devices by humans Representation – refers to specific format in which information is presented to users Method-representation – refers to a combination of a method and representation

  17. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Experimental Design - Method-representations Compare & confirm compare Numeric Alphanumeric Words Sentences Country names Numeric & Sound Alphanumeric & Sound Melodies Images

  18. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Experimental Design - Method-representations Compare & select Numeric Alphanumeric Copy & enter Numeric Alphanumeric Barcode

  19. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Experimental Design - Design Dependent variables 1 Time 2 Number of non-security failures 3 Number of security failures Independent variable 1 Method-representation

  20. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Experimental Design - Participants 30 participants were recruited via online advertisement Gender Male: 47% Female: 53% Age 18 - 25 40% 26 - 35 27% 36 - 45 13% 46 - 55 3% 56 - 65 13% 66 - 75 4% Education High School: 27% College: 27% Graduate: 26% Postgraduate: 20%

  21. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Experimental Design - Apparatus tools Devices: Nokia N95 and N73 Nokia devices are common Bluetooth enabled Software: P2P payment system Device communication using Bluetooth Software created a log of participant’s actions Digital voice recorder To record interviews Questionnaires Enrolment After scenario (AS) After experiment/exit (AE) Written instructions

  22. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Experimental Design - Procedure: Tasks Figure: Step 1

  23. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Experimental Design - Procedure: Tasks Figure: Step 2

  24. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Experimental Design–Procedure: Tasks Figure: Step 3 and 4

  25. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Experimental Design - Procedure: Tasks Figure: Step 5 and 6

  26. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Outline Introduction 1 HISPs — Proposed OOB Methods 2 Experimental Design 3 Results 4 Analysis and Discussion 5 Conclusion 6

  27. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Results - Compare & confirm: Errors and completion times Time (s) Security failures Non-security failures Mean % % Numeric 6 0 3.3 Alphanumeric 6 13.3 16.7 Words 7 3.3 16.7 Images 8 0 3.3 Country/ 9 0 3.3 City names Sentences 11 0 16.7 Alphanumeric 12 3.3 20 & sound Numeric & 14 3.3 0 sound Melodies 24 6.7 36.7 Between-subjects: p = 0.0007 Within-subjects - time: p = .0000

  28. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Results - Compare & select: Errors and completion times Time Security failures Non-security failures Seconds % % Numeric 9 10 10 Alphanumeric 9 20 30 Between-subjects: p = 0.0000 Within-subjects - time: p = 0.9255

  29. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Results - Copy & enter: Errors and completion times Time Non-security failures Seconds % Numeric 17 13 Alphanumeric 40 23 Between-subjects: p = .7531 Within-subjects - time: p = .0004

  30. Outline Introduction HISPs — Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Results - Barcode: Errors and completion times Time Non-security failures Seconds % 37 53

Recommend

Secure and Usable Out-Of-Band Channels for Ad hoc Mobile Device Interactions Ronald Kainda, Ivan

Secure and Usable Out-Of-Band Channels for Ad hoc Mobile Device Interactions Ronald Kainda, Ivan

Introduction HISP OOB Channels Problem definition Proposed methods Security and usability study Conclusion Secure and Usable Out-Of-Band Channels for Ad hoc Mobile Device Interactions Ronald Kainda, Ivan Flechais, A.W. Roscoe Workshop in

650 views • 18 slides
Secure Mobile Ad-hoc Interactions: Reasoning About Out-Of-Band (OOB) Channels Ronald Kainda, Ivan

Secure Mobile Ad-hoc Interactions: Reasoning About Out-Of-Band (OOB) Channels Ronald Kainda, Ivan

Introduction Framework Application Conclusion Secure Mobile Ad-hoc Interactions: Reasoning About Out-Of-Band (OOB) Channels Ronald Kainda, Ivan Flechais, A.W. Roscoe International Workshop on Security and Privacy in Spontaneous Interaction

539 views • 17 slides
3 Short review Lecture no: NARROW-BAND CHANNELS WIDE-BAND CHANNELS Radio signals and

3 Short review Lecture no: NARROW-BAND CHANNELS WIDE-BAND CHANNELS Radio signals and

RADIO SYSTEMS ETI 051 Contents 3 Short review Lecture no: NARROW-BAND CHANNELS WIDE-BAND CHANNELS Radio signals and complex Delay (time) dispersion notation Narrow- versus wide-band Large-scale fading channels

558 views • 12 slides
Building Secure Channels Kenny Paterson Information Security Group

Building Secure Channels Kenny Paterson Information Security Group

Building Secure Channels Kenny Paterson Information Security Group Overview Why do we need secure channels? What properties should they have?

480 views • 31 slides
Data Security: The art of providing secure communication over insecure channels. Not a problem

Data Security: The art of providing secure communication over insecure channels. Not a problem

Data Security: The art of providing secure communication over insecure channels. Not a problem that suddenly arose when computers were invented - its as old as mankind. Data Security falls naturally into two cathegories: * Confidentiality

542 views • 16 slides
Beyond the Pile of Knobs: Usability and Design for Privacy, Security, Safety & Consent

Beyond the Pile of Knobs: Usability and Design for Privacy, Security, Safety & Consent

Beyond the Pile of Knobs: Usability and Design for Privacy, Security, Safety & Consent Georgia Bullen // @georgiamoon Executive Director Simply Secure FOSDEM // 2 February 2020 Everyone deserves technology they can trust. Simply Secure

437 views • 28 slides
Usability Engineering Secure Software Last Revised: October 28, 2020 SWEN-331: Engineering

Usability Engineering Secure Software Last Revised: October 28, 2020 SWEN-331: Engineering

Usability Engineering Secure Software Last Revised: October 28, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Quote: Taher El-Gamal, Inventor of SSL Security professionals always struggle with the general public because

753 views • 30 slides
Security and Usability from the Frontlines of Enterprise IT Jon Oberheide CTO, Duo Security

Security and Usability from the Frontlines of Enterprise IT Jon Oberheide CTO, Duo Security

Security and Usability from the Frontlines of Enterprise IT Jon Oberheide CTO, Duo Security Browser SSL Password Encryption warnings schemes usability IT Security 40M consumer 153M end user Thousands of credit cards credentials

785 views • 39 slides
Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone

Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone

Phd course on Formal modelling and analysis of interactive systems Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone United Nations University International Institute for Software Technology

1.76k views • 109 slides
Security Notions for Bidirectional Channels Giorgia Azzurra Marson Bertram Poettering FSE 2017

Security Notions for Bidirectional Channels Giorgia Azzurra Marson Bertram Poettering FSE 2017

Security Notions for Bidirectional Channels Giorgia Azzurra Marson Bertram Poettering FSE 2017 Tokyo, Japan 1 / 11 Outline Secure channels and how they are modeled Security notions for bidirectional channels Analysis of bidirectional

602 views • 39 slides
Design for Security Serena Chen | @Sereeena | OReilly Velocity 2018 Usability Security

Design for Security Serena Chen | @Sereeena | OReilly Velocity 2018 Usability Security

Design for Security Serena Chen | @Sereeena | OReilly Velocity 2018 Usability Security Good user experience design and good security cannot exist without each other Everyone deserves to be secure without being experts We need to

1.34k views • 112 slides
Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe

Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe

Introduction Security-usability threat model Security and usability evaluation Summary Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe Oxford University Computing Laboratory Availability,

829 views • 23 slides
Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements intermission Day 24: Usability and security Stephen McCamant Usable security example areas University of Minnesota, Computer Science & Engineering

219 views • 5 slides
Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements intermission Day 25: Usability and security Stephen McCamant Usable security example areas University of Minnesota, Computer Science & Engineering

419 views • 4 slides
Outline Tor experiences and challenges (contd) Usability and security CSci 5271

Outline Tor experiences and challenges (contd) Usability and security CSci 5271

Outline Tor experiences and challenges (contd) Usability and security CSci 5271 Announcements intermission Introduction to Computer Security Usability and Voting combined slides Usable security example areas Stephen McCamant Elections

305 views • 8 slides
Payment Channels Designing Secure Watchtowers Zeta Avarikioti ETH Zurich Distributed

Payment Channels Designing Secure Watchtowers Zeta Avarikioti ETH Zurich Distributed

Payment Channels Designing Secure Watchtowers Zeta Avarikioti ETH Zurich Distributed Computing www.disco.ethz.ch Can cryptocurrencies scale? 7 tx/s 20 tx/s 65.000 tx/s Payment Channels Payment Channels Payment Channels Funding

482 views • 37 slides
How MPC Enables Secure Public Cloud Usability Avi Rose, vHSM Business Development - Europe

How MPC Enables Secure Public Cloud Usability Avi Rose, vHSM Business Development - Europe

How MPC Enables Secure Public Cloud Usability Avi Rose, vHSM Business Development - Europe November 2018 The Perimeter is Dead 2 Keys: The Foundation of the Foundation The foundation of any security model is the crypto layer. *

571 views • 19 slides
Usability Analysis of Secure Pairing Methods 12 , 3 , 23 Ersin Uzun Kristiina Karvonen N.

Usability Analysis of Secure Pairing Methods 12 , 3 , 23 Ersin Uzun Kristiina Karvonen N.

Usability Analysis of Secure Pairing Methods 12 , 3 , 23 Ersin Uzun Kristiina Karvonen N. Asokan 1 University Of California, Irvine 2 Nokia Research Center 3 Helsinki University of Technology Outline What is secure pairing and why is it

533 views • 31 slides
Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security

Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security

Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security Evaluation with Comparative Analysis Robbie MacGregor 5 th Who Are You?! Adventures in Authentication (WAY), Santa Clara, CA, USA, 2019. I did a thing so

132 views • 10 slides
Authenticated Encryption in SSH Kenny Paterson Information Security Group @kennyog;

Authenticated Encryption in SSH Kenny Paterson Information Security Group @kennyog;

Authenticated Encryption in SSH Kenny Paterson Information Security Group @kennyog; www.isg.rhul.ac.uk/~kp Overview (both lectures) Secure channels and their properties AEAD (revision) AEAD secure channel the [APW09] attack

1.63k views • 72 slides
Security Outline Introduction: what is security? Butler Lampson Principals, the speaks

Security Outline Introduction: what is security? Butler Lampson Principals, the speaks

Security Outline Introduction: what is security? Butler Lampson Principals, the speaks for relation, and chains of responsibility Secure channels and encryption TECS Week 2005 Names and groups January 2005 Authenticating systems

387 views • 24 slides
Mariana Raykova Data Security: Encryption and Digital Signatures Beyond security of data at

Mariana Raykova Data Security: Encryption and Digital Signatures Beyond security of data at

Mariana Raykova Data Security: Encryption and Digital Signatures Beyond security of data at rest and communication channels Security of Computation on Sensitive Inputs Secure multiparty computation (MPC) Differential privacy methods

595 views • 43 slides
Outline Usability and security (contd) Elections and their security CSci 5271 Introduction

Outline Usability and security (contd) Elections and their security CSci 5271 Introduction

Outline Usability and security (contd) Elections and their security CSci 5271 Introduction to Computer Security Announcements intermission Day 24: Electronic voting System security of electronic voting Stephen McCamant Exercise sets 2

424 views • 10 slides
On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis

On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis

On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis Defense, Bochum, Germany, May 29, 2019 User Authentication Competing requirements of security and usability . [1] Common Factors: Knowledge ( Password ,

619 views • 34 slides

More recommend