Berkeley COMPSCI 261N - Motivation for usability in security


Florent Robineau, 10/11/2007
CS261 Scribe: Usable security

Motivation for usability in security

How usability is relevant

Usable security is concerned with taking the human factor into account in security. This is a very important aspect that was almost completely overlooked until recently: security experts either assumed that humans do not make mistakes (they do) or simply ignored them, building their systems in terms of hardware and software only.

Usability is relevant in two ways:
1. Task-oriented view: how easy to use, intuitive and efficient is the security mechanism?
2. Security-oriented view: how does usability affect the security of the system?

The main argument for usability is that these two aspects are closely intertwined, and 2) cannot be achieved without 1).

How to cope with usability

There are two common approaches to the usability of a system:
• Change the user by training them. This has historically been the approach taken by airlines to ensure the safety of their passengers: planes were considered so safe that in case of a crash the blame was put on the human side ("the pilot misunderstood the instructions", "the two parties did not agree on the unit used to measure distances", etc.).
• Change the product to make it more intuitive. If pilots repeatedly make the same error because the plane is unintuitive to operate, isn't that a design flaw rather than a lack of training of the crews?

Bolt-on security

A common mistake with security requirements is to add them at the last moment, as if security were a secondary, passive, magic layer. To be truly effective, security has to be incorporated into the design from the earliest stages.

Human factors

A few key points to bear in mind when designing a usable secure scheme:
• User studies are the only reliable way to assess what works and what does not.
• For users, security is an aspect, not a goal in itself, which makes it much harder to evaluate.
• How can we measure the usability of a secure system?
  o Subjective performance: "How easy was it?", "How does it compare to ...?"
  o Objective performance: what percentage of the users in a study succeeded at a task? In what time?
  o Satisfaction: "Would you use this software personally?"

Mistakes in usability

Phishing

File-sharing software

A file-sharing network's value is a function of the number of files shared. Hence, to maximize the incentive for users to join, file-sharing software would rather share as much of a user's files as possible; sometimes this means sharing the whole hard drive, exposing private documents. Possible solutions to this problem include:
• Blacklisting some directories
• Requiring explicit authorization to share files
• Checking the visibility of the files (showing the user what is actually being shared)
The problem is that it is hard to come up with a generic solution: what works for one user does not necessarily work for others.

Windows Firewall / SELinux

Passwords

What's wrong with passwords

Passwords are one of the biggest failures of the security community. They have many weaknesses:
• Users cannot remember an arbitrary number of passwords, so they most often reuse the same password everywhere. A system is only as strong as its weakest component, hence a single weak system where this password is used endangers every other system where the user uses the same password. Worse: if one of the systems is malicious, its operator holds a list of usernames and passwords that very likely work on other websites.
• Users sometimes write passwords down on the infamous sticky notes on the screen.
• Passwords can be shared or guessed (social engineering).
• Passwords have very low entropy (they are mostly dictionary-based).

What replacement for passwords?
A number of replacements have been proposed:
• Something you know: challenge questions, ...
• Something you have: a hardware fob
• Something you are: biometrics
• SSH public key authentication: the computer proves who it is

Two-factor authentication

Sometimes two of these factors (something you have / you know / you are) are combined; this has been adopted by online banks for instance, and it is called two-factor authentication. It is not clear that the two-factor solutions actually deployed work very well. Studies show that a non-negligible number of users will enter their password even when an online bank's SiteKey (the personalized image that is supposed to prove the site's identity to the user) is not presented.

Password authenticated key exchange

This is a nice application of passwords: two entities sharing a secret w can set up a common key K by encrypting the messages of a standard Diffie-Hellman key exchange under w (see further in the document for an explanation of Diffie-Hellman):

A -> B: $\{g^x\}_w$
B -> A: $\{g^y\}_w$
A <-> B: $\{\text{msgs}\}_K$, where $K = g^{xy}$

The advantages of this technique are:
• Eavesdropping is impossible: a passive attacker sees only ciphertexts and learns neither w nor K.
• Spoofing the other computer is impossible (unless the attacker knows the password).
• Offline dictionary attacks are impossible: to check a guessed password one would have to break Diffie-Hellman, which is considered a hard problem as of today. This holds only if every candidate decryption of $\{g^x\}_w$ looks like a valid group element; if a wrong password can produce a value that is obviously not one, the attacker can discard that password offline.

An active attacker can still try one password per protocol run (online guessing), so the number of failed attempts must be limited.

Warning boxes & confirm dialogues

The confirmation boxes of Windows Vista are so frequent and annoying that users no longer look at them and blindly click "authorize". Similarly:
• Users do not really pay attention to confirmation boxes in general.
• Users do not pay attention to SSL warning boxes ("Do you want to trust Foo?").

Lack of encrypted emails

Although all the technology exists, unencrypted and unsigned emails still make up the vast majority of mail. Email is well known to have no security built in: virtually anything in an email can be faked, which is why email lends itself so easily to phishing and spam.

Viruses

Double-clicking on attachments in email clients can spread a virus without the user's knowledge or consent.

Successes in usability

SSH (with public key)

Here the protocol is designed so that I can prove that I (or my computer) possess a private key without ever sending it. The key is typically generated by the machine for the user, so it has much better entropy and is virtually impossible to
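The password authenticated key exchange from the Passwords section above, as an added worked example (it is not part of the original scribe notes or of the course material). It runs the exchange over the RFC 3526 2048-bit MODP group; the password wrapping (XOR with a SHA-256 counter-mode keystream), the wordlist, the password and all function names are assumptions made for the illustration. Besides the exchange itself, it runs the offline check an eavesdropper would try against a captured $\{g^x\}_w$, which shows why the "no offline dictionary attack" property depends on every candidate decryption looking like a valid group element.

```python
"""EKE-style password authenticated key exchange over RFC 3526 group 14.

Added worked example (not the course's or the notes' code). The password
"wrapping" {.}_w is a stand-in: XOR with a SHA-256 counter-mode keystream
derived from w. Deployed PAKEs (SRP, OPAQUE, ...) do not encrypt g^x this way.
"""
import hashlib
import secrets

# RFC 3526 MODP group 14: a 2048-bit safe prime p = 2q + 1 with generator 2.
# Because p = 7 (mod 8), 2 is a quadratic residue, so g^x always lies in the
# order-q subgroup of quadratic residues.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
Q = (P - 1) // 2
NBYTES = (P.bit_length() + 7) // 8  # 256 bytes per group element


def _keystream(password: str, nbytes: int) -> bytes:
    """Password-derived pad: SHA-256(password || counter), concatenated.
    (Illustrative assumption; a deployment would use a slow, salted KDF.)"""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(password.encode() + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def wrap(password: str, element: int) -> bytes:
    """{element}_w: encrypt a group element under the shared password."""
    pad = _keystream(password, NBYTES)
    return bytes(a ^ b for a, b in zip(element.to_bytes(NBYTES, "big"), pad))


def unwrap(password: str, blob: bytes) -> int:
    """Inverse of wrap; a wrong password yields an arbitrary 2048-bit integer."""
    pad = _keystream(password, NBYTES)
    return int.from_bytes(bytes(a ^ b for a, b in zip(blob, pad)), "big")


def session_key(shared: int) -> bytes:
    """K derived from g^xy (hashed rather than used as a raw group element)."""
    return hashlib.sha256(shared.to_bytes(NBYTES, "big")).digest()


def eke_exchange(password_a: str, password_b: str):
    """One run between A (knows password_a) and B (knows password_b).
    Returns (K_A, K_B, transcript); K_A == K_B exactly when the passwords match."""
    x = secrets.randbelow(Q - 1) + 1
    y = secrets.randbelow(Q - 1) + 1
    msg_a = wrap(password_a, pow(G, x, P))  # A -> B : {g^x}_w
    msg_b = wrap(password_b, pow(G, y, P))  # B -> A : {g^y}_w
    k_a = session_key(pow(unwrap(password_a, msg_b), x, P))  # A computes (g^y)^x
    k_b = session_key(pow(unwrap(password_b, msg_a), y, P))  # B computes (g^x)^y
    return k_a, k_b, (msg_a, msg_b)


def guess_is_plausible(blob: bytes, candidate: str) -> bool:
    """Eavesdropper's offline test on a captured {g^x}_w: does decrypting under
    `candidate` give something that could be a real g^x (in range and in the
    order-q subgroup)? The right password always passes; a wrong one passes
    about half the time, since a random value is a quadratic residue w.p. 1/2."""
    v = unwrap(candidate, blob)
    return 1 <= v < P and pow(v, Q, P) == 1


def offline_attack(captured: list, wordlist: list) -> list:
    """Partition attack: keep only candidates plausible for every captured
    first message. Each recorded session roughly halves the surviving list."""
    return [w for w in wordlist if all(guess_is_plausible(b, w) for b in captured)]


# Constructed sample data: a small wordlist that contains the real password.
REAL_PASSWORD = "correct horse"
WORDLIST = [f"guess{i}" for i in range(32)] + [REAL_PASSWORD]


if __name__ == "__main__":
    k_a, k_b, _ = eke_exchange(REAL_PASSWORD, REAL_PASSWORD)
    print("keys agree:", k_a == k_b)
    captured = [eke_exchange(REAL_PASSWORD, REAL_PASSWORD)[2][0] for _ in range(4)]
    print("candidates left after 4 captured sessions:", offline_attack(captured, WORDLIST))
```

Run as a script, it shows the two parties agreeing on K when they share the password, and then what a passive attacker gets from recording a few sessions: the real password always survives the plausibility test, while each wrong candidate is eliminated by about half of the captured messages, so the wordlist shrinks without any Diffie-Hellman problem being solved. The attacker still cannot confirm the one remaining guess offline, but "offline dictionary attacks are impossible" only holds when decryption under any password lands on a valid group element, which is why deployed PAKEs do not encrypt g^x directly as this toy does.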

