How to Design Usable IT Security Mechanisms Using the Example of Email Encryption By: Rudra Gupta
ANALYSIS OF THE USABILITY OF COMMON SECURITY MECHANISMS AND APPLICATIONS ON BASIS OF THE PRESENTED GUIDELINES
Email Encryption using GPGMail
• Popular open-source email encryption for Mac users
• One-click encryption
• Key and trust management require effort
• The user has a lot of work to do, such as:
  • Getting the public key of the receiver
  • Communicating with the key owner to confirm authenticity
  • Changing the trust level of the exchanged public key
GPGMail is compliant with the following guidelines:
Follow:
• G2 (user decides on trust relations)
• G4 (minimal interaction, one-click encryption)
• G7 (does not frighten the user)
• G9 (usually good integration, depends on the system mail client)
Don’t follow:
• G1 (hard to understand)
• G3 (complicated trust management)
• G5 (difficult trust management and process of key verification)
• G6 (not set to “encrypt all” by default)
• G8 (not much guidance with trust management)
THUNDERBIRD
• Thunderbird is a free email application that is easy to set up
• It is loaded with useful features such as:
  • Customized emails
  • One-click address book
  • Reminders
  • Chats
• The user has less work to do
• Usability is better than GPGMail
• Efficient working
Thunderbird is compliant with the following guidelines:
Follow:
• G1 (although Ubuntu is its platform, it can be used with other operating systems)
• G2 (user decides on trust relations)
• G4 (minimal interaction)
• G6 (it is set to “encrypt all” by default)
• G7 (does not frighten the user)
• G8 (guidance with trust management)
Don’t follow:
• G3 (complicated trust management)
• G5 (does not let the user take hard decisions)
• G9 (although the integration is good, it is not consistent in its communication)
Forced Updates
• Updates are used to keep the system in step with the latest version of the software.
• Users are lazy in applying patches.
• As attacks increased, the concept of “forced updates” emerged.
• While this concept is important, it fails to consider several situations, such as:
  • Downloading huge amounts of data
  • Changes in trust relations
• Often forced updates cannot be stopped by the user.
• For example: Windows updates
Forced updates are compliant with the following guidelines:
Follow:
• G1 (easy to understand)
• G5 (system considers user decisions)
• G6 (keeps the system up to date)
• G7 (does not fear forcing the user)
• G8 (no user action necessary (or possible))
• G9 (well integrated)
Don’t follow:
• G2 (user cannot decide not to apply a patch, user cannot decide when to apply a patch)
• G3 (in some cases the user has to wait until the patch has been applied)
• G4 (full attention of the user is required while waiting for the process to finish)
APPLICATION OF THE PRESENTED DESIGN GUIDE: DESIGN OF AN EMAIL ENCRYPTION SOLUTION WITH GOOD USABILITY
Abstract Design (figure): keys used in email encryption between sender and receiver, labelled PubS and PrivS (sender key pair) and PubR and PrivR (receiver key pair).
Automated Rekeying
• Invoked when a key is about to expire.
• A list of all public keys is kept and is regularly checked for expiration.
• Two situations then occur:
Automated Rekeying with similar email encryption (figure: decision flowchart of yes/no branches; not recoverable as text)
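The regular expiration check described above, as an added example (not code from the slides). The slides do not spell out the two situations; this example assumes they are whether the communication partner runs the same automated solution (its client will send a new key on its own) or not (a fresh key has to be requested), and it treats the user's own key pair as a third case that triggers generation and distribution of a new pair. All addresses, key IDs and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Actions the client can take for an expiring key (names are this example's, not the slides')
ROTATE_OWN = "generate a new key pair and distribute it to all known peers"
AWAIT_PEER_UPDATE = "expect the peer's client to send its new key automatically"
ASK_PEER = "ask the peer for a fresh public key (no automated counterpart)"


@dataclass(frozen=True)
class KeyRecord:
    owner: str                    # email address the key belongs to (constructed sample values below)
    key_id: str                   # placeholder identifier, not a real key ID
    expires: date
    is_own: bool                  # True for this user's own key pair
    peer_automated: bool = False  # assumption: the peer runs the same automated solution


def expiring_keys(keys, today, warn_days=30):
    """The regular check from the slides: keys already expired or expiring within warn_days."""
    cutoff = today + timedelta(days=warn_days)
    return sorted((k for k in keys if k.expires <= cutoff), key=lambda k: k.expires)


def plan_rekeying(keys, today, warn_days=30):
    """Map each expiring key ID to the action the client takes without asking the user."""
    plan = {}
    for k in expiring_keys(keys, today, warn_days):
        if k.is_own:
            plan[k.key_id] = ROTATE_OWN
        elif k.peer_automated:
            plan[k.key_id] = AWAIT_PEER_UPDATE
        else:
            plan[k.key_id] = ASK_PEER
    return plan


# Constructed sample key list for a check run on 2024-06-01
SAMPLE_KEYS = [
    KeyRecord("me@example.org", "OWN-0001", date(2024, 6, 20), is_own=True),
    KeyRecord("bob@example.org", "BOB-0001", date(2024, 5, 1), is_own=False, peer_automated=True),
    KeyRecord("carol@example.org", "CAROL-0001", date(2025, 1, 1), is_own=False),
    KeyRecord("dave@example.org", "DAVE-0001", date(2024, 6, 30), is_own=False),
]

if __name__ == "__main__":
    for key_id, action in plan_rekeying(SAMPLE_KEYS, date(2024, 6, 1)).items():
        print(key_id, "->", action)
```

The check runs on a schedule with the current date; with a 30-day window the already-expired key and the two keys expiring in June are picked up, while Carol's key, valid until 2025, is left alone.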
Automated Key Exchange Using Leap of Faith
Sender side:
• Generate a random string of 20 characters which serves as the password.
• Send the random string to the receiver in an email that states the leap-of-faith situation.
• The sender composes the message as follows:
  • Creates an encrypted PDF that includes the original text and the public key in ASCII armor
  • The sender expects a reply with this public key.
  • Creates a message encrypted with Es
  • The sender sends this message with some information.
Receiver side:
• Stores the random string from the first email.
• In the case of the same email encryption solution, it is triggered by the key exchange message and the following steps take place:
  • Store the random string together with the sender address.
  • Remove the email with the random string from the mail server.
  • Decrypt the message and obtain the public key.
  • Restore the original mail and encrypt it with its own public key.
  • Compose an email similar to the sender’s.
Automated Key Exchange Using Side Channels
• The idea was to use side channels.
• Compared to leap of faith, the side channel fares better.
• It removes the possibility of attack.
• Side channels include:
  • Alternative email addresses: many people use more than one email address.
  • Instant messenger addresses.
  • Telephone numbers for text messaging.
• Just like step 2 of leap of faith, the sender sends the email message with the random string not to the same email address as the encrypted email, but to a selection of the side channels available for that user.
• If email is used as the side channel, it is very likely that the receiver has more than one email account in the same email client. Hence, the email encryption solution has access to the side channel.
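The two exchanges above (leap of faith, and the side-channel variant that differs only in where the random string is delivered) as one added simulation with both sides' messages. This is example code, not the design's own implementation, and it assumes several things the slides leave open: the password-protected PDF is replaced by a toy, unauthenticated keystream cipher (`password_encrypt`/`password_decrypt`) so the flow runs offline; the original text and the ASCII-armored key travel together as a JSON bundle; the receiver's reply carries its own public key under the same one-time password; the mail server is a plain list; and the addresses, key strings and message text are constructed. Because the client reads every account listed in `addresses`, a password mail sent to an alternative account is picked up exactly like one sent to the primary address.

```python
import hashlib
import hmac
import json
import secrets
import string
from dataclasses import dataclass, field

ALPHABET = string.ascii_letters + string.digits
SALT_LEN = 16


def random_password(length: int = 20) -> str:
    """Step 1: a random 20-character string that serves as the one-time password."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _keystream(password: str, salt: bytes, n: int) -> bytes:
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:n])


def password_encrypt(password: str, plaintext: str) -> bytes:
    # Constructed stand-in for the password-protected PDF of the slides:
    # unauthenticated keystream XOR, enough to show the message flow only.
    salt = secrets.token_bytes(SALT_LEN)
    data = plaintext.encode()
    return salt + bytes(a ^ b for a, b in zip(data, _keystream(password, salt, len(data))))


def password_decrypt(password: str, blob: bytes) -> str:
    salt, body = blob[:SALT_LEN], blob[SALT_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(password, salt, len(body)))).decode()


@dataclass
class Client:
    """One user's client; `addresses` lists every account it reads (index 0 is primary)."""
    addresses: list
    public_key: str                                   # ASCII-armored key (placeholder string)
    known_keys: dict = field(default_factory=dict)   # peer address -> armored key
    passwords: dict = field(default_factory=dict)    # peer address -> stored random string
    restored: dict = field(default_factory=dict)     # peer address -> recovered original text

    @property
    def primary(self) -> str:
        return self.addresses[0]


def send_initial(sender: Client, to: str, text: str, server: list, side_channel: str = None):
    """Sender side: `to` is the receiver's primary address, `side_channel` an alternative one."""
    password = random_password()
    sender.passwords[to] = password
    # Step 2: the random string goes out in a separate email, either to the same
    # address (leap of faith) or to a side channel the receiver also owns.
    server.append({"from": sender.primary, "to": side_channel or to,
                   "type": "password", "body": password})
    # Steps 3-4: original text plus the sender's public key, encrypted with the
    # random string; the sender expects a reply carrying the receiver's key.
    bundle = json.dumps({"text": text, "public_key": sender.public_key})
    server.append({"from": sender.primary, "to": to, "type": "keyexchange",
                   "reply": False, "body": password_encrypt(password, bundle)})


def process_mailbox(client: Client, server: list):
    """Receiver side: store passwords first, then handle key-exchange messages."""
    mine = [m for m in server if m["to"] in client.addresses]
    for m in mine:
        if m["type"] == "password":
            client.passwords[m["from"]] = m["body"]   # store string with sender address
            server.remove(m)                          # remove it from the mail server
    for m in mine:
        if m["type"] == "keyexchange" and m["from"] in client.passwords:
            password = client.passwords[m["from"]]
            bundle = json.loads(password_decrypt(password, m["body"]))
            client.known_keys[m["from"]] = bundle["public_key"]   # obtain the public key
            if bundle["text"]:
                # A real client re-encrypts the restored mail to its own key; kept in clear here
                client.restored[m["from"]] = bundle["text"]
            server.remove(m)
            if not m["reply"]:
                # Compose a reply like the sender's message, carrying our own public key
                answer = json.dumps({"text": "", "public_key": client.public_key})
                server.append({"from": client.primary, "to": m["from"], "type": "keyexchange",
                               "reply": True, "body": password_encrypt(password, answer)})


def run_exchange(side_channel: bool = False):
    """Constructed end-to-end run: Alice writes to Bob; both end up with each other's key."""
    server = []
    alice = Client(["alice@example.org"], "-----BEGIN PUBLIC KEY-----ALICE-----END-----")
    bob = Client(["bob@example.org", "bob@side.example"], "-----BEGIN PUBLIC KEY-----BOB-----END-----")
    send_initial(alice, bob.primary, "Hello Bob, first encrypted mail", server,
                 side_channel=bob.addresses[1] if side_channel else None)
    process_mailbox(bob, server)    # Bob stores the password, decrypts, replies
    process_mailbox(alice, server)  # Alice learns Bob's key from the reply
    return alice, bob, server
```

After `run_exchange()` both clients hold the other's key, the restored text is available on Bob's side, and nothing is left on the server because both the password mail and the key-exchange mails were removed once processed. The design choice worth noting is that the same `process_mailbox` handles both roles, which is what lets the solution run with no user action on either side.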
Suggested email encryption solution: compliance with the guidelines (follows all)
• G1 (open for all users): good metaphors are used
• G2 (empowered users): the user can decide on the key and trust management configuration
• G3 (no jumping through hoops): the user is not forced to take any decision
• G4 (user attention and memorization capability): no user actions are necessary and the user does not have to memorize anything
• G5 (only informed decisions): no user actions are necessary
• G6 (security as default): emails are encrypted and signed by default
• G7 (fearless system): no user actions are necessary
• G8 (security guidance, educating reaction on user errors): no user actions are necessary
• G9 (consistency): no user actions are necessary