Frontiers of Engineering: Reports on Leading-Edge Engineering from the 2007 Symposium (2008)

DIANA K. SMETTERS

PARC

Palo Alto, California

Security is rapidly emerging as one of the greatest challenges of our modern computer-centric society. One of the least addressed factors crucial to achieving effective computer security is usability. Too often users and their pesky focus on the tasks they are actually trying to accomplish are considered primarily as an impediment to systems security, rather than the reason for building those systems in the first place.

Over the last several years there has been a rapid expansion of research into making systems that are both usable and secure. Beginning with studies that simply characterize the overwhelming flaws of current technologies designed without any thought to the user, it has expanded into interest from the Human-Computer Interaction (HCI) community in designing improved user interfaces to existing security technologies, in the hopes of increasing their usability. While both of these approaches play important roles, we have argued (Smetters and Grinter, 2002; Balfanz et al., 2004a) that only through designing (or redesigning) security technologies and secure systems from the ground up with usability in mind will there be systems sufficiently usable and secure to meet the demands of modern computing environments.

In this paper I will briefly review recent work both on improving the usability of security technologies and in designing systems to be simultaneously usable and secure, with an eye toward the challenges still faced in marrying these two seemingly opposing goals.

There is no more common security technology in use today than that of the ubiquitous user name and password. Easy to understand and implement, passwords play a critical functional role in online society as the secrets that bind real people to their digital information and personas. They require no more of their users than to simply remember them. Unfortunately, they are flawed in both nature and execution—as the simplest form of secret, they are easily given away and reused¹ by attackers. As such, they and other similar forms of “secret” information such as social security numbers are subject to increasingly sophisticated “phishing” attacks, which attempt to trick users into revealing them. They are also deployed in a fashion that overtaxes users’ abilities to manage them securely and effectively. A number of studies have demonstrated clearly what most password users (i.e., all of us) know by experience: people don’t know how to pick good passwords and are asked to remember far too many of them or change them far too often, resulting in poor password choice and passwords being written down or shared (Adams and Sasse, 1999).

Standard password policies are striking in how effectively they minimize usability. Even simple changes in typical password policies can demonstrably increase usability without decreasing security, for example, not requiring password change or increasing the number of password input errors allowed without requiring administrator intervention (e.g., from 3 to 10) (Brostoff and Sasse, 2003).

Unfortunately, the increasing body of research on both traditional text passwords and various forms of new graphical passwords appears to be moving inexorably to the conclusion that passwords in any form cannot be used securely in their “naked” form (i.e., based only on what a user is able to remember on his own) without technological support. Most interestingly, it seems the very universality of passwords is also their downfall. For example, studies suggested that a simple technique for constructing passwords through mnemonic phrases could result in passwords that were as difficult to guess as randomly generated passwords, while at the same time being easy to remember (Yan et al., 2005). Unfortunately, it turns out that in practice most of us pick the same mnemonic phrases from which to generate our passwords, making these hard passwords vulnerable to simple dictionary attacks (Kuo et al., 2006).

Because of their strong appeal, more design activity is going into attempts to improve the security and usability of passwords—with mixed results. Mutual authentication systems, such as SiteKey™, attempt to reduce the risk that users will reveal passwords to other than the websites they intend by providing a supposedly user-friendly image-based method for users to authenticate the website

they are communicating with prior to entering their password. Unfortunately, recent research shows that users do not notice the absence of the correct SiteKey™ security indicators, still entering their passwords into possibly malicious websites (Schechter at al., 2007). Two-factor authentication systems require users to present something other than just a password for access, and attempt to ensure that the other factor is one that is difficult for an attacker to steal. However, perhaps in order to minimize changes required to infrastructure, such systems have been deployed most commonly in a form that gives users one-time passwords to be entered in addition to their standard credentials, either from a list or generated automatically by an electronic token, rather than giving them cryptographic keys to use to authenticate themselves. Unfortunately, these one-time password systems have shown themselves vulnerable in practice to attackers who interpose themselves between the user and the resource as a so-called “man in the middle,” capturing the password from the user and then handing it to the resource provider to gain access, while returning an innocuous-looking error message to the original user (e.g., “You typed your password incorrectly; please try again.”).

Password managers range from simple software assistants that help users keep straight their bewildering number of passwords, to complex pieces of software that provide a number of defenses. The best of these, PassPet (Yee and Sitaker, 2006) and Web Wallet (Wu et al., 2006), act to significantly strengthen passwords as a security measure by asking users to remember a single master password, from which they generate unique passwords for every site a user logs into. By enabling users to have distinct passwords for each site they access, these tools can not only minimize the damage caused by a single stolen password (which is usually significant, as passwords are frequently reused in practice), but can also prevent a user from entering a particular password into the wrong site (e.g., a phishing site). While promising, the most widely deployed of these tools (e.g., the simple password managers built into web browsers) lack the significant protective features required to make a significant impact on password theft. Ideally, new tools, combining the best features from all existing systems, will begin to achieve widespread deployment in the near future.

In the parlance of the introduction, passwords are an existing security technology that have been subject to research, both by attempting to characterize their flaws and to improve their usability through the design of better interfaces and support tools. In this section we turn to the question of combining new and existing security tools to make qualitative changes in users’ experience of secure computing systems—making systems so attractive for their usability that good security is simply a nice bonus.

Take the simple problem of securing a wireless network (WLAN). The secu-

rity options available to a home user to protect such a network involve providing every device on that network with the same secret key. Removing an unwanted device from the network requires changing that key on every other device. Until sometime in 2006 the protection afforded to users that performed all of these steps correctly was in name only; the security mechanisms (WEP, or Wired Equivalent Privacy) built into IEEE 802.11, the most common WLAN standard, were completely ineffective (Walker, 2000; Stubblefield et al., 2002). In 2006 an improved version of the security standards for WLANs brought protection to end users, but still at a cost: vulnerabilities in the shared key-based security intended for home users allowed offline guessing of secret keys and required users to enter very long keys (e.g., 26 hex digits). While recent work by manufacturers to simplify the key distribution process for home users (e.g., WiFi Protected Setup) has improved usability somewhat, it has not made available to those users the more sophisticated forms of WLAN security geared toward enterprises.

Enterprise WLAN security, in contrast, offers a number of alternatives with much higher security guarantees than that provided to home users. At the limit, enterprise WLAN users can be individually authenticated using digital certificates and provided with separate keys for encrypting data; this provides strong authentication and network access control, the ability to revoke individual user’s access easily, and protects network users from one another. However, availing oneself of such high security requires deploying a Public Key Infrastructure (PKI) and issuing digital certificates, something considered so difficult that even most professionally managed enterprises do not attempt it.

Our fundamental approach to building systems that are both usable and secure is to focus on users and their application tasks (which is all they really care about anyway) and see whether we can arrive at system designs that allow them to accomplish those tasks effectively and securely, without adding additional requirements or burdens. In Balfanz et al. (2004b) we turned that approach to the problem of deploying secure WLANs.

One of the most significant usability problems in deploying PKIs, even in enterprise environments, is the idea that such PKIs must be designed in the grand-scale, global infrastructure form in which such tools were first envisioned. If, instead, one changes the focus to building small-scale PKIs, requiring no interoperability or trust with any other infrastructure and targeted only to the task at hand (say the small group of devices allowed onto one WLAN), they turn out to be simple tools that are easy to deploy and manage (Balfanz et al., 2005). By building certification authority software (the sort of software that issues digital certificates) into a wireless access point (AP), as well as an enterprise-style authentication server configured to allow only devices certified by that authority onto the WLAN, we created a standalone, home-use AP that automatically configured itself to provide a highly secure WLAN as soon as it was turned on for the first time, with no user intervention. In a later enterprise form of the same system we wired together our system for enrolling new WLAN clients (see below) into

a standard enterprise certification authority and authentication server to achieve the same effect while allowing enterprise-level management of digital certificates and network access policy.

The other, more critical challenge in designing a user-friendly approach to securing WLANs is how users accomplish the one task they must do, namely, specifying the WLAN they wish their devices to join, and indicating to their access points which devices should be allowed to do so. In the simplest usage of WLANs, networks are totally unsecured and users simply “fall onto” any available network. However, it is not possible to do that and achieve any level of security, particularly the high levels of security we are attempting to provide here. Instead, we would like to ask users to do the minimum work possible, namely, to indicate to the network that they would like to join it and from that simple indication achieve fine-grained security and control.

We achieve this through the use of a technique we refer to as “demonstrative identification.” It is not possible for two devices that share no a priori trust information to authenticate each other over an unsecured medium such as a WLAN without risking a man-in-the-middle attack. So instead of having our candidate wireless device and AP find each other over the airwaves, we ask the user to point out the AP hosting the network they desire to join over what we refer to as a “location-limited channel.” Such a channel is one where the nature of the medium itself makes it difficult for an attacker to transmit information in the channel without being detected, for example, infrared (as with a remote control), physical contact (as with cables or USB tokens), and sound. Over this channel we have the user’s device and the access point exchange public information—the cryptographic digests of their public keys—which can later be used to allow the devices to authenticate each other over any channel they happen to use to communicate (e.g., the WLAN itself).

From the users’ points of view, they are merely indicating their desired WLAN by pointing out the AP (or an enrollment device acting as a proxy for the AP) using infrared, as if they were using a remote control. From the AP’s point of view, it implements a simple access control policy that says if a user is able to walk up to it and communicate with it over infrared (or audio or physical connection), that user and device is allowed on the WLAN. Having exchanged public key authenticators in this manner, along with a certain amount of configuration information, the user’s device can set up a secure, authenticated connection to the AP over the existing wireless network. The AP can then use that connection to download to the device a digital certificate sufficient to allow it to authenticate as a user of the WLAN using standard protocols, and a small amount of software is sufficient to automatically configure the device to use that certificate in this way in the future. So from the point of view of the user, a small demonstrative act, which in experimental tests is perceived as simpler than the amount of manual configuration required to get a device onto a network providing lower levels of security, is all that is required to set his device up on a highly secure WLAN. After that

initial setup phase, use of the secure WLAN is no more complicated than using any other WLAN. From the point of view of the WLAN owner, a highly intuitive security perimeter has been established: to get on the WLAN someone must have physical access (e.g., sufficient to communicate over infrared) to the access point. Without such access they cannot get onto the network. Therefore, securing your WLAN becomes equivalent to locking your front door, or if that isn’t enough, locking the AP in a closet. And at the same time, the resulting network provides best available enterprise-class WLAN security, with per-user encryption keys and the ability to revoke access by any device at any time without requiring reconfiguration of any other device.

This simple system serves as just one example of how taking a slightly different, user-focused approach to the design of secure systems can result in systems that are easier to use than their insecure counterparts, while providing very high degrees of security. We have used this approach over the last several years to construct a number of such proof-of-concept systems, as well as components and tools that make building such systems easier in general.

Adams, A., and M. A. Sasse. 1999. Users are not the enemy: Why users compromise computer security mechanisms and how to take remedial measures. Communications of the ACM 42(12):40-46.

Balfanz, D., G. Durfee, and D. K. Smetters. 2005. Making the impossible easy: Usable PKI. Pp. 319-334 in Security and Usability: Designing Secure Systems that People Can Use, L. F. Cranor and S. Garfinkel, eds. Sebastopol, CA: O’Reilly Media, Inc.

Balfanz, D., G. Durfee, R. E. Grinter, and D. K. Smetters. 2004a. In search of usable security—five lessons from the field. IEEE Security and Privacy Magazine 5(2):19-24.

Balfanz, D., G. Durfee, R. E. Grinter, D. K. Smetters, and P. Stewart. 2004b. Network-in-a-box: How to set up a secure wireless network in under a minute. Pp. 207-222 in Proceedings of the 13th USENIX Security Symposium. Berkeley, CA: USENIX.

Brostoff, S., and M. A. Sasse. 2003. Ten strikes and you’re out: Increasing the number of login attempts can improve password usability. Paper presented at Workshop on Human-Computer Interaction and Security Systems. Fort Lauderdale, FL, April 5-10.

Kuo, C., S. Romanosky, and L. F. Cranor. 2006. Human selection of mnemonic phrase-based passwords. Pp. 67-78 in SOUPS ’06: Proceedings of the Second Symposium on Usable Privacy and Security. New York: ACM Press.

Schechter, S. E., R. Dhamija, A. Ozment, and I. Fischer. 2007. The emperor’s new security indicators. Pp. 51-65 in SP ’07: Proceedings of the 2007 IEEE Symposium on Security and Privacy. Piscataway, NJ: IEEE.

Smetters, D. K., and R. E. Grinter. 2002. Moving from the design of usable security technologies to the design of useful secure applications. Pp. 82-89 in New Security Paradigms Workshop. New York: ACM Press.

Stubblefield, A., J. Ioannidis, and A. D. Rubin. 2002. Using the Fluhrer, Mantin, and Shamir attack to break WEP. Paper presented at the Network and Distributed Systems Security Symposium. San Diego, CA. February 6-8.

Walker, J. 2000. Unsafe at any key size: An analysis of the WEP encapsulation. IEEE Document 802.11-00/362. Washington, DC: IEEE.

Wu, M., R. C. Miller, and G. Little. 2006. Web wallet: Preventing phishing attacks by revealing user intentions. Pp. 102-113 in SOUPS ’06: Proceedings of the Second Symposium on Usable Privacy and Security. New York: ACM Press.

Yan, J., A. Blackwell, R. Anderson, and A. Grant. 2005. The memorability and security of passwords. Pp. 129-142 in Security and Usability: Designing Secure Systems that People Can Use, L. F. Cranor and S. Garfinkel, eds. Sebastopol, CA: O’Reilly and Associates.

Yee, K.-P., and K. Sitaker. 2006. Passpet: Convenient password management and phishing protection. Pp. 32-43 in SOUPS ’06: Proceedings of the Second Symposium on Usable Privacy and Security. New York: ACM Press.

This page intentionally left blank.