An Inconvenient Trust: User Attitudes Toward Security and Usability Tradeoffs for Key-Directory Encryption Systems

Black Hat USA 2016

Presented by: Patrick Gage Kelley
Date: Thursday August 04, 2016
Time: 17:00 - 17:25
Location: Mandalay Bay BCD

Many critical communications now take place digitally, but recent revelations demonstrate that these communications can often be intercepted. To achieve true message privacy, users need end-to-end message encryption, in which the communications service provider is not able to decrypt the content. Historically, end-to-end encryption has proven extremely difficult for people to use correctly, but recently tools like Apple's iMessage and Google's End-to-End have made it more broadly accessible by using key-directory services. These tools (and others like them) sacrifice some security properties for convenience, which alarms some security experts, but little is known about how average users evaluate these tradeoffs. In a 52-person interview study, we asked participants to complete encryption tasks using both a traditional key-exchange model and a key-directory-based registration model. We also described the security properties of each (varying the order of presentation) and asked participants for their opinions. We found that participants understood the two models well and made coherent assessments about when different tradeoffs might be appropriate. Our participants recognized that the less-convenient exchange model was more secure overall, but found the security of the registration model to be "good enough" for many everyday purposes.
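The security property the two models trade away or keep comes down to one question: does the client accept whatever public key the network hands it, or does it check that key against something verified out of band? The following added example (not code from the talk, the study, or any of the products it names) models both clients against an honest key directory and against one that substitutes an attacker's key. The Diffie-Hellman group is a toy (the Curve25519 field prime used as a plain multiplicative group, an assumption for illustration only, not a safe prime and not for production), and the user names, directory classes, and fingerprint format are all invented for the demonstration.

```python
"""Toy model of the two key-distribution models from the abstract: a key-directory
(registration) client trusts whatever public key the directory returns; a
key-exchange client checks the received key against a fingerprint the user
verified out of band. Added example, not from the original talk."""
import hashlib
import secrets

# Toy Diffie-Hellman group (assumption for illustration only: the Curve25519
# field prime used as a plain multiplicative group; not a safe prime, not for production).
P = 2**255 - 19
G = 2


def keygen():
    """Return (private, public) for the toy DH group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def fingerprint(pub):
    """Short fingerprint of a public key: the value two users compare out of band."""
    return hashlib.sha256(pub.to_bytes(32, "big")).hexdigest()[:16]


def shared_key(priv, peer_pub):
    """Session key derived from the DH shared secret."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(32, "big")).digest()


class KeyDirectory:
    """Honest directory: returns the key each user registered."""

    def __init__(self):
        self.keys = {}

    def register(self, user, pub):
        self.keys[user] = pub

    def lookup(self, user):
        return self.keys[user]


class SubstitutingDirectory(KeyDirectory):
    """Directory under the attacker's control (or coerced): answers every
    lookup with Mallory's key, so clients that trust it encrypt to Mallory."""

    def __init__(self, mallory_pub):
        super().__init__()
        self.mallory_pub = mallory_pub

    def lookup(self, user):
        return self.mallory_pub


def registration_client(directory, my_priv, peer):
    """Key-directory model: trust the directory's answer with no further check."""
    return shared_key(my_priv, directory.lookup(peer))


def exchange_client(directory, my_priv, peer, verified_fp):
    """Key-exchange model: the key may still arrive over the network, but it must
    match a fingerprint the user verified out of band (in person, by phone)."""
    peer_pub = directory.lookup(peer)
    if fingerprint(peer_pub) != verified_fp:
        raise ValueError(f"fingerprint mismatch for {peer}: "
                         f"{fingerprint(peer_pub)} != {verified_fp}")
    return shared_key(my_priv, peer_pub)


def run_scenarios():
    """Report which model ends up sharing a key with Bob and which with Mallory."""
    alice_priv, alice_pub = keygen()
    bob_priv, bob_pub = keygen()
    mallory_priv, mallory_pub = keygen()
    bob_fp = fingerprint(bob_pub)  # Alice learned this from Bob face to face

    honest = KeyDirectory()
    honest.register("alice", alice_pub)
    honest.register("bob", bob_pub)
    evil = SubstitutingDirectory(mallory_pub)

    with_bob = shared_key(bob_priv, alice_pub)          # what Bob would derive
    with_mallory = shared_key(mallory_priv, alice_pub)  # what Mallory would derive

    results = {}
    # Honest directory: both models derive the key Bob derives.
    results["honest_registration_ok"] = registration_client(honest, alice_priv, "bob") == with_bob
    results["honest_exchange_ok"] = exchange_client(honest, alice_priv, "bob", bob_fp) == with_bob
    # Substituting directory: the registration client silently keys to Mallory.
    k = registration_client(evil, alice_priv, "bob")
    results["evil_registration_keys_to_mallory"] = k == with_mallory
    results["evil_registration_keys_to_bob"] = k == with_bob
    # The exchange client refuses because the fingerprint does not match.
    try:
        exchange_client(evil, alice_priv, "bob", bob_fp)
        results["evil_exchange_detected"] = False
    except ValueError:
        results["evil_exchange_detected"] = True
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The point the model makes explicit is that the registration client's failure is silent: nothing in the protocol run tells Alice she is now sharing a key with the directory operator's choice of counterparty, which is exactly the property the study's participants were asked to weigh against the convenience of never comparing fingerprints.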

Patrick Gage Kelley

Patrick Gage Kelley is an Assistant Professor of Computer Science at the University of New Mexico. My research centers on privacy, visualization, media, and the influence of technology on culture and direct EXIT. I have worked on projects related to passwords, location-sharing, privacy policies, mobile apps, Twitter, Facebook relationship grouping, and the use of standardized, user-friendly privacy displays. My research is funded by the National Science Foundation and a Google Research Award. I received my PhD from Carnegie Mellon University working with the Mobile Commerce Lab and the CyLab Usable Privacy and Security (CUPS) Lab. I dabble in new media arts and information visualization, once with CMU's STUDIO for Creative Inquiry. Additionally, I teach and speak on ethical issues in computing and am ACM SIGCHI's CMC Chair for Media+Brand.
