Can unicorns help users compare crypto key fingerprints?

Conference on Human Factors in Computing Systems - Proceedings

Volumn 2017-May, Issue , 2017, Pages 3787-3798

  Tan, Joshua ^a   Bauer, Lujo ^a   Bonneau, Joseph ^b   Cranor, Lorrie Faith ^a   Thomas, Jeremy ^a   Ur, Blase ^c  

^a CARNEGIE MELLON UNIVERSITY   (United States)

^b STANFORD UNIVERSITY   (United States)

^c UNIVERSITY OF CHICAGO   (United States)

Author keywords

Authentication; Key fingerprints; Secure messaging; Usability

Indexed keywords

CRYPTOGRAPHY; HUMAN ENGINEERING; NETWORK SECURITY;

AUTHENTICATION SCHEME; COMPACT REPRESENTATION; FINGERPRINT REPRESENTATION; KEY FINGERPRINTS; MAN IN THE MIDDLE ATTACKS; SECURE MESSAGING; USABILITY; USABILITY AND SECURITY;

AUTHENTICATION;

EID: 85038934323     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/3025453.3025733     Document Type: Conference Paper

References (37)

1. akwizgran. 2014. Basic English: Encode random bitstrings as pseudo-random poems. (2014). https://github.com/akwizgran/basic-english
2. J. Callas, L. Donnerhacke, H. Finney, D. Shaw, and R. Thayer. 2007. OpenPGP message format. (2007). https://tools.ietf.org/html/rfc4880
3. Sandy Clark, Travis Goodspeed, Perry Metzger, Zachary Wasserman, Kevin Xu, and Matt Blaze. 2011. Why (special agent) Johnny (still) can't encrypt: A security analysis of the APCO Project 25 two-way radio system. In Proceedings of the 20th USENIX Conference on Security (SEC'11). http://dl.acm.org/citation.cfm?id=2028067.2028071
4. Terrence Cole. 2011. Vash: Visually pleasing and distinct abstract art, generated uniquely for any input data. (2011). https://github.com/thevash/vash
5. Colin Davis. 2016. Robohash. (2016). https://robohash.org/
6. Sergej Dechand, Dominik Schürmann, Karoline Busse, Yasemin Acar, Sascha Fahl, and Matthew Smith. 2016. An empirical study of textual key-fingerprint representations. In 25th USENIX Security Symposium (USENIX Security 16). https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/dechand
7. Michael Farb, Yue-Hsun Lin, Tiffany Hyun-Jin Kim, Jonathan McCune, and Adrian Perrig. 2013. SafeSlinger: Easy-to-use and secure public-key exchange. In Proceedings of the 19th Annual International Conference on Mobile Computing & Networking (MobiCom '13). DOI: http://dx.doi.org/10.1145/2500423.2500428
8. J. Galbraith and R. Thayer. 2006. The Secure Shell (SSH) public key file format. (2006). https://www.ietf.org/rfc/rfc4716.txt
9. Simson L. Garfinkel and Robert C. Miller. 2005. Johnny 2: A user test of key continuity management with S/MIME and Outlook Express. In Proceedings of the 2005 Symposium on Usable Privacy and Security (SOUPS '05). DOI: http://dx.doi.org/10.1145/1073001.1073003
10. Shirley Gaw, Edward W. Felten, and Patricia Fernandez-Kelly. 2006. Secrecy, flagging, and paranoia: Adoption criteria in encrypted email. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI '06). DOI: http://dx.doi.org/10.1145/1124772.1124862
11. Hsu-Chun Hsiao, Yue-Hsun Lin, Ahren Studer, Cassandra Studer, King-Hang Wang, Hiroaki Kikuchi, Adrian Perrig, Hung-Min Sun, and Bo-Yin Yang. 2009. A study of user-friendly hash comparison schemes. In 2009 Annual Computer Security Applications Conference. DOI: http://dx.doi.org/10.1109/ACSAC.2009.20
12. Jun Ho Huh, Hyoungshick Kim, Rakesh B. Bobba, Masooda N. Bashir, and Konstantin Beznosov. 2015. On the memorability of system-generated PINs: Can chunking help?. In Eleventh Symposium On Usable Privacy and Security (SOUPS '15). https://www.usenix.org/conference/soups2015/proceedings/presentation/huh
13. Antti Huima. 2000. The Bubble Babble binary data encoding. (2000). http://web.mit.edu/kenta/www/one/bubblebabble/spec/jrtrjwzi/draft-huima-01.txt
14. Ronald Kainda, Ivan Flechais, and A. W. Roscoe. 2009. Usability and security of out-of-band channels in secure device pairing protocols. In Proceedings of the 5th Symposium on Usable Privacy and Security (SOUPS '09). DOI: http://dx.doi.org/10.1145/1572532.1572547
15. Ruogu Kang, Stephanie Brown, Laura Dabbish, and Sara Kiesler. 2014. Privacy attitudes of Mechanical Turk workers and the U.S. public. In Proceedings of the Tenth Symposium on Usable Privacy and Security (SOUPS '14). https://www.usenix.org/conference/soups2014/proceedings/presentation/kang
16. Alfred Kobsa, Rahim Sonawalla, Gene Tsudik, Ersin Uzun, and Yang Wang. 2009. Serial hook-ups: A comparative usability study of secure device pairing methods. In Proceedings of the 5th Symposium on Usable Privacy and Security (SOUPS '09). DOI: http://dx.doi.org/10.1145/1572532.1572546
17. Arun Kumar, Nitesh Saxena, Gene Tsudik, and Ersin Uzun. 2009. Caveat eptor: A comparative study of secure device pairing methods. In 2009 IEEE International Conference on Pervasive Computing and Communications. DOI: http://dx.doi.org/10.1109/PERCOM.2009.4912753
18. Raph Levien and Donald Johnson. 1998. Snowflake. (1998). http://dlakwi.net/snowflake/snowflake.html
19. Dirk Loss, Tobias Limmer, and Alexander von Gernler. 2009. The drunken bishop: An analysis of the OpenSSH fingerprint visualization algorithm. (2009). http://dirk-loss.de/sshvis/drunken-bishop.pdf
20. Skylar Nagao. 2016. Avatars. (Oct 2016). https://peerio.zendesk.com/hc/en-us/articles/202729949-Avatars
21. Off-the-Record Messaging. 2016. Fingerprints. (2016). https://otr.cypherpunks.ca/help/fingerprint.php
22. OpenSSH. 2008. OpenSSH 5.1 release announcement. (2008). https://www.openssh.com/txt/release-5.1
23. Adrian Perrig and Dawn Song. 1999. Hash visualization: A new technique to improve real-world security. (1999). https://users.ece.cmu.edu/~adrian/projects/validation/
24. Plasmoid. 2003. Fuzzy fingerprints: Attacking vulnerabilities in the human brain. (2003). https://www.thc.org/papers/ffp.pdf
25. David Roundy. 2014. Visual hash. (2014). http://visual-hash.readthedocs.io/en/latest/
26. Scott Ruoti, Nathan Kim, Ben Burgon, Timothy van der Horst, and Kent Seamons. 2013. Confused Johnny: When automatic encryption leads to confusion and mistakes. In Proceedings of the Ninth Symposium on Usable Privacy and Security (SOUPS '13). DOI: http://dx.doi.org/10.1145/2501604.2501609
27. Maliheh Shirvanian and Nitesh Saxena. 2015. On the security and usability of crypto phones. In Proceedings of the 31st Annual Computer Security Applications Conference (ACSAC 2015). DOI: http://dx.doi.org/10.1145/2818000.2818007
28. Ryan Stedman, Kayo Yoshida, and Ian Goldberg. 2008. A user study of Off-the-Record Messaging. In Proceedings of the 4th Symposium on Usable Privacy and Security (SOUPS '08). DOI: http://dx.doi.org/10.1145/1408664.1408678
29. Marc Stevens, Pierre Karpman, and Thomas Peyrin. 2016. Freestart collision for full SHA-1. In Proceedings of the 35th Annual International Conference on Advances in Cryptology (EUROCRYPT 2016). DOI: http://dx.doi.org/10.1007/978-3-662-49890-3-18
30. Zettabyte Storage. 2011. Vash: The visual hash. (2011). https://web.archive.org/web/20130127121849/http://www.thevash.com
31. Nik Unger, Sergej Dechand, Joseph Bonneau, Sascha Fahl, Henning Perl, Ian Goldberg, and Matthew Smith. 2015. SoK: Secure messaging. In Proceedings of the 2015 IEEE Symposium on Security and Privacy (SP '15). DOI: http://dx.doi.org/10.1109/Sp.2015.22
32. Ben Dumke v. d. Ehe. 2012. Unicornify! How does it work? (2012). https://unicornify.appspot.com/making-of
33. Serge Vaudenay. 2005. Secure communications over insecure channels based on Short Authenticated Strings. In Proceedings of the 25th Annual International Conference on Advances in Cryptology (CRYPTO'05). DOI: http://dx.doi.org/10.1007/11535218-19
34. WhatsApp. 2016. WhatsApp encryption overview: Technical white paper. (April 2016). https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf
35. Alma Whitten and J. D. Tygar. 1999. Why Johnny can't encrypt: A usability evaluation of PGP 5.0. In Proceedings of the 8th Conference on USENIX Security Symposium (SSYM'99). http://dl.acm.org/citation.cfm?id=1251421.1251435
36. Wickr. 2016. What is the key verification feature? (2016). https://wickr.desk.com/customer/en/portal/articles/2342342-what-is-the-key-verification-feature
37. Min Wu, Robert C. Miller, and Greg Little. 2006. Web Wallet: Preventing phishing attacks by revealing user intentions. In Proceedings of the Second Symposium on Usable Privacy and Security (SOUPS '06). DOI: http://dx.doi.org/10.1145/1143120.1143133