Results 1-2 of 2.
((uid:50030235))

Bookmark and Share    
Full Text
Peer Reviewed
See detailDetecting misalignments between system security and user perceptions: a preliminary socio-technical analysis of an E2E email encryption system
Stojkovski, Borce UL; Vazquez Sandoval, Itzel UL; Lenzini, Gabriele UL

in 4th European Workshop on Usable Security - 2019 IEEE European Symposium on Security and Privacy Workshops (2019)

The set of impressions that a user has about distinct aspects of a system depends on the experience perceived while interacting with the system. Considering the effects of these interactions in a security ... [more ▼]

The set of impressions that a user has about distinct aspects of a system depends on the experience perceived while interacting with the system. Considering the effects of these interactions in a security analysis allows for a new class of security properties in terms of misalignments between the system’s technical guarantees and the user’s impressions of them. For instance, a property that we call “false sense of insecurity” identifies a situation in which a secure system injects uncertainty in users, thus improperly transmitting the degree of protection that it actually provides; another, which we call “false sense of security”, captures situations in which a system instills a false sense of security beyond what a technical analysis would justify. Both situations leave room for attacks. In this paper we propose a model to define and reason about such socio-technical misalignments. The model refers to and builds on the concept of security ceremonies, but relies on user experience notions and on security analysis techniques to put together the information needed to verify misalignment properties about user’s impressions and system’s security guarantees. We discuss the innovative insight of this pilot model for a holistic understanding of a system’s security. We also propose a formal model that can be used with existing model checkers for an automatic analysis of misalignments. We exemplify the approach by modelling one specific application for end-to-end email encryption within which we analyze a few instances of misalignment properties. [less ▲]

Detailed reference viewed: 96 (25 UL)
Full Text
Peer Reviewed
See detailA Protocol to Strengthen Password-Based Authentication
Vazquez Sandoval, Itzel UL; Lenzini, Gabriele UL; Stojkovski, Borce UL

in Emerging Technologies for Authorization and Authentication (2018, November)

We discuss a password-based authentication protocol that we argue to be robust against password-guessing and o -line dictionary attacks. The core idea is to hash the passwords with a seed that comes from ... [more ▼]

We discuss a password-based authentication protocol that we argue to be robust against password-guessing and o -line dictionary attacks. The core idea is to hash the passwords with a seed that comes from an OTP device, making the resulting identity token unpredictable for an adversary. We believe that the usability of this new protocol is the same as that of password-based methods with OTP, but has the advan- tage of not burdening users with having to choose strong passwords. [less ▲]

Detailed reference viewed: 135 (60 UL)