smart phones
DESCRIPTION
Smart Phones. Edgardo Vega. Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech. Smart Phones. Device-enabled authorization in the Grey system(2005) Lujo Bauer, Scott Garriss, Jonathan M. McCune, Michael K. Reiter, Jason Rouse, Peter Rutenbar - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/1.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Smart Phones
Edgardo Vega
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
![Page 2: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/2.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Smart Phones Device-enabled authorization in the Grey
system(2005) Lujo Bauer, Scott Garriss, Jonathan M. McCune,
Michael K. Reiter, Jason Rouse, Peter Rutenbar Lessons learned from the deployment of a
smartphone-based access-control system(2007) Lujo Bauer, Lorrie Faith Cranor, Michael K. Reiter,
Kami Vaniea
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
![Page 3: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/3.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Introduction Grey is a flexible platform that provides
ubiquitous access control to both physical and virtual resources, via smartphones.
At the core is a flexible and provably sound authorization framework based on proof-carrying authorization( PCA), extended with a new distributed proving technique that offers significant efficiency and usability advances
![Page 4: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/4.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Introduction (continued) Delegates authority in a convenient fashion. Relies on cryptographic key management. Also incorporates capture resilience Takes advantage of Bluetooth, cellular data
(GPRS), and messaging protocols (SMS and MMS)
![Page 5: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/5.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
COMPONENTS
Graphical IdentifiersCapture-Resilient CryptographyProof-Carrying Authorization
![Page 6: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/6.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Graphical Identifiers Person
Photograph – less failure-prone Public Key
Two-dimensional barcode of the hash Network Address
Two-dimensional barcode of the address Circumvent the high-latency of device discovery in
Bluetooth
![Page 7: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/7.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Capture-Resilient Cryptography Protects the phones private key by using a
remote capture-protect server User can disable the key if the phone has
been lost or can temporarily disable to protect from dictionary attacks
Server is an untrusted space user’s key information is not passed back and forth
Decentralized system each user can use their own server (i.e., desktop computer)
![Page 8: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/8.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Proof-Carrying Authorization Utilizes formal logic directly in the
implementation of the system. Directly manipulates fragments of the logic
and represents credentials/proofs of access as constructed in formal logic.
Contains an automated theorem prover and checker
Client is responsible to prove that access should be granted
![Page 9: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/9.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
USAGE SCENARIOS
![Page 10: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/10.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Alice Bob
![Page 11: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/11.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
![Page 12: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/12.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
![Page 13: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/13.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
![Page 14: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/14.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
![Page 15: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/15.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
![Page 16: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/16.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
![Page 17: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/17.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
![Page 18: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/18.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
![Page 19: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/19.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
SOFTWARE ARCHITECTURE
Graphical User InterfacesProverVerifierCommunication FrameworkPerformance
![Page 20: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/20.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Graphical User Interfaces Phone
Address Book Access requests to a resource Reactive policy creation
Computer Groups Roles Policy Creation
![Page 21: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/21.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Prover Distributed proving
Eager – completely unable to make progress Lazy - ask for help as soon as he isolates a
theorem that someone else might help with
![Page 22: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/22.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Prover
![Page 23: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/23.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Verifier Simple, lightweight, and device independent
![Page 24: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/24.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Communication Framework Support for multiple transport layers Reliable, flexible message routing Light user burden
![Page 25: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/25.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Communication Framework Application Layer Management Layer Carriers
![Page 26: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/26.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Performance
![Page 27: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/27.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
PILOT APPLICATIONS
Office AccessWindows XP Login
![Page 28: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/28.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Office Access Enables access to office doors Standard electrical door strike and embedded
PC (4.55×3.75×1.70 inches). Bluetooth and RS-485 relay controller
![Page 29: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/29.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Windows XP Login
![Page 30: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/30.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
LESSONS LEARNED
![Page 31: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/31.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Introduction 9 months and 19 participants Periodic interviews and logs generated by the
system Principles of concern:
Usability downfalls Network effects New flexibility End use behavior
![Page 32: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/32.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Floor Plan
![Page 33: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/33.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Users Faculty, staff, students in the building 19 users Demographics:
6 CS and ECE 3 Technical Staff 1 Administrative Staff 16 male and 3 female
![Page 34: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/34.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Procedure Conducted an initial interview Given the phone Basic Instructions Interviewed in a month and then every 4 to 6
weeks All at desk or conference room
![Page 35: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/35.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Data One year of data 19,500 Grey and 236,900 total access
attempts Video of 70 accesses 30 hours of interview data Resources: 7.4 average (15 max, 2 min) Users: 5.7 average (11 max, 3 min) 18 still use the system
![Page 36: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/36.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Lessons Learned1. Perceived speed and convenience are critical to
a user’s satisfaction and acceptance2. A single failure can strongly discourage adoption3. Users won’t user features they don’t understand4. Systems that benefit from the network effect are
often untenable for small user populations5. Low overhead for creating and changing policies
encourages policy change6. Unanticipated uses can bolster acceptance
![Page 37: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/37.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Perceived speed and convenience are critical to a user’s satisfaction and acceptance
![Page 38: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/38.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
A single failure can strongly discourage adoption Getting locked out caused user to go from 28
system requests to 7 Delegation took so long that users thought it
was broken Lent someone their phone
![Page 39: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/39.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Users won’t user features they don’t understand Passed up more effective ways of delegation
for simpler to use
![Page 40: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/40.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Systems that benefit from the network effect are often untenable for small user populations To really start to be able to do amazing thing
you need large user population and installation base
![Page 41: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/41.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Low overhead for creating and changing policies encourages policy change Role based key policy of students, staff, and
faculty Spare and hidden keys Delegation more casual, 11 received access
to resource they did not have before Users ideal policy for 95% of access controls
![Page 42: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/42.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Unanticipated uses can bolster acceptance Could open doors from the inside Satisfying clicking noises the door made
![Page 43: Smart Phones](https://reader035.vdocument.in/reader035/viewer/2022070504/5681692b550346895de06c7e/html5/thumbnails/43.jpg)
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech
Discussion Why do technical users behave like non
technical users? What access problems does this technology
introduce? Is a smart phone the correct device to use? Is there a better distributed server system
than desktop computers?