Can unicorns help users compare crypto key fingerprints?

Joshua Tan, Lujo Bauer, Joseph Bonneau, Lorrie Faith Cranor, Jeremy Thomas, Blase Ur

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Many authentication schemes ask users to manually compare compact representations of cryptographic keys, known as fingerprints. If the fingerprints do not match, that may signal a man-in-the-middle attack. An adversary performing an attack may use a fingerprint that is similar to the target fingerprint, but not an exact match, to try to fool inattentive users. Fingerprint representations should thus be both usable and secure. We tested the usability and security of eight fingerprint representations under different configurations. In a 661-participant between-subjects experiment, participants compared fingerprints under realistic conditions and were subjected to a simulated attack. The best configuration allowed attacks to succeed 6% of the time; the worst 72%. We find the seemingly effective compare-and-select approach performs poorly for key fingerprints and that graphical fingerprint representations, while intuitive and fast, vary in performance. We identify some fingerprint representations as particularly promising.

Original language: English (US)
Title of host publication: CHI 2017 - Proceedings of the 2017 ACM SIGCHI Conference on Human Factors in Computing Systems
Subtitle of host publication: Explore, Innovate, Inspire
Publisher: Association for Computing Machinery
Pages: 3787-3798
Number of pages: 12
Volume: 2017-May
ISBN (Electronic): 9781450346559
DOI: https://doi.org/10.1145/3025453.3025733
State: Published - May 2 2017
Event: 2017 ACM SIGCHI Conference on Human Factors in Computing Systems, CHI 2017 - Denver, United States
Duration: May 6 2017 to May 11 2017

Other

Other: 2017 ACM SIGCHI Conference on Human Factors in Computing Systems, CHI 2017
Country: United States
City: Denver
Period: 5/6/17 to 5/11/17

Fingerprint

Authentication
Experiments

Keywords

  • Authentication
  • Key fingerprints
  • Secure messaging
  • Usability

ASJC Scopus subject areas

  • Human-Computer Interaction
  • Computer Graphics and Computer-Aided Design
  • Software

Cite this

Tan, J., Bauer, L., Bonneau, J., Cranor, L. F., Thomas, J., & Ur, B. (2017). Can unicorns help users compare crypto key fingerprints? In CHI 2017 - Proceedings of the 2017 ACM SIGCHI Conference on Human Factors in Computing Systems: Explore, Innovate, Inspire (Vol. 2017-May, pp. 3787-3798). Association for Computing Machinery. https://doi.org/10.1145/3025453.3025733

@inproceedings{6d9527755ff9467b8670f03db53d4ca1,
title = "Can unicorns help users compare crypto key fingerprints?",
keywords = "Authentication, Key fingerprints, Secure messaging, Usability",
author = "Joshua Tan and Lujo Bauer and Joseph Bonneau and Cranor, {Lorrie Faith} and Jeremy Thomas and Blase Ur",
year = "2017",
month = "5",
day = "2",
doi = "10.1145/3025453.3025733",
language = "English (US)",
volume = "2017-May",
pages = "3787--3798",
booktitle = "CHI 2017 - Proceedings of the 2017 ACM SIGCHI Conference on Human Factors in Computing Systems",
publisher = "Association for Computing Machinery",

}

TY - GEN

T1 - Can unicorns help users compare crypto key fingerprints?

AU - Tan, Joshua

AU - Bauer, Lujo

AU - Bonneau, Joseph

AU - Cranor, Lorrie Faith

AU - Thomas, Jeremy

AU - Ur, Blase

PY - 2017/5/2

Y1 - 2017/5/2

KW - Authentication

KW - Key fingerprints

KW - Secure messaging

KW - Usability

UR - http://www.scopus.com/inward/record.url?scp=85038934323&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85038934323&partnerID=8YFLogxK

U2 - 10.1145/3025453.3025733

DO - 10.1145/3025453.3025733

M3 - Conference contribution

AN - SCOPUS:85038934323

VL - 2017-May

SP - 3787

EP - 3798

BT - CHI 2017 - Proceedings of the 2017 ACM SIGCHI Conference on Human Factors in Computing Systems

PB - Association for Computing Machinery

ER -