[messaging] Informing the user they have the wrong key

Michael Farb mwfarb at cmu.edu
Mon Sep 29 08:43:31 PDT 2014

I'm not sure what the best way to do this in the asynchronous case, where I may have keys but have not validated their correctness and I want a process where I can verify against public data on a server at anytime. 

However, for synchronous cases, where 2 or more users are leveraging an existing physical meeting, video chat, or phone call, we establish key correctness (and initial exchange if needed) resolving some of these issues. SafeSlinger reports MITM interference in the exchange to the UI and aborts its protocol for all users, and prevents habituation of click-through by forcing users communicate out of band to choose matching words among some decoys.

But this case is active verification, I think you're referring to passive verification. I'd be interested to hear what others have to say. We use language like "unexpected data found in the exchange" in the active case. Perhaps the passive case should include a system of time sensitive escalation. Notifications come to the user about the suspect key that its authenticity is suspicious and can be used but will be reported compromised by the directory in X amount of time. Perhaps there should be rectification process with the directory publisher to troubleshoot keys before the X time?


Michael W. Farb
Research Programmer, Carnegie Mellon University CyLab
M 412-965-4725 - www.cylab.cmu.edu/safeslinger

On Sep 26, 2014, at 10:05 PM, Tony Arcieri <bascule at gmail.com> wrote:

> If we build fancy systems to detect things like misadvertised keys or MitM attacks, how can we reasonably inform an end user what is amiss in an actionable way that won't confuse them with too many false positives to avoid taking action when something bad actually happens?
> I recently went to SOUPS and saw a number of presentations on the general difficulty of communicating security-actionable information to users. From what I saw I'd say the problem is twofold:
> 1) How does the system provide a high confidence level that when it tries to communicate a security-actionable event, it's fairly certain it's not a false positive? False positives condition users to ignore security warnings
> 2) How do you express what's happening to the user in such a way that they will actually take action on it and not just click-through dismiss it?
> Given the wide-ranging number of scenarios, the answer will of course be contextual, and I'd be curious to hear any replies about how systems try to solve the "right key" user experience problem in general.
> That said, the messaging use-case (in conjunction with a "key directory" system) is particularly interesting to me.
> If an end-to-end encrypted messaging system which relies on a centrally-managed key directory (e.g. iMessage) were to by coersion or compromise publish a poison key to their directory to facilitate a MitM attack, but the system creators wanted to make such action obvious to their users, how can the systems reasonably detect and reflect this in such a way that such users aren't conditioned to ignore such alerts for routine events (e.g. the SSH "SOMETHING NASTY" message) and actually feel compelled to take action on that knowledge?
> And then what? How can we help someone who is a victim of an attack like this actually compile all of the necessary information for someone to figure out what actually happened? How can encryption tools compile incident reports that experts can scrutinize to determine what happened?
> -- 
> Tony Arcieri
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140929/92bfa7b8/attachment.html>

More information about the Messaging mailing list