1995-12-12 - Re: Usability of Cryptography (was Re: More FUD from First Virtual)

Header Data

From: Bryce <wilcoxb@taussky.cs.colorado.edu>
To: Nathaniel Borenstein <nsb+limbo@nsb.fv.com>
Message Hash: 06231dcfea7bffad956c669ba65735741ea0d717433ce342e1c751b67b843785
Message ID: <199512112006.NAA15060@taussky.cs.colorado.edu>
Reply To: <Ikn1ZhGMc50eA2iscn@nsb.fv.com>
UTC Datetime: 1995-12-12 07:05:35 UTC
Raw Date: Tue, 12 Dec 1995 15:05:35 +0800

Raw message

From: Bryce <wilcoxb@taussky.cs.colorado.edu>
Date: Tue, 12 Dec 1995 15:05:35 +0800
To: Nathaniel Borenstein <nsb+limbo@nsb.fv.com>
Subject: Re: Usability of Cryptography (was Re: More FUD from First Virtual)
In-Reply-To: <Ikn1ZhGMc50eA2iscn@nsb.fv.com>
Message-ID: <199512112006.NAA15060@taussky.cs.colorado.edu>
MIME-Version: 1.0
Content-Type: text/plain



-----BEGIN PGP SIGNED MESSAGE-----

 An entity known as "Tense Hot Alien in Barn" wrote:
>
> This is exactly right.  In fact, it isn't even just bad programmer
> decisions; some of the complexity is really inherently needed for
> security.  PGP's notion of who you trust to certify keys, for example,
> confuses the heck out of naive users, who want to "trust" anyone they
> believe is a good person, not just people they believe are sophisticated
> enough to sign keys.  It's really hard to explain to some people why
> they should say, "No, I don't trust Grandma."
> 
> What a lot of people don't seem to realize is that, in crypto software,
  ***********************************************************************

> there is a fundamental tradeoff between usability and security.  You can
  ***************************************************************

> simplify PGP (or similar software) to the point where it's easy to deal
> with key management, but it will then be far more susceptible to
> compromise.


I'm glad that you are willing to state this opinion,
Nathaniel, and take the flack that you are taking.  I think
that, as the goals of cypherpunkism (ewww... I just invented a
new "ism"...) *really* pertain to the *use* of cryptography by
large groups of people-- and not merely to the mathematical
details of cryptography-- this issue is going to become
overwhelmingly important in the very near future.


I challenge you, however, to go beyond pointing this problem
out and start suggesting some approaches to alleviating it.
With your experience in doing security for a successful 
Internet transaction system, I would hope that you have 
valuable insights which can benefit all of us.


To get to the point, I want to know if this "fundamental 
tradeoff" that you refer to is in fact *fundamental*.  That is
to say: is the product of the "security factor" and the
"usability factor" a constant?  Or are there methods which can
be practically implemented to make strong cryptography easier
for Joe Average to use without exposing Joe to unnecessary
risks?


I'm sure in a trivial sense that there are some such methods.  
For example (to pick on everyone's favorite 
crypto-for-the-masses), if PGP v1 and v2 had come in a nice
menu-oriented shell, or with a nice API, then a hell of a lot
more people would be using PGP now, and without reducing its
effectiveness as far as I can see.  I'm sure that the PGP
guys are aware of this problem, and I am looking forward (as
I'm sure many of us are) to PGP v3 with much anticipation.


But this kind of gooey "user friendliness" is not sufficient 
to make crypto *really* convenient to learn and to use, nor 
is it sufficient to make Joe Average's use of crypto really 
secure.  (Note the extreme sparsity of the current PGP Web O 
Trust, and the oft-lamented weakness of Joe's passphrase.)


I have made a clumsy first shot at envisioning the kind of
strong, convenient crypto that could perhaps bring the 
capabilities that we talk about here to the masses.  
I submitted this article to cpunks last week entitled "My
conception of the ideal encryption tool for the masses", and 
it was picked up by Robert Hettinga and echoed to his e$pam list.  
Unfortunately I have not received a single response to this 
article either in personal mail or in public.  Was my article 
so poorly written?  Or are the cpunks failing to realize the 
importance of the usability/security issue?


I sincerely hope that Nathaniel and others can make progress
in addressing this issue.  Ultimately it will be as important 
as any issue in cryptography.


Regards,

Bryce

P.S.  I just went and re-read "My conception of the ideal
encryption tool for the masses" and I think I failed to make
something clear.  The crypto device that I envision is *not*
just useful for buying a pack of cigarettes at the grocery
store.  I could imagine it being used for *every*
user-authentication purpose.  You sit down at a terminal, plug
your pocket-crypto-box into it, and read your private e-mail.  
You walk into a secure building, pass your pocket-crypto-box 
in front of the infra-red IO device, and the door opens for
you.  You negotiate a million-cyber-credit deal, you plug
your pocket-c'box into the Net, and sign the contract.
Etc. etc.  In short, for the vast majority of your crypto
needs you depend *entirely* upon the pocket-c'box and not upon
passphrases and floppy disks.


P.P.S.  I am aware that this makes a physical attack upon your 
c'box into one of the few remaining viable attacks.  
I recommend that everyone carries a handgun next to their 
pocket c'box.  Deadman switches, good police forces and other
physical security, etc. will also be important.  Since this
technology is empowering individuals, it is also increasing 
the value of loot that can be gained by robbing an individual.
Alley-bash the right person and you might be able to steal a
personal fortune.  Another issue that we who seek a better
future through technology need to address.


P.P.P.S.  I can see that there is a major problem with my idea 
regarding the IO between the pocket-c'box and the user.  
Perhaps the pocket-c'box will have to come with trusted IO 
hardware (screen, keyboard, pointer-device, audio, 
vox-recog...  but I digress...).


P.P.P.P.S.  Also note that the pocket c'box should probably 
hold many of your pseudonyms (i.e., many of your pseudonyms' 
private keys) and your Chaumian pseudonym-exchangeable 
credentials.


P.P.P.P.P.S.  Remember those under-$600.00 netstations?  
Even if they don't pan out this year, they will soon.  And 
then they will move into our pockets, and into our 
wristwatches, etc etc.  The cypherpunks need to be ready to 
offer Joe a *secure* computer to put into his pocket, so 
that he is carrying new capabilities and renewed privacy in 
his pocket, rather than carrying a little chunk of Big 
Brother.



signatures follow


      "To strive, to seek, to find and not to yield."  -Tennyson
            <a href="http://www.c2.org/~bryce/Niche.html">

                          bryce@colorado.edu                </a>



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.01

iQCVAwUBMMyPLfWZSllhfG25AQHPRQP/fwhKqyUdOv2/t/YCc68GQrNMOhCT69KE
PVE27Fp3CYnx+lGgzynnh1kr9DlH/bOOQRGf+fjqbPswr7PDHUoMaTAnBFr8gzf3
eXPd9moyixjNvHXacMpl0I5A/0tr6Lt2N/L5FUTyMf5zecMzbEbuKyiQE8pOYajx
COKJyTTk794=
=4spo
-----END PGP SIGNATURE-----
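Added illustration (not part of Bryce's message, and not code from PGP or any project mentioned above): a toy model of the "pocket-c'box" from the P.S., used to show the IO problem raised in the P.P.P.S. The private key stays on the device and is never exported; an untrusted terminal supplies the bytes to sign. Without a trusted display, a terminal can show the user one contract and hand the device another, and the signature still verifies. All names, the sample contracts and the signature scheme (textbook RSA over two Mersenne primes with truncated SHA-256 and no padding, chosen only so the example runs on the standard library) are constructed for this example and are not secure parameters.

```python
"""Toy model of a pocket crypto device signing for an untrusted terminal.
Added illustration, not code from the original post.  The key size and
signature scheme are a constructed toy (textbook RSA over two Mersenne
primes, 88-bit truncated SHA-256, no padding); do not reuse as a real
signature scheme."""
import hashlib

# Constructed toy parameters: 2^31-1 and 2^61-1 are known primes, so
# N is about 2^92.  E is coprime to (P-1)(Q-1), so D exists.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # Python 3.8+ modular inverse


def digest_int(msg: bytes) -> int:
    """SHA-256 truncated to 88 bits so the value is below N."""
    return int.from_bytes(hashlib.sha256(msg).digest()[:11], "big")


def verify(msg: bytes, sig: int) -> bool:
    """Anyone holding only the public part (N, E) can check a signature."""
    return pow(sig, E, N) == digest_int(msg)


class User:
    """Approves a message only if it is the one they meant to sign."""
    def __init__(self, intends: bytes):
        self.intends = intends

    def approve(self, shown: bytes) -> bool:
        return shown == self.intends


class PocketBox:
    """Holds D and never exports it.  With trusted_display=True the box
    shows the exact bytes it is about to sign on its own screen and asks
    the user; otherwise it signs whatever the terminal hands it."""
    def __init__(self, d: int, user: User, trusted_display: bool):
        self._d = d
        self.user = user
        self.trusted_display = trusted_display

    def sign(self, msg: bytes):
        if self.trusted_display and not self.user.approve(msg):
            return None           # user saw the substitution and refused
        return pow(digest_int(msg), self._d, N)


class HonestTerminal:
    def transact(self, user: User, box: PocketBox, contract: bytes):
        user.approve(contract)    # user reads the contract on the terminal
        return contract, box.sign(contract)


class MaliciousTerminal:
    """Shows the user the contract they expect, signs something else."""
    def __init__(self, substitute: bytes):
        self.substitute = substitute

    def transact(self, user: User, box: PocketBox, contract: bytes):
        user.approve(contract)    # terminal screen looks right to the user
        return self.substitute, box.sign(self.substitute)


# Constructed sample contracts.
REAL = b"Pay 1 cyber-credit to Bob for one pack of cigarettes"
FAKE = b"Pay 1000000 cyber-credits to Mallory"


def run(terminal, trusted_display: bool) -> dict:
    """Drive one signing session; report what was actually signed and
    whether a verifier holding only the public key would accept it."""
    user = User(REAL)
    box = PocketBox(D, user, trusted_display)
    signed, sig = terminal.transact(user, box, REAL)
    return {"signed": signed, "sig": sig,
            "valid": sig is not None and verify(signed, sig)}


if __name__ == "__main__":
    for name, term in (("honest", HonestTerminal()),
                       ("malicious", MaliciousTerminal(FAKE))):
        for trusted in (False, True):
            r = run(term, trusted)
            print(f"{name:9s} trusted_display={trusted!s:5s} "
                  f"signed={r['signed']!r} valid={r['valid']}")
```

The point of the four runs: the key never left the box in any of them, yet the malicious terminal with an untrusted display obtains a perfectly valid signature over FAKE. Only when the box itself renders what it is about to sign does the user get a chance to refuse, which is why the device needs its own IO path rather than relying on the terminal's screen.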




