Abstract
Communication security has become an indispensable demand of smartphone users. End-to-end encryption is the key factor for providing communication security, which mainly relies on public key cryptography. The main and unresolved issue for public key cryptography is to correctly match a public key with its owner. Failing to do so could lead to man-in-the-middle attacks. Different public key verification methods have been proposed in the literature. The methods which are based on verification by the users themselves are preferable with respect to cost and deployability than the methods such as digital certificates that involve the use of trusted third parties. One of these methods, fingerprinting was recently replaced by a method called safety number in the open source messaging application, SIGNAL. The developers of SIGNAL claimed this change would bring usability and security advantages however no formal user study was conducted supporting this claim. In this study, we compare the usability and security aspects of these two methods with a user study on 42 participants. The results indicate with significance that the safety number method leads to more successful results in less time for public key verification as compared to the fingerprint method.
Keywords
- Public key verification
- Safety number
- Fingerprint
- Usability
- SIGNAL
This is a preview of subscription content, access via your institution.
Buying options
References
Bicakci, K., Atalay, N.B., Kiziloz, H.E.: Johnny in internet café: user study and exploration of password autocomplete in web browsers. In: Proceedings of the 7th ACM Workshop on Digital Identity Management, pp. 33–42. ACM (2011)
Budington, B.: Whatsapp rolls out end-to-end encryption to its over one billion users (2016). https://www.eff.org/deeplinks/2016/04/whatsapp-rolls-out-end-end-encryption-its-1bn-users. Accessed 20 Apr 2018
Fry, A., Chiasson, S., Somayaji, A.: Not sealed but delivered: the (un) usability of s/mime today. In: Annual Symposium on Information Assurance and Secure Knowledge Management (ASIA 2012), Albany, NY (2012)
Garfinkel, S.L., Margrave, D., Schiller, J.I., Nordlander, E., Miller, R.C.: How to make secure email easier to use. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 701–710. ACM (2005)
Marlinspike, M.: Safety number updates (2016). https://signal.org/blog/safety-number-updates/. Accessed 20 Apr 2018
Renaud, K., Volkamer, M., Renkema-Padmos, A.: Why doesn’t Jane protect her privacy? In: De Cristofaro, E., Murdoch, S.J. (eds.) PETS 2014. LNCS, vol. 8555, pp. 244–262. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08506-7_13
Schröder, S., Huber, M., Wind, D., Rottermanner, C.: When signal hits the fan: on the usability and security of state-of-the-art secure mobile messaging. In: First European Workshop on Usable Security (EuroUSEC 2016) (2016)
Tan, J., Bauer, L., Bonneau, J., Cranor, L.F., Thomas, J., Ur, B.: Can unicorns help users compare crypto key fingerprints? In: Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, pp. 3787–3798. ACM (2017)
Whitten, A., Tygar, J.D.: Why Johnny can’t encrypt: A usability evaluation of PGP 5.0. In: USENIX Security Symposium, vol. 348 (1999)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Bicakci, K., Altuncu, E., Sahkulubey, M.S., Kiziloz, H.E., Uzunay, Y. (2018). How Safe Is Safety Number? A User Study on SIGNAL’s Fingerprint and Safety Number Methods for Public Key Verification. In: Chen, L., Manulis, M., Schneider, S. (eds) Information Security. ISC 2018. Lecture Notes in Computer Science(), vol 11060. Springer, Cham. https://doi.org/10.1007/978-3-319-99136-8_5
Download citation
DOI: https://doi.org/10.1007/978-3-319-99136-8_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-99135-1
Online ISBN: 978-3-319-99136-8
eBook Packages: Computer ScienceComputer Science (R0)