2nd Annual PKI Research Workshop

2nd Annual PKI Research Workshop: Summary

Ben Chinowsky, Internet2

The workshop announcement listed the goals of the workshop as "to cross-pollinate existing research efforts, to identify the key remaining challenges in deploying public key authentication and authorization, and to develop a research agenda addressing those outstanding issues."

Cross-pollination

After opening remarks by Ken Klingenstein and Carl Ellison, Sean Smith set the tone for the meeting with the following quote from Radia Perlman et al.: "Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations. (They are also large, expensive to maintain, difficult to manage, and they pollute the environment. It is astonishing that these devices continue to be manufactured and deployed. But they are sufficiently pervasive that we must design our protocols around their limitations.)" Over the next two days, much of the discussion — presentation, Q&A, and hallway — revolved around how to build PKIs that are compatible with these ubiquitous devices.

Human factors. Alma Whitten's invited talk served as a keynote for the workshop, and was worth flying in for all by itself. After reviewing the central conclusion of "Why Johnny Can't Encrypt" — that a majority of even savvy, motivated users can't get public-key cryptography to work — Whitten explained this with the observation that "security is weird." Security is different from end-user applications because the user can't explore safely, can't undo errors, can't define goals, and can't recognize success. (Whitten identified backups as the one thing in end-user software that's somewhat like security — "a peripheral task that you really want people to do" — but noted that backups are much simpler than security.) Security software is different from safeware in that users aren't preselected for ability and can't count on having specialized training. The oft-stated goal of making security invisible runs up against intractable ethical and practical problems. The solution Whitten is pursuing is to accept the necessity of making public key cryptography a tool requiring skill to use, rather than an appliance requiring little or none. The just-in-time approach to user education is a bad fit for security because it sets people up to accept the unacceptable — for example, dialog boxes that say, in effect, "This is really dangerous — click OK to proceed." Instead, software designers should use the "well-in-advance principle," reserving user mindshare for security.

Whitten is implementing her ideas in Lime Secure Electronic Mail. Lime uses large graphics and carefully thought-out visual metaphors to explain what's going on one step at a time, giving the user a chance to learn the simple tasks first. This "staged" approach to security explains which actions are risky, what the risks are, how to avoid them for now, and how to learn what you need to know to better avoid them in the future. For example, Lime provides many roads to a "ways to trade public keys" box. At the first encounter with this box, the user is only expected to come away with a sense that "there's an issue here"; over subsequent visits they gradually figure out which approaches to getting public keys work best for them. Tests in which users are asked to perform assorted cryptographic tasks with Lime, PGP, and S/MIME have resulted in 0% success with S/MIME, 10% with PGP, and 45% with Lime. Whitten noted that a common pattern in testing Lime is that in the first ten minutes users say things like "this is too complicated, it should be automatic" — then, when they begin to understand what's happening, their responses suddenly change to things like "oh, cool." Many users have been taught to expect security to be automatic, but nonetheless they can take pleasure in using the tool; all that's needed is a little help in learning to do so. In this connection Whitten noted Bruce Schneier's point that house keys were seen as an unreasonable inconvenience when they were first introduced.

Discussion of human factors was also prominent in three of the four refereed-paper topic areas.

The Enrollment session opened with Mike Just presenting his work on public-key cert support for Canada's Government Online (GOL) initiative. A central CA issues a GOL participant a single certificate, called an "epass", which can be used for transactions with multiple government programs. But each program manages individual identities independently; an "MBUN" — Meaningless But Unique Number — indexes program-specific identifiers to the registration with the common CA. This compartmentalization is driven by strong demand for privacy among the Canadian public.

Marco Antonio Carnut presented his work on Collaborative Trust Scoring. FreeIGP.org (IGP is PKI in Portuguese) aims to combine the scalability of X.509 with the easy certificate acquisition of PGP. FreeIGP provides easy-to-get provisional certs, which compliant apps treat as guests, and communicates an expectation that the user will upgrade soon. The system scores certs along the axes of credibility, introduction, and suspicion, and explains the calculation of these scores to the user. Revocation is handled as "a game in which people contend for the possession of an identity". If you lose your cert, you just enroll again and start competing with your old self — as you are in fact yourself, you can easily best your old self at showing that you are who you say you are. Users accused of imposture are notified so they can defend themselves. The presentation included a hilarious demonstration of how drawn-out and alarming the cert install process is in Internet Explorer (Mozilla and Netscape are much better). Carnut noted that his project badly needs volunteers, especially perl coders and documentation writers.

Jon Callas introduced his talk on Self-Assembling PKI with the observation that when security is a hassle, users strongly prefer to have no security with no hassle, particularly when security gets in the way of getting work done: "people are really good at frustrating policy to avoid getting fired." Self-Assembling PKI replaces the telephone model of traditional PKI with a postal model. When someone sends you a package, you don't have to show ID to receive it; a signature is all that's required. The idea is to "trade absolute security against deployment issues, because the users will find some other messenger" if security is inconvenient. Cert validity is promoted via "freshness, rather than revocation;" new users are brought in with messages like "X wants to send you secure mail; click here for it." The system is being instrumented to measure how much it increases use.

In the Authorization session, Yucel Karabulut presented his work on Mediating Between Strangers. The motivating scenario for this work is project PIs needing to be granted the status and privileges of visiting researchers. The basic problem is to establish interoperability between entities of heterogeneous and autonomous security domains. The traditional solution is to create coalitions based on agreements, but this solution requires that the entities involved agree on common formats and certificate policies (CPs); Karabulut's solution, called "credential-based secure f-mediation", aims to obviate this requirement.

Mart Saarepera presented a signature system using only a small number of private keys. According to Saarepera, most of the complexity and scalability problems of PKI stem from having one cert per user. Saarepera noted that secure electronic signatures currently require understanding complex systems and using complex tools; he claims that his server-based solution is both cheaper and easier to use than current approaches. Saarepera is designing around the observations that "trust relationships can't be imposed by technology — they evolve in natural ways," and that at least in the near term, "blind trust to technology is inevitable." Anders Rundgren observed that "this is really the year for server-based PKI," citing Visa's current deployment as an example.

Alex Iliev wrapped up the session with a presentation on privacy-enhanced credential services. Centralized attribute services can learn a lot from what attributes are requested about users — how to prevent them from doing so? Iliev's prototype uses a secure coprocessor to shuffle results and keep them from the attribute service proper; the current version is fast enough for use with X.509 directories and Shibboleth attribute authorities in higher education.

Pekka Laitinen opened the Attacks session with an outline of his work "on the usefulness of proof of possession." Proof of possession (PoP) takes place during enrollment in many systems, when the end entity submitting a public key proves that it knows the corresponding private key. Many PKI standards call PoP essential, and Laitinen does not disagree, but none of them describe what threats it addresses. Laitinen concludes that PoP is not needed if applications and protocols are designed properly, but that given common failings of application design, PoP can be useful. In any case, it does no harm.
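As an added example (not code from Laitinen's paper or from any PKI standard), here is what an enrollment-time PoP check does: the end entity binds its request to a Schnorr-style proof that it knows the private key behind the public key it submits, and the CA accepts the key only if the proof verifies. The group generation, the request string and all function names are assumptions made for this illustration.

```python
import hashlib
import secrets

# Stdlib-only Schnorr-style proof of possession in an order-q subgroup of Z_p*;
# the 64-bit safe prime made at import is a toy size, not a security parameter.
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # exact for n < 3e23

def is_prime(n):  # Miller-Rabin with fixed bases; callers pass odd n > 37
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=64):  # safe prime p = 2q + 1 and a generator g of order q
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            p = 2 * q + 1
            h = secrets.randbelow(p - 3) + 2  # h in [2, p-2], so h^2 != 1
            return p, q, pow(h, 2, p)         # every such square has order q

P, Q, G = make_group()

def keygen():  # private key x, public key y = g^x
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def challenge(y, commit, request):  # Fiat-Shamir: binds y, commitment, request
    h = hashlib.sha256(f"{y}|{commit}|{request}".encode()).digest()
    return int.from_bytes(h, "big") % Q

def prove_possession(x, y, request):  # end entity: knows x for y, tied to request
    r = secrets.randbelow(Q - 1) + 1
    commit = pow(G, r, P)
    return commit, (r + challenge(y, commit, request) * x) % Q

def verify_possession(y, request, proof):  # CA: g^s == commit * y^c ?
    commit, s = proof
    return pow(G, s, P) == commit * pow(y, challenge(y, commit, request), P) % P
```

Because the challenge covers the request, a proof captured from one enrollment cannot be replayed under a different name or public key, which is the binding Laitinen's threat analysis is about.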

John Marchesini presented his work on "keyjacking" techniques, used to gain unauthorized use of client-side keystores. Marchesini presented quite a collection of tricks that can be used to achieve this aim, ranging in sophistication from "you need to send us your private key" social engineering (a more widely effective approach than you might think) through badly designed web applications, bad browser implementations and insecure default settings, to threats from viruses. Marchesini noted that "we consistently found that tools for PKI don't work — the model of what the tools are supposed to be doing has to match what they actually do." Neal McBurnett pointed out that it is possible, though difficult, to address these problems via proper application design and user education; it was also suggested that these problems largely stem from trying to do PKI with general-purpose web and email clients. James Heimberg observed that leaving control of the key to the browser leads to all the problems described by Marchesini; but that giving control to the user leads to all the problems described by Whitten.

Apart from human factors, three other themes were prominent at the workshop:

Securing CAs was the theme of the remaining refereed-paper session. Xunhua Wang's work on password-enabled PKI builds on Ravi Sandhu's work on virtual smartcards and virtual soft tokens, presented at last year's workshop. Sandhu's work is intended as a bridge from passwords to strong PKI; Wang aims to remove its vulnerability to the breach of a single server, the compromise of which opens the system to a dictionary attack. The solution involves using multiple servers to store the password-protected private key; a certain number of these servers can be compromised without the private key becoming susceptible to a dictionary attack.

Satoshi Koga presented work on using digital signatures to decentralize CAs. This approach involves using multiple cross-certified CAs, with multiple private keys that change frequently, to construct a distributed CA model with short path lengths.

Seung Yi presented MOCA, a MObile Certification Authority for wireless networks. Motivated by scenarios involving battle, rescue, and disaster recovery, Yi is trying to answer the question, "Can we provide PKI in ad hoc networks without relying on any infrastructure support?" MOCA is a distributed-CA scheme; any N nodes can reconstruct the private key.

Transports were the subject of two panels: Transports for Trust and X.509 attribute certificates vs. SAML attribute assertions.

Trust models were addressed by a panel discussion with Ken Klingenstein and Rich Guida, as well as a federations BoF that ran late into Monday night.

Finally, the eight very short presentations at the work-in-progress session covered a variety of topics; a summary is here.

Challenges

Usability. Usability is sorely lacking in virtually all PKI deployments; the focus of the community seems to be shifting toward addressing this problem.

Tailoring PKI. A consensus is emerging that PKI needs to be seen as not one thing, but many, as a large number of pieces that need to be combined in different ways to meet different needs. A couple of the presenters' papers cited Peter Gutmann's well-regarded "PKI: It's Not Dead, Just Resting", which develops the theme of using certs in a variety of different ways to cope with a variety of situations. This squares nicely with the sense of both this year's and last year's PKI Research Workshops.

Coming to grips with how bad things are now. The presentations of Whitten and Marchesini are excellent examples; we need more work along these lines.

Agenda

Do more experiments with real users. Everything from laboratory experiments like Whitten's work with Lime, to a wide variety of real-world deployments like those being developed by Carnut, Callas, and Saarepera.

Compile existing knowledge. The approach taken in Gutmann's paper — the compilation of generally accepted PKI "folklore" that hadn't been written down elsewhere — is being attempted on a much larger scale by Eugene McDowell in his "PKI 102" book project. The book will include a section listing various criticisms of PKI and offering the opportunity to make rebuttals. "PKI 102" will be a public-domain document, available on the Web and periodically updated. All are invited to contribute; see http://www.cio.gov/fpkisc/.

Keep holding these workshops. As was the case last year, there was a strong sense that we're on to something here. Program Chair Carl Ellison closed the workshop with an exhortation to come to him with anything you really wish you'd had more of a chance to discuss, for next year's planning.