Real World Crypto 2021 - Session 5: Humans, Policy, and Crypto
Session video
Katharina Krombholz (CISPA/SBA Research Saarbruecken) / Mental Models of Cryptographic Protocols - Understanding Users to Improve Security / video slides
Two of her related recent papers:
- “If HTTPS were secure, I wouldn’t need 2FA” - End-user and administrator mental models of HTTPS (IEEE S&P’19)
- “User Mental Models of Cryptocurrency Systems - A Grounded Theory Approach” (Mai et al., SOUPS’20)
She describes a spectrum of the humans involved in cryptosystems, from theory through to practice.
(theory) cryptographer - protocol designer - API designer - software developer - system integrator - administrator - decision maker - end-user (practice)
She takes a human-centric perspective on each position on this timeline, from cryptographer through to end-user, and on the ways humans at each position cause problems with supposedly secure protocols. Many end-users are ‘scared of crypto’ or have ‘absolutely no idea what I’m doing (with crypto)’. Even administrators often have no idea what their crypto-related decisions end up causing.
End-users’ mental models tend to be conceptual, whereas administrators’ mental models are protocol-based. For cryptocurrencies, users’ mental models are based on the tools they have to use.
Aside: see cryptodoneright
Sarah Scheffler (Uni Boston) / Protecting Cryptography against compelled self-incrimination / paper video
Robert Andrews v State of New Jersey, in which RA was compelled to provide the passcode to unlock his iPhone, but claimed his Fifth Amendment right to refuse to do so.
• Legal implications of using cryptography - can the law compel people to decrypt devices?
• Using cryptography to understand the law - using cryptographic simulation to understand the ‘foregone conclusion doctrine’
Testimony protected under 5th Amendment = ‘pure testimony’ + ‘implicit testimony’ - ‘foregone conclusion’