Visible to the public SaTC: CORE: Small: Usable Key Management and Forward Secrecy for Secure EmailConflict Detection Enabled

Project Details

Lead PI

Performance Period

Sep 01, 2018 - Aug 31, 2021

Institution(s)

Brigham Young University

Award Number


Sending and receiving information securely online is a basic need in our connected world. However, one of the most frequently used online applications, email, remains largely insecure for all but the most expert users. The researchers will gather data to better understand why users do not adopt secure email. They will also identify the most practical, usable practices for users to safeguard their secure email from hackers, and make sure they do not lose access to their secure email by forgetting the password or key that unlocks their sensitive emails. The initial studies will be conducted in a laboratory environment, utilizing a novel methodology the researchers have developed that tests whether two novice users can adopt a secure email system without help from an outside expert. Toward the end of the project, the researchers will conduct long-term usability studies with the best-of-class systems they have developed to understand how people integrate secure email into their everyday email habits.

This project addresses the long-standing problem of providing usable, secure email for the general public. Key management is a core problem. The researchers will explore a trust-on-first-use (TOFU) key exchange, followed by a variety of methods that improve trust in the exchanged keys. Starting with TOFU key exchange prioritizes deployability and usability, while additional methods can increase security, for example, by using a public ledger and forward secrecy. Keys will be exchanged only with regular or approved contacts so that it is not easy for spammers to deliver encrypted spam and malware to large numbers of users. The researchers will also develop usable key storage software, including key portability and backup. Potential solutions include purely local storage, encrypted cloud storage, a smartphone app, and hardware tokens. For backup, we will evaluate a variety of methods to help users store a master key in a secure location, without requiring technical expertise to manage the key. The researchers will support forward secrecy for secure email using key ratcheting. By developing for email, with its generality and interoperability requirements, advances in usable key management will be broadly applicable to a wide variety of other applications, including instant messaging.