[Infowarrior] - CMU Cylab SafeSlinger for mobiles

Richard Forno rforno at infowarrior.org
Sun Oct 13 13:14:08 CDT 2013


---SafeSlinger App for mobile devices

http://www.cylab.cmu.edu/safeslinger/

SafeSlinger makes sending secure messages easy. Just keep your passphrase a secret, and only you and the other party can read messages. Messages cannot be read by your cellular carrier, Internet-provider, employer, or anyone else.

SafeSlinger is the result of research at Carnegie Mellon’s CyLab that resolves a specific security problem. The problem: How can we start a trusted relationship between people, on the fly, without people having sophisticated knowledge of security protocols?

Users regularly experience a crisis of confidence on the Internet. Is that email truly originating from the claimed individual? Is that Facebook invitation indeed from that person or is it a fake page set up by an impersonator? These doubts are usually resolved through a leap of faith, expressing the desperation of users.

To establish a secure basis for Internet communication, we have implemented SafeSlinger, a system leveraging the proliferation of smartphones to enable people to securely and privately exchange their  public keys. Through the exchanged authentic public key, SafeSlinger establishes a secure channel offering secrecy and authenticity, which we use to support secure messaging and file exchange. Essentially, we support an abstraction to safely “sling” information from one device to another. SafeSlinger also provides an API for importing applications’ public keys into a user’s contact information. By slinging entire contact entries to others, we support secure introductions, as the contact entry includes the SafeSlinger public keys as well as other public keys that were imported. As a result, SafeSlinger provides an easy-to-use and understand approach for trust establishment among people.

Cryptography alone cannot address this problem. We have many useful protocols such as SSL or PGP for entities that already share authentic key material, but the root of the problem still remains: how do we obtain the authentic public key from the intended resource or individual? The global certification process for SSL is not without drawbacks and weaknesses, and the usability challenges of decentralized mechanisms such as PGP are well-known.

The problem of human-oriented, trust establishment is fundamental; no amount of automation and “fail-safe” defaults can avoid the need for basic trust decisions to be made by humans (system administrators and ordinary users alike), since they ultimately assume the risks of digital communication, accessing remote sites, allowing remote access to their local resources, and employing other users’ services.

Of course ordinary users can extensively rely on system administrators’ help in making trust decisions. However, ordinary users inevitably face challenging decisions alone; most users at home, on travel, on vacation, or in small businesses do not benefit from skilled help. All this while the need and temptation to use new online services steadily increases.

To realize the vision of secure online communication, we need to overcome several human challenges: some users are ambivalent about security or privacy, most users lack security expertise, and many users prefer convenience over security and may not want to expend much effort for security.

To counteract these challenges, we designed SafeSlinger as an easy-to-use application that offers many benefits to drive usage. Per Metcalfe’s law, the utility of a system grows with the square of the number of users. Our goal is thus to provide immediate utility to enable epidemic growth.

We achieve immediate utility through the robust exchange of contact list information between different smartphone platforms, which does not require any location information or leak private information outside the participating phones. SafeSlinger also provides simple and secure messaging and file transfer that is immediately usable. Because the messages are encrypted and require a password to access, many teens may find this appealing to protect their messages from peers and parents.

Through free multi-platform applications available on smartphone markets, open documentation, and open-source code, we anticipate wide adoption of SafeSlinger. Assuming wide adoption, we hope to provide usable and secure communication for the masses, and a security platform that will enable numerous security services and applications.

Just because i'm near the punchbowl doesn't mean I'm also drinking from it.



More information about the Infowarrior mailing list