SaTC: CORE: Small: Understanding Socio-Technical Failure Modes in Public Key Infrastructures

SaTC：核心：小型：了解公钥基础设施中的社会技术故障模式

• 批准号: 1814518
• 负责人: Linda Camp
• 金额: $ 10万
• 依托单位: Indiana University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-08-01 至 2020-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1814518&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Understanding; Socio

To avoid phishing and to know which website to trust people are told to "look for the lock" and "read the url." However, the display of a lock or other signals of safety does not guarantee that the site is trustworthy, safe from malware, or not a phishing attack. This research includes consultation with industry technical professionals and policy makers in all sectors of the economy to better understand the gaps between ideal safety and practice. One of these potential gaps is between what citizens using the Internet believe about public key certificates, and the knowledge that technologists assume people have. Another potential gap is between how policy makers want to use certificates and encryption to achieve a set of security goals, and what is already built into the infrastructure that may prevent such security. The core goals of this work are to characterize the expectations of nontechnical groups, enumerate the assumptions of technologists, and use this understanding to help to bridge that understanding to move towards shared goals for a more trustworthy network. The focus and level of interventions required to create a shared and trustworthy infrastructure requires domain knowledge to understand the specific risks, for example in transportation, as opposed to routing communications. This knowledge requires empirical investigation to understand the risk perceptions of the various stakeholders. Customization of interventions may depend on demographic variables, or more transient variables such as expertise or time spent interacting with a system. This research will involve investigation of one or more domains with the result being either a recommendation for a change in the implementation of the Public Key Infrastructure (PKI), an interaction design, risk communication, integrated network sensing, or some combination of all of these. This project is for planning appropriate methodologies to design, implement, and evaluate these potential solutions.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

为了避免网络钓鱼和知道哪个网站值得信任，人们被告知要“寻找锁”和“阅读网址”。“但是，显示锁或其他安全信号并不能保证该网站是值得信赖的，免受恶意软件的攻击，或者不是钓鱼攻击。这项研究包括与所有经济部门的行业技术专业人员和政策制定者进行磋商，以更好地了解理想安全与实践之间的差距。其中一个潜在的差距是使用互联网的公民对公钥证书的看法与技术人员假设人们拥有的知识之间的差距。另一个潜在的差距是政策制定者希望如何使用证书和加密来实现一系列安全目标，以及基础设施中已经内置的可能阻止这种安全性的内容。这项工作的核心目标是描述非技术群体的期望，列举技术人员的假设，并利用这种理解来帮助弥合这种理解，以实现更值得信赖的网络的共同目标。创建共享和值得信赖的基础设施所需的干预措施的重点和水平需要领域知识，以了解具体的风险，例如运输，而不是路由通信。这方面的知识需要进行实证调查，以了解各利益攸关方的风险认知。干预措施的定制可能取决于人口统计变量，或更多的瞬态变量，如专业知识或与系统交互所花费的时间。这项研究将涉及一个或多个领域的调查，其结果是在公共密钥基础设施（PKI）的实施，交互设计，风险沟通，集成网络传感，或所有这些的一些组合的变化的建议。这个项目是规划适当的方法来设计，实施和评估这些潜在的解决方案。这个奖项反映了NSF的法定使命，并已被认为是值得通过使用基金会的智力价值和更广泛的影响审查标准进行评估的支持。

项目成果

A Complete Study of P.K.I. (PKI’s Known Incidents)

P.K.I 的完整研究

• DOI: 10.2139/ssrn.3425554
• 发表时间: 2019
• 期刊: SSRN Electronic Journal
• 作者: Serrano, Nicolas;Hadan, Hilda;Camp, L. Jean
• 通讯作者: Camp, L. Jean

Making IoT Worthy of Human Trust

• DOI: 10.2139/ssrn.3426871
• 发表时间: 2019-07
• 期刊: SSRN Electronic Journal
• 作者: Hilda Hadan;Nicolás Serrano;Sanchari Das;L. Camp

Best Practices Would Make Things Better in the IoT

最佳实践将使物联网变得更好

• DOI: 10.1109/msec.2020.2987780
• 发表时间: 2020
• 期刊: IEEE Security & Privacy
• 影响因子: 1.9
• 作者: Momenzadeh, Behnood;Dougherty, Helen;Remmel, Matthew;Myers, Steven;Camp, L. Jean
• 通讯作者: Camp, L. Jean