CAREER: Identifying, quantifying, and explaining design principles and user practices that enable effective long-term key management

职业：识别、量化和解释设计原则和用户实践，以实现有效的长期密钥管理

• 批准号: 2238001
• 负责人: Scott Ruoti
• 金额: $ 65.42万
• 依托单位: University of Tennessee Knoxville
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2023
• 资助国家: 美国
• 起止时间: 2023-05-01 至 2028-04-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2238001&HistoricalAwards=false
• 关键词: CAREER; Identifying; quantifying; explaining; design

Many new security-related technologies have the potential to revolutionize individuals’ lives—for example, cryptocurrencies. However, the adoption of these technologies is stymied by their reliance on needing users to manage cryptographic keys (long strings of random characters). Prior research has shown users struggle to manage cryptographic keys, with existing key management systems often causing more problems than they solve. To improve the design of key management, this project investigates how key management is used in the real world. Data from these studies help identify which designs best promote utility, usability, and security, which designs fail to do so, and what new designs are needed. This project can improve our understanding of how to design key management systems that can be integrated with security-related technologies to increase their chance of being adopted. Results are being used to update and generate new curricula for university and K–12 students, helping educate and prepare the next generation of cybersecurity experts. The project will positively impact societal welfare and national defense.This project includes collecting quantitative and qualitative data about the utility, usability, and security of existing systems that rely on key management. Data are gathered from users who have successfully adopted key management systems, such as developers using end-to-end email encryption and novice users adopting a key management system for the first time. The studies examine general usage, how usage changes over time, how users manage multiple cryptographic keys, how they synchronize keys between devices, and how they recover access to lost keys. Methods include interviews, surveys, observational studies, and usability studies. Design principles identified throughout this research will be presented on a public-facing website that synthesizes this project’s results in a manner easily digested by cryptographic system vendors and other researchers.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

许多与安全相关的新技术有可能彻底改变个人的生活，例如加密货币。然而，这些技术的采用受到阻碍，因为它们依赖于需要用户管理加密密钥（长串随机字符）。先前的研究表明，用户很难管理加密密钥，现有的密钥管理系统往往造成比它们解决的问题更多的问题。为了改进密钥管理的设计，本项目研究了在现实世界中如何使用密钥管理。来自这些研究的数据有助于确定哪些设计最好地促进了实用性、可用性和安全性，哪些设计不能做到这一点，以及需要哪些新设计。这个项目可以提高我们对如何设计可以与安全相关技术集成的密钥管理系统的理解，以增加其被采用的机会。研究结果被用于更新和生成大学和K-12学生的新课程，帮助教育和培养下一代网络安全专家。该项目将对社会福利和国防产生积极影响。该项目包括收集关于依赖密钥管理的现有系统的效用、可用性和安全性的定量和定性数据。数据收集自已成功采用密钥管理系统的用户，例如使用端到端电子邮件加密的开发人员和首次采用密钥管理系统的新手用户。这些研究检查了一般用法、用法如何随时间变化、用户如何管理多个加密密钥、他们如何在设备之间同步密钥，以及他们如何恢复对丢失密钥的访问。方法包括访谈、调查、观察性研究和可用性研究。在整个研究过程中确定的设计原则将在一个面向公众的网站上展示，该网站以一种容易被加密系统供应商和其他研究人员消化的方式综合了这个项目的结果。该奖项反映了美国国家科学基金会的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。