CAREER: Identifying, quantifying, and explaining design principles and user practices that enable effective long-term key management

职业：识别、量化和解释设计原则和用户实践，以实现有效的长期密钥管理

• 批准号: 2238001
• 负责人: Scott Ruoti
• 金额: $ 65.42万
• 依托单位: University of Tennessee Knoxville
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2023
• 资助国家: 美国
• 起止时间: 2023-05-01 至 2028-04-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2238001&HistoricalAwards=false
• 关键词: CAREER; Identifying; quantifying; explaining; design

Many new security-related technologies have the potential to revolutionize individuals’ lives—for example, cryptocurrencies. However, the adoption of these technologies is stymied by their reliance on needing users to manage cryptographic keys (long strings of random characters). Prior research has shown users struggle to manage cryptographic keys, with existing key management systems often causing more problems than they solve. To improve the design of key management, this project investigates how key management is used in the real world. Data from these studies help identify which designs best promote utility, usability, and security, which designs fail to do so, and what new designs are needed. This project can improve our understanding of how to design key management systems that can be integrated with security-related technologies to increase their chance of being adopted. Results are being used to update and generate new curricula for university and K–12 students, helping educate and prepare the next generation of cybersecurity experts. The project will positively impact societal welfare and national defense.This project includes collecting quantitative and qualitative data about the utility, usability, and security of existing systems that rely on key management. Data are gathered from users who have successfully adopted key management systems, such as developers using end-to-end email encryption and novice users adopting a key management system for the first time. The studies examine general usage, how usage changes over time, how users manage multiple cryptographic keys, how they synchronize keys between devices, and how they recover access to lost keys. Methods include interviews, surveys, observational studies, and usability studies. Design principles identified throughout this research will be presented on a public-facing website that synthesizes this project’s results in a manner easily digested by cryptographic system vendors and other researchers.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

许多与安全相关的新技术有可能彻底改变个人的生活，例如加密货币。但是，这些技术的采用被他们的退休所困扰，需要用户管理加密密钥（随机字符的长字符串）。先前的研究表明，用户难以管理加密密钥，现有的密钥管理系统通常会导致比他们解决的更多问题。为了改善关键管理的设计，该项目研究了现实世界中如何使用密钥管理。这些研究的数据有助于确定哪些设计最能促进实用性，可用性和安全性，而设计无法做到，以及需要哪些新设计。该项目可以提高我们对如何设计可以与安全相关技术集成的关键管理系统的理解，以增加其被采用的机会。结果被用来更新和为大学和K -12学生生成新课程，帮助教育和准备下一代网络安全专家。该项目将积极影响社会福利和国防。该项目包括收集有关依赖密钥管理的现有系统的实用性，可用性和安全性的定量和定性数据。数据是从已成功采用密钥管理系统的用户那里收集的，例如使用端到端电子邮件加密的开发人员和第一次采用密钥管理系统的新颖用户。研究研究了一般用法，使用时间如何随着时间而变化，用户如何管理多个加密密钥，如何同步设备之间的密钥以及如何恢复对丢失键的访问。方法包括访谈，调查，观察性研究和可用性研究。在整个研究中确定的设计原则将在面向公共面的网站上介绍，该网站以密码系统供应商和其他研究人员轻松消化的方式综合了该项目的结果。该奖项反映了NSF的法定任务，并被认为是通过基金会的知识分子优点和更广泛影响的评估审查标准来通过评估来获得的支持。