ISRI SEMINAR SERIES The PhD Program in Computation, Organizations, and Society Presents: Improving the user interface for server authentication based on public-key cryptography José Carlos Brustoloni, University of Pittsburgh Thursday, September 15, 2005, 12 pm, NSH 1305 Lunch will be provided Abstract: Many network protocols, including SSL/TLS, SSH, and PEAP, use public-key cryptography to authenticate servers. Users often have no training in cryptography and do not understand how client applications authenticate servers. However, when a server authentication error occurs, many applications ask whether the user accepts the server despite the error. (This is the case of most Web browsers and SSH clients.) Most users accept such unauthenticated servers, defeating the security that cryptography would provide and becoming vulnerable to man-in-the-middle attacks. On the other hand, applications that do not provide the option to accept unauthenticated servers can be difficult to use. (This is the case of some PEAP supplicants.) We propose Context-Sensitive Certificate Verification (CSCV), a novel user interface technique that interviews the user to determine the particular context in which a server's authentication failed. Using this information, CSCV gives the user detailed instructions for correcting (rather than ignoring) the error. User studies suggest that CSCV significantly improves the security of existing Web browsers and SSH clients and the usability of PEAP supplicants, when the "human in the loop" is considered. Bio: José Carlos Brustoloni obtained his Ph.D. degree in Computer Science from Carnegie Mellon University, after getting an M.S. degree in Electrical Engineering from University of São Paulo, Brazil, and a B.E. degree in Electronics Engineering from Instituto Tecnológico de Aeronáutica, Brazil. José joined the University of Pittsburgh's faculty in August of 2002. Previously, he was a researcher at Bell Laboratories, Lucent Technologies. His research interests include computer networks, operating systems, security, quality of service, and embedded systems.