Addressing human factors in the design of cryptographic solutions: a two-case study in item validation and authentication

Abstract

Designing secure cryptographic solutions from a purely theoretical perspective is not enough to guarantee their success in a realistic scenario. Many times, the assumptions under which these solutions are designed could not be further from real-world necessities. One particular, often-overlooked aspect that may impact how the solution performs after deployment is how the final user interacts with it (i.e., human factors). In this work, we take a deeper look into this issue by analyzing two well known application scenarios from Information Security research: The electronic commerce of digital items and Internet banking. Fair exchange protocols have been widely studied, but are still not implemented on most e-commercetransactions available. For several types of digital items (e-goods),the current e-commerce business model fails to provide fairness tocustomers. A critical step in fair exchange is item validation, which still lacks proper attention from researchers.We believe this issue should be addressed in a comprehensive and integrated fashion before fair exchange protocols can be effectively deployed in the marketplace. More generally, we also believe this to be the consequence of ongoing system-oriented security solution design paradigms that are data-centered, as opposed to user-centered, thus leading to methods and techniques that often disregard users' requirements.We contextualize how, byoverlooking the subtleties of the item validation problem, thefor buying and selling digital items fails to provideguarantees of a successful transaction outcome to customers, thusbeing unfair by design. We also introduce the concept of ReversibleDegradation, a method for enhancing buy-sell transactions concerningdigital items that inherently includes the item validation step in thepurchase protocol in order to tackle the discussed problems. As a proof of concept, we produce a deliverable instantiation of Reversible Degradation based on systematic error correction codes (SECCs), suitable for multimedia content. This method is also the byproduct of an attempt to include users' requirements into the cryptographic method construction process, an approach that we further develop into a so-called item-aware protocol design.From a similar perspective, we also propose a novel method for user and transaction authentication for Internet Banking scenarios. The proposed method, which uses Visual Cryptography, takes both technical and user requirements into account, and is suitable as a secure -- yet intuitive -- component for practical transaction authentication scenarios.