Michael Farb is a Research Programmer with Carnegie Mellon CyLab. Michael comes to CyLab after many years in industry as a mobile device developer in publishing, logistics, transportation, and after one too many encounters as an identity theft victim. He is working with researchers at CyLab to provide smartphone end-users with practical solutions for securely exchanging their identity data.
posted by Richard Power
CyLab Chronicles: From smartphones to tablets, from wireless to GPS, from mobile apps to the Cloud, Mobility is rapidly and profoundly changing computing all around us; what do you see as the challenges and opportunities in this space of Mobility and Security? How does mobility impact security? How is Security impacting Mobility?
Michael Farb: Mobile applications provide instant gratification for our rapidly inflating to-do lists. The more we get done, the more we want to get done. The security challenge is to prevent us from deluding ourselves that since we perform a task quickly there is little chance anyone is “watching” us digitally. Mobile applications also make it easier and faster for us release information when may have not been very thoughtful about the personal ramifications. What does all this data about us add up to? If it misrepresents us, what can we do about it? The challenge here is how to prevent the aggregation of our public data to protect users anonymity. We are constantly moving more of our analog and stationary digital tasks to mobile digital tasks, many of which only access our data stored in the cloud. Fortunately, there is a grand opportunity to take advantage of these mobile platforms to enhance security since their small screens demand very simple interfaces. Privacy warnings can be graphically represented on attention-grabbing areas of the screen. Similarly, when a secure channel is missing, users may be made aware. Complex security tasks, such as exchanging public keys and ensuring their owner's identity, can be simplified to a few smartphone device screen comparisons in person, which is exactly what our KeySlinger application does.
CyLab Chronicles: Tell us about KeySlinger. What does it do? What issue does it address? What problem does it solve? What capability does it provide?
Farb: KeySlinger is the result of research at Carnegie Mellon’s CyLab that resolves a specific security problem. The problem: How can we start a trusted relationship between people, on the fly, without people having sophisticated knowledge of security protocols? In the past, people may meet to digitally sign each other’s PGP keys, which leverages physical proximity to bootstrap trust. This method, however, requires all parties to have some sophisticated knowledge of security protocols. Another method would be to use a certificate authority that signs keys. The latter method requires considerable investment in infrastructure and administration and, as such, is not a good fit for small, spontaneous groups. To solve this, we easily bootstrap secure communication in-person with a smartphone, which most people already own, in just a few easy steps. KeySlinger is designed to allow users to store any data, such as a public key, in their phone’s address book. When users run KeySlinger, they select their own key from the address book, enter a pair of short numbers and confirm a 3-word list matches that displayed by other users' phones.
CyLab Chronicles: How does one get a hold of KeySlinger? How is it installed? How is it used? What can users expect from it?
Farb: KeySlinger is available for Android, iPhone, iPad, and iPod Touch devices from the Android Market and iTunes App Store. One instance of the application is installed on each user's phone, and two or more users can establish trustworthy communications. KeySlinger can be used stand-alone for secure contact exchange, but even better, can be used in combination with compatible third-party applications, such as the encrypted SMS application TextSecure by Whisper Systems. KeySlinger is intended as a tool that any developer can use from their application to exchange their custom data. The result is a set of imported keys for each user in the phone’s address book. Attacks are automatically detected via the word list confirmation, and users can be confident that trustworthy communication is possible when complete. No central administration or sophisticated security knowledge is needed.
CyLab Chronicles: What are your thoughts about mobile apps, and mobile security apps in particular? What are the benefits and disadvantages of operating in such an environment, both for developers and users?
See all CyLab Chronicles articles