We are delighted to announce that 3 of our publications will appear in the 33rd USENIX Security Symposium, USENIX Security ’24, Philadelphia, PA, USA. Congratulations to the authors!
- “You have to read 50 different RFCs that contradict each other”: An Interview Study on the Experiences of Implementing Cryptographic Standards. Nicolas Huaman, Jacques Suray, Jan H. Klemmer, Marcel Fourné, Sabrina Amft, Ivana Trummová, Yasemin Acar and Sascha Fahl. In 33rd USENIX Security Symposium, USENIX Security ’24, Philadelphia, PA, USA, August 14-16, 2024.
Implementing cryptographic standards is crucial for the cryptographic ecosystem, but past incidents have shown that it can be challenging and can potentially compromise security. To understand the difficulties faced by those implementing these standards, researchers conducted 20 semi-structured interviews with experienced cryptographers and cryptographic software engineers. The study identified common practices in implementing standards, including the importance of reference and third-party implementations, test vectors for verification, and the open standard community for support and reviews. Based on their findings, the researchers recommend transparent standardization processes, strong verification methods, improved support for comparing implementations, and addressing updates and error handling in the standardization process.
- A Mixed-Methods Study on User Experiences and Challenges of Recovery Codes for an End-to-End Encrypted Service. Sandra Höltervennhoff, Noah Wöhler, Arne Möhle, Marten Oltrogge, Yasemin Acar, Oliver Wiese and Sascha Fahl. In 33rd USENIX Security Symposium, USENIX Security ’24, Philadelphia, PA, USA, August 14-16, 2024.
Recovery codes are a crucial backup mechanism for online services, especially for end-to-end encrypted services where user data is inaccessible to the service provider. A study was conducted to investigate end-user perceptions and management strategies of recovery codes through a survey of 281 users of an encrypted email service and analysis of 197 support requests on Reddit. The research revealed that most participants stored their recovery codes, with password managers being the most common storage method, and users generally appreciated the security of recovery codes but found their usability lacking. The study also uncovered obstacles such as lost access to recovery codes, non-functioning codes, and security misconceptions, often stemming from users not fully understanding the underlying security implications.
- On The Challenges of Bringing Cryptography from Papers to Products: Results from an Interview Study with Experts. Konstantin Fischer, Ivana Trummová, Phillip Gajland, Yasemin Acar, Sascha Fahl and Angela Sasse. In 33rd USENIX Security Symposium, USENIX Security ’24, Philadelphia, PA, USA, August 14-16, 2024.
Cryptography is essential for modern information security and privacy, but many research outputs in this field are inadequately implemented or not implemented at all. To investigate the challenges of bringing cryptographic innovations from papers to products, researchers conducted 21 semi-structured interviews with experienced cryptography experts from various sectors. The study identified several obstacles, including miscommunication among stakeholders, unclear responsibilities, conflicting incentives, and usability issues when transitioning from theoretical papers to end-user products. Based on their findings, the researchers recommend better support for cross-disciplinary engagement between cryptographers, standardization organizations, and software developers to increase cryptography adoption.