
User Error Compromises Many Encrypted Communication Apps

Accepted submission by fliptop at 2015-12-17 15:13:51
Security

Any seasoned IT veteran will tell you that users are almost always the weakest link in the security chain. So it comes as no surprise when it's revealed that, when it comes to using encrypted apps to communicate, mistakes made by users in the authentication process can make these apps less secure [technologyreview.com]:

The apps, which include RedPhone and Signal, may ask people calling or texting each other to verbally compare a short string of words they see on their screens (often referred to as a checksum or short authentication string) to make sure a new communication session hasn’t been breached by an intruder. The idea is that if a call’s security is compromised, these words won’t match up.

To test out how well this works, researchers at the University of Alabama at Birmingham set up a study that mimicked a cryptophone app. Researchers had participants use a Web browser to make a call to an online server. Then they listened to a random two- or four-word sequence and determined if it matched the words they saw on the computer screen in front of them. The participants were also asked to verify whether the voice they heard was the same as one they’d heard previously reading a short story.

The researchers found that study participants frequently accepted calls even if they heard the wrong sequence of words, and often denied calls when the sequence was spoken correctly. Beyond that, researchers say that using a four-word checksum instead of a two-word checksum seemed to decrease security, even though a longer checksum should increase security exponentially.

[...] In addition, the researchers noticed that participants accepted four-word strings that were incorrect about 40 percent of the time, and rejected ones that were correct 25 percent of the time.

Originally spotted on Bruce Schneier's blog [schneier.com].

Related: Silent Circle Encrypted Phone App Cleared for U.S. Gov't Use [soylentnews.org]
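To make the mechanism in the quoted article concrete, here is an added simulation (not code from the article, the study, or any of the apps named) of why the spoken words differ when an interceptor sits in the key exchange, and why a longer word string should be harder to pass off by chance. It assumes a toy Diffie-Hellman group, a constructed 16-word list and a simplified "hash both public keys" SAS derivation; real apps use larger word lists and a proper key agreement.

```python
import hashlib
import secrets

# Constructed 16-word list: 4 bits of SAS entropy per word. Deployed apps use
# far larger lists, but the comparison mechanics are the same.
WORDLIST = ["apple", "bridge", "candle", "desert", "eagle", "forest", "garden",
            "harbor", "island", "jungle", "kettle", "lantern", "meadow", "needle",
            "orange", "pepper"]
# Toy Diffie-Hellman parameters for the demo only; not a real, safe group.
P = 2 ** 61 - 1
G = 5

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def sas_words(caller_pub, callee_pub, n_words):
    """Derive n SAS words from a hash of the two public keys this party saw.
    In an honest call both ends hash the same pair and read the same words."""
    digest = hashlib.sha256(f"{caller_pub}:{callee_pub}".encode()).digest()
    value = int.from_bytes(digest, "big")
    words = []
    for _ in range(n_words):
        words.append(WORDLIST[value & 0xF])   # consume 4 bits per word
        value >>= 4
    return " ".join(words)

def simulate_call(n_words, intercepted):
    """Return (alice_sas, bob_sas). With an interceptor in the path, each side
    unknowingly completes its key exchange with the attacker's key instead."""
    _, pub_a = keypair()
    _, pub_b = keypair()
    if not intercepted:
        return sas_words(pub_a, pub_b, n_words), sas_words(pub_a, pub_b, n_words)
    _, pub_m = keypair()   # attacker's key, substituted in both directions
    return sas_words(pub_a, pub_m, n_words), sas_words(pub_m, pub_b, n_words)

def match_by_luck(n_words):
    """Probability that a substituted exchange still yields identical words:
    1/256 for two words, 1/65536 for four, which is the 'exponential' gain."""
    return len(WORDLIST) ** -n_words

if __name__ == "__main__":
    for n in (2, 4):
        print(n, "words, honest:", simulate_call(n, False))
        print(n, "words, intercepted:", simulate_call(n, True),
              "chance of accidental match: %.6f" % match_by_luck(n))
```

The study's finding is that the human comparison step, not the derivation, is where the check fails: a mismatch like the intercepted case above only protects the call if the participants actually reject it.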
