A human-centered approach to the secure application of cryptography

ABSTRACT: In this talk I will outline my research that aims to bridge the gap between cryptography experts on the one side, and end users on the other side. Cryptography comes in many different shapes: we see it in password storage, digital signatures, encrypting files, and secure network connections. When implementations are less than ideal, security properties are lost. End users rarely have a chance to make informed choices about where to use which method of securing their data or communications, and crypto experts rarely implement the crypto all the way down to the application level that is actually used by end users. In between are various actors, and their overarching problem can be summarized as “You are not your user”. Library developers, who implement crypto algorithms and make them available to software developers, may be crypto experts, but are rarely focused on library usability.

Software developers, the users of crypto libraries, are rarely crypto experts, and are rarely focused on human factors to the degree that they can meaningfully communicate security features (or the lack thereof) to end users. My research aims to connect the dots to secure end users by helping developers write secure code.

Yasemin Acar is a researcher at Leibniz University Hannover, where she works on human-centered security and privacy. She is the winner of the John Karat Usable Security and Privacy Student Research Award 2018. One of her papers on the impact of documentation usability on code security won the NSA Best Scientific Cybersecurity Paper Competition in 2016. She was a visiting researcher at the National Institute of Standards and Technology (NIST, USA) in the summer of 2019, where she worked on improving privacy workflows for professionals as well as helping developers choose secure software libraries. She has previously been a researcher at the Center of Information Security and Privacy (CISPA) at Saarland University.

