Versions Compared

Old Version 19

changes.mady.by.user Unknown User (ndsheth@mit.edu)

Saved on

compared with

New Version Current

changes.mady.by.user Kenneth R Schumacher

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 4.0

...

Later that day, Stephen receives a message from someone claiming to be on Team Pullman. He asks to establish a secure messaging connection with Stephen, which Stephen agrees to. The other person turns out to be Tom Duffy, campaign manager of Team Pullman, and he suspiciously suggests that Stephen ought to consider working for Team Pullman instead of Team Morris. Stephen does not like where the conversation is heading, and decides to end the conversation. He also erases any record of the conversation occurring and removes Tom as a contact, to ensure that no trace of the conversation can be found.

Design 1

Task #1Design Notes: These were drawn in pencil (a ui mockup program) as my hand writing is pretty much illegible. I specifically chose to use Comic Sans as the font to indicate to users that this is not a finished product (as no sane designer would use comic sans).

First, in order to establish a secure connection, Stephan meets with Team Morris and shares his identity. He does this by going to his Contacts panel and clicking share.

Learnability: The "share" action is somewhat ambiguous and may confuse new users (the user may wonder what they are sharing). The use of the standard contacts list should help learnability.

Efficiency: Adding and sharing contact information from the same panel groups temporally related operations and helps make them more efficient.

Safety: The are no unsafe actions available from this screen.

Image Added

This brings up a Stephan's QR code along with his key. Users can manually enter the key or take a picture of the QR code. In this scenario, Stephan prints out the ID page and passes it around to the other members of Team Morris (the lock button is provided in case the user wants to pass around his or her phone). Image Removed Image Removed

...

Storyboard

...

Learnability

...

Efficiency

...

Safety

Learnability: Most potential users will be familiar with QR codes so this screen shouldn't pose a learnability problem. As the key looks like a serial number under a bar code, the user should pick this out as a numerical representation of the QR code.

Efficiency: QR codes are extremely efficient as the user only needs to take a picture of it.

Safety: If an attacker takes a picture of this QR code or writes down the key, it could allow them to attempt a fishing attack (as seen in this scenario).

Image Added

Each member of team morris goes to his or her contacts panel and clicks Add. When they do so, they are shown the following, click By QR Codem and are taken to a standard QR code reader. The contact is then added.

Learnability: Again, most users are familiar with QR codes so adding by QR code should be easy. Sadly, many users are also familiar with entering software activation keys and shouldn't have a problem entering the key manually if they need to.

Efficiency: QR Codes are efficient.

Safety: There are two potential safety problems: the user could be tricked into adding the wrong contact or fail to enter they key correctly. Dealing with the former is beyond the scope of this application and the latter can be dealt with by including error detection in the key.

Image Added

To allow Stephan to contact them, each member of Team Morris clicks the Actions button next to Stephan's name in their contacts page. They are then presented with the following dialog from which they select Send Contact Information.

Learnability: Learning that one can send contact information to a user by clicking on Actions is not obvious and will probably have to be taught by another user. However, putting a button on the contact itself would clutter the interface and confuse the user further.

Efficiency: This method of sharing contact information is very efficient and requires very little work on the coordinator's part.

Safety: This method of sharing contact information could lead a user to accidentally tell the wrong person who they are. However, contacts are generally assumed to be mutual so this shouldn't be a problem.
Image Added

As Stephan created this identity for this event, he knows that it is only known to members of Team Morris. As such, Stephan trusts any new contact information at face value. Stephan receives these requests as messages.
Learnability: As it uses the messaging system, there is nothing new to learn.
Efficiency: Adding multiple contacts could be slow.
Safety: The user could easily be tricked into adding an untrusted contact. Time sensitive codes could be used to mitigate this.

Image Added
Later that day, when Stephan learns that the members of Team Morris should move back to the city, he sends a message to Mark Dunn by browsing to the contacts page, clicking Actions next to his name, and clicking Send Message.
Learnability: This is fairly standard and straight forward.
Efficiency: Sending a message to multiple contacts is inefficient.
Safety: Explicitly choosing the recipient reduces the risk of sending to the wrong person.

Image Added
Stephan is then presented with a send message dialog.
Learnability: Like email.
Efficiency: Typing speed.
Safety: Including the recipient in the send button further reduces the changes of sending to the wrong person.
Image Added
Mark receives the message as the following.

Learnability: Like email.

Efficiency: Only one message per screen may cause a problem.

Safety: The message clearly indicates the sender and the encryption status.
Image Added

As it turns out, Stephan lost the sheet of paper with his contact QR code. Tom Duffy picks it up and sends Stephan his contact information. Stephan makes the mistake of trusting him and adds him to his contacts. They converse in the manner shown above and eventually Stephan catches on and removes Tom Duffy (known to Stephan as Bob) from his contacts, erasing all evidence of communication.
Learnability: By the point where a user feels the need to erase evidence of communication, he or she should be familiar enough with the interface to have seen the Actions menu. However, he or she may not know that there exists an option to remove records of communication. This should not be a problem as he or she will see this feature as he or she attempts to delete the contact.

Efficiency: This action is inefficient and requires 4-5 clicks. In this case, this is a non-issue because this feature will only be used rarely.

Safety: The user cannot undo deleting a contact (for security reasons). The application tries to communicate this to the user to reduce the changes of an error. Additionally, the interface repeatedly mentions the name of the contact being removed.

Image Added Image Added Image Added Image Added

Design 2

Adding/Managing Contacts

...

Task #2

...

Storyboard

...

Learnability

...

Efficiency

...

Safety

...

Task #3

SB#1
Description of Storyboard
Pros:
Cons:
Pros:
Cons: Pros:
Cons: SB#2
Description of Storyboard Pros:
Cons: Pros:
Cons: Pros:
Cons: SB#3
Description of Storyboard Pros:
Cons: Pros:
Cons: Pros:
Cons:

Storyboard

Learnability

Efficiency

Safety

Design 2

Task #1

...

Storyboard

...

Learnability

...

Efficiency

...

Safety

...



Image AddedKey Management

Stephen must add the new teammates to his list of
secure contacts. The SecureConnect application allows him to log
onto the Key Server set up by the campaign to manage public
keys. He finds that two of the new volunteers had public keys
created for them when issued their mobile phones, so he
adds them to his personal contact list, which include their
mobile phone number and public key. One user was not yet present
in the key server, so Stephen had to help generate a new key for
them.

This design is meant to mimic a standard phone text messaging
layout which the user is likely familiar with, then overlaying
the metaphor of user keys necessary to facilitate encrypted
messaging.

Pros:  The look and feel mimics the standard
text messaging application on a typical smartphone.
Concepts of contacts carry over, with additional public
key data added as an additional facet of contact data.


Cons:

Pros:  Key Server enables contacts to be
added without manual text entry on the phone.

Cons: User is required to obtain public key before
secure communication is possible.

Pros:  Multiple graphical cues suggest that a contact
cannot be securely communicated with until a public key
is stored for that user.
Adding via the Key Server automatically grabs public key data.



Cons: User must be continuously reminded of the unsecure
nature of their conversations until they successfully add a key.
Contacts may still be added even without a key, leaving open
the possibility of communicating without encryption.

Image Added
Contact Management
Once the new contacts were added from the Key Server,
Stephen is able to view them the contacts tab of the app. Each
newly added secure contact with a stored public key is displayed
with a key icon next to their name at all times. Contacts without a
stored key are also present, and can have a public key entered
on the contact editor in order to make them a secure contact.

Public keys can be entered manually via the keyboard, pasted from
the phone's clipboard (the contact could have sent their key via
email or unsecure text, or could have been located via web
browser).

Pros:  Look and Feel is similar to contact manager on
most smartphones.
Key metaphor is carried throughout to suggest a secure
contact vs an unsecure one.

Cons: Users must learn how to enter/obtain the public
key for a user that was not obtain from the key server.

Pros:  Contacts auto populated from key server

Cons: Manual entry of Public key can be tedious.
Perhaps alternate automated entry methods are
possible here.

Pros: Few safety issues here, as contact data is always updatable.

Cons: Removing a contact implies removing all trace of communication
with them, which the user must confirm before allowing this action.

Messaging (Secure and Unsecure)

...

Task #2

Storyboard

Learnability

Efficiency

Safety



Secure Chat Window
Description of Storyboard
Pros:
Cons:
Pros:
Cons: Pros:
Cons: Unsecure Chat Window|confluence/download/attachments/82324422/photo3.jpg?version=1&modificationDate=1331520439531\
Description of Storyboard Pros:
Cons: Pros:
Cons: Pros:
Cons:

Task #3

...

Storyboard

...

Learnability

...

Efficiency

...

Safety

...


Stephen must now update the team with new orders. On the Messaging tab,
Stephen can see a conversation with an individual or group, much like the
standard chat application on his phone. In this case, his can message John Doe
securely because he has a public key stored for him. The application reminds him
that he can securely communicate via color (background color), and each past
message that was sent with encryption is also set off by color and a lock icon. Groups
can be handled similarly to individuals with a group key.

Touching on the message area to enter a message brings up the keyboard and a lock
button, giving access to encryption options for the message (encrypt via personal
private key or public key of John Doe). The default encrypts via public key to ensure
safety, but Stephen can remove this if he decides encryption is not necessary for a particular message.

. Image Added
|||||||||\Unsecure Chat Window

This is the same view of the messaging window but for a contact without a stored
public key. The background color is red, reminding Stephen that no message can
be sent securely, and the lock icon near the message window is disabled.

Pros:  Mimics Conversation/Chat flow concepts.
Multiple signals for secure or unsecure communications
(lock icon near name, Lock on each securely sent/received
message, background color, message bubble color).

Cons: User must learn difference between using public or
private key. 

Pros:  Streamlined interface for all secure and
unsecure communications with a single person or
group.

Default option uses secure public key encryption,
which requires user intervention if a different option
is desired (assumes this is the most likely selected
option).

Cons: Receiving a secure message
requires decryption using either personal private
or contact's public key, requiring extra time.

Pros:  Multiple visual cues to signify message security.

Cons: User can still send an unsecure message, so there
is still risk of secret information being sent unsecurely.

Erasing Contacts and Communication Trail

...

Design 3

Task #1

Storyboard

Learnability

Efficiency

Safety

SB#1

Description of Storyboard

Pros:

Cons:

Pros:

Cons:

Pros:

Cons:

SB#2

Description of Storyboard

Pros:

Cons:

Pros:

Cons:

Pros:

Cons:

SB#3

Description of Storyboard

Pros:

Cons:

Pros:

Cons:

Pros:

Cons:

Design 3

This design focuses on being very straightforward/simple for any one to use.

Adding and managing secure contactsTask #2

SB#1
Description of Storyboard
Pros:
Cons:
Pros:
Cons: Pros:
Cons: SB#2
Description of Storyboard Pros:
Cons: Pros:
Cons: Pros:
Cons: SB#3
Description of Storyboard Pros:
Cons: Pros:
Cons: Pros:
Cons:

Storyboard

Learnability

Efficiency

Safety


Image Added

Stephen first wants to send a key to Mike Smith. He begins
to type his name into the empty field, and auto-complete
shows him contacts with the same characters for him to pick.
He explcitly sees that Mike Smith is going to be added when he
hits the send key button. After hitting "Send Key", Mike Smith is
notified and given a key upon accepting the request.

Pros: Straightforward to operate for new users, as most of the 
cryptograhpic lingo is abstracted away and the users deal with
only clear statements.

Cons: More knowledgeable users may feel like they're missing
something do to the sheer simplicity.

Pros: Quick and easy.

Cons: Not as efficient as a QR code
transfer when the person is nearby.

Pros: Very clear what's going to happen.

Cons:

Image Added

Mike Smith then shows up on the list of available contacts contacts.
Clicking the contact will take him to the messaging page. Clicking the
explicitly labeled edit buttons will take him to a simple edit page. From
there he can delete the contact, wipe all messages, or issue a new key.
Confirmations are required for each action.

Pros: Straightforward interface. Clear what does what.

Cons: May not be obvious that clicking on a name opens up
the messaging page for that person.

Pros: Quick access to all the needed
commands.

Cons:

Pros: All actions are very explicit and require
confirmation. This is what should happen in a
situation where sensitive information is being
dealt with.

Cons:

Secure chatTask #3

Storyboard

Learnability

Efficiency

Safety

Image Added

The chat window is in the same style as many other messaging programs
to keep it easy to use. After Stephen clicks on Mike Smith on the contact list,
he can message as he's used to. He's explicitly told the communication is
secure so there is no uncertainty. If the communications were unencrypted,
the the background would turn red, signifying the user should be cautious
and the "Secure" at the top would turn to "Insecure."

Pros: Just like standard text messaging interfaces
that most people are very familiar with. SB#1
Description of Storyboard
Pros:
Cons:
Pros:
Cons: Pros:
Cons: SB#2
Description of Storyboard Pros:
Cons: Pros:

Cons:

Pros:
Cons: SB#3
Description of Storyboard Pros:
 As efficient as a standard chat interface
once the user is in it.

Cons:

Pros:
Cons:  Explicitly states if the communication is secure
or not. Pros:

Cons: