Secure and Usable E-Mail

This is joint work with Kai Richter and Tobias Straub.


Support for strong electronic mail security is widely available yet only few communicants appear to make use of these features. Apparently, the operational overhead of security outweighs its perceived benefits.

The costs are determined primarily by the cognitive effort required to operate electronic mail security. This implies that users install the necessary software and generate cryptographic keys. The difficulty lies in exchanging keys, building trust in the received keys, authorizing cryptographic operations, and in diligently and competently reacting to prompts and warnings of the security software. However, the majority of users only has limited understanding of the underlying trust models and concepts. Consequently, they avoid or improperly operate the security software.


Towards the goal of more user-friendly secure mail, we explore a non-intrusive approach that works without certification authorities, and rather focuses on transparent message encryption and integrity protection. In our approach, we separate key exchange from binding keys to identities.

The best effort key exchange and key maintainance scheme that we devise operates transparently for the user. We also developed and studied complementary visualization and interaction techniques that communicate the security state of sent and received mail to users in a non-intrusive fashion.

Towards a practical assessment of the overheads of binding keys to identities, we conducted a quantitative analysis of users' mail behavior. Some results of our analysis are displayed below. For instance, we found that on average 50% of all mail was exchanged with 10 or fewer peers. In 50% of all weeks, the number of peers with whom subjects exchanged mail was 10 or fewer on average. In 50% of all weeks, subjects encountered 2 or fewer new peers on average.

Left: Cumulative distribution of e-mails exchanged per number of peers. Right: Cumulative distribution of weeks per number of new e-mail correpsondents with bi-directional e-mail exchange.
We argue that for individual non-commercial users, out-of-band verification of keys could be more economical than building trust in public key certificates issued by third parties. Key exchange can furthermore be optimized by verifying the key of the peer with whom most of the mail is exchanged, which has the greatest immediate quantitative (security) benefit.

Selected Publications

  1. Volker Roth, Tobias Straub, and Kai Richter.
    Security and usability engineering with particular attention to electronic mail.
    International Journal of Human-Computer Studies, 63:51-73, July 2005.
    Special Issue HCI research in privacy and security.
    [pdf] Search on Scholar
  2. Kai Richter and Volker Roth.
    Encyclopedia of Human Computer Interaction, chapter Human-Computer Interaction and Security.
    Information Science Publishing, Idea Group, Inc., USA, December 2005.
    Search on Scholar