A Closer Look at SQRL Research Findings

A Closer Look at SQRL Research Findings

A closer look at SQRL Agenda • SQRL introduction • Related work • SQRL design details • Research questions • Research method • Research findings • Conclusion UvA-SNE-RP1 presentation 1 A closer look at SQRL SQRL introduction: trigger Secure Quick Reliable Login UvA-SNE-RP1 presentation 2 A closer look at SQRL SQRL introduction: how it works QR-scanning QR-tapping QR-clicking UvA-SNE-RP1 presentation 3 A closer look at SQRL SQRL introduction: design goals SSO 2FA out-of-band (OOB) authentication no secret(s) exchange anonymity no (additional) TTP low friction deployment UvA-SNE-RP1 presentation 4 A closer look at SQRL Related work: SSO • Open standards • OpenID • TiQR UvA-SNE-RP1 presentation 5 A closer look at SQRL SQRL design details: crypto ID site (fixed) specific secret 1-F secret 2-F Brute Elliptic Force Curve UvA-SNE-RP1 presentation 6 A closer look at SQRL SQRL design details: more crypto Compromised ID ? • ID revocation support • proves ID ownership • uses additional keys • Lock (disable) • Unlock (enable/change) UvA-SNE-RP1 presentation 7 A closer look at SQRL SQRL design details: messages UvA-SNE-RP1 presentation 8 A closer look at SQRL Research questions • How does SQRL improve authentication security compared to related solutions? • What does SQRL offer to both parties? • What constraints must be met to guaranty this behaviour? • What additional features are relevant to extend deployability? • What attacks remain feasible and what countermeasures are to be considered? UvA-SNE-RP1 presentation 9 A closer look at SQRL Research method: attacks • Attacks exploit vulnerabilities • Causes of vulnerabilities • design errors • implementation errors • user mistakes UvA-SNE-RP1 presentation 10 A closer look at SQRL Research method: attacks • Attacks exploit vulnerabilities • Causes of vulnerabilities • design: • uses TLS • covers MiTM • covers eavesdropping • uses HMAC • no reverse operation • uses scrypt • covers brute-force UvA-SNE-RP1 presentation 11 A closer look at SQRL Research method: attacks • Attacks exploit vulnerabilities • Causes of vulnerabilities • design errors • implementation errors • no current (mature) app/server UvA-SNE-RP1 presentation 12 A closer look at SQRL Research method: attacks • Attacks exploit vulnerabilities • Causes of vulnerabilities • design errors • implementation errors • user mistakes UvA-SNE-RP1 presentation 13 A closer look at SQRL Research method: attacks SQRL user interaction • SQRL-app installation • SQRL Identity password generation & use • SQRL Master Key backup & restore • SQRL (Un)lock Key backup & restore SQRL design dependencies • Responsible users • No malware installed • No shoulder surfing • Master Key safely stored (QR on paper) • (Un)lock Key safely stored (QR on paper) UvA-SNE-RP1 presentation 14 A closer look at SQRL Research findings: attacks Malware needs to be Crypto in crypto-chip addressed UvA-SNE-RP1 presentation 15 A closer look at SQRL Research findings: attacks Malware needs to be Crypto in nfc-chip addressed UvA-SNE-RP1 presentation 16 A closer look at SQRL Research findings: research question 2 • What additional features are relevant to extend deployability? • Site-specific key-pairs -E-mail -Membership -Registration UvA-SNE-RP1 presentation 17 A closer look at SQRL Research findings: research question 1 How does SQRL improve authentication security compared to related solutions? • What does SQRL offer to both parties? • What constraints must be met to guaranty this behaviour? SSO 2FA out-of-band (OOB) authentication no secret(s) exchange anonymity no (aditional) TTP ID revocation facility UvA-SNE-RP1 presentation 18 A closer look at SQRL Related work: SSO-Open standards • SURFnet • OCRA (OATH Challenge Response Algorithm) RFC6287 UvA-SNE-RP1 presentation 19 A closer look at SQRL Related work: SSO-Open standards • OpenID Authentication 2.0 • Support of algorithms (not prescribed) UvA-SNE-RP1 presentation 20 A closer look at SQRL Related work: SSO-Open standards TiQR OpenID SQRL SSO (?) 2FA ? OOB ? No secret(s) exchange Ҳ ? Anonymity (?) ? No (additional) TTP Ҳ Low Friction Deploy ID revocation Ҳ ? 21 UvA-SNE-RP1 presentation A closer look at SQRL Research findings: research question 1 How does SQRL improve authentication security compared to related solutions? • What does SQRL offer to both parties? • What constraints must be met to guaranty this behaviour? User: • SSO • 2FA security • anonymity • no cross-site coupling of ID’s • ID revocation support Website: • authenticated identity • alongside alternative solutions UvA-SNE-RP1 presentation 22 A closer look at SQRL Research findings: research question 1 How does SQRL improve authentication security compared to related solutions? • What does SQRL offer to both parties? • What constraints must be met to guaranty this behaviour? • HTTP over TLS • user responsibility/awareness UvA-SNE-RP1 presentation 23 A closer look at SQRL Conclusion SQRL is • open • no new technology • a combination of Best Practices • unique in its offered properties • not operational yet SQRL depends on • responsible users SQRL needs • additional secret protection UvA-SNE-RP1 presentation 24 A closer look at SQRL Questions UvA-SNE-RP1 presentation 25 .

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    25 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us