Related work SQRL design details Research questions Research - - PowerPoint PPT Presentation

▶

May 19, 2023 137 likes •397 views

A closer look at SQRL Agenda SQRL introduction Related work SQRL design details Research questions Research method Research findings Conclusion UvA-SNE-RP1 presentation 1 A closer look at SQRL SQRL introduction:

SLIDE 1

A closer look at SQRL Agenda

SQRL introduction
Related work
SQRL design details
Research questions
Research method
Research findings
Conclusion

UvA-SNE-RP1 presentation 1

SLIDE 2

A closer look at SQRL SQRL introduction: trigger Secure Quick Reliable Login

UvA-SNE-RP1 presentation 2

SLIDE 3

A closer look at SQRL SQRL introduction: how it works

UvA-SNE-RP1 presentation 3

QR-scanning QR-tapping QR-clicking

SLIDE 4

A closer look at SQRL SQRL introduction: design goals

 SSO  2FA  out-of-band (OOB) authentication  no secret(s) exchange  anonymity  no (additional) TTP  low friction deployment

UvA-SNE-RP1 presentation 4

SLIDE 5

A closer look at SQRL Related work: SSO

UvA-SNE-RP1 presentation 5

Open standards
OpenID
TiQR

SLIDE 6

A closer look at SQRL SQRL design details: crypto

UvA-SNE-RP1 presentation 6

secret 1-F secret 2-F site specific ID (fixed) Elliptic Curve Brute Force

SLIDE 7

A closer look at SQRL SQRL design details: more crypto

UvA-SNE-RP1 presentation 7

Compromised ID ?

ID revocation support
proves ID ownership
uses additional keys
Lock (disable)
Unlock (enable/change)

SLIDE 8

A closer look at SQRL SQRL design details: messages

UvA-SNE-RP1 presentation 8

SLIDE 9

A closer look at SQRL Research questions

How does SQRL improve authentication

security compared to related solutions?

What does SQRL offer to both parties?
What constraints must be met to

guaranty this behaviour?

What additional features are relevant to

extend deployability?

What attacks remain feasible and what

countermeasures are to be considered?

UvA-SNE-RP1 presentation 9

SLIDE 10

A closer look at SQRL Research method: attacks

Attacks exploit vulnerabilities
Causes of vulnerabilities
design errors
implementation errors
user mistakes

UvA-SNE-RP1 presentation 10

SLIDE 11

A closer look at SQRL Research method: attacks

Attacks exploit vulnerabilities
Causes of vulnerabilities
design:
uses TLS
covers MiTM
covers eavesdropping
uses HMAC
no reverse operation
uses scrypt
covers brute-force

UvA-SNE-RP1 presentation 11

SLIDE 12

A closer look at SQRL Research method: attacks

Attacks exploit vulnerabilities
Causes of vulnerabilities
design errors
implementation errors
no current (mature) app/server

UvA-SNE-RP1 presentation 12

SLIDE 13

A closer look at SQRL Research method: attacks

Attacks exploit vulnerabilities
Causes of vulnerabilities
design errors
implementation errors
user mistakes

UvA-SNE-RP1 presentation 13

SLIDE 14

A closer look at SQRL Research method: attacks SQRL user interaction

SQRL-app installation
SQRL Identity password generation & use
SQRL Master Key backup & restore
SQRL (Un)lock Key backup & restore

SQRL design dependencies

Responsible users
No malware installed
No shoulder surfing
Master Key safely stored (QR on paper)
(Un)lock Key safely stored (QR on paper)

UvA-SNE-RP1 presentation 14

SLIDE 15

A closer look at SQRL Research findings: attacks

UvA-SNE-RP1 presentation 15

Malware needs to be addressed Crypto in crypto-chip

SLIDE 16

A closer look at SQRL Research findings: attacks

UvA-SNE-RP1 presentation 16

Malware needs to be addressed Crypto in nfc-chip

SLIDE 17

A closer look at SQRL Research findings: research question 2

UvA-SNE-RP1 presentation 17

Site-specific key-pairs
E-mail
Membership
Registration
What additional features are relevant to

extend deployability?

SLIDE 18

A closer look at SQRL Research findings: research question 1

UvA-SNE-RP1 presentation 18

SSO 2FA

ut-of-band (OOB) authentication

no secret(s) exchange anonymity no (aditional) TTP ID revocation facility

How does SQRL improve authentication security compared to related solutions?

What does SQRL offer to both parties?
What constraints must be met to

guaranty this behaviour?

SLIDE 19

A closer look at SQRL Related work: SSO-Open standards

UvA-SNE-RP1 presentation 19

SURFnet
OCRA (OATH Challenge Response Algorithm) RFC6287

SLIDE 20

A closer look at SQRL Related work: SSO-Open standards

UvA-SNE-RP1 presentation 20

OpenID Authentication 2.0
Support of algorithms (not prescribed)

SLIDE 21

A closer look at SQRL Related work: SSO-Open standards

UvA-SNE-RP1 presentation 21

TiQR OpenID SQRL SSO  (?)   2FA  ?  OOB  ?  No secret(s) exchange Ҳ ?  Anonymity  (?) ?  No (additional) TTP  Ҳ  Low Friction Deploy    ID revocation Ҳ ? 

SLIDE 22

A closer look at SQRL Research findings: research question 1

UvA-SNE-RP1 presentation 22

User:

SSO
2FA security
anonymity
no cross-site coupling of ID’s
ID revocation support

Website:

authenticated identity
alongside alternative solutions

How does SQRL improve authentication security compared to related solutions?

What does SQRL offer to both parties?
What constraints must be met to

guaranty this behaviour?

SLIDE 23

A closer look at SQRL Research findings: research question 1

UvA-SNE-RP1 presentation 23

HTTP over TLS
user responsibility/awareness

How does SQRL improve authentication security compared to related solutions?

What does SQRL offer to both parties?
What constraints must be met to

guaranty this behaviour?

SLIDE 24

A closer look at SQRL Conclusion

UvA-SNE-RP1 presentation 24

SQRL is

pen
no new technology
a combination of Best Practices
unique in its offered properties
not operational yet

SQRL depends on

responsible users

SQRL needs

additional secret protection

SLIDE 25

A closer look at SQRL Questions

UvA-SNE-RP1 presentation 25