A closer look at SQRL (UvA-SNE-RP1 presentation)


  1. A closer look at SQRL: Agenda
     • SQRL introduction
     • Related work
     • SQRL design details
     • Research questions
     • Research method
     • Research findings
     • Conclusion

  2. SQRL introduction: trigger
     • SQRL stands for Secure Quick Reliable Login

  3. SQRL introduction: how it works
     • QR-scanning
     • QR-tapping
     • QR-clicking

  4. SQRL introduction: design goals
     • SSO
     • 2FA
     • out-of-band (OOB) authentication
     • no secret(s) exchange
     • anonymity
     • no (additional) TTP
     • low-friction deployment

  5. Related work: SSO
     • Open standards
     • OpenID
     • TiQR

  6. SQRL design details: crypto
     [Diagram: a fixed ID secret is combined with the site to give a site-specific secret; an elliptic-curve key pair is derived from it (1-F secret); a second factor (2-F) protects the ID secret and is hardened against brute force]

  7. SQRL design details: more crypto
     Compromised ID?
     • ID revocation support
     • proves ID ownership
     • uses additional keys
       • Lock (disable)
       • Unlock (enable/change)

  8. SQRL design details: messages

  9. Research questions
     • How does SQRL improve authentication security compared to related solutions?
     • What does SQRL offer to both parties?
     • What constraints must be met to guarantee this behaviour?
     • What additional features are relevant to extend deployability?
     • What attacks remain feasible and what countermeasures are to be considered?

  10. Research method: attacks
     • Attacks exploit vulnerabilities
     • Causes of vulnerabilities
       • design errors
       • implementation errors
       • user mistakes

  11. Research method: attacks
     • Attacks exploit vulnerabilities
     • Causes of vulnerabilities
       • design:
         • uses TLS: covers MiTM and eavesdropping
         • uses HMAC: no reverse operation
         • uses scrypt: covers brute force

  12. Research method: attacks
     • Attacks exploit vulnerabilities
     • Causes of vulnerabilities
       • design errors
       • implementation errors: no current (mature) app/server

  14. Research method: attacks
     SQRL user interaction
     • SQRL-app installation
     • SQRL Identity password generation & use
     • SQRL Master Key backup & restore
     • SQRL (Un)lock Key backup & restore
     SQRL design dependencies
     • Responsible users
     • No malware installed
     • No shoulder surfing
     • Master Key safely stored (QR on paper)
     • (Un)lock Key safely stored (QR on paper)

  15. Research findings: attacks
     • Malware needs to be addressed
     [Figure: crypto in crypto-chip]

  16. Research findings: attacks
     • Malware needs to be addressed
     [Figure: crypto in NFC chip]

  17. Research findings: research question 2
     • What additional features are relevant to extend deployability?
     • Site-specific key pairs
       - E-mail
       - Membership
       - Registration

  18. Research findings: research question 1
     How does SQRL improve authentication security compared to related solutions?
     • What does SQRL offer to both parties?
     • What constraints must be met to guarantee this behaviour?
     SQRL offers:
     • SSO
     • 2FA
     • out-of-band (OOB) authentication
     • no secret(s) exchange
     • anonymity
     • no (additional) TTP
     • ID revocation facility

  19. Related work: SSO open standards
     • SURFnet
     • OCRA (OATH Challenge-Response Algorithm), RFC 6287

  20. Related work: SSO open standards
     • OpenID Authentication 2.0
     • Support of algorithms (not prescribed)

  21. Related work: SSO open standards
     [Comparison table: columns TiQR, OpenID, SQRL; rows SSO, 2FA, OOB, no secret(s) exchange, anonymity, no (additional) TTP, low-friction deployment, ID revocation; cells marked supported, unknown (?) or not supported]

  22. Research findings: research question 1
     How does SQRL improve authentication security compared to related solutions?
     • What does SQRL offer to both parties?
     • What constraints must be met to guarantee this behaviour?
     User:
     • SSO
     • 2FA security
     • anonymity
     • no cross-site coupling of IDs
     • ID revocation support
     Website:
     • authenticated identity
     • alongside alternative solutions

  23. Research findings: research question 1
     How does SQRL improve authentication security compared to related solutions?
     • What does SQRL offer to both parties?
     • What constraints must be met to guarantee this behaviour?
     Constraints:
     • HTTP over TLS
     • user responsibility/awareness

  24. Conclusion
     SQRL is
     • open
     • no new technology
     • a combination of best practices
     • unique in its offered properties
     • not operational yet
     SQRL depends on
     • responsible users
     SQRL needs
     • additional secret protection

  25. Questions
