robust pseudonymous identity for the internet a practical
play

Robust Pseudonymous Identity for the Internet (A Practical Username - PowerPoint PPT Presentation

Nov 29, 2023 •466 likes •898 views

Robust Pseudonymous Identity for the Internet (A Practical Username & Password Replacement) S Q R L S ecure Q uick R eliable L ogin A simple, straightforward, open, intellectual property unencumbered, easily explained, provably secure,

  2. Robust Pseudonymous Identity for the Internet (A Practical Username & Password Replacement)

  3. S Q R L S ecure Q uick R eliable L ogin A simple, straightforward, open, intellectual property unencumbered, easily explained, provably secure, pseudonymous, 2-party, web domain based, authenticated identity solution, including complete identity lifecycle management… For the Internet.

  4. W hy SQRL w ill succeed • Supports a single master identity, for everything. • Incorporates practical identity lifecycle management. • Secure against website breaches (no secrets to keep). • Minimal 2-party solution. No central third party to trust. • Pseudonymous, unlinkable, prevents tracking. • Simple, straightforward, open, non-proprietary & free. • Provably secure, understandable & easily auditable. • Most complexity resides in the client to ease server-side development. Client and server code available and free. • Plays well with others. Easily coexists with any other identity/ authentication solutions for low-friction adoption.

  5. Pseudonym ous I dentity • You are just a number. • SQRL doesn’t know who you are, and neither does any website you visit (unless you choose to tell it). • For every website you visit, your single lifelong, SQRL identity creates a static, unique, unlinkable, 256-bit “token” which represents your identity at that site. • After you have logged in traditionally, you “ associate ” your unique SQRL token with your existing account. This tells the site “this is who I am with SQRL, to you.” • From then on, you may use SQRL to identify yourself to login and approve other identity-dependent actions. Here’s how the whole system works…

  6. SQRL in a nutshell • A user’s master SQRL identity is a randomly derived, static, long-term, high entropy 256-bit token. • This master identity keys an HMAC-256, which maps a website’s domain name into a per-website elliptic curve private/ public key pair. • The resulting public key identifies the user to the website. • Users associate this public key with their existing identity at a website and are subsequently identified by this public key. We call this “ creating a SQRL identity association .” • Returning users must reassert their identity by signing a server-supplied nonce with their matching private key.

  7. SQRL in a nutshell

  8. W hat does this m ean? • User identities are per-site, pseudonymous & unlinkable. • No per-site data needs to be stored by the SQRL client. • The use of a unique nonce prevents any replay or reuse. • No third party intermediary is required for authentication. • Websites receive a public key that is only useful to them. • The website’s public key can only be used to identify and confirm a visitor’s identity. It cannot be used to assert an identity. • SQRL does not give websites any secrets to keep.

  9. The server’s role • SQRL’s server-side requirements could not be simpler: • There is, of course, the need for SQRL protocol support and many implementation details. But, the only server cryptography required is signature verification!

  10. Secure encryption of user data • Security conscientious websites would like to securely store user data without risk of post breach decryption. • SQRL can (optionally) key an HMAC of a server-provided token to return a unique, user and site-specific, static key which can be used for server-side storage encryption.

  11. Desktop & m obile m odes “Same Device” login: (desktop, laptop, or mobile) • SQRL clients register the “sqrl” URL scheme and respond when a user clicks the S QR L code in any local browser. • The SQRL client receives the sqrl: / / URL containing a unique nonce. It converts the URL to https: / / and queries the website’s SQRL authentication service at that URL. • Every SQRL query includes the user’s public key identity and is signed by the user’s private key for that site. • The site verifies the signature of all SQRL client queries, performs any requested actions, and returns status to the client.

  12. Desktop & m obile m odes “Cross Device” login: (mobile –to – > desktop, laptop) • SQRL can be used with camera-equipped devices to securely authenticate its user to websites displaying a S QR L code: • The standard optical QR code encodes the same sqrl: / / URL as its clickable link. The SQRL client contacts the website’s SQRL authentication service and securely asserts its user’s identity. The browser session is transparently logged-in with no keyboard interaction.

  13. The devil is in the details We still need to authenticate the user to their device. • SQRL becomes a proxy for the user’s identity, able to assert it on their behalf. But this means we must somehow protect against its abuse. • We need simple, per-use, user re-authentication. • Smartphone biometrics is convenient where available. • GRC’s SQRL client allows the use of an abbreviated password (“ShortPass”) for quick re-authentication during the same sitting. This eliminates the annoyance of frequent redundant re-entry of a long and secure password during a single session.

  14. The m an-in-the-m iddle threat • All online authentication systems suffer from various forms of MITM and spoofing vulnerabilities. SQRL does finally solve this problem robustly for same-device authentication when the SQRL client is embedded in the browser (i.e. as an add-on, or with native support). • But non-embedded external clients, and cross device authentication, remains a problem and a challenge. • An unwitting user visits a malicious website which invites them to login with SQRL. But the SQRL URL they are given is for “Amazon.com”, which the malicious site first received from Amazon. If the user authenticates to that SQRL URL, the malicious site’s session would be logged in as the user.

  15. Defeating m an-in-the-m iddle • “Client Provided Session” (CPS) allows the SQRL client to directly provide the server’s authenticated session login token to the user’s local browser. This prevents any possible man-in-the-middle from obtaining the token. • The IP of the SQRL code requester is also incorporated into the SQRL URL nonce. The server compares this IP with the subsequent SQRL client query IP and notifies the client when the two do not match. This easily and robustly prevents an unwitting user from authenticating a MITM located at a different IP. • IP-based MITM mitigation will not detect the case where an attacker can arrange to have the same public IP as the user’s SQRL client. So, at best, it is only a “mitigation.”

  16. Defeating m an-in-the-m iddle • Since SQRL URLs are not user-readable, we must also protect the user from a simple attack where the visited site obtains a SQRL URL from another site and presents that SQRL URL to the user for authentication. • SQRL URLs incorporate a “Site Friendly Name” (SFN) which is prominently displayed in the client’s login permission prompt. The SFN cannot be spoofed since the client returns the full URL to the authenticating server. • Users can thereby verify that they are authenticating to the site they believe they are visiting and not some other. • This does transfer responsibility to irresponsible users. But without the CPS solution it’s the best we can do.

  17. Creating a practical solution • W ithout any 3 rd party, the user has no recourse. • There is no one they can go to for password recovery. While this presents problems, it also makes SQRL vastly more secure, since impersonation, social engineering, and other attacks on password recovery are commonplace. SQRL eliminates them all. • “I forgot my password!” • “I just changed my password, but I forgot the new one!” • The whole point of SQRL is that websites can no longer help. If they could… they could be hacked too. • “Malware got into my machine and stole my SQRL ID!”

  18. I ntroducing the “Rescue Code” • SQRL needs a secure em ergency recovery system . A “get out of jail free” card that functions on the client side without any 3 rd party (because there is no 3 rd party). Identity Synthesis Process (performed once)

  19. I ntroducing the “Rescue Code” • SQRL identities carry the “root” identity encrypted by a system supplied, maximum-entropy 24-digit “rescue code” and, also, the derived master identity, encrypted under the user chosen (lower-entropy) access password. • This allows for the recovery of a forgotten password by decrypting the root identity with the 24-digit rescue code. • The rescue code is NEVER stored in any client. It always remains offline and inaccessible to client compromise.

  20. The Rescue Code 1 4 8 4 -3 6 0 6 -4 2 5 3 -9 5 7 7 -0 2 3 3 -6 0 7 0 (sample) • The rescue code is a maximum entropy 24-digit key. • It is burdensome, but it is very rarely, if ever, needed. • Most users will use SQRL throughout their lives without ever needing their SQRL rescue code… even once. • It is NEVER stored by any SQRL client. It must be written down or printed, just once, when a SQRL identity is created… and it cannot later be recreated. • In addition to enabling password recovery, the rescue code enables some additional valuable capabilities. . .

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

These slides: https: / / www.grc.com/ sqrl-presentation.pdf Robust Pseudonymous Identity for the

These slides: https: / / www.grc.com/ sqrl-presentation.pdf Robust Pseudonymous Identity for the

These slides: https: / / www.grc.com/ sqrl-presentation.pdf Robust Pseudonymous Identity for the Internet (A Practical Username & Password Replacement) S Q R L S ecure Q uick R eliable L ogin A simple, straightforward, open, intellectual

668 views • 51 slides
Pseudonymous Authentication and Authorization enhancing ubiquitous Identity Management Thomas

Pseudonymous Authentication and Authorization enhancing ubiquitous Identity Management Thomas

Pseudonymous Authentication and Authorization enhancing ubiquitous Identity Management Thomas Hildmann hildmann@prz.tu-berlin.de Berlin University of Technology (TUB) Content Motivation Advantages of pseudonymous A+A

733 views • 14 slides
Internet Identity Initiatives Internet Identity Initiatives RL Bob Morgan University of

Internet Identity Initiatives Internet Identity Initiatives RL Bob Morgan University of

Internet Identity Initiatives Internet Identity Initiatives RL Bob Morgan University of Washington and Internet2 EMC2 Mlaga, S pain October 2006 Topics Topics Internet identity buzzwords/ proj ects: user-centric, sxip, dix,

395 views • 18 slides
Towards Deploying a Scalable & Robust Vehicular Identity and Credential Management

Towards Deploying a Scalable & Robust Vehicular Identity and Credential Management

Towards Deploying a Scalable & Robust Vehicular Identity and Credential Management Infrastructure M. Khodaei, H. Jin, and P. Papadimitratos Networked Systems Security Group www.ee.kth.se/nss Royal Institute of Technology (KTH) Stockholm,

302 views • 26 slides
Internet Identity Workshop IIW 2008b Introduction Johannes Ernst NetMesh Inc.

Internet Identity Workshop IIW 2008b Introduction Johannes Ernst NetMesh Inc.

Internet Identity Workshop IIW 2008b Introduction Johannes Ernst NetMesh Inc. http://netmesh.info/jernst Johannes Ernst Modern Identity History Facebook Proprietary et al. Yadis URL-based Age of identity Card-based interop

1.01k views • 24 slides
A pseudonymous trust system for a decentralized anonymous

A pseudonymous trust system for a decentralized anonymous

Na?onal Technical University of Athens School of Electrical and Computer Engineering Department of Computer Science A pseudonymous trust system for a

1.21k views • 83 slides
SECMACE: Scalable and Robust Identity and Credential Infrastructure in Vehicular Communication

SECMACE: Scalable and Robust Identity and Credential Infrastructure in Vehicular Communication

SECMACE: Scalable and Robust Identity and Credential Infrastructure in Vehicular Communication IEEE Transactions on Intelligent Transportation Systems (IEEE ITS), vol. 19, no. 5, May 2018 Mohammad Khodaei, Hongyu Jin, and Panos Papadimitratos

689 views • 54 slides
SECMACE: Scalable and Robust Identity and Credential Management Infrastructure in Vehicular

SECMACE: Scalable and Robust Identity and Credential Management Infrastructure in Vehicular

KTH ROYAL INSTITUTE OF TECHNOLOGY SECMACE: Scalable and Robust Identity and Credential Management Infrastructure in Vehicular Communication Systems M. Khodaei, H. Jin and P . Papadimitratos Networked Systems Security Group (NSS) In IEEE

464 views • 42 slides
S Q R L S ecure Q uick R eliable L ogin A simple, straightforward, open, intellectual property

S Q R L S ecure Q uick R eliable L ogin A simple, straightforward, open, intellectual property

S Q R L S ecure Q uick R eliable L ogin A simple, straightforward, open, intellectual property unencumbered, easily explained, provably secure, pseudonymous, 2-party, web domain based, authenticated identity solution, including complete identity

840 views • 38 slides
Digital Identity as a Basis for Internet Security Infrastructure Ing. Radovan Semank

Digital Identity as a Basis for Internet Security Infrastructure Ing. Radovan Semank

Digital Identity as a Basis for Internet Security Infrastructure Ing. Radovan Semank Business Global Systems Agenda Introduction Unified User Management Public Key Infrastructure Digital Identity Conclusion Introduction

337 views • 12 slides
Intelligent Networks with a Owner-Centric design. ENABLING NEXT THE GENERATION INTERNET IoT is

Intelligent Networks with a Owner-Centric design. ENABLING NEXT THE GENERATION INTERNET IoT is

Intelligent Networks with a Owner-Centric design. ENABLING NEXT THE GENERATION INTERNET IoT is not a Cloud game It is a Network game What is IoT? Non-Legal Identity Legal Identity Legal Identity Non-Legal Identity IAM Legal Identity

248 views • 22 slides
Trust, Identity Management and GENI Dr. Ken Klingenstein, Senior Director, Middleware and

Trust, Identity Management and GENI Dr. Ken Klingenstein, Senior Director, Middleware and

Trust, Identity Management and GENI Dr. Ken Klingenstein, Senior Director, Middleware and Security, Internet2 Technologist, University of Colorado at Boulder Topics Internet identity update Technology updates ISOC, IETF Identity,

601 views • 23 slides
Effect Decomposition with Structural Nested Models A Practical Multiply Robust Approach Ashley I

Effect Decomposition with Structural Nested Models A Practical Multiply Robust Approach Ashley I

Effect Decomposition with Structural Nested Models A Practical Multiply Robust Approach Ashley I Naimi Stijn Vansteelandt 1 Overview 1. Preliminaries & Review 2. Marginal Structural vs Structural Nested Models 3. Practical MR Estimation

419 views • 38 slides
Rapid and Robust Impact Assessment of Software Changes in Large Internet-based Services Shenglin

Rapid and Robust Impact Assessment of Software Changes in Large Internet-based Services Shenglin

Rapid and Robust Impact Assessment of Software Changes in Large Internet-based Services Shenglin Zhang, Ying Liu, Dan Pei Yu Chen, Xianping Qu, Shimin Tao, Zhi Zang 6/22/18 CoNEXT 2015 1 Internet-based Services l Search l Shopping l Social l

1.94k views • 93 slides
What is Blockpass? Blockpass is a blockchain identity protocol for the connected world - the

What is Blockpass? Blockpass is a blockchain identity protocol for the connected world - the

What is Blockpass? Blockpass is a blockchain identity protocol for the connected world - the Internet of Everything. The goal of Blockpass is global realization of identity for the Internet of Everything. Through the use of blockchain

300 views • 25 slides
Internet Identity and Access Control Dr Ken Klingenstein, Director, Middleware and Security,

Internet Identity and Access Control Dr Ken Klingenstein, Director, Middleware and Security,

Internet Identity and Access Control Dr Ken Klingenstein, Director, Middleware and Security, Internet2 Topics Whats happening/ impacts See lunch talk The Research Angle Researchers as users Security Researchers New

499 views • 10 slides
OERs, Authentication and MOOCs http://web.peralta.edu/or prepared by Dr. Fabian Banga

OERs, Authentication and MOOCs http://web.peralta.edu/or prepared by Dr. Fabian Banga

OERs, Authentication and MOOCs http://web.peralta.edu/or prepared by Dr. Fabian Banga Authentication Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. Student authenticity

221 views • 11 slides
Beta Presentation Integrated Silent Authentication via Symantec VIP The Capstone Experience

Beta Presentation Integrated Silent Authentication via Symantec VIP The Capstone Experience

Beta Presentation Integrated Silent Authentication via Symantec VIP The Capstone Experience Team Symantec Scott Binter Tyler Erskine James Mariani Daniel Parlin Chris Perry Department of Computer Science and Engineering Michigan State

261 views • 4 slides
How To Secure Electronic Passports Marc Witteman & Harko Robroch Riscure 02/07/07 - Session

How To Secure Electronic Passports Marc Witteman & Harko Robroch Riscure 02/07/07 - Session

How To Secure Electronic Passports Marc Witteman & Harko Robroch Riscure 02/07/07 - Session Code: IAM-201 Other personal info on chip Other less common data fields that may be in your passport Custody Information Travel Record

703 views • 31 slides
SAME Presentation on Cybersecurity Andy Knauf CIO Mead & Hunt INTERNET SECURITY TESTING

SAME Presentation on Cybersecurity Andy Knauf CIO Mead & Hunt INTERNET SECURITY TESTING

SAME Presentation on Cybersecurity Andy Knauf CIO Mead & Hunt INTERNET SECURITY TESTING The engineers will scan Internet-visible hosts, identify services running on the hosts, and conduct testing for vulnerabilities to known exploits.

671 views • 15 slides
UNM Wireless Updates Current status of the continued efforts to increase wireless coverage on

UNM Wireless Updates Current status of the continued efforts to increase wireless coverage on

UNM Wireless Updates Current status of the continued efforts to increase wireless coverage on campus, wireless authentication and improvements June 6 7, 2019 Wireless Improvements Top Areas of Improvement 2018 Chemistry Duck

773 views • 17 slides
Project Plan Secure Application Layer API Proxy The Capstone Experience Team Symantec Lauren

Project Plan Secure Application Layer API Proxy The Capstone Experience Team Symantec Lauren

Project Plan Secure Application Layer API Proxy The Capstone Experience Team Symantec Lauren Allswede Steven Kneiser Jacob Carl TJ Kelly Yili Luo Department of Computer Science and Engineering Michigan State University Fall 2017 From

265 views • 12 slides
Special Initiatives Darrell K Dohrman, Project Manager MAJOR ACCOMPLISHMENTS Projects

Special Initiatives Darrell K Dohrman, Project Manager MAJOR ACCOMPLISHMENTS Projects

Special Initiatives Darrell K Dohrman, Project Manager MAJOR ACCOMPLISHMENTS Projects Processes BIG-IP Change Management CAS Central Sign-On Communication Digital Signage Committee

376 views • 16 slides
Bond Authorization & Related Supplemental Appropriation Presentation to the Capital Planning

Bond Authorization & Related Supplemental Appropriation Presentation to the Capital Planning

San Francisco International Airport Bond Authorization & Related Supplemental Appropriation Presentation to the Capital Planning Committee October 21, 2019 Introduction CPC Action: Recommend approval authorizing Airport Commission to issue

162 views • 14 slides

More recommend