Secure Quick Reliable Login

Presentation transcript:

Secure Quick Reliable Login
● SQRL pronounced “squirrel”.
● Acronym confusion – QR no longer stands for “Quick Response” two-dimensional bar codes. Optional.
● Official (still informal) specification proposed by Steve Gibson at
● Work in progress. Still maturing.

Secure Quick Reliable Login
● Why all this? What's the purpose?
– To replace usernames and passwords as the de facto standard for user authentication on websites and in on-line services in general.
● Is this the end of all passwords?
– No, not really. Hold that thought.

Secure Quick Reliable Login
● What's the matter with my passwords?
– Nothing!
● Are they not safe?
– Not with the way websites use them today.
● How's that?
– Websites receive your password and try their “best” to protect it. Time and experience have proven beyond any doubt that their best is not good enough.

Secure Quick Reliable Login
● Is it perfect?
– Of course not! SQRL does not intend to solve every security and privacy problem on the Internet. It is, however, an alternative that is simple to use, easy to implement and provides better security than the long-standing practice of storing usernames and passwords on web servers across the Internet.

Secure Quick Reliable Login
● Is it compatible?
– Yes! It is low-friction and backwards compatible. Websites that wish to support SQRL do not need to abandon usernames and passwords; they only need to offer SQRL as an alternative.

Secure Quick Reliable Login
● Are you saying that with SQRL my personal password will never leave my local device?
– Correct. It will never travel on-line.
– Websites cannot lose it, because they will never have it.
– SQRL uses cryptographic public keys and digital signatures to prove to the website who you are.
– Your password is only used locally to unlock these keys.

Secure Quick Reliable Login
● So, how does it work?
– From the user's perspective, it's dead simple.
1) Have a SQRL client app installed locally.
2) Visit a website that supports SQRL.
3) You will be presented with a QR code.*
   * The QR code might be replaced with a simple LOGIN button.
4) Click* the QR code.
   * When using a tablet or mobile device, just tap it.
5) In the SQRL app, type in your personal password.

Secure Quick Reliable Login
● That's it! You are now logged in.
● The SQRL application securely provides the website with your credentials.

Secure Quick Reliable Login
● Ok, seriously... what did you just do? Let's get technical.
– The first time you install the SQRL app, it will create a Master Key.*
   * A 256-bit random number.
– This Master Key is globally unique and is the root of your identity.
[Diagram: SQRL application holding the Master Key]

Secure Quick Reliable Login
● The Master Key is important, so it will never be stored in plain text.
– Your local password is combined with the Master Key using SCRYPT-PBKDF to defend against off-line brute-force attacks.
– For the SQRL app to use the Master Key, you must provide your personal password.
[Diagram: SQRL application holding the Master Key]

Secure Quick Reliable Login
● The Master Key can also be exported into a backup in the form of a printed QR code.
● This physical backup uses even stronger SCRYPT parameters, making brute-force attacks virtually infeasible.*
   * Attackers only get one guess every 60 seconds!
[Diagram: SQRL application (Master Key) → Offline Backup (Master Key)]

Secure Quick Reliable Login
● Upon visiting a SQRL-enabled website, the browser will be offered a QR challenge.
[Diagram: browser ↔ example.com: Request QR challenge / Return QR challenge]

Secure Quick Reliable Login
● The browser will pass this challenge to the SQRL app.
[Diagram: SQRL App ↔ Website: Request QR challenge / Return QR challenge / “Please sign this”]

Secure Quick Reliable Login
● Internally, the SQRL app will combine your Master Key with the website's domain name to create a cryptographic key pair (Ed25519) that is unique to that website.
[Diagram: SQRL application: Master Key + example.com → Ed25519 → WPrK / WPuK]

Secure Quick Reliable Login
● This website's private key (WPrK) is then used to digitally sign the QR challenge.
[Diagram: SQRL application: Master Key → WPrK, WPuK; WPrK + QR challenge → Digital signature → Signed QR response]

Secure Quick Reliable Login
● The QR response is built using the WPuK and the QR challenge, along with the digital signature for validation.
[Diagram: SQRL application: Master Key → WPrK, WPuK; WPuK + QR challenge + Digital signature → Signed QR response]

Secure Quick Reliable Login
● WPrK does not need to be stored in the SQRL client, since it can be re-created on every login request.
[Diagram: SQRL application: Master Key → WPrK, WPuK; WPuK + QR challenge + Digital signature → Signed QR response]

Secure Quick Reliable Login
● The signed QR response is sent back to the website.
[Diagram: SQRL App ↔ Website: Request QR challenge / Return QR challenge / “Please sign this” / Signed QR response]

Secure Quick Reliable Login
● Using the public key it received, the website can verify the signature, which could only have been created using the corresponding private key.
[Diagram: Website: WPuK + QR challenge + Digital signature → verification of the Signed QR response]

Secure Quick Reliable Login
● If this is your first visit, the website will store the public key and probably ask for more information to sign you up and create a full account (name, address, e-mail, etc.).
[Diagram: Website: WPuK + QR challenge + Digital signature → Signed QR response; WPuK stored in Database]

Secure Quick Reliable Login
● From now on, the WPuK is the identity you have established with the website, and only you, with your Master Key, can authenticate with it.
[Diagram: Website: WPuK + QR challenge + Digital signature → Signed QR response; WPuK stored in Database]
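The derivation, signing and verification flow shown in the preceding slides, as an added example that is not part of the presentation or of any SQRL implementation. The slides do not say how the Master Key and the domain are combined, so HMAC-SHA256 keyed by the Master Key over the domain is assumed here as the Ed25519 seed; the Master Key and challenge values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// deriveSiteKey: Master Key + domain -> per-site key pair (WPrK/WPuK). The slides
// do not name the derivation; HMAC-SHA256 keyed by the Master Key over the domain
// is assumed here as the Ed25519 seed. Same inputs, same pair: WPrK is never stored.
func deriveSiteKey(masterKey []byte, domain string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte(domain))
	return ed25519.NewKeyFromSeed(mac.Sum(nil)) // 32-byte seed
}

type SignedResponse struct {
	WPuK, Challenge, Signature []byte // what the client returns to the website
}

// signChallenge is the client side: derive WPrK for this domain and sign.
func signChallenge(masterKey []byte, domain string, challenge []byte) SignedResponse {
	wprk := deriveSiteKey(masterKey, domain)
	return SignedResponse{wprk.Public().(ed25519.PublicKey), challenge, ed25519.Sign(wprk, challenge)}
}

// Website stores accounts keyed by hex(WPuK); no password ever reaches it.
type Website struct{ accounts map[string]bool }

// Authenticate verifies the signature and reports (ok, firstVisit). On a first
// visit the site stores WPuK and would then ask for name, address, etc.
func (w *Website) Authenticate(r SignedResponse) (ok, firstVisit bool) {
	if len(r.WPuK) != ed25519.PublicKeySize || !ed25519.Verify(r.WPuK, r.Challenge, r.Signature) {
		return false, false
	}
	id := hex.EncodeToString(r.WPuK)
	firstVisit = !w.accounts[id]
	w.accounts[id] = true
	return true, firstVisit
}

func main() {
	master := sha256.Sum256([]byte("constructed demo Master Key")) // real clients use 256 random bits
	challenge := []byte("constructed challenge nonce")
	site := &Website{accounts: map[string]bool{}}
	ok, first := site.Authenticate(signChallenge(master[:], "example.com", challenge))
	fmt.Println("signature valid:", ok, "first visit:", first)
}
```

A second site sees a different WPuK for the same Master Key, and a forged or altered response fails verification, which is what the "no shared secrets" slides rely on.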

Secure Quick Reliable Login
● What if I lose my Master Key?
– No worry. SQRL provides an Identity Lock, which is not covered in this presentation.
– In short, the website will store the unique Public Key (WPuK) and a couple of other values that effectively lock your identity. Only you will be able to change those keys in case the Master Key is compromised.

Secure Quick Reliable Login
● So, how is this any better than usernames and passwords?
– Besides the simplicity for the end user... let's see.

Secure Quick Reliable Login
● No shared secrets.
– Each website receives its own unique public key, all of which derive from your Master Key. Companies will be unable to reliably track your identity across the Internet using these keys alone.
– Websites will never have your personal password, in any shape or form. Even if their databases are hacked and stolen, bad guys will not have enough information to log in and impersonate you.

Secure Quick Reliable Login
● No more password management.
– Your credentials are verified using strong cryptographic signatures. There is no need to invent or manually generate passwords for each website you visit.
– As a result, there is no longer any temptation to use the same weak password for every website. Along the same lines, there is no need to keep track of an endless list of long, random passwords.

Secure Quick Reliable Login
● No third parties involved.
– SQRL is open and free, as it should be. It is independent of any centralized authority. The keys that unlock your identity are always with you and, under best practices, need never leave your device or computer.
– No need to trust companies with the moral duty to keep your identity safe. With SQRL, you become your own single point of failure.

Secure Quick Reliable Login
● Inherent protection against phishing attacks.
– For in-band authentication, this protection is already baked into the protocol. The website can easily verify that the device asking for a QR challenge is the same device that sends the signed QR response.
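The server-side check described on this slide, as an added example that is not part of the presentation or of any SQRL implementation: each challenge is remembered together with the device that requested it, is accepted only from that same device, and is consumed on first use. Identifying the device by its client IP address is an assumption of this example; the addresses are constructed.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

var ErrUnknownChallenge = errors.New("challenge unknown or already used")
var ErrDeviceMismatch = errors.New("response came from a different device than the request")

// ChallengeStore is the server-side half of the in-band check on the slide: a signed
// response is honoured only from the device that requested the challenge, and each
// challenge is single-use. Keying on client IP is this example's assumption, not the slides'.
type ChallengeStore struct {
	requester map[string]string // outstanding challenge -> who asked for it
}

// Issue returns a fresh 256-bit random challenge and records who asked for it.
func (s *ChallengeStore) Issue(requester string) string {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		panic(err) // no usable randomness: never hand out a predictable challenge
	}
	c := hex.EncodeToString(buf)
	s.requester[c] = requester
	return c
}

// Redeem consumes the challenge (deleted whether or not the check passes) and confirms
// the responder is the requesting device; the signature itself is verified afterwards.
func (s *ChallengeStore) Redeem(challenge, responder string) error {
	who, ok := s.requester[challenge]
	if !ok {
		return ErrUnknownChallenge
	}
	delete(s.requester, challenge)
	if who != responder {
		return ErrDeviceMismatch
	}
	return nil
}

func main() {
	s := &ChallengeStore{requester: map[string]string{}}
	c := s.Issue("198.51.100.7")             // constructed: browser that requested the QR challenge
	fmt.Println(s.Redeem(c, "203.0.113.9"))  // relayed from another address: ErrDeviceMismatch
	fmt.Println(s.Redeem(c, "198.51.100.7")) // challenge already consumed: ErrUnknownChallenge
}
```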

Secure Quick Reliable Login
● Identity Lock
– Once your ID is established with a website, it is locked with extra crypto keys and some very clever use of this technology. If the Master Key is compromised, or if the website's database is stolen, in either case bad guys cannot change your identity, and account recovery is guaranteed.
– For the sake of not over-complicating this introduction, the ID lock is not explained in this presentation. More details here:

Secure Quick Reliable Login
● Identity Lock
– Account recovery does not need an external medium, such as e-mail loops or phone SMS messages. The process is natively supported by the protocol itself.
– For the sake of not over-complicating this introduction, the ID lock is not explained in this presentation. More details here:

Secure Quick Reliable Login
● Can I use it now?
– There are currently no client or server implementations ready for production use.
– The open-source community is taking its first steps toward trial implementations.
– As an open standard, any website or company will be able to support it.

Secure Quick Reliable Login
● Where can I read more?
– SQRL was proposed by Steve Gibson, and a complete, detailed explanation can be found on his website: