Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Quick Reliable Login ● SQRL pronounced “squirrel”. ● Acronym confusion – QR no longer stands for “Quick Response” two-dimensional bar codes. Optional.

Published byAndrea Richard Modified over 8 years ago

Similar presentations

Presentation on theme: "Secure Quick Reliable Login ● SQRL pronounced “squirrel”. ● Acronym confusion – QR no longer stands for “Quick Response” two-dimensional bar codes. Optional."— Presentation transcript:

1 Secure Quick Reliable Login ● SQRL pronounced “squirrel”. ● Acronym confusion – QR no longer stands for “Quick Response” two-dimensional bar codes. Optional. ● Official (still informal) specification proposed by Steve Gibson at https://www.grc.com/sqrl/sqrl.htm https://www.grc.com/sqrl/sqrl.htm ● Work in progress. Still maturing.

2 Secure Quick Reliable Login ● Why all this? What's the purpose? – To replace usernames and passwords as the de facto standard for user authentication in websites and on-line services in general. ● Is this the end of all passwords? – No, not really. Hold that thought.

3 Secure Quick Reliable Login ● What's the matter with my passwords? – Nothing! ● Are they not safe? – Not with the way websites use them today. ● How's that? – Websites receive your password and try their “best” to protect it. Time and experience has proven beyond any doubt that their best is not good enough.

4 Secure Quick Reliable Login ● Is it perfect? – Of course not! SQRL does not intend to solve every security and privacy problem on the Internet. It is, however, an alternative which is simple to use, easy to implement and provides superior security over the long standing tradition of storing usernames and passwords on web servers across the Internet.

5 Secure Quick Reliable Login ● Is it compatible? – Yes! It is low friction and provides backwards compatibility. Websites that wish to support SQRL do not need to abandon usernames and passwords. They only need to offer it as an alternative.

6 Secure Quick Reliable Login ● Are you saying with SQRL, my personal password will never leave my local device? – Correct. It will never travel on-line – Websites cannot lose it because they will never have it. – SQRL works by using cryptographic public keys and digital signatures to prove to the website who you are. – Your password is only used locally to unlock these keys.

7 Secure Quick Reliable Login ● So, how does it work? – From the user's perspective, it's dead simple. 1)Have a SQRL client app installed locally. 2)Visit a website that supports SQRL. 3)You will be presented with a QR code*. * QR code might be replaced with a simple LOGIN button. 4)Click* the QR code. * When using a tablet or mobile device, just tap it. 5)In the SQRL app, type in your personal password.

8 Secure Quick Reliable Login ● That's it! You are now logged in. ● The SQRL application securely provides the website with your credentials.

9 Secure Quick Reliable Login ● Ok, seriously... what did you just do? Let's get technical. – The first time you install the SQRL app, it will create a Master Key*. *256-bit random number. – This Master Key is globally unique and is the root of your identity. SQRL application MasterKey

10 Secure Quick Reliable Login ● The Master Key is important, so it will never be stored in plain text. – Your local password is combined with the Master Key using SCRYPT-PBKDF to avoid off-line brute force attacks. – In order for the SQRL app to use it, you must provide your personal password. SQRL application MasterKey

11 Secure Quick Reliable Login ● The Master Key can also be exported into a backup in the form of a printed QR code. ● This physical backup uses even stronger SCRYPT parameters, making brute force attacks virtually infeasible*. * Attackers only get one guess every 60 seconds! SQRL application MasterKey Offline Backup MasterKey

12 Secure Quick Reliable Login ● Upon visiting a SQRL enabled website, the browser will be offered a QR challenge. example.com Request QR challenge Return QR challenge

13 Secure Quick Reliable Login ● The browser will pass this challenge to the SQRL app. SQRL App Website Request QR challenge Return QR challenge Please sign this

14 Secure Quick Reliable Login ● Internally, the SQRL app will combine your Master Key with the website's domain name to create a crypto public key pair that is unique to that website. SQRL application MasterKey WPrKWPuK Ed25519 example.com

15 Secure Quick Reliable Login ● This website's private key (WPrK) is then used to digitally sign the QR challenge. SQRL application MasterKey WPrK QR challenge WPuK Digital signature Signed QR response

16 Secure Quick Reliable Login ● The QR response is built using the WPuK and the QR challenge, along with the digital signature for validation. SQRL application MasterKey WPrK WPuK QR challenge Signed QR response Digital signature

17 Secure Quick Reliable Login ● WPrK does not need to be stored in the SQRL client, since it can be re-created on every login request. SQRL application MasterKey WPrK WPuK QR challenge Signed QR response Digital signature

18 Secure Quick Reliable Login ● The signed QR response is sent back to the website. SQRL App Website Request QR challenge Return QR challenge Please sign this Signed QR response

19 Secure Quick Reliable Login ● Using the public key it received, the website can verify the signature, which could have only been created using the corresponding private key. Website WPuK QR challenge Signed QR response Digital signature

20 Secure Quick Reliable Login ● If this is your first visit, the website will store the public key and probably ask for more information to sign you up and create a full account (name, address, email, etc). Website WPuK QR challenge Signed QR response Digital signature Database

21 Secure Quick Reliable Login ● From now on, the WPuK is the identity you have established with the website. And only you, with your Master Key, can authenticate it. Website WPuK QR challenge Signed QR response Digital signature Database

22 Secure Quick Reliable Login ● What if I lose my Master Key? – No worry. SQRL provides an Identity Lock, which is not covered in this presentation. – In short, the website will store the unique Pubic Key (WPuK) and a couple of other values that effectively lock your identity. Only you will be able to change those keys in case the Master Key is compromised.

23 Secure Quick Reliable Login ● So, how is this any better than usernames and passwords? – Besides the simplicity to the end user... let's see.

24 Secure Quick Reliable Login ● No shared secrets. – Each website will receive its own unique public key, which all derive from your Master Key. Companies will be unable to reliably track your identity across the Internet using these keys alone. – Websites will never have your personal password, in any shape or form. Even if their databases are hacked and stolen, bad guys will not have enough information to login and impersonate you.

25 Secure Quick Reliable Login ● No more password management. – Your credentials will be verified using strong cryptographic signatures. There is no need to invent or manually generate passwords for each website you visit. – As a result, users are definitively discouraged from using the same weak password for every website. On the same line, there is no need to keep track of an endless list of long, random passwords.

26 Secure Quick Reliable Login ● No third parties involved. – SQRL is open and free, as it should be. It is independent from a centralized authority. The keys to unlock your identity are always with you and, under best practices, may never leave your device or computer. – No need to trust companies with the moral duty to keep your identity safe. Using SQRL, you become your own single point of failure.

27 Secure Quick Reliable Login ● Inherent protection against phishing attacks. – For in-band authentication, this protection is already baked into the protocol. The website can easily verify that the device asking for a QR challenge is the same device that sends the signed QR response.

28 Secure Quick Reliable Login ● Identity Lock – Once your ID is established with a website, it will be locked with extra crypto keys and some very clever use of this technology. If the Master Key is compromised, or if the website's database is stolen, in either case, bad guys cannot change your identity and account recovery is guaranteed. For the sake of not over-complicating this introduction, the ID lock is not explained in this presentation. More details here: https://www.grc.com/sqrl/idlock.htmhttps://www.grc.com/sqrl/idlock.htm

29 Secure Quick Reliable Login ● Identity Lock – Account recovery does not need an external medium, such as email loops, or phone SMS messages. The process is natively supported by the protocol itself. For the sake of not over-complicating this introduction, the ID lock is not explained in this presentation. More details here: https://www.grc.com/sqrl/idlock.htmhttps://www.grc.com/sqrl/idlock.htm

30 Secure Quick Reliable Login ● Can I use it now? – There are currently no client nor server implementations ready for production use. – The open source community is giving its first steps into trial implementations. – As an open standard, any website or company will be able to support it.

31 Secure Quick Reliable Login ● Where can I read more? – SQRL was proposed by Steve Gibson, and a complete detailed explanation can be found at his website: https://www.grc.com/sqrl/sqrl.htm https://www.grc.com/sqrl/sqrl.htm

Download ppt "Secure Quick Reliable Login ● SQRL pronounced “squirrel”. ● Acronym confusion – QR no longer stands for “Quick Response” two-dimensional bar codes. Optional."

Similar presentations

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Installation & User Guide

Installation & User Guide
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Two-Factor Authentication & Tools for Password Management August 29, 2014 Pang Chamreth, IT Development Innovations 1.

Two-Factor Authentication & Tools for Password Management August 29, 2014 Pang Chamreth, IT Development Innovations 1.
Introduction to Online Data Collection (OLDC) Community Based Abstinence Education September, 2009.

Introduction to Online Data Collection (OLDC) Community Based Abstinence Education September, 2009.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.

SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.
PASSWORD MANAGER Why you need one 1. WHAT IS A PASSWORD MANAGER? A modern Password Manager is a browser extension (Chrome, Internet Explorer, Firefox,

PASSWORD MANAGER Why you need one 1. WHAT IS A PASSWORD MANAGER? A modern Password Manager is a browser extension (Chrome, Internet Explorer, Firefox,
03 December 2003 Public Key Infrastructure and Authentication Mark Norman DCOCE Oxford University Computing Services.

03 December 2003 Public Key Infrastructure and Authentication Mark Norman DCOCE Oxford University Computing Services.
Introduction to the Secure SMTP Server service. Secure SMTP server is a secure, reliable SMTP mail relay server for your outgoing mail. Secure SMTP service.

Introduction to the Secure SMTP Server service. Secure SMTP server is a secure, reliable SMTP mail relay server for your outgoing mail. Secure SMTP service.

Similar presentations

Ads by Google