Questions about SQRL implementation

I have a number of questions concerning what it will take for SQRL to 
become widely accepted by the server side implementers.

1. Does the implementation of an SQRL server module require more or less 
security sensitive storage at the host?

1  Discussion: If websites are going to change over to supporting
    SQRL will their sites become more or less prone to
    hacking revealing sensitive information. If the information
    held in the storage at the host is secured the way SQRL is
    going will it be less likely to be subject to hacking.

2. A number of banking sites currently require a confirmation of the 
current password before they will execute transfers and/or payments.

2  Discussion: One of my banks, TSB (UK), when you want to transfer money
    from one account to another of your accounts accepts the transfer
    without further input. There may be a limit to the amount before
    they force a confirmation but I have never reached that limit (yet).
    They insist on a confirmation when you are not the owner of the
    other account.
    Other banks request a confirmation for every transfer.

2  Supplementary question. How will SQRL handle this?


-- 
Alan Cameron
Alan
2/21/2014 11:34:04 AM

On 14-02-21 06:34 AM, Alan Cameron wrote:
> I have a number of questions concerning what it will take for SQRL to
> become widely accepted by the server side implementers.
Off the top of my head answers, more detail I am sure will follow from 
others.
>
> 1. Does the implementation of an SQRL server module require more or less
> security sensitive storage at the host?
Less, much less; see below.
>
> 1  Discussion: If websites are going to change over to supporting
>      SQRL will their sites become more or less prone to
>      hacking revealing sensitive information. If the information
>      held in the storage at the host is secured the way SQRL is
>      going will it be less likely to be subject to hacking.
>
Less prone, less hacking. There is nothing private stored on the 
server, only public keys from which no private information can be 
derived. See the GRC SQRL pages; the keys stored by each server are:
IdentityKey:  idk
VerifyUnlock: vuk
ServerUnlock: suk
Also, for each unique site the above are always different and have a site 
to site relationship that is infeasibly hard to derive; we are 
talking all the world's computers for possibly the present age of the 
universe.

> 2. A number of banking sites currently require a confirmation of the
> current password before they will execute transfers and/or payments.
>
> 2  Discussion: One of my banks, TSB (UK), when you want to transfer money
>      from one account to another of your accounts accepts the transfer
>      without further input. There may be a limit to the amount before
>      they force a confirmation but I have never reached that limit (yet).
>      They insist on a confirmation when you are not the owner of the
>      other account.
>      Other banks request a confirmation for every transfer.
>
> 2  Supplementary question. How will SQRL handle this?
The authentication part is the same as in login; it's up to the server to 
expire an SQRL URL as needed to prevent delayed-submit attacks.
>
>
BTW also here with LloydsTSB, I would hope though even with SQRL they 
will retain the multi-factor requirement on login.

ramriot
2/21/2014 3:45:59 PM
Alan Cameron wrote:
> 2. A number of banking sites currently require a confirmation of the
> current password before they will execute transfers and/or payments.
>
> 2  Discussion: One of my banks, TSB (UK), when you want to transfer money
>      from one account to another of your accounts accepts the transfer
>      without further input. There may be a limit to the amount before
>      they force a confirmation but I have never reached that limit (yet).
>      They insist on a confirmation when you are not the owner of the
>      other account.
>      Other banks request a confirmation for every transfer.
>
> 2  Supplementary question. How will SQRL handle this?
>
>

The requirements vary by bank. My bank (HSBC) provides a handheld device 
which generates a random number for each session sign-on. However, when you 
try to make a payment to a new payee, you have to enter the last 4 digits of 
the account number on the device and generate a new code (presumably using 
these 4 digits in some way as a seed).

Depending on the options offered by SQRL, the banks may want/need to 
reconsider their processing.

AlanD
AlanD
2/21/2014 5:33:15 PM
[for the unabridged version, see Alan Cameron's post above]

> I have a number of questions concerning what it will take for
> SQRL to become widely accepted by the server side implementers.
> 
> 1. Does the implementation of an SQRL server module require
> more or less security sensitive storage at the host?

Much MUCH less.  Almost none, in fact.  This is one of SQRL's 
large and under-appreciated benefits. We give the server NOTHING 
sensitive to store.

((Another thought that arose from yesterday's discussion about 
FIDO with Stina... the server-side software is SO COMPLEX that 
only ONE company has actually gotten it to run.  Amazing.))


> 1  Discussion: If websites are going to change over to supporting
>     SQRL will their sites become more or less prone to
>     hacking revealing sensitive information. If the information
>     held in the storage at the host is secured the way SQRL is
>     going will it be less likely to be subject to hacking.

Such sites will be LOWER hacking targets since stolen SQRL 
credentials have ZERO VALUE to hackers.  They cannot be used to 
impersonate that site's users... and they have even less value 
for any other sites.


> 2. A number of banking sites currently require a confirmation
> of the current password before they will execute transfers and/or
> payments.
> 
> 2  Discussion: One of my banks, TSB (UK), when you want to transfer money
>     from one account to another of your accounts accepts the transfer
>     without further input. There may be a limit to the amount before
>     they force a confirmation but I have never reached that limit (yet).
>     They insist on a confirmation when you are not the owner of the
>     other account.
>     Other banks request a confirmation for every transfer.
> 
> 2  Supplementary question. How will SQRL handle this?

The current SQRL protocol allows the server-side to optionally 
present a form for the user to fill out PRECISELY for this 
purpose.  So extra security can be easily accommodated beyond 
the base level user ID authentication.

-- 
________________________________________________________________
Steve.               Working on moving the SQRL project forward.
Steve
2/21/2014 6:23:28 PM
In article <MPG.2d71397b85b6f7483c42@4.79.142.203>, news007_@_grc.com 
says...
> 
> [for the unabridged version, see Alan Cameron's post above]
> 
SNIP

> > 2. A number of banking sites currently require a confirmation
> > of the current password before they will execute transfers and/or
> > payments.
> > 
> > 2  Discussion: One of my banks, TSB (UK), when you want to transfer money
> >     from one account to another of your accounts accepts the transfer
> >     without further input. There may be a limit to the amount before
> >     they force a confirmation but I have never reached that limit (yet).
> >     They insist on a confirmation when you are not the owner of the
> >     other account.
> >     Other banks request a confirmation for every transfer.
> > 
> > 2  Supplementary question. How will SQRL handle this?
> 
> The current SQRL protocol allows the server-side to optionally 
> present a form for the user to fill out PRECISELY for this 
> purpose.  So extra security can be easily accommodated beyond 
> the base level user ID authentication.

Surely this negates the purpose of SQRL.
To be able to identify a positive response from the user they would have 
to request a key from the user which can be matched to the identity key
in some way. The user has no knowledge of the key being transmitted; even 
if they could intercept it, it is inevitably going to be a string of 
apparently random digits/characters/hex or whatever. They would have to 
do a secondary key exchange, which massively complicates the implementation.

Or is my understanding of the methodology faulty?

KEEP UP THE GOOD WORK, FINISH THIS AND GET BACK TO SPINRITE 6.1/7
AS SOON AS PRACTICAL. PLEASE.


-- 
Alan Cameron
Alan
2/21/2014 11:04:39 PM
[for the unabridged version, see Alan Cameron's post above]

> Surely this negates the purpose of SQRL.

> To be able to identify a positive response from the user they
> would have to request a key from the user which can be matched
> to the identity key in some way. The user has no knowledge of
> the key being transmitted even if they could intercept it, it
> is inevitably going to be a string of apparently random digits/
> characters/hex or whatever. They would have to do a secondary key
> exchange, which massively complicates the implementation.
> 
> Or is my understanding of the methodology faulty.

Everything that is returned by the user to the server is signed 
by the user's identity private key, which the server verifies. 

(And everything the server sent, which the user replied to, is 
part of that signed package.)

Since this doesn't give us privacy, SQRL's form reply facility 
is only enabled when SSL/TLS is in place.

So... this allows the server to hold a verified Q&A session with 
the user.

-- 
________________________________________________________________
Steve.               Working on moving the SQRL project forward.
Steve
2/22/2014 12:48:32 AM
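The "verified Q&A session" Steve describes, together with ramriot's point that the server must expire each challenge to stop delayed submits, modelled as an added example (my own code, not the SQRL project's and not SQRL's real wire format): the server stores only the identity public key, sends a one-time nut plus the question, and accepts the answer only if the user's Ed25519 signature covers exactly what the server sent plus the answer. Type names, the `nut=...&q=...` challenge layout and the in-memory maps are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
)

// Reply is the "signed package": the server's challenge bytes are echoed back
// verbatim and signed together with the user's answer by the identity private key.
type Reply struct {
	IDK    []byte // identity public key (idk): the only per-user value the server keeps
	Server []byte // exact bytes the server sent (one-time nut + the question asked)
	Answer []byte // the user's form answer, e.g. "yes"
	IDS    []byte // Ed25519 signature over Server||Answer
}

// Server stores public keys only, plus the challenges it has issued but not yet consumed.
type Server struct {
	users   map[string]ed25519.PublicKey // keyed by base64url(idk)
	pending map[string]bool              // keyed by the full challenge bytes; deleted on use
}

func NewServer() *Server {
	return &Server{users: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
}

func (s *Server) Enroll(idk ed25519.PublicKey) {
	s.users[base64.RawURLEncoding.EncodeToString(idk)] = idk
}

// Challenge issues a fresh random nut bound to the question the user must answer
// (constructed layout, assumed for this example only).
func (s *Server) Challenge(question string) []byte {
	nut := make([]byte, 16)
	if _, err := rand.Read(nut); err != nil {
		panic(err)
	}
	msg := []byte("nut=" + base64.RawURLEncoding.EncodeToString(nut) + "&q=" + question)
	s.pending[string(msg)] = true
	return msg
}

// Verify accepts a reply only if it echoes an outstanding challenge and the signature
// over challenge+answer checks against the enrolled idk; the challenge is then consumed,
// so a replayed or delayed re-submission of the same reply is refused.
func (s *Server) Verify(r Reply) bool {
	idk, ok := s.users[base64.RawURLEncoding.EncodeToString(r.IDK)]
	if !ok || !s.pending[string(r.Server)] ||
		!ed25519.Verify(idk, append(append([]byte{}, r.Server...), r.Answer...), r.IDS) {
		return false
	}
	delete(s.pending, string(r.Server))
	return true
}

// ClientSign is the user's side: sign exactly what the server sent plus the answer.
func ClientSign(priv ed25519.PrivateKey, server []byte, answer string) Reply {
	msg := append(append([]byte{}, server...), answer...)
	return Reply{IDK: priv.Public().(ed25519.PublicKey), Server: server,
		Answer: []byte(answer), IDS: ed25519.Sign(priv, msg)}
}
```

A stolen copy of the server's map contains nothing but public keys, which is the "nothing sensitive to store" property discussed above; an attacker would still need the user's private key to produce an acceptable reply.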