SlickLogin & SQRL

I was just wondering how SlickLogin
(http://www.bbc.co.uk/news/technology-26222424) might relate to SQRL.

Competitor? Complementary?
 
0
ericgorr
2/17/2014 10:35:02 AM
grc.sqrl


On 2/17/2014 4:35 AM, Eric Gorr wrote:
> I was just wondering how SlickLogin (
> http://www.bbc.co.uk/news/technology-26222424 might relate to SQRL.
>
> Competitor? Complementary?
>
>
According to a (notoriously questionable) Slashdot comment at
http://tech.slashdot.org/story/14/02/16/2117200/google-acquires-israeli-security-startup-slicklogin

"I suspect they bought them more for the patents than anything else",

Which makes me wonder whether some troll (Google or other) will come 
along and try to step on SQRL.

-- 
~ferrix
Greg Bell
Collective Software
0
ferrix
2/17/2014 5:00:24 PM
On 2/17/2014 11:00 AM, ferrix wrote:
> On 2/17/2014 4:35 AM, Eric Gorr wrote:
>> I was just wondering how SlickLogin (
>> http://www.bbc.co.uk/news/technology-26222424 might relate to SQRL.
>>
>> Competitor? Complementary?
>>
>>
> According to a (notoriously questionable) Slashdot comment at
> http://tech.slashdot.org/story/14/02/16/2117200/google-acquires-israeli-security-startup-slicklogin
>
>
> "I suspect they bought them more for the patents than anything else",
>
> Which makes me wonder whether some troll (Google or other) will come
> along and try to step on SQRL.
>
I have NO idea why my topic was set that way.  I blame QuickText.
0
ferrix
2/17/2014 5:17:23 PM
[for the unabridged version, see Eric Gorr's post above]

> I was just wondering how SlickLogin (
> http://www.bbc.co.uk/news/technology-26222424 might relate to SQRL. 

> Competitor? Complementary?

I'll discuss it on the podcast tomorrow.  I view it as another 
of the authentication "solutions".  There are dozens of them 
squirming around.

Google bought them for some patent rights, and because they were 
cheap and Google is rich and Google can always use three more 
good developers.  It's not as if they have anything shocking or 
wonderful.  Apparently their "solution" forces a two-device 
computer-to-smartphone audio link.  Using audio seems fraught 
with problems to me.

-- 
________________________________________________________________
Steve.               Working on moving the SQRL project forward.
0
Steve
2/17/2014 6:09:14 PM
On 2014-02-17 10:09, Steve Gibson wrote:
[...]
> Google bought them for some patent rights, and because they were
> cheap and Google is rich and Google can always use three more
> good developers.  It's not as if they have anything shocking or
> wonderful.  Apparently their "solution" forces a two-device
> computer-to-smartphone audio link.  Using audio seems fraught
> with problems to me.

I'd be curious as to whether any of the discussions in this group might 
constitute prior art for any of the related patents. *g*

Probably not, given the dates involved.

It does sound *very* similar to SQRL in other ways, though. See this quote:
<q>
Everything is very heavily encrypted, so man in the middle attacks are
out. You can’t record the audio signal and just play it back later, as
the audio is uniquely tied to that moment. You can’t just hold your
phone up to someone else’s audio signal (or grab it from across the room
with a directional mic) in hopes of getting logged in to their account
before they do; your phone wouldn’t have their login credentials stored
on it, and that crucial bit isn’t wrapped into the sound. If anything,
you’d just log them in to your own account.
Read more at http://www.wnd.com/market-overview/#Eqp2ThDCog8jv8Qr.99
</q>

Regards,
Sam

0
Sam
2/17/2014 9:45:50 PM
Hi,

On 17.02.2014 22:45, Sam Schinke wrote:
> <q>
> Everything is very heavily encrypted, so man in the middle attacks are
> out. You can’t record the audio signal and just play it back later, as
> the audio is uniquely tied to that moment. You can’t just hold your
> phone up to someone else’s audio signal (or grab it from across the room
> with a directional mic) in hopes of getting logged in to their account
> before they do; your phone wouldn’t have their login credentials stored
> on it, and that crucial bit isn’t wrapped into the sound. If anything,
> you’d just log them in to your own account.
> Read more at http://www.wnd.com/market-overview/#Eqp2ThDCog8jv8Qr.99
> </q>

that sounds a lot like PR bullshit to me. Simply encrypting something
"heavily" is not a guarantee for anything and claiming to be safe
against MITM attacks is one thing, but without looking at it in detail I
don't necessarily believe it.

Choosing audio as a channel for communication is asking for all kinds of
trouble and is definitely not going to get adopted - at least to my
assessment.

So, I wouldn't worry too much about them.

As to the patents / prior art discussion: As an outsider I'm really
convinced that your current system for patents is completely broken. If
someone seriously decides to go after a bunch of people in a newsgroup
discussing and/or commenting on a proposed authentication scheme using
publicly available crypto primitives and has even a remote chance of
winning such a case, it would be nothing but ridiculous.

Best regards,
Karol Babioch


0
Karol
2/18/2014 12:01:18 AM
On 2014-02-17 16:01, Karol Babioch wrote:
> On 17.02.2014 22:45, Sam Schinke wrote:
>> <q>
>> Everything is very heavily encrypted, so man in the middle attacks are
>> out. You can’t record the audio signal and just play it back later, as
>> the audio is uniquely tied to that moment. You can’t just hold your
>> phone up to someone else’s audio signal (or grab it from across the room
>> with a directional mic) in hopes of getting logged in to their account
>> before they do; your phone wouldn’t have their login credentials stored
>> on it, and that crucial bit isn’t wrapped into the sound. If anything,
>> you’d just log them in to your own account.
>> Read more at http://www.wnd.com/market-overview/#Eqp2ThDCog8jv8Qr.99
>> </q>
>
> that sounds a lot like PR bullshit to me. Simply encrypting something
> "heavily" is not a guarantee for anything and claiming to be safe
> against MITM attacks is one thing, but without looking at it in detail I
> don't necessarily believe it.

Right -- they could be doing any old thing. But the description above 
very closely resembles what SQRL does between the browser and phone, 
except using a QR-code, and even hints at some drawbacks that behave in 
the same way that some of SQRL's drawbacks would.

> Choosing audio as a channel for communication is asking for all kinds of
> trouble and is definitely not going to get adopted - at least to my
> assessment.

There are a handful of different projects in the area of sonic data 
transmission. They mostly seem about as much of a novelty (or as 
user-friendly) as QR codes did a few years ago.

https://chirp.io seems fairly polished though, if you forgive them 
handling the bulk of their data transmission over the internet and only 
sharing a GUID via audio.

> So, I wouldn't worry too much about them.

I have enough faith that Google are smart people to expect some kind of 
product to come out of it. Whether it will be in the same sphere as 
SQRL, or something more like Google's other login initiatives (or even 
something used exclusively on Google campuses) remains to be seen.

> As to the patents / prior art discussion: As an outsider I'm really
> convinced that your current system for patents is completely broken.

Not mine, being as I'm Canadian.

I guess the various quasi-global patent treaties, etc. do mean that most 
people on the planet are probably dealing with at least vaguely 
similarly broken patent rules.

> If
> someone seriously decides to go after a bunch of people in a newsgroup
> discussing and/or commenting on a proposed authentication scheme using
> publicly available crypto primitives and has even a remote chance of
> winning such a case, it would be nothing but ridiculous.

Oh, I was more thinking in the other direction, with work in this group 
possibly invalidating patents.

Sonic air-gap-hopping has been mentioned a few times in the group as 
possible alternates (or complements) to using QR codes. But looking at 
the dates where SlickLogin is talking about already having patents, they 
appear to predate the SQRL groups by at least a month or two.

That we should even be worrying about SQRL being legit if using a QR 
code but not being legit if using [arbitrary non-novel method of 
crossing the air-gap], when the data transmitted by the various methods 
would be effectively identical really is a solid condemnation of the 
patent system, IMO.

Sure, if someone wants to innovate and invent a new and novel way of 
crossing the airgap, I'd be all for a patent for that -- there is 
probably some substantial engineering there. An additional infinite 
number of patents for all possible ways of combining an existing 
algorithm with a newly invented transmission method seems utterly 
unsustainable.

Regards,
Sam
0
Sam
2/18/2014 1:47:49 AM