U2F

Gang...

I have continued my morning coffee time studies of FIDO, this 
time the more detailed operation of U2F (Universal Two Factor). 
I wanted to understand what Stina meant when she indicated that 
the problem of having the HSM needing to store per-site private 
keys had been solved.

The way it's been solved is by encrypting the per-site private 
key with a secret symmetric key... and giving the website BOTH 
its public key and the matching encrypted private key to hold.

So the HSM proves that it is holding a secret SYMMETRIC key 
which, when used to decrypt the encrypted private key provided 
by the server is able to sign a random challenge, also provided 
by the server, which is verified by the second public key, also 
being held by the server.

The website never needs to know the encryption key, and user 
anonymity is provided by random asymmetric keypairs originally 
generated by the HSM during identity association for subsequent 
storage by the website.

In order to anchor the key sets to a single website, preventing 
them from being portable across websites, they mix in the 
canonical web domain so that keys minted for one site cannot be 
used elsewhere.

--//--

As we know, SQRL differs in that it uses deterministic keypair 
generation where the "secret" and domain name are mixed to form 
and reform the keys. SQRL doesn't need the server to store the 
private key since it's able to recreate it on demand... from its 
decrypted secret.

--//--

None of FIDO (UAF or U2F) has any notion of SQRL's Identity Lock 
or in-band identity replacement.  That's all considered to be 
outside the specification.

--//--

U2F, at the expense of having the server store the encrypted 
private key, does allow multiple identities for a single site 
from a single client-side secret.  In other words, the same user 
could "re-key" with the same site without changing their user's 
identity.

---------------------->  OH!!!!!!!!!!!!!!!!!!!!!!

I was trying to completely get my head around what made U2F 
different from SQRL and I was missing it...  I JUST GOT IT!!

U2F CANNOT IDENTIFY THE USER!!!  It can only CONFIRM THE USER!!

Since SQRL doesn't need to first receive a "blob" from the 
server, it is able to ASSERT its user's identity by providing 
its deterministically-derived public key.

But U2F -- which is the big Google/Yubico initiative -- MUST FIRST 
receive an identity claim from a user... which is then used to 
look up the user's account in order to obtain the encrypted 
private key.  It then sends that to the client for CONFIRMATION 
of the claimed identity.

--//--

Whew!!  Until I just realized that I wasn't seeing that SQRL was 
much different from U2F.

U2F CANNOT be used as a single-factor.  EVER.

-- 
________________________________________________________________
Steve.               Working on moving the SQRL project forward.
Steve
2/23/2014 7:20:34 PM
grc.sqrl 459 articles. 0 followers. Follow

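The registration and login exchange Steve describes above (a per-site private key wrapped under a device secret, the public key plus the wrapped blob stored by the site, the domain mixed in so the blob is useless elsewhere, and the server needing the user's name before it can ask the device anything), worked as an added example in Go. This is not code from this thread, from the FIDO specification or from any Yubico device: it assumes AES-GCM wrapping under an HMAC-SHA256-derived key with the hashed AppID as associated data, ECDSA over P-256 for the per-site key, and a hypothetical in-memory relying party (Authenticator, Server, Register, Challenge and Verify are this example's names). Real devices are free to build key handles differently, and real U2F signatures also cover a user-presence byte and a counter.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// Authenticator models a U2F device holding one device secret and no per-site
// state: each site's private key is wrapped with AES-GCM under a key derived
// from the device secret and handed back inside the key handle. The SHA-256 of
// the AppID is the GCM associated data, so a handle opens only for its origin.
type Authenticator struct{ deviceSecret []byte }

func NewAuthenticator() *Authenticator {
	s := make([]byte, 32)
	if _, err := rand.Read(s); err != nil { panic(err) }
	return &Authenticator{deviceSecret: s}
}

func (a *Authenticator) wrapper() cipher.AEAD {
	kdf := hmac.New(sha256.New, a.deviceSecret)
	kdf.Write([]byte("example-key-handle-wrap")) // label chosen for this example
	block, err := aes.NewCipher(kdf.Sum(nil))
	if err != nil { panic(err) }
	gcm, err := cipher.NewGCM(block)
	if err != nil { panic(err) }
	return gcm
}

func appParam(appID string) []byte { h := sha256.Sum256([]byte(appID)); return h[:] }

// Signed digest: appParam || challenge (real U2F also covers a user-presence byte and a counter).
func signedDigest(appID string, challenge []byte) []byte {
	h := sha256.New(); h.Write(appParam(appID)); h.Write(challenge); return h.Sum(nil)
}

// Register mints a fresh P-256 keypair for appID and returns the public key and
// the key handle (nonce || wrapped scalar || tag). The device keeps nothing.
func (a *Authenticator) Register(appID string) (*ecdsa.PublicKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	gcm := a.wrapper()
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, nil, err }
	scalar := priv.D.FillBytes(make([]byte, 32))
	return &priv.PublicKey, gcm.Seal(nonce, nonce, scalar, appParam(appID)), nil
}

// Authenticate unwraps the handle for appID and signs the challenge. A handle
// minted for another origin, by another device, or tampered with fails to open.
func (a *Authenticator) Authenticate(appID string, keyHandle, challenge []byte) ([]byte, error) {
	gcm := a.wrapper()
	ns := gcm.NonceSize()
	if len(keyHandle) < ns { return nil, errors.New("malformed key handle") }
	scalar, err := gcm.Open(nil, keyHandle[:ns], keyHandle[ns:], appParam(appID))
	if err != nil { return nil, errors.New("key handle not valid for this origin on this device") }
	priv := &ecdsa.PrivateKey{D: new(big.Int).SetBytes(scalar)}
	priv.Curve = elliptic.P256()
	priv.X, priv.Y = priv.Curve.ScalarBaseMult(scalar)
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(appID, challenge))
}

// Registration is the relying party's per-user record. Holding the key handle
// means the server must already know who is logging in before it can ask the
// device anything: U2F confirms an identity, it never names one.
type Registration struct{ PublicKey *ecdsa.PublicKey; KeyHandle []byte }
type Server struct{ appID string; users map[string]Registration }

func NewServer(appID string) *Server { return &Server{appID: appID, users: map[string]Registration{}} }
func (s *Server) Enroll(user string, pub *ecdsa.PublicKey, kh []byte) { s.users[user] = Registration{pub, kh} }

// Challenge looks the claimed user up first, then returns that user's key
// handle together with a fresh random challenge for the device.
func (s *Server) Challenge(user string) (keyHandle, challenge []byte, err error) {
	reg, ok := s.users[user]
	if !ok { return nil, nil, errors.New("unknown user: U2F needs an identity claim first") }
	challenge = make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil { return nil, nil, err }
	return reg.KeyHandle, challenge, nil
}

func (s *Server) Verify(user string, challenge, sig []byte) bool {
	reg, ok := s.users[user]
	return ok && ecdsa.VerifyASN1(reg.PublicKey, signedDigest(s.appID, challenge), sig)
}

func main() { // origins below are this example's own
	dev, srv := NewAuthenticator(), NewServer("https://example.com")
	pub, kh, _ := dev.Register(srv.appID)
	srv.Enroll("alice", pub, kh)
	kh, chal, _ := srv.Challenge("alice")
	sig, _ := dev.Authenticate(srv.appID, kh, chal)
	_, err := dev.Authenticate("https://evil.example", kh, chal)
	fmt.Println("same origin verifies:", srv.Verify("alice", chal, sig), "| other origin:", err)
}
```

Run it with go run. The same handle verifies at https://example.com and refuses to unwrap at https://evil.example because the associated data differs; a second Authenticator refuses too, because its wrapping key differs. The Server.Challenge lookup is Steve's "confirm, not identify" point in code: until the server has picked a user and found that user's handle there is nothing to send the device, so the device can never be the thing that names the user.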

On 2014-02-23 19:20:34 +0000, Steve Gibson said:

> [...]

> Whew!!  Until I just realized that I wasn't seeing that SQRL was
> much different from U2F.
> 
> U2F CANNOT be used as a single-factor.  EVER.

Nice analysis.

If FIDO does get significant traction, most of its functionality can be 
added to a SQRL client (UAF is software only, with the attendant HSM 
for U2F). The reverse is more difficult, methinks.

I don't think anyone should do this, but it is a response for any SQRL 
naysayers promoting FIDO.

-jem

John
2/24/2014 5:04:08 AM
[for the unabridged version, see John Milburn's post above]

> > [...]

> > Whew!!  Until I just realized that I wasn't seeing that SQRL was
> > much different from U2F.
> > 
> > U2F CANNOT be used as a single-factor.  EVER.

> Nice analysis.
> 
> If FIDO does get significant traction, most of its functionality
> can be added to a SQRL client (UAF is software only, with the
> attendant HSM for U2F). The reverse is more difficult, methinks.
> 
> I don't think anyone should do this, but it is a response for
> any SQRL naysayers promoting FIDO.

Also...

Unfortunately (for UAF) they chose to use the P-256 elliptic 
curve for their public key signing. Its mysterious parameters 
were provided by the NSA without providing any comment or 
provenance. Bruce Schneier has said that he would no longer 
trust it, and Bernstein has called the curve "malleable."

-- 
________________________________________________________________
Steve.               Working on moving the SQRL project forward.
Steve
2/24/2014 4:13:12 PM
On 14-02-24 11:13 AM, Steve Gibson wrote:
> Unfortunately (for UAF) they chose to use the P-256 elliptic
> curve for their public key signing. Its mysterious parameters
> were provided by the NSA without providing and comment or
> provenance. Bruce Schneier has said that he would no longer
> trust it, and Bernstein has called the curve "malleable."
>

Reading this and LMAO while simultaneously undergoing a Gibsonian 
Response, all I can say is Bye-bye FIDO.

ramriot
2/24/2014 5:12:27 PM
Hi again,

this is - more or less - a follow-up to my post made in the FIDO thread
[1], which specifically addresses some points that Steve made in regards
to U2F.

On 23.02.2014 20:20, Steve Gibson wrote:
> The way it's been solved is by encrypting the per-site private
> key with a secret symmetric key... and giving the website BOTH
> its public key and the matching encrypted private key to hold.

Sorry, but this is an oversimplification. During the registration the
U2F device creates a public/private key pair as well as a key handle.
Originally the key handle would only be used as an index to the
appropriate private key stored in the U2F device itself. Obviously this
requires some (serious) amount of memory, which is rather expensive in
these environments.

Therefore the specification allows other ways in order to achieve the
same thing. One possibility is to encrypt the private key with a secret
key only known to the U2F device and make this encrypted blob part of
the key handle. Another possibility is to encrypt the private key on the
device and store it somewhere off the chip itself. This could be (cheap)
memory on the U2F device, or even the host computer. This is known as
wrapping and/or binding in the context of TPM [2] and works just fine.

Personally, I do expect there to be devices which store all of the
private key on the U2F device, although this makes them more pricey.
AFAIK the U2F devices Google is using internally are working this way.

> As we know, SQRL differs in that it uses deterministic keypair
> generation where the "secret" and domain name are mixed to form
> and reform the keys. SQRL doesn't need the server to store the
> private key since it's able to recreate it on demand... from its
> decrypted secret.

This aspect of SQRL is definitely much more attractive than the "mess"
U2F is in - especially in regards to interoperability, because in the
case of SQRL identities can be easily imported and/or exported (which
has its own drawback, of course).

> None of FIDO (UAF or U2F) has any notion of SQRL's Identity Lock
> or in-band identity replacement.  That's all considered to be
> outside the specification.

Right. Another aspect of SQRL being superior. I'm happy that you came up
with a revocation scheme, because - if my memory serves me right -
initially you were quite reluctant to include this feature. Revocation
is definitely something a "modern" authentication scheme needs to
address and I had to restrain myself when a Google employee told me in
all seriousness that you would have to use out-of-band communications to
revoke your association. This doesn't scale for big companies (e.g.
Google) and leaves the attacker a big(ger) window of opportunity.

> I was trying to completely get my head around what made U2F
> different from SQRL and I was missing it...  I JUST GOT IT!!
>
> U2F CANNOT IDENTIFY THE USER!!!  It can only CONFIRM THE USER!!

> U2F CANNOT be used as a single-factor.  EVER.

Well, to be honest, this is nothing new and the specification never made
a secret out of this. Quite to the contrary: The name itself implies
that this is a _second_ factor. Always is, always will be.

For instance the specification describes U2F in the following way:

The U2F protocol allows online services to augment the security of their
existing password infrastructure by adding a strong second factor to
user login. The user logs in with a username and password as before. The
service can also prompt the user to present a second factor device at
any time it chooses. The strong second factor allows the service to
simplify its passwords (e.g. 4-digit PIN) without compromising security.

The glossary contains the following:

Universal 2nd Factor. The FIDO protocol and family of Authenticators to
enable a cloud service to offer its users the options of using an
easy-to-use, strongly-secure open standards-based 2nd factor device for
authentication. It relies on the server to know the (expected) user
before triggering the authentication.

So you always will have to provide your username (and a potentially not
so secure password). Obviously, SQRL is much more convenient to the
user, because he doesn't have to remember anything specific to the site.

Best regards,
Karol Babioch

[1]: https://www.grc.com/x/news.exe?cmd=article&group=grc.sqrl&item=5339&utag=
[2]: https://en.wikipedia.org/wiki/Trusted_Platform_Module


Karol
2/24/2014 5:16:01 PM
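Steve's deterministic-keypair description and the glossary line Karol quotes ("relies on the server to know the (expected) user"), worked as an added Go example of the SQRL side of the contrast. This is not code from this thread nor from any SQRL client or server: it assumes HMAC-SHA256 as the mixing function for master key and domain (a stand-in for SQRL's actual derivation), Ed25519 for the site keypair, a 16-byte random nut as the server's nonce, and the names Client, Server, Assert, Register and Login are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Client holds only a master key. The per-site keypair is re-derived on every
// use by mixing the master key with the site's domain (HMAC-SHA256 here, this
// example's stand-in for SQRL's own derivation), so the client stores nothing
// per site and the server never holds anything secret.
type Client struct{ master []byte }

func (c *Client) siteKey(domain string) ed25519.PrivateKey {
	m := hmac.New(sha256.New, c.master)
	m.Write([]byte(domain))
	return ed25519.NewKeyFromSeed(m.Sum(nil)) // 32-byte seed -> Ed25519 keypair
}

// The client signs domain || nut, so a nut issued by one site cannot be
// answered with a signature that was meant for another.
func signedData(domain string, nut []byte) []byte {
	h := sha256.New(); h.Write([]byte(domain)); h.Write(nut); return h.Sum(nil)
}

// Assert answers the server's nut (its per-login nonce) with the site public
// key and a signature over it: the client names the identity; no username.
func (c *Client) Assert(domain string, nut []byte) (idk ed25519.PublicKey, sig []byte) {
	k := c.siteKey(domain)
	return k.Public().(ed25519.PublicKey), ed25519.Sign(k, signedData(domain, nut))
}

type Server struct {
	domain   string
	accounts map[string]string // base64url(site public key) -> username
}

func NewServer(domain string) *Server { return &Server{domain: domain, accounts: map[string]string{}} }

func keyID(idk ed25519.PublicKey) string { return base64.RawURLEncoding.EncodeToString(idk) }

// verified checks the key length first: ed25519.Verify panics on a malformed key,
// and the key arrives from the network.
func verified(domain string, nut []byte, idk ed25519.PublicKey, sig []byte) bool {
	return len(idk) == ed25519.PublicKeySize && ed25519.Verify(idk, signedData(domain, nut), sig)
}

// Nut issues a fresh nonce; a real server also binds it to the session and expires it.
func (s *Server) Nut() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil { panic(err) }
	return n
}

// Register associates a signature-verified site public key with an account.
func (s *Server) Register(nut []byte, idk ed25519.PublicKey, sig []byte, user string) error {
	if !verified(s.domain, nut, idk, sig) { return errors.New("bad signature") }
	s.accounts[keyID(idk)] = user
	return nil
}

// Login identifies the user from the asserted key alone: verify the signature
// over this site's nut, then look the public key up. No prior identity claim.
func (s *Server) Login(nut []byte, idk ed25519.PublicKey, sig []byte) (string, error) {
	if !verified(s.domain, nut, idk, sig) { return "", errors.New("bad signature") }
	user, ok := s.accounts[keyID(idk)]
	if !ok { return "", errors.New("unknown identity: offer to create an account") }
	return user, nil
}

func main() { // domains below are this example's own
	master := make([]byte, 32)
	if _, err := rand.Read(master); err != nil { panic(err) }
	c, srv := &Client{master: master}, NewServer("example.com")
	nut := srv.Nut()
	idk, sig := c.Assert(srv.domain, nut)
	_ = srv.Register(nut, idk, sig, "alice")
	nut = srv.Nut()
	idk, sig = c.Assert(srv.domain, nut)
	user, err := srv.Login(nut, idk, sig)
	other, _ := c.Assert("other.example", nut)
	fmt.Println("identified as:", user, err, "| same key at another site:", keyID(idk) == keyID(other))
}
```

The two server-side differences from the U2F flow are that Login takes no username and that the account table is keyed by the public key rather than holding a per-user blob. The same master key re-derives the same site key on any device, which is the import/export convenience Karol mentions, and also the drawback he mentions: whoever obtains the master key obtains every site identity at once.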