Bare Metal SQRL


jk_physics

New member
Feb 2, 2019
Hello,

It strikes me that one of the most bothersome spheres of technology with authentication problems is IoT, often on ARM Cortex-M devices running very low-resource lwIP or SimpleLink TCP/IP stacks, such as smart lights and cameras.

What would be the major hurdles in implementing SQRL on a bare metal system? As a design engineer, I've seen ECC used, but I'm not (yet) very familiar with all the nuts and bolts of SQRL technologies being used. I just wanted to get a feel for what I'm in for if I decide to make it a hobby project, and if anyone has any advice to get started. Has it been done?

My initial thought on a use case would be a WiFi-connected device that wants to have different privilege levels for users communicating with it over the network without storing any password hashes in NVM. And this would be on a device that wasn't designed with a micro that has any extra security features that might solve this problem. The device would be the SQRL server, and an actual server would be the only user with full access, acting as a SQRL client when connecting.
 

PHolder

Well-known member
May 19, 2018
I don't think there are any particular issues on the [embedded] client end that are new work. It boils down to securely storing a password... this is the same problem you'd have with storing a WiFi password or another authenticator for a web service. If you need multiple levels of access, you could simply use SQRL's alternate identity functionality. The crypto for SQRL isn't for the faint of heart... so that may exceed the device's power budget... or require a special crypto add-in chip.
 

Sithmagic

Well-known member
Oct 12, 2019
often on ARM
The SQRL server would be an HTTPS interface to services running on the IoT device. This would store public keys in NVM, with associated permissions. Remember that SQRL only replaces the username/password exchange. Once logged in, SQRL has nothing left to do; it is then between the server and client side as to what they get up to and what information is exchanged.
As for ARM specifically, the following do work on Raspberry Pi, so something to work from:
The SQRL .NET Client (available at https://github.com/sqrldev/SQRLDotNetClient) for 64-bit ARM works as a client side. The sqrldev on GitHub also has Go language server-side components that will run on ARM (as referenced at https://www.raspberrypi.org/forums/viewtopic.php?t=107978). However, as stated above, the IoT machine resources need to be considered, but it should work. I have an RPi running a WordPress website, with SQRL login enabled.

I believe that @Steve mentioned in one of the videos that a gym local to him was using SQRL for the customers to log in to the machines in the gym.