Hi people!
Given the frequently less-than-optimal security of many endpoint devices (desktop/laptop here, mobile there), i wonder if one can build dedicated peripheral hardware clients without any network connectivity (which stores the secret and computes the crypto) and maybe with unusual communication protocols between the host and peripheral.
Can we come up with good hardware ideas and discuss the pros and cons of each?
I'll start with a QR reader + display:
How it works:
1. peripheral scans QR code with SQRL URL (sqrl://example.com/sqrl?nut=...) [challenge]
2. peripheral displays domain and prompts user to select identity
3. user unlocks identity and confirms login
4. peripheral displays QR code with SQRL response
4.1 variant 1: direct URL for SQRL login (https://example.com/sqrl?client=…&server=…&ids=…) encoded as URL parameters
⇒ user scans QR code on host device (URL is unmodified)
4.2 variant 2: compressed POST parameters
⇒ SQRL app on host device decompresses the data, then sends POST request
5. host issues HTTP request containing SQRL response (GET or POST), user is authenticated
Inspiration:
* German online banking authentication scheme (ChipTAN+ with FlickerCode)
Pros:
* mostly compatible with SQRL specification
* variant 1: no software client required on host
* offline peripheral
Cons:
* host needs camera
* camera in peripheral is expensive
* image processing (QR decoding) costs time and energy (limited on peripheral)
* variant 1: GET request not entirely compliant to SQRL spec (afaik, please correct me if i'm wrong)
Cheers!
Given the frequently less-than-optimal security of many endpoint devices (desktop/laptop here, mobile there), i wonder if one can build dedicated peripheral hardware clients without any network connectivity (which stores the secret and computes the crypto) and maybe with unusual communication protocols between the host and peripheral.
Can we come up with good hardware ideas and discuss the pros and cons of each?
I'll start with a QR reader + display:
How it works:
1. peripheral scans QR code with SQRL URL (sqrl://example.com/sqrl?nut=...) [challenge]
2. peripheral displays domain and prompts user to select identity
3. user unlocks identity and confirms login
4. peripheral displays QR code with SQRL response
4.1 variant 1: direct URL for SQRL login (https://example.com/sqrl?client=…&server=…&ids=…) encoded as URL parameters
⇒ user scans QR code on host device (URL is unmodified)
4.2 variant 2: compressed POST parameters
⇒ SQRL app on host device decompresses the data, then sends POST request
5. host issues HTTP request containing SQRL response (GET or POST), user is authenticated
Inspiration:
* German online banking authentication scheme (ChipTAN+ with FlickerCode)
Pros:
* mostly compatible with SQRL specification
* variant 1: no software client required on host
* offline peripheral
Cons:
* host needs camera
* camera in peripheral is expensive
* image processing (QR decoding) costs time and energy (limited on peripheral)
* variant 1: GET request not entirely compliant to SQRL spec (afaik, please correct me if i'm wrong)
Cheers!
