From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Tom Metro
SQRL
Every authentication system, no matter what, is based on a combination of
something you know, or something you have. Nothing against SQRL, but SQRL is
something you have - it's yet another key
On 2/24/2015 9:35 PM, Tom Metro wrote:
It uses a bit of PKI (using elliptic curve rather than RSA keys) and
typically works in conjunction with a smartphone app. Here's the process:
He's reinvented APOP.
--
Rich P.
On Wed, Feb 25, 2015 at 8:45 AM, Richard Pieri richard.pi...@gmail.com
wrote:
He's reinvented APOP.
There's certainly a similarity. Using the same techniques outside of POP
in a phone-and-browser setting is a darn good idea.
--
Bill Ricker
bill.n1...@gmail.com
Edward Ned Harvey wrote:
SQRL is something you have - it's yet another key manager...
It's not quite so black-and-white. The master key is encrypted with a
pass phrase, so that's something you know.
I believe the master key isn't directly derived from the pass phrase, so
you still need to have
Bill Ricker bill.n1...@gmail.com writes:
On Wed, Feb 25, 2015 at 8:45 AM, Richard Pieri richard.pi...@gmail.com
wrote:
He's reinvented APOP.
There's certainly a similarity. Using the same techniques outside of POP
in a phone-and-browser setting is a darn good idea.
tl;dr
And how does
Derek Atkins wrote:
And how does one know that the authentication server URL is the right
URL and not, say, a MitM/phishing attack?
It's addressed at length:
https://www.grc.com/sqrl/phishing.htm
In summary, there are several measures to combat several different
attack scenarios:
-one is that
On 2/25/2015 1:18 PM, Tom Metro wrote:
also connect to the wrong end-point (though the attacker could proxy the
connection).
Which is trivially easy to do when providing victims with malicious URLs
via malicious QR codes.
-the domain in the URL is shown to the user for verification before
On 02/19/2015 02:21 PM, Edward Ned Harvey (blu) wrote:
I have spoken with two IT people, whose servers had been compromised and used
to deliver some sort of illegal content, presumably sold from malicious person
1 to malicious person 2 on the black market (silk road or whatever).
Of course