From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On
Behalf Of Tom Metro
SQRL
Every authentication system, no matter what, is based on a combination of
something you know, or something you have. Nothing against SQRL, but SQRL is
something you have - it's yet another key
On 2/24/2015 9:35 PM, Tom Metro wrote:
> It uses a bit of PKI (using elliptic curve rather than RSA keys) and
> typically works in conjunction with a smartphone app. Here's the process:

He's reinvented APOP.
--
Rich P.
On Wed, Feb 25, 2015 at 8:45 AM, Richard Pieri richard.pi...@gmail.com
wrote:
> He's reinvented APOP.

There's certainly a similarity. Using the same techniques outside of POP
in a phone-and-browser setting is a darn good idea.
--
Bill Ricker
bill.n1...@gmail.com
Edward Ned Harvey wrote:
> SQRL is something you have - it's yet another key manager...

It's not quite so black-and-white. The master key is encrypted with a
pass phrase, so that's something you know.
I believe the master key isn't directly derived from the pass phrase, so
you still need to have
Bill Ricker bill.n1...@gmail.com writes:
> On Wed, Feb 25, 2015 at 8:45 AM, Richard Pieri richard.pi...@gmail.com
> wrote:
>> He's reinvented APOP.
> There's certainly a similarity. Using the same techniques outside of POP
> in a phone-and-browser setting is a darn good idea.

tl;dr
And how does
Derek Atkins wrote:
> And how does one know that the authentication server URL is the right
> URL and not, say, a MitM/phishing attack?

It's addressed at length:
https://www.grc.com/sqrl/phishing.htm
In summary, there are several measures to combat several different
attack scenarios:
-one is that
On 2/25/2015 1:18 PM, Tom Metro wrote:
> also connect to the wrong end-point (though the attacker could proxy the
> connection).

Which is trivially easy to do when providing victims with malicious URLs
via malicious QR codes.

> -the domain in the URL is shown to the user for verification before
In the runaway thread on corporate security practices someone asked
whether there were any good alternatives to passwords. No one mentioned
Steve Gibson's SQRL (Secure Quick Reliable Login) technology:
https://www.grc.com/sqrl/sqrl.htm
It uses a bit of PKI (using elliptic curve rather than RSA
SQRL sounds promising; here's hoping.
___
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss