
Feat: introduce pairing support to protect against shoulder surfing #98

Merged
merged 77 commits into from
Jun 8, 2021

Conversation

ivard (Member) commented Jun 10, 2020

Security feature to enable the frontend and the IRMA app to explicitly bind with each other. When binding is enabled a session will not immediately start when the QR is scanned. The user first has to confirm in the frontend that the QR was scanned with the right device.

Announcement

In two weeks from now we will release version 0.8.0 of irmago, including a new release of the irma CLI tool, as well as version 0.4.0 of irma-frontend. These versions introduce support for device pairing when starting an IRMA session by scanning a QR. In this way we prevent shoulder surfing attacks where someone in close physical proximity to the user scans a QR that was meant for the user.

When an IRMA app with pairing support is used and pairing is enabled, users are asked to explicitly enter a pairing code after they scanned an IRMA QR. The IRMA app will show a 4 digit pairing code and the user is instructed to enter this pairing code on the device where the QR was shown. When the pairing code is correctly entered on the other device, the user is referred back to the IRMA app where the session continues as usual. When the user's IRMA app has no support for pairing yet, the pairing stage is skipped (for now). Support for pairing is expected to land in the beta channel of the IRMA app in a few weeks.

This feature can be enabled by your frontend library. Our library irma-frontend version 0.4.0 and higher will automatically enable this feature in cases where pairing is recommended (e.g. during issuance). You can change the default setting if you want, although we do not recommend relaxing the strictness of the default setting. In mobile sessions (when you don't have to scan a QR), irma-frontend will never ask for a pairing code. If you implemented your own frontend library to handle your irma session, you can check here how to implement this yourself.

This new irmago version is fully backwards compatible with older versions of irma-frontend and irmajs, so there is no requirement to update your website right away. When using older frontend versions, the IRMA session will simply be performed without a pairing stage. For issuers we do recommend to update your website as well to make the issuance of your attributes safer.

Introducing pairing support forced us to make some changes in the public API of the irmaserver library and in the API of irma-frontend used by plugins. For an overview of what changed in irmago, you can check the CHANGELOG. The outline of the new API can be found here. For an overview of what changed in irma-frontend, see the release notes.
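The flow described in the announcement (QR scanned, app shows a 4-digit code, frontend must receive that code before the session continues, older apps skip the stage) can be modelled as a small server-side state machine. The following is an added illustration written for this page, not irmago's own session code: the type and state names, the `Scan`/`EnterCode` API, the use of a constructed `PairingRequired` flag, and the assumption that a session is cancelled after three wrong codes are all choices made here, not behaviour the PR specifies.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
)

// SessionStatus names the stages described in the announcement.
// These identifiers are constructed for this example, not irmago's.
type SessionStatus string

const (
	StatusInitialized SessionStatus = "INITIALIZED" // QR shown, not yet scanned
	StatusPairing     SessionStatus = "PAIRING"     // scanned; frontend must supply the code
	StatusConnected   SessionStatus = "CONNECTED"   // devices bound; session proceeds as usual
	StatusCancelled   SessionStatus = "CANCELLED"   // too many wrong codes (assumption, see below)
)

// maxAttempts is an assumption for this example; the PR does not state a limit.
const maxAttempts = 3

var (
	ErrWrongState = errors.New("operation not allowed in current session state")
	ErrWrongCode  = errors.New("pairing code mismatch")
)

// PairingSession is the state the server keeps for one session.
type PairingSession struct {
	Status          SessionStatus
	PairingRequired bool   // decided by the frontend when it starts the session (e.g. issuance)
	pairingCode     string // only ever sent to the app that scanned the QR, never to the frontend
	failedAttempts  int
}

func NewPairingSession(pairingRequired bool) *PairingSession {
	return &PairingSession{Status: StatusInitialized, PairingRequired: pairingRequired}
}

// newPairingCode draws a zero-padded 4-digit code from a CSPRNG.
func newPairingCode() (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(10000))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%04d", n.Int64()), nil
}

// Scan is called when an app retrieves the session from the QR. The returned
// code is what that app displays. clientSupportsPairing models the fallback
// for older apps: they skip the pairing stage and connect directly.
func (s *PairingSession) Scan(clientSupportsPairing bool) (string, error) {
	if s.Status != StatusInitialized {
		return "", ErrWrongState // a second scan of the same QR is refused
	}
	if !s.PairingRequired || !clientSupportsPairing {
		s.Status = StatusConnected
		return "", nil
	}
	code, err := newPairingCode()
	if err != nil {
		return "", err
	}
	s.pairingCode = code
	s.Status = StatusPairing
	return code, nil
}

// EnterCode is called by the frontend on the device that showed the QR.
// A shoulder surfer who scanned the QR sees the code on their own phone,
// but the legitimate user never learns it, so the frontend cannot supply it
// and the session never reaches CONNECTED.
func (s *PairingSession) EnterCode(entered string) error {
	if s.Status != StatusPairing {
		return ErrWrongState
	}
	if subtle.ConstantTimeCompare([]byte(entered), []byte(s.pairingCode)) != 1 {
		s.failedAttempts++
		if s.failedAttempts >= maxAttempts {
			s.Status = StatusCancelled
		}
		return ErrWrongCode
	}
	s.Status = StatusConnected
	return nil
}

func main() {
	s := NewPairingSession(true)
	code, _ := s.Scan(true)
	fmt.Println("app shows:", code, "status:", s.Status)
	fmt.Println("frontend enters code:", s.EnterCode(code), "status:", s.Status)
}
```

The important property is that `pairingCode` is returned only from `Scan` (the app's side) and never exposed on the frontend's side; the frontend can only submit a guess. A 4-digit code gives one in ten thousand odds per guess, which is why the attempt counter matters more than the code length.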

Review threads (resolved) on:

- irmaclient/client.go
- irmaclient/handlers.go
- irmaclient/session.go
- server/api.go
- irma/cmd/request.go
- irma/cmd/session.go
- internal/sessiontest/session_test.go
- internal/sessiontest/main_test.go
- messages.go
- server/irmaserver/api.go
sietseringers
sietseringers previously approved these changes Oct 8, 2020
@ivard ivard changed the title Feat: introduce binding support to protect against shoulder surfing Feat: introduce pairing support to protect against shoulder surfing Nov 5, 2020
Review thread (resolved) on CHANGELOG.md
ivard and others added 25 commits June 8, 2021 12:34
@sietseringers sietseringers merged commit a72a416 into master Jun 8, 2021
@sietseringers sietseringers deleted the shoulder-surf branch June 8, 2021 14:06
2 participants