This is the top-level/index repository for implementing post-quantum authentication in web applications and web services with an ESP32 embedded device as the user's authenticator.
This project is a proof-of-concept for an article (link to be added later). It provides a reference implementation of post-quantum algorithms in an existing authentication framework (Web-eID), where an ESP32 embedded device is used as the user device instead of a smart card. The current implementation uses Dilithium5 digital signatures to create an authenticated entity.
Note: some of the names below are not separate repositories but refer to a specific branch in the base repository. This is done to enable future pull requests. Follow the links below to go to the specific changes.
The following list is sorted from the lowest dependency upward: the first listed projects do not depend on any other listed project; the bottom ones depend on the ones above them.
- liboqs-php - PHP wrapper for the libOQS library that enables PHP developers to work with post-quantum algorithms
- Muzosh/liboqs-python - custom Python wrapper for the libOQS library that enables Python developers to work with post-quantum algorithms
- OQS-openssl-in-PHP - notes on how to use the post-quantum version of OpenSSL in PHP
- PQC-libserial-cpp - an equivalent of libpcsc-cpp that enables the Web-eID app to communicate with USB serial devices as well
- PQC-libpcsc-cpp - adaptation of the existing library to the new abstraction layer in the Web-eID app
- PQC-phpseclib - introduces post-quantum support with Dilithium5 as a functional reference
  - requires: either liboqs-php, OQS-openssl-in-PHP, or both (via installation on the same system)
- PQC-web-eid-authtoken-validation-php - PQ extension of the official Web-eID repository for PHP back-end servers
  - requires: PQC-phpseclib (via composer.json - vcs dependency)
- PQC-twofactor-webeid - an installable application for the Nextcloud cloud storage server enabling the usage of PQC Web-eID for authenticating users into the web interface (can serve as an implementation example)
  - requires: PQC-web-eid-authtoken-validation-php (via composer.json - vcs dependency)
- PQC-nextcloud-docker - development instance of a PQC-enabled Nextcloud server using Docker
  - requires: PQC-twofactor-webeid (via git submodule)
- PQC-libelectronic-id - introduces an abstraction layer that adds USB serial devices on top of smart cards, and adds an interface implementation for the InfinitEIDPQ embedded device
  - requires: PQC-libserial-cpp and PQC-libpcsc-cpp (via git submodules)
- PQC-web-eid-app - introduces an abstraction layer that adds USB serial devices on top of smart cards
  - requires: PQC-libelectronic-id (via git submodules)
- InfinitEIDPQ - contains a full-fledged applet for ESP32 firmware that enables post-quantum authentication on the web using embedded devices, and an administration application for device management
  - requires: Muzosh/liboqs-python
- TODO: init device (requires an ESP32 device, tested on LilyGO T-Display S3)
- TODO: build and install the PQ version of Web-eID
- Follow the instructions in PQC-nextcloud-docker to start the server
- Log in as `testuser` (password is `testuser`) and authenticate using the PQC embedded device
First, the user attempts to log into a web service (Nextcloud cloud storage in this case).
The user is redirected to the two-factor selection page. Since at this moment only one two-factor provider is active (Web-eID), the user is redirected straight to that page.
By clicking the button, the user invokes the Web-eID authentication protocol.
At this point, the user could use a regular smart card reader and a supported smart card (e.g. the Estonian eID card). Instead, the user plugs our new embedded device into a USB port:
(the LCD display is off at this moment, as it is not needed for the authentication)
After the device is connected and the USB interface is initialized, the user is asked to enter the authentication PIN.
On successful PIN authorization, the user is authenticated using the Dilithium5 private key stored on the embedded device and is logged in.
TODO
TODO
Overall, authenticating with Dilithium5 on the ESP32-S3 is quite fast. Usually the delay introduced by the additional clicks and PIN entry is more noticeable to the user than the actual cryptographic operation.
More measurements are available in the `measurements` folder.