My English may be imperfect ;)
I post the request in SEB for Windows, but it concerns all OS.
Context
The security/integrity relies on keys : BEK, CK, ASK.
| Key | Check SEB integrity | Check config |
| --- | --- | --- |
| CK | no | yes |
| BEK | yes | yes |
| ASK | yes | yes |
ASK needs SEB server, not all schools want/can deploy a server.
CK and BEK work with LMS (in my school they use Moodle).
By default Moodle uses CK, and many teachers think it's enough for the security. But in BYOD environment, the CK does not prevent a hacked SEB client. Some students discovered that, and use a hacked version of SEB.
BEK is far better, but it's not used because it needs to obtain and copy/paste new keys for each quiz and each version of SEB. That's too hard for many teachers and they need 3 devices (win, mac, ios).
Many of us do multiple quizzes per week.
Making a portal quiz is a trick, but with its own difficulty to configure.
This request is mainly for BYOD context, not for exams but for frequent quizzes.
The idea
Having a key to check only SEB integrity : the BK (Browser Key)
Of course the LMS has to be modified to use this key : if it checks BK and CK the whole environment is secure.
The BK can be precalculated by the school and given to all teachers. Or better : the LMS on the admin side can already store BK.
Each version of SEB has its own BK so at least 3 BK need to be precalculated (win, mac, ios).
If wanted each teacher can precalculate its own BK (if he has access to win, mac, ios).
Howto Compute BK
Inputs :
- seed : chosen by the school/teacher, given in config.seb
- host : the host from the start url (config.seb)
Compute precalculated BK :
It can use the same function used for BEK, but with modified args
BK = CalculateBrowserExamKey(host, seed);
Or a new function with another algorithm in the integrity module if you think that's better.
Communication with LMS
Of course like other keys, the BK is hashed with the full URL before :
APIBK = sha256(BK + url)
The Browser Key is provided by the js API :
security.browserKey = APIBK
Limits
Yes this is less secure than the BEK or the ASK. Maybe replay attacks become easier. But in BYOD env and for frequent quizzes that's more secure than the only CK used by default, and easier to use than the BEK.
LMS devs have to implement this new key.
Later
I suggest a Common Browser Key, even easier for teachers, in another request : #1426
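A sketch of the LMS-side check this request implies, added here as an example and not taken from SEB, Moodle or the request's author: the LMS stores one precalculated BK per SEB build, recomputes sha256(BK + url) for the requested URL, and accepts the request only if both the BK and the CK match. The key values, function names, string concatenation with hex output, and hashing the CK the same way as the BK are all assumptions.

```python
import hashlib
import hmac

# Constructed placeholder values, not real keys: one precalculated BK per SEB build.
ALLOWED_BKS = {
    "win": "bk-placeholder-windows",
    "mac": "bk-placeholder-macos",
    "ios": "bk-placeholder-ios",
}
QUIZ_CK = "ck-placeholder-quiz-config"  # constructed Config Key for one quiz


def url_bound_hash(key: str, url: str) -> str:
    """sha256(key + url) as lowercase hex, in the order written in the request."""
    return hashlib.sha256((key + url).encode("utf-8")).hexdigest()


def match_browser_key(received: str, url: str, allowed=ALLOWED_BKS):
    """Return the platform whose BK produced `received` for this URL, else None."""
    candidate = received.strip().lower().encode("utf-8")
    matched = None
    for platform, bk in allowed.items():
        expected = url_bound_hash(bk, url).encode("utf-8")
        # Constant-time comparison; every stored BK is checked, with no early exit.
        if hmac.compare_digest(expected, candidate):
            matched = platform
    return matched


def request_allowed(received_bk: str, received_ck: str, url: str) -> bool:
    """Accept only if both the client build (BK) and the config (CK) check out."""
    ck_expected = url_bound_hash(QUIZ_CK, url).encode("utf-8")
    ck_candidate = received_ck.strip().lower().encode("utf-8")
    ck_ok = hmac.compare_digest(ck_expected, ck_candidate)
    return match_browser_key(received_bk, url) is not None and ck_ok
```

Because the hash is bound to the URL, a value captured for one page does not validate on another, but the value for a given URL is the same on every request, which is the replay limit noted under Limits.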