Question for Steve Gibson regarding SQRL user authentication system / asymetric key pair website login paradigm

Although I’m new to security encryption techniques and do not have worlds of experience or experience under my belt, I’m constantly learning more. I’m also a regular listener of the podcast Security Now with Steve Gibson on the TWIT network.

Last week, the podcast was Steve’s presentation of SQRL (pronounced “squirrel”), which attempts to solve security, privacy and usabilt issues regarding the age old computing paradigm of username / password account security. To a large degree it seems that Steve’s proposal takes from the SSH paradigm used for secure logging into remote servers; namely an asymetrical key pair. Not only does this allow the user to avoid remembering a laundry-list of usernames and passwords that need to be periodically changed for optimal security, but also improves user privacy by allowing some information about the user such as email address to be excluded from the requirements for a user account. Understandably, some sites will still want to determine that users are humans – not bots, however, not providing an email address does improve security of the user to a certian degree. Especially in the wake of recent attacks on companies like Sony and Target, where user emails can be easily stolen from servers.

During his presentation, Steve offered his solution: namely SQRL protocol for secure website login. One suggestion that he made suggested that web-browsers incorporate a new link-type in addition to and links. This new link possibly would launch native software in the same way that links to. However, is it possible that this is NOT a strict requirement for SQRL to be deployed?

Perhaps a browser plugin could actually do the same job. By using a brower plugin, the user could authenticate using their priavate key which could be encrypted using a symetric encryption algorithm to make it more secure. A workflow of this sytem is outlined below:

1. Account creation protocol

-User clicks on a button to create an account on the website and the website provides a unique identifier to the page.
-User then uses their SQRL browser plugin to create an asymetric key pairing (using cryptojs or similar package). This key pair can then by symetrically encrypted using a single password authentication from the browser plugin. That way, the private key can only be accessed with the user password. The key is stored encrypted in the browser plugin with the DNS information for the website.
-The SQRL browser plugin then responds to the website using the unique id and the public key that was just created. -The website stores the public key of the username in its user database.

2. User login protocol from browser on their own system

-When the user wants to login they navigate to the website login page or home page (or select from menu within the browser plugin) -The website supplies a unique idenifier string to the DOM object.
-The SQRL browser plugin then gets the identifier from the page, and signs it with the private key (user password is required).
-The SQRL browser plugin then sends the signed string back to the website via HTTP along with the account unique ID.
-The website verifies the signed string using the public key which is on record for that unique ID.

**This essentially allows users to have only one master password for accessing all websites on the internet.

3. User login protocol from a public computer

-The website provides a QR code with a unique string, unique identifier, and dns -The user scans the string and signs with private keys using the SQRL mobile app
-The website verifies the signing of the unique string using public key and user’s unique ID. -After verification through mobile app, the user can click on the QR code.
-The website grants access to the IP / MAC address where that QR code was supplied to.

Please allow for some leeway regarding my understandign of encryption / authentication strategy. It’s just my interest to offer a potential solution, and also join the discussion about user privacy and security. I’m convinced that many others in addition to myself are concerned with the level of security provided by websites.

Leave a comment

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.