Who are they?
These are the technical experts. They need all the math, all the diagrams, all the details. Developers need stable, unambiguous, and complete specifications.
Existing Web Copy
- Open & free, as it should be: The component techniques and technologies employed by this solution are all well known, well tested, well understood, unencumbered by patents, and exist in the public domain. The entire system can be readily assembled from 100% open source algorithms, packages and libraries.
- Did I invent anything? I don't care. Even if some aspects of this system are novel, and might be subject to intellectual property protection, this is too important and much bigger than me. It should be made free for the world to use without encumbrance. With this publication of every detail, I hereby release and disclaim any and all proprietary rights to any new ideas developed and presented herein. This work is thereby added to the public domain.
- The chicken & egg problem: There was a time before the Internet, when people asked: If there are no high-quality websites no one will use the Internet; and if no one is using the Internet no one will bother creating high-quality websites. Somehow it happened anyway. We hope and expect that SQRL login will be like that. Once we have established the required interoperability standards, people WILL create free smartphone SQRL clients—probably many. And as websites begin to offer SQRL login as a side-by-side alternative to the traditional username and password, SQRL popularity will grow. Why would anyone NOT use it when it's free, perfect, and just works? Users will want it because it immediately eliminates the most annoying aspect of the Internet. Website visitors will demand it and websites will soon see that they are losing visitors by not offering the instantaneous SQRL option. Now that we have such a terrific egg, it's difficult to see what's going to keep it from hatching, surviving, and growing.
- It only works with a smartphone? Not any more. See the “Three Ways to Go” section above. It can be used to login to a smartphone's displayed website and with only a desktop or laptop.
- QR Codes? Yes. Or not. A QR code is an elegant, robust, convenient and instantly recognizable icon that now can represent “instant log in authentication.” But the QR code is simply conveying a standard format URL. And we've already seen (above) that the SQRL code can be tapped or clicked-on to invoke the QR code as a link. So anything that can convey an Internet-format URL can be used. QR codes simply have many nice properties, both visually and technically.
- Minimal complexity: Committee-designed solutions too often suffer from the “too many cooks” syndrome. This SQRL solution has been designed to make just one thing, which should be simple, very simple indeed. It's the one thing that most people do most of the time and wish was fast, simple and secure. It is.
- Computational burden: Despite the fact that this is a public key authentication system, you will see on the following pages that a set of algorithms and parameters have been carefully chosen to minimize client and server-side authentication overhead. In particular, the all-important server-side signature verification is very fast and lightweight.
- NSA & NIST-free cryptography: The recommended implementation of this system leverages several unique characteristics of well-known cryptographer Dr. Daniel J. Bernstein's (DJB) carefully designed twisted Edward's curve digital signature algorithm (EdDSA). In his extensive and complete papers (linked herein) Bernstein explains the detailed derivation and properties of his “25519” elliptic curve. Importantly, there are no mysterious constants or “magic numbers” of unknown provenance. Dan has a long and well-known history of fighting for cryptographic freedom. In 1995, while a student at the University of California, Berkeley, Dan brought a lawsuit against the United States (represented by the EFF) challenging the restrictions on the export of cryptography . . . because he wanted to publish a paper and associated source code of this “Snuffle” encryption system. The ruling in the case declared software as protected speech under the First Amendment, and national restrictions on encryption software were overturned. (He won.) Please see the Detailed Crypto Architecture page for full detail and discussion.
All the content here: https://www.grc.com/sqrl/crypto.htm
All the content here: https://www.grc.com/sqrl/idlock.htm
All the content here: https://www.grc.com/sqrl/key-flow.htm
All the content here: https://www.grc.com/sqrl/operation.htm
All the content here: https://www.grc.com/sqrl/phishing.htm
All the content here: https://www.grc.com/sqrl/attacks.htm
All the content here: https://www.grc.com/sqrl/protocol.htm
All the content here: https://www.grc.com/sqrl/semantics.htm
All the content here: https://www.grc.com/sqrl/storage.htm
All the content here: https://www.grc.com/sqrl/scrypt.htm
All the content here: https://www.grc.com/sqrl/client.htm
All the content here: https://www.grc.com/sqrl/server.htm
All the content here: https://www.grc.com/sqrl/resources.htm
Some of the content here: https://www.grc.com/sqrl/implementations.htm
All the content here: https://www.grc.com/sqrl/other.htm