Use-case Free Description

From SQRLauth.net

{Page Build In Progress}


Abstract

This is a deliberately use-case agnostic description of SQRL, intended as a guide for producing use-case specific implementations more simply and without compromising SQRL's core advantages.

What is SQRL

The SQRL system (pronounced “squirrel”) revolutionizes many forms of electronic authentication. It eliminates many problems inherent in traditional login techniques. SQRL is an open licence, patent unencumbered, pseudonymous resource authentication protocol.

The User Experience

The user is presented with a QR-Code which encodes an SQRL resource pointer to an authentication server; if the display is interactive it may also offer the pointer as a direct link. With an interactive presentation the user can tap or click directly on the QR-Code pointer for a same-device SQRL client launch, or launch an SQRL client on a separate device and optically scan the code.

The SQRL client displays the domain name contained in the SQRL code for verification, and a Server Friendly Name (SFN). After verifying the domain and SFN, the user permits the SQRL app to proceed. This authenticates their identity to the authentication server with reference to the resource.

The authentication server then grants the actions associated with the resource, e.g. site login, door entry, item purchase.

Key Functional Parts of SQRL

Broadly, SQRL consists of four main parts (see below and the accompanying diagram). Depending upon the use-case these four parts may be combined in a number of ways into a smaller number of logical devices.

Functional outline with data flows

Resource

This is the thing (item, transaction, state, interactive session identifier etc.) that a user authenticates to. A reference to it is carried within an SQRL-Link generated by the Server and presented upon the Display, where an action by the user transfers that link from the Display to the Client.

Display

A place (PC browser, Sticker, POS device, Voting sheet) where an SQRL-Link fetched from the Server is displayed such that it can be passed from the Display to the Client.

Client

A SQRL-Client application (PC program, smartphone app, single-use device) in the possession of the user that captures the SQRL-Link and uses it to authenticate the user's chosen identity to the Server in a pseudonymous way, in relation to the predefined Resource referenced by the SQRL-Link.

Server

A device that can accept network queries from, and make responses to, the Client, the Resource and possibly also the Display. It performs all the actions needed to securely and uniquely authenticate the Client's presented identity to the requested Resource.

SQRL Internal Structures

The SQRL-Link

A reference to a Resource, usually but not exclusively in the form of a QR-Code, possibly with an associated active hypertext link; both carry the same information (for the HTTP use-case see SQRL Over HTTP).

This link is divided into four major, often overlapping, parts:

Scheme

This designates an SQRL Client as the application to launch when the user acts upon the SQRL-Link.

Domain / Path

This part identifies the destination address to where Client queries should be directed.

Realm

This always includes the whole domain and optionally some of the path, in which case a specific character that is not valid in a path replaces the normal path divider.

Nut

This is the unique Resource reference. It leaks no information about the exact Resource, but the Server can associate it with a specific predefined one. The Nut can be static over time or dynamically generated each time it is displayed.

At its core SQRL makes use of Elliptic Curve Cryptography (ECC) processes {Ed25519, Curve25519} and a simple keyed-hash message authentication code (HMAC-SHA256) to deterministically produce Resource-specific key-pairs, which are used to offer a zero-knowledge proof of secret key possession on a random challenge.
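The derivation just described, as an added example that is not code from SQRLauth.net or from any SQRL client: a constructed Identity Master Key is fed through HMAC-SHA256 over the Realm to seed an Ed25519 key pair, and that pair signs the Server's Nut. The exact HMAC input (the Realm string) and the challenge layout (Realm plus Nut) are assumptions chosen to show the mechanism, not the SQRL wire format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Constructed Identity Master Key (IMK): 32 fixed bytes so the run is reproducible.
// The real secret lives only in the Client; the Server never sees it.
var imk = bytes.Repeat([]byte{0x42}, 32)

// siteKeyPair derives the per-Realm Ed25519 key pair: HMAC-SHA256 keyed with the
// IMK over the Realm string yields a 32-byte seed that Ed25519 expands deterministically.
// Same IMK and Realm always give the same pair; another Realm gives an unrelated one.
func siteKeyPair(imk []byte, realm string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, imk)
	mac.Write([]byte(realm))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil)) // 32 bytes == ed25519.SeedSize
	return priv.Public().(ed25519.PublicKey), priv
}

// challenge is the byte string both sides sign/verify: Realm plus Nut, so a
// signature on one Realm's Nut cannot be replayed against another Realm.
func challenge(realm string, nut []byte) []byte {
	return append([]byte(realm+"|"), nut...)
}

// clientRespond is the Client side: sign the Server's Nut with the per-site
// private key and present the matching public key as the pseudonymous identity.
func clientRespond(imk []byte, realm string, nut []byte) (ed25519.PublicKey, []byte) {
	pub, priv := siteKeyPair(imk, realm)
	return pub, ed25519.Sign(priv, challenge(realm, nut))
}

// serverVerify is the Server side: check the proof of possession for the
// Realm and Nut it issued. The Server only ever learns the per-site public key.
func serverVerify(realm string, nut []byte, pub ed25519.PublicKey, sig []byte) bool {
	return ed25519.Verify(pub, challenge(realm, nut), sig)
}

func main() {
	nut := []byte("constructed-nut-0001") // a real Server draws this from crypto/rand
	pub, sig := clientRespond(imk, "example.com", nut)
	fmt.Println("verified:", serverVerify("example.com", nut, pub, sig))
	other, _ := siteKeyPair(imk, "other.example")
	fmt.Println("same key for other realm:", bytes.Equal(pub, other))
}
```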