The first time you use SQRL the app will require you to invent a master password, from which a Master Key is cryptographically generated. This Key is a 256-bit (very very large) random number, unique and never shared.
Additionally the first time using SQRL a public Identity Lock Key and a private Identity Unlock Key pair are generated via the SQRL app. The Identity Lock Key is stored alongside the Master Key but the Identity Unlock Key must be safely stored away (such as printing it as a QR code) prior to being deleted from the app. The Identity Unlock Key is used to cancel and replace your Master Key in the event that it is compromised.
When you visit a SQRL enabled website the QR code/link contains the website address and a random cryptographic challenge number.
The SQRL app hashes the website address and your Master Key together to create a website unique identity. This identity will keep your Master Key safe and totally unique for each website you use SQRL with.
The SQRL app digitally signs the random cryptographic challenge using your site-specific private key and sends it back to the website along with your site-specific public key. The website is then able to confirm that the user who produced the signature used the private key corresponding to the public key.
Once the signed random cryptographic challenge is verified by the website it is then able to authenticate your device. The website is able to do this by keeping track of the random cryptographic challenges it sends out.
SQRL Identity Lock uses something called Diffie-Hellman (DH) Key Agreement (KA) or DHKA for short. It basically allows 2 sets of public/private keys in this instance to generate the same private key; it uses the public key of one with the private key of the other and vice versa. Both combinations will output the same private key. Magic (or crazy math)!
We have 1 set of keys already (Identity Unlock Key & Identity Lock Key), this was generated when we created the Master Key. The 2nd set of public/private keys are randomly generated with each new identity association within the SQRL app (Random Lock Key & Server Unlock Key).
The SQRL app will use DHKA to generate a private key using the public Identity Lock Key and the private Random Lock Key. This private key is used to create the public Verify Unlock Key. The private key is discarded at this stage.
The website is sent the 2 public keys, the Server Unlock Key and the Verify Unlock Key during identity association.
The public Verify Unlock Key was made using DHKA with the public Identity Lock Key and the private Random Lock Key. Using the power of DHKA we can generate the private Unlock Request Signing Key for the public Verify Unlock Key by using the alternate public Server Unlock Key (held by the website) and the private Identity Unlock Key (imported from safe location).
From your super secret hiding place guarded by laser wielding ninjas, you will retrieve your Identity Unlock Key and import it into the SQRL app.
The SQRL app will generate a new Master Key. This will be your replacement Key from which all the new site-specific key pairs will be generated.
The website will send the SQRL app the public Server Unlock Key it has stored and another random cryptographic challenge (same idea as previous).
As previously explained, using DHKA with the private Identity Unlock Key (imported from safe location) and the public Server Unlock Key (sent from the website) the private Unlock Request Signing Key is recreated.
The identity change request is then signed using the private Unlock Request Signing Key before being sent back to the website.
As the website has the public Verify Unlock Key which corresponds to the Unlock Request Signing Key it is able to verify the signature and proceed with replacing the users keys.
Can I use this to sign up to a website?Of course! Depending on the website it may ask you for more information like a traditional sign up process or could allow you to stay anonymous.
What if someone steals my phone?Generally you will use a master password to unlock your SQRL app. It is the user's responsibility to secure the app with a strong password. Some apps could potentially offer alternative ways to secure access in the event of a stolen phone.
In the rare and unlikely event the password securing the app is compromised (stolen phone), the Identity Lock protocol will allow revoking of your old identity and allow you to establish a new identity with websites.
What is the benefit over traditional usernames & passwords?
- There are no usernames or passwords to have compromised, lost or stolen.
- No keyboard interaction, great for using public computers that could log your keystrokes.
- You only need your Master Key, no lists of usernames and passwords to keep track of.
- There is NO WAY to link one person across sites based only on the site-specific public key, websites may ask for more infomation that could be tracked.