SQRLSQRL
100x100 SQRL Logo   Secure Quick Reliable Login
A highly secure, comprehensive, easy-to-use replacement
for usernames, passwords, reminders, one-time-code
authenticators . . . and everything else.
divider
SQRL's Identity Lock Protocol
The problem:

The appealing elegance and simplicity of the SQRL system is, more than anything else, the idea that a single globally unique user can be identified by a single globally unique ID (their 256-bit identity master key) while enforcing their privacy by presenting a different unique 256-bit identifier to every website on the Internet. The simple SQRL protocol accomplishes this using only a few cryptographic operations, and in a perfect hacker-free world with perfect users we would be finished, and could declare a job well done.

But the world is not hacker-free, and user's are not always perfect. So for SQRL to have the best chance of achieving wide adoption, it needs to not only be clearly superior to alternatives, but also work to address every criticism and concern. It must be able to offer answers to improbable if inevitable “what if” challenges. And, ultimately, its features must assure both users and websites that it will protect them, as well as possible, against both known and unknown threats.

SQRL's Identity Lock answers the question: “But what if someone,
someday, DOES obtain unencrypted access to a user's identity?”

To facilitate SQRL's possible life-long use by an individual, we felt that the user should be allowed to retire their current SQRL identity if, for any reason, they became concerned that it might no longer be secure and safe to use. Although today's individual websites will likely permit their users to perform a manual process involving traditional usernames, passwords, and eMail . . . what if the SQRL solution were to succeed so well that it eventually replaced other, current forms of authentication? Or what if users wishing the highest degree of security and anonymity established accounts lacking any other form of identity verification? In those cases, “out of band” SQRL identity changes would be impossible and the SQRL system would need to provide its own means for allowing its users to securely retire and replace worrisome or compromised identities. This is that system, here today, and part of the v1.0 SQRL specification.

Even though the only known weakness in the base SQRL system is user password compromise, and even though the system's password management system renders password guessing and hacking entirely infeasible, a user could use a very poor password or have their SQRL smartphone or desktop client hacked. The result would be a potential compromise of their entire Internet-wide SQRL-controlled identity. Because the “but what if that happens?” question can be asked, we have designed an answer.

Although ID Lock is independent of, and runs parallel to, the base SQRL identification protocol, it offers such strong and useful protection that it is a required component of the SQRL specification which every SQRL client and web server should implement.

SQRL's ID Lock provides a frictionless means for securely
authorizing SQRL client-mediated (“in band”) identity changes,
while simultaneously preventing unauthorized identity modification.

The User's Experience

ID Lock operates by creating a second “master key” different from SQRL's regular identity master key. This second “Identity Unlock Key” is created when a user first sets up and begins using SQRL. It never changes, it may never be needed, but it should never be lost. To prevent attackers from having any opportunity to gain access to this key, it is never stored in any SQRL client application, and it is never written to non-volatile storage. After it is created, it must be printed onto paper as a graphic QR code or exported as a short text file and stored securely. Then it is completely removed from the SQRL device or application that created it. It cannot, and must not, remain accessible “online” in any fashion. This typically ends the user's involvement and responsibility for their identity management. The special “Identity Unlock Key” will likely (hopefully) never be needed, but in case it is ever needed it should not be lost.

To protect the user, once a user has established their identity with a website, the only (automated) way for the website to accept a new identity for the user is for a SQRL client to be temporarily re-loaded with the always-offline (super secret) Identity Unlock Key. Since this key is never normally present in any of the user's SQRL clients, it could never have become known to any attacker. Therefore, the presence of that key proves to the site that this really is the authentic user, not someone who may have somehow obtained the user's daily operation master key and password. This allows the user to retire and replace their previous identity with a new one so that anyone who may have obtained their master key and password will be unable to use them.

The Identity Unlock Key is never stored in the SQRL client, nor even electronically “online” in the computer, because no matter what, bad guys must never be allowed to obtain it. It exists outside, on paper only, specifically so that no possible breach of the user's normal daily operating security might possibly result in its disclosure. (Note that to be used, an attacker still needs to obtain the user's identity master key and matching password. So the offline Identity Unlock Key also enjoys all of the protections provided by the rest of the system. We just don't want it to be present in SQRL clients which might be hacked and the key obtained.)

Without the Identity Unlock Key, no one, not even the valid SQRL user, can alter their online identity. This means that if “but what if” actually did ever happen, although bad guys might gain access to a user's account, they could never lock the user out by changing the account's SQRL identity. Then, as soon as malicious access was detected, or preemptively, if a user was concerned that their SQRL identity master key and SQRL password might be compromised, the valid SQRL user could load their offline Identity Unlock key, retire and replace their own identity master key, then login to their most important web sites using SQRL to immediately replace their SQRL identity for every site they visit.

If the worst happened, and a user's decrypted SQRL identity somehow
escaped from their control, the user can securely cancel & replace
their lost identity, rendering the stolen (old) identity useless.

Note that since there could be an emergency situation where a user needs to block their SQRL identity for specific sites, but they might not have immediate access to their “Identity Unlock Key”, SQRL permits a user to disable their current identity at a website without needing Identity Unlock Key. They must then later use their Identity Unlock Key to either re-enable or replace their identity. But they can, in an emergency, disable any existing identity.
The Identity Lock Protocol Operation

In keeping with SQRL's use of Dan Bernstein's highly efficient and carefully designed (NSA-free) Curve25519 elliptic curve cryptosystem, the SQRL ID Lock protocol uses an elliptic curve version of Diffie-Hellman (DH) Key Agreement (KA). Therefore, our use would be known as Elliptic Curve Diffie-Hellman, or ECDH. For additional information see Dan Bernstein's ECDH web page, and his Curve25519 PDF white paper.

What this technology achieves
The Identity Lock protocol is admittedly a bit tricky. It needs to be more complex than SQRL's comparatively straightforward identification protocol because its requirements are much more complex: When operating, it must be able to generate and provide something to every web server so that it's identity can later be proven, but what it generates and provides to each web server cannot in any way identify it to the server, since the SQRL system provides strong anonymity guarantees to prevent web servers from having anything they might compare to identify and track users. And on top of that, since it must also be truly hacker-proof, the system that generates this identity-proving information must not, itself, be able to prove its own identity . . . otherwise a compromised or hacked SQRL client could be used to maliciously prove its identity to “unlock” and alter a user's website identification. So we need to be able to provide anonymous identity proof without being able to prove our identity.

Traditional DHKA
In the traditional use of DHKA, two parties wish to establish a shared secret key which they will then use to encrypt subsequent communications. So the parties first arrange to obtain each other's public keys. This can be done it full public view so long as no man-in-the-middle is able to intercept and subvert that public key exchange. In other words, a passive eavesdropper can be allowed or assumed to passively observe the exchange so long as they cannot alter it (to insert their own public key(s). Then, with each party having their own matching secret key, each is able to compute the same unique shared secret by applying the DHKA process. This shared secret cannot be computed by anyone having only the public keys, and of course, each party has their own secret key which they never disclose.

If we have public key one (PubKey1) and secret key one (SecKey1) and public key two (PubKey2) and secret key two (SecKey2), then:

DHKA( PubKey1, SecKey2 ) = DHKA( PubKey2, SecKey1 )

SQRL's use of DHKA
Some confusion can result from SQRL's unique application of Diffie-Hellman Key Agreement because it differs from the typical, more symmetrical use of DHKA. SQRL applies DHKA in a different, though valid, fashion. It uses three Diffie-Hellman properties that make it suitable for our needs:

Each side of the equation above requires two keys, one public and one secret, from each of the parties. And here's the key: If one is missing, the proper value of that side of the equation cannot be calculated and the equality assertion between the two sides cannot be satisfied. The SQRL ID Lock protocol relies upon that simple property.

Let's give these four keys their official names
One pair of keys is generated only once and never changes: The secret key is kept and stored offline for use only if the user's identity ever needs to be unlocked and changed. Therefore, we call this the “Identity Unlock Key.” Its complimentary public key is retained online in the client and is used to provide identity locking information when the user first introduces themselves to a new website. It's called the “Identity Lock Key.”

IdentityLock := MakePublic( IdentityUnlock )

id-lock-1

The second pair of keys is generated at random every time a user is creating a new SQRL “identity association” with a website. First, a random 256-bit “Random Lock Key” is created. It is used to generate the identity locking information. Then, from it we generate the complimentary “Server Unlock Key” which the web server holds for us.

If we plug these four keys back into the original Diffie-Hellman Key Agreement equation, we get:

DHKA(IdentityLock,RandomLock) = DHKA(ServerUnlock,IdentityUnlock)

As shown in the two equations and schematic diagram below, the system uses three of these four keys to synthesize the fourth Server Unlock Key, and an additional public Verify Unlock Key which are both sent to and retained by the web server:

VerifyUnlock := SignPublic( DHKA( IdentityLock, RandomLock ))
ServerUnlock := MakePublic( RandomLock )

The “SignPublic” function is the “crypto_sign_seed_keypair” function from LibSodium. It is part of the Curve25519 elliptic curve cryptosystem which converts a 256-bit “seed” into a pair of signing keys: a private signing key and a public signature verification key. The VerifyUnlock key is the public signature verification key produced by that function.

After examining this glossary of key definitions and functions, we'll carefully step through the identity lock and unlock processes:

A brief glossary and definition of terms:
Identity Unlock Key:
(IUK)
Randomly generated once, then printed and stored offline. The SQRL client must have access to this secret key for it to synthesize the Unlock Request Signing Key which the client must use to sign any identity change request.
Identity Lock Key:
(ILK)
Generated once, but it can be regenerated if needed, because it is the public side of the Identity Unlock Key. It is retained by all of the user's SQRL clients and combined with randomly generated Random Lock Keys to create a web site's Verify Unlock Key (which verifies the signatures of any identity change requests).
Random Lock Key:
(RLK)
Randomly chosen whenever the user is associating their SQRL identity with a new web server. It is used for two things, then discarded: It is mixed with the permanent Identity Lock Key (above) to produce the Verify Unlock Key, which the web server receives and stores. It is also used to create the Server Unlock Key which is also sent to the web server and stored.
Server Unlock Key:
(SUK)
Generated by the SQRL client then sent to and retained by the web server. When the client later indicates that it wishes to change its identity association, the web server returns this public key to the client. The SQRL client combines it with its reloaded secret Identity Unlock Key to produce the Unlock Request Signing Key which must be used to sign any identity change request.
Verify Unlock Key:
(VUK)
Received and retained by the web server from the client during the initial SQRL identity association, it is the public key used to verify the signature produced by the Unlock Request Signing Key. The web server will use this key, as it does with the SQRL identification protocol, to verify that the SQRL client is in possession of the matching Unlock Request Signing Key (which it could have only synthesized by combining the web server provided Server Unlock Key and its own secret, reloaded, Identity Unlock Key).
Unlock Request Signing
Key
(URSK):
Synthesized by the SQRL client by combining the web server supplied Server Unlock Key with the user's secret reloaded Identity Unlock Key. This produces a secret elliptic curve signing key that must be used to sign any SQRL client's identity change requests. The server's matching Verify Unlock Key is the public key used to verify the signature.

How a SQRL identity is associated and locked:
The SQRL client continuously holds onto the Identity Lock Key after it is created from the Identity Unlock Key. We cannot simply give every web server the public Identity Lock Key, because doing that would mean that we were giving every web server the same public key . . . which would break one of the SQRL system's most important properties: No ability to link user identities between servers.

Instead, we create a unique randomly derived version of our Identity Lock Key that cannot be traced back to our actual Identity Lock Key. We do this by first generating a new Random Lock Key and use the DHKA function to mix it with our Identity Lock Key (see below). This technically produces a 256-bit value that will be our private identity request signing key, but we don't use or retain it at this stage. Instead, we immediately pass it through Dan Bernstein's elliptic curve signing algorithm to produce its matching signature verifying public key. This becomes the Verify Unlock Key that is sent to and retained by the web server for it future use in verifying the signatures of the client's identity change requests.

In order for the client to later be able to re-synthesize the matching private signing key (which we just ignored and discarded), the Random Lock Key is also passed through a standard Curve25519 Diffie-Hellman Key Agreement (DHKA) function to create its matching public key. This becomes the Server Unlock Key which is sent to the web server for storage. When the SQRL client indicates that it wishes to update this user's identity, the web server returns this key which, when combined with the user's super-secret Identity Unlock Key allows the SQRL client to synthesize the private elliptic curve signing key which is required to sign any identity change requests:

id-lock-2

When a user is first associating their SQRL identity with web server account (which we refer to as “identity association”) the SQRL client generates and the server receives and permanently stores the Server Unlock Key and the Verify Unlock Key which, as shown in the schematic above, are created on-the-fly and derived from a random number and the user's permanent Identity Lock Key. Once those keys have been set for a user, they never need to be changed. They are both unique public keys which disclose nothing about the user's identity. They serve to lock the value of the user's SQRL public identity key, which was provided when the identity association was established.

How an identity association is unlocked:
Although this has already been touched upon above, we'll examine it in greater detail here.

In order for an existing SQRL identity association to be re-enabled, updated, replaced or removed, the SQRL client must be able to cryptographically sign its identity change request by regenerating the correct private elliptic curve signing key. In response to the SQRL client's request to change identity association, the web server sends the SQRL client the stored value of the Server Unlock Key. This is the value the SQRL client originally generated and asked the web server to retain for just this eventuality. The Server Unlock Key provides the public half of a standard Diffie-Hellman Key Agreement (DHKA) where the private half is the user's super-secret, normally offline but now reloaded, Identity Unlock Key:

UnlockRequestSigning := SignPrivate( DHKA( ServerUnlock, IdentityUnlock ))

Similar to the VerifyUnlock key above, the “SignPrivate” function is the “crypto_sign_seed_keypair” function from LibSodium. It is part of the Curve25519 elliptic curve cryptosystem which converts a 256-bit “seed” into a pair of signing keys: a private signing key and a public signature verification key. The UnlockRequestSigning key is the private signing key produced by that function.

Since this is the right-hand side of the original equation above, it reproduces the private Unlock Request Signing Key which was briefly created but never used, other than to produce the matching public signature verifying Verify Unlock Key which the server also stored. The SQRL client combines the web server provided Server Unlock Key with the user's reloaded Identity Unlock Key to reproduce the original Unlock Request Signing Key. The client uses this recreated signing key to cryptographically sign its identity change request and sends that specially signed request to the web server.

The web server uses its stored Verify Unlock Key, which is the matching public signature verification key to verify the request's validity and authenticity, and updates the appropriate entries in the user's SQRL account database.

id-lock-3

A few technical notes:

Useful attributes of this protocol

This straightforward protocol has the features of:

If anyone were EVER to obtain access to a user's identity, the user can
securely cancel and replace their lost identity, making the stolen
identity useless and essentially taking back their lost identity.



Secure QR Login (SQRL) Documentation:

Jump to top of page
Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2016 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Jump to top of page

Last Edit: Aug 02, 2015 at 14:17 (746.79 days ago)Viewed 8 times per day