Secure Quick Reliable Login | ||
A highly secure, comprehensive, easy-to-use replacement for usernames, passwords, reminders, one-time-code authenticators . . . and everything else. |
Also, since the SQRL system is based upon an asymmetric authenticated-client model employing one-way signatures, where only the client signs its queries, the server's data is protected by having the client always return and sign everything received from the server and having the server verify that what it received back from the client is identical to what it sent. One consequence of this, as we'll see, is that the server often provides some material to the client before it is required so that it may be retained by the client for possible later use, and meanwhile returned to the server for verification (of no tampering) under the client's signature.
Server → to → Client | SQRL authentication is initiated when a SQRL client receives a SQRL URL that was previously (and usually recently) generated by a SQRL-aware web server. This URL might be received by the client optically as a QR code, or provided to the SQRL client by the operating system. Through this mechanism: The SERVER provides a unique, opaque session-identifying token and the server's “friendly name”: The Server provides the Client with a unique URL containing a cryptographically strong opaque token and a short “friendly name” (such as “Amazon” or “GRC”) by which the user knows the authenticating website. One way or another, the subsequent return of the token must allow the server to determine the IP address (or a hash of the IP address in the case of IPv6 IPs) which originally requested the login page (to which a pending login session would be associated). It should also include a timestamp to detect the URL's age, and randomizing information to guarantee the nut's uniqueness and unpredictability. For further discussion of the composition of the server's “nut” see the Web Server Behavior page. The “friendly name” allows the client to immediately present the name of the authenticating site to the user as a mitigation against server/site spoofing attacks. The user should only proceed if they are authenticating to the site they expect. |
The SQRL client, having received a unique token from the server through the SQRL link URL, initiates its first interaction with the web server. This identifies its user and allows it to obtain the user's stored data and web server features:
Client → to → Server | The CLIENT returns the token & asserts its user's identity: Upon receiving the SQRL link URL—either through a same-device operating system hand off or a cross-device optical QR code scan—The client initiates an HTTPS connection to the indicated IP and port, and issues a POST query of the provided URL. The POST body issues the query command (cmd=query) and provides the user's current IDentity Key (cIDK) and current IDentity Signature (cIDS). Also, if the user's SQRL identity is also carrying one or more previous identities, the most recent previous IDentity Key (pIDK) and previous IDentity Signature (pIDS) will also be included. | |
Server → to → Client | The SERVER returns the user's account information and status:
|
The initial query command might be followed by additional query or non-query commands, as needed. Since each server reply provides a query path for a subsequent query, and a unique nut value to guarantee uniqueness for the client's signing of its query, this supports a chain of client queries and server replies, as needed and driven by the SQRL client.
For example, if a user's SQRL identity is carrying more than one previous identity key (identities may carry up to four previous identity keys) and the server indicates that it does not recognize the user by either their current or their most recent identity keys, the SQRL client should re-issue a query using the current and next most recent identity key to see whether the server may recognize the user by that older previous identity key. And this re-querying should continue until all available previous identities have been tried.
The initial client/server query command interaction(s) can be viewed as the client identifying itself (perhaps more than once) for the purpose of querying the website's SQRL database to obtain its user's relevant status, plus information required for the SQRL client to navigate additional interactions:
Login NEVER occurs without affirmative confirmation from the user. So this first data gathering interaction always results in a display explaining what has been learned, and requires some action by the user.
The top of every action-requiring dialog will display the website's “friendly display name” such as “Amazon”, “Yahoo”, “Google”, etc. If an attacker were to somehow intercept and change the website's simple display name in the web server's reply, this change would be detected with the user's next query, so no damage could be done.
As detailed in the description of SQRL's Secure Storage System, a user's SQRL client retains up to four previous identity keys which it carries at all times. Whenever a SQRL client negotiates its user's identity with a server which still recognizes this user by one of its previous identity keys, the server will be silently updated to recognize the user by their current identity key. Since rekeying an identity will normally be an emergency measure only, and is never expected during the normal course of SQRL's use, this “identity ratchet” automatically and transparently keeps websites synchronized to the their SQRL users' curent identities.
The SQRL system design methodology locates most of the heavy lifting complexity in the SQRL client. This fits the inherent many-to-one relationship with “many” website implementations being used by relatively fewer SQRL clients. We minimize website complexity where possible.
The SQRL client “knows” whether it's performing a same- or cross-device login. It knows whether it is has been loaded with a new master identity key and/or a new identity unlock key and may thus be in the process of retiring the previous identity or unlock key(s), enabling or entirely deleting a disabled identity. From the server it knows whether the server has identified the user by either the current or a previous key (if any), or neither, and it's able to determine whether the current or a previous identity unlock key is required. In other words, it's able to determine whether any key changes are possible (if previous keys are loaded) and whether the server is already using the current key(s) or still aware of a previous key.
The client gathers everything it knows, coupled with the results of the server's reply, which provides everything the server knows, then prompts its user for any additional required information or options to proceed based upon the specific circumstances:
Case: | Unexpected IP address mismatch and the client has not been overridden to prevent alerting its user in this situation. Some SQRL clients, such as GRC's Windows' client, would never expect to see the SQRL server report an IP mismatch between the IP embedded in the SQRL QR code and the client's connection IP. So such a mismatch should, and would, prevent any further authentication. But a mobile device's client would expect to encounter an IP mismatch if it was performing an optical QR code cross-device authentication and connecting with the SQRL server over its cellular connection. For this reason, SQRL servers simply report the IP match or mismatch and individual clients determine whether it should be a showstopper based upon the details of the authentication. The client will explain the specific situation with its user. The user will be advised to carefully reexamine their web browser's URL and to possibly restart their login by manually reentering the site's domain name in the web browser they're logging in to. |
Case: | The user is unknown to the server. (Neither the user's provided identity key, nor any of the up-to-four previous identity keys, if present, are known to the web server.) As GRC's SQRL demo demonstrates, the server will reply that the user is unknown to the user and will offer to create a new account. If the user already has an account they would decline the creation of a new account and instead login without SQRL then associate their existing account with SQRL. The lesson here is that SQRL is simply the identity authenticating agency. All account creation, association, and whatever other housekeeping should be performed on the server side. |
Case: | The user was identified by their previous ID key (pIDK). The user is migrating between identities, and this site still has one of the old (previous) identities. Since the SQRL client carries up to four previous identity unlock keys (pIUK) it is able to successively “query” the server with the user's current identity and one of its previous identities, in turn, until the proper pervious identity matches the one the server has. At that point, since both the correct previous and the new current identity will be available, the server will automatically and silently update the user's identity records. |
Case: | The user was identified by their current ID key (IDK) This is the most common operating circumstance. The website's provided “Server Friendly Name” (SFN) will be shown to the user for verification when the user authenticates themselves to their SQRL client. Then the web page will be updated to display their logged-in status. |
Case: | The user wishes to disable their SQRL authentication rights for a site. A user who fears that their SQRL identity may have become compromised, can unilaterally rescind their own SQRL authentication rights as long as they are known to the site. The dialog that acknowledges that the user has been identified will contain an “Other Actions” button to take the user to a dialog allowing them to unilaterally rescind their SQRL identity's own authentication rights. |
Case: | The user is identified, but their SQRL authentication is currently disabled. In this instance the SQRL client notifies its user that SQRL authentication for this website was previously disabled. Since SQRL clients are permitted to carry the user's identity unlock key (IUK) in RAM while exercising extreme precautions and continually reprompting the user about whether they are finished with it so that it can be removed from memory, if the IUK is current available in RAM the client will simply verify that the user does wish to reenable their SQRL access to this website. If the user's decrypted IUK is not currently being held in RAM, the client will prompt them to supply their identity's RescueCode (in order to decrypt their IUK for use) if they wish to reenable SQRL authentication for this website and proceed. |
Case: | The user has rekeyed their identity and wishes to update websites with knowledge of their new keying. SQRL website server identity key updating is autonomous and transparent to the user. It occurs automatically as a result of one or more the client's initial 'query' commands. Therefore, users merely need to encounter the site and cause the local password authentication dialog to be presented in order to have the site updates with their current identity keying. |
Case: | A user wishes to permanently delete all SQRL identity association from a site. A user may permanently remove their SQRL identity association from a site when their identity unlock key (IUK) is loaded into the client and accepted by the site. If their IUK is not currently loaded the user will be prompted for their identity's RescueCode. |
Initiating a chain of client queries:
A SQRL identity assertion and authentication interchange requires one or more client queries. It is typically initiated when the SQRL client presents its user with the web domain requesting the user's identity and challenges its user to prove their identity to the client through a passphrase, passhint, biometric, or other verification. The details of the client and server interaction is detailed below.
Sending back what the server sent to the client:
All client queries to the web server echo back to the server, under the client's signature(s), either the original SQRL link URL, or the previous reply data that was most recently received by the client. This allows the web server to verify that the client “saw” the same data that the server sent, thus detecting any possible in-flight round-trip tampering.
The value of the client's “server=” name=value pair, contains this data, exactly as received from the server.
The “client=” value:
The query's “client=” parameter contains a base64url encoded list of name=value pairs, one per line, with each line terminated by a CRLF character pair. The client assembles a list of the following name=value pairs to return data to the web server, to specify one or more command actions it is requesting from the server, and to provide any cryptographic keying material required to authorize the requested actions and/or authenticate its user's identity:
query | All SQRL transactions must begin with one or more 'query' queries. 'Query' queries allow the SQRL client to determine whether and how its user is known to the SQRL server, whether SQRL's use is currently enabled for the site, and whether the user's query IP matches the IP which was associated with the original SQRL URL.(See the TIF flag bits below for more detail.) SQRL queries can only provide, at most, identity assertions for the user's current and one previous identity. If more than one previous identity key is known to the client (GRC's reference client retains up to four and this should be a minimum) then successive query queries are used iteratively, most recent previous identity to oldest, to determine which, if any, of the identity keys carried by the client are known to the server. | |
ident | An ident query will usually follow one or more query queries. Whereas the query queries allow the client to obtain information from the server, the ident query requests the web server to accept the user's identity assertion as it is provided by this signed query. When a SQRL client is being used to authenticate to a website there is usually no user-interface action from the client after a successful ident transaction. The client's dialogs will close and the website will update to show that the user has been authenticated. | |
disable | A disable query instructs the web server to immediately disable the SQRL system's authentication privilege for this domain. This might be requested if the user had reason to believe that their current SQRL identity key had been compromised. It is primarily intended to be used as a short-term emergency stop-gap measure to protect important accounts until a new identity key can be created and set into the server. The disable and enable operations are not symmetrical: An identified user may request to have their authentication disabled, but subsequently re-enabling authentication requires the identity's privileged unlock (RescueCode) credentials, which no attacker could obtain from the client because identity unlock credentials are never stored in the client. | |
enable | An enable query is the reverse of the ‘disable’ query. It re-enables SQRL system identity authentication for the user's account. Unlike ‘disable’, however, ‘enable’ requires the additional authorization provided by the account's current unlock request signature (urs). The server will always return the user's stored server unlock key (suk) whenever it is replying to a disabled account (TIF bit 0x08) so that the client will be able to generate the unlock request signature (urs) to authorize this privileged operation. | |
remove | This remove query instructs the web server to immediately remove all trace of this SQRL identity from the server. For example, this process would allow an account to be disassociated from one SQRL identity and subsequently reassociated with another. This differs from the user's identity being rekeyed, since “remove” allows a change to an unassociated identity. As with the enable command above, it must be authorized by the inclusion of the user's SQRL identity's unlock request signature (urs). In order to induce the server to provide the suk, the client must first disable the account in a separate operation, then use the provided suk to generate the urs signature. Since the associated account might not have an alternative (non-SQRL) method of subsequently authenticating a user (e.g. no other login means) the web server should leave the current account logged-in so that a replacement SQRL identity can be associated, and it should also advise the user of the need to immediately add a new SQRL identity if they wish to retain access to their account. |
noiptest |
By default, SQRL servers fail any incoming SQRL query whose IP does not match the IP encoded into the query's nut. This detects and prevents one of the easiest to exploit attacks on SQRL. However, some cross-device uses of SQRL, where the SQRL client is expected to have a different IP than the nut, such as with a mobile client using cellular bandwidth, will need to override and disable this default server same-IP verification. The presence of this 'noiptest' option instructs the server to ignore any IP mismatch and to proceed to process the client's query even if the IPs do not match. If the 'noiptest' option is not present and the IPs do not match, the server will reply with a TIF value of exactly 0x40 to indicate that the command failed. The 0x04 "IPs matched" bit will also be off, as is appropriate, but no other TIF bits have meaning in this case. If the 'noiptest' option is present, the server will be instructed to proceed with the client's query, and the 0x04 "IPs matched" TIF bit will reflect whether the IPs did or did not match. | |
sqrlonly | When present, this option requests the web server to set a flag on this user's account to disable any alternative non-SQRL authentication capability, such as weaker traditional username and password authentication. Server support for this feature is optional but strongly encouraged. A server which supports this option must retain a memory of the most recent presence (or non-presence) of this option as presented during the most recent successful non-“query” command query. Users who have become confident of their use of SQRL may ask their client to include this optional request. The web server should only assume this intention if the option is present in any successful non-query transaction. Its absence from any successful non-query transaction should immediately reset the flag and the prohibition in the web server. The web server may, at its option, notice when any change has occurred and explicitly ask the user to affirm their changed intention. Additionally, since the 'sqrlonly' and 'hardlock' protections only make sense when a SQRL identity is present, SQRL clients should never send options these with the 'remove' [identity] command. SQRL servers should also ignore any residual effects of those options after a user's account has had SQRL removed. | |
hardlock | When present, this option requests the web server to set a flag on this user's account to disable any alternative “out of band” change to this user's SQRL identity, such as traditional and weak “what as your favorite pet's name” non-SQRL identity authentication. Server support for this feature is optional but strongly encouraged. A server which supports this option must retain a memory of the most recent presence (or non-presence) of this option as presented during the most recent successful non-“query” command query. Users who have become confident of their use of SQRL may ask their client to include this optional request. The web server should only assume this intention if the option is present in any successful non-query transaction. Its absence from any successful non-query transaction should immediately reset the flag and the prohibition in the web server. The web server may, at its option, notice when any change has occurred and explicitly ask the user to affirm their changed intention. Additionally, since the 'sqrlonly' and 'hardlock' protections only make sense when a SQRL identity is present, SQRL clients should never send options these with the 'remove' [identity] command. SQRL servers should also ignore any residual effects of those options after a user's account has had SQRL removed. | |
cps | “cps” is the abbreviation for Client Provided Session. The presence of this flag informs the server that the client has established a secure and private means of returning a server-supplied logged-in session URL to the web browser after successful authentication. When the 'cps' option is provided by the client to a successful “ident” query, and the server supports cps-mode login, the server will return a 'url=' parameter which the SQRL client then forwards to the web browser. When the server returns the 'url=' parameter to the client, thus confirming its support for 'cps', it must also completely abandon the pending login of the browser session associated with the SQRL query. The use and enforcement of this 'cps' process is strongly encouraged for all SQRL servers because it robustly thwarts website spoofing, man-in-the-middle attacks, and abuse of SQRL authentication by returning the authenticated URL directly to the user's browser via the SQRL client. In the non-cps case, where this flag is NOT present or (even if present) the server does not support cps-mode login, the web server will instead arrange to refresh the web browser's page or redirect the web browser to an authenticated (typically, logged-on) page. As noted above, when the client indicates that cps-mode is available, the server is strongly encouraged to abandon the pending web session and instead provide the authenticated page URL in a “url={url}” response parameter for the “ident” command query. | |
suk | “suk” is the abbreviation for Server Unlock Key. The presence of this flag instructs the SQRL server to return the stored server unlock key (SUK) associated with whichever identity matches the identity supplied by the SQRL client. The SQRL specification requires the SQRL server to automatically return the account's matching SUK whenever it is able to anticipate that the client is likely to require it, such as when the server contains a previous identity key, or when the account is disabled. However, there are instances where the client may know that it is going to need the stored SUK from the server, such as when it wishes to remove a non-disabled account. The client could first disable the account to induce the server to return the SUK, but it's simpler for the client to request the SUK from the server whenever it wants it. It's also conceivable that future extensions of this specification will incorporate other instances where the server's stored SUK is required for RescueCode based authentication. |
All client queries sent to the web server are signed using private keys matching one or more of the public keys included in the “client=” name=value list. The data to be signed are the two base64url encoded values of the “client=” and “server=” parameters with the “server=” value concatenated to the end of the “client=” value. Each of the signatures below, generated as a binary token, must also be base64url encoded before being appended to their respective “name=” parameter.
A remote web server provides data to a SQRL client through two different channels: Initially encoded in the SQRL URL which provides the required “nut=” and “sfn=”, and an optional “x=” domain extension specifier.
The second channel for web server data is in the HTTP response bodies of SQRL client queries. Any of the parameters shown may be used, as required, in the server's replies to client queries.
Parameters are named with a simple name=value syntax. When appearing in a URL query tale, the name=value pairs must be URL-safe and ampersand-separated following standard HTTP GET query syntax. When returned by a web server in response to a client's query, the name=value pairs occupy the body of the reply, appearing one per line with each pair (including the last one) terminated by a CRLF character pair. To enhance the clarity of the descriptions below, the equals signs have been set off with spaces, but spaces are never used in the SQRL protocol:
0x01 | (Current) ID match: When set, this bit indicates that the web server has found an identity association for the user based upon the default (current) identity credentials supplied by the client: the IDentity Key (idk) and the IDentity Signature (ids). | |
0x02 | Previous ID match: When set, this bit indicates that the web server has found an identity association for the user based upon the previous identity credentials supplied by the client in the previous IDentity Key (pidk) and the previous IDentity Signature (pids). Note: When neither of the ID match bits are set, none of the identity credentials supplied by the client are known to the web server. | |
0x04 | IPs matched: When set, this bit indicates that the IP address of the entity which requested the initial logon web page containing the SQRL link URL (and probably encoded into the SQRL link URL's “nut”) is the same IP address from which the SQRL client's query was received for this reply. Note that the server must retain the IP embedded in, or associated with, the original SQRL URL, not any subsequent query, and compare the current query IP against that original IP. | |
0x08 | SQRL disabled: When set, this bit indicates that SQRL authentication for this identity has previously been disabled. While this bit is set, the “ident” command and any attempt at authentication will fail. This bit can only be reset, and the identity re-enabled for authentication, by the client issuing an “enable” command signed by the unlock request signature (urs) for the identity known to the server. Since this signature requires the presence of the identity's RescueCode, only SQRL's strongest identity authentication is permitted to re-enable a disabled identity. | |
0x10 | Function(s) not supported: This bit indicates that the client requested one or more SQRL functions (through command verbs) that the server does not currently support. The client will likely need to advise its user that whatever they were trying to do is not possible at the target website. The SQRL server will fail this query, thus also setting the “40h” Command Failed bit. | |
0x20 | Transient error: The server replies with this bit set to indicate that the client's signature(s) are correct, but something about the client's query prevented the command from completing. This is the server's way of instructing the client to retry and reissue the immediately previous command using the fresh ‘nut=’ crypto material and ‘qry=’ url the server will have also just returned in its reply. Although we don't want to overly restrict the specification of this error, the trouble is almost certainly static, expired, or previously used nut= or qry= data. Thus, reissuing the previous command under the newly supplied server parameters would be expected to succeed. The “0x40” “Command failed” bit (shown next) will also be set since the client's command will not have been processed. | |
0x40 | Command failed: When set, this bit indicates that the web server has encountered a problem fully processing the client's query. In any such case, no change will be made to the user's account status. All SQRL server-side actions are atomic. This means that either everything succeeds or nothing is changed. This is important since clients can request multiple updates and changes at once. If this bit is set without the 80h bit set (see below) the trouble was not with the client's provided data, protocol, etc. but with some other aspect of completing the client's request. With the exception of the following “Client failure” status bit, the SQRL semantics do not attempt to enumerate every conceivable web server failure reason. The web server is free to use its “ask” feature to explain the problem to the client's user. If this bit is set with both of the ID match bits (0x01 & 0x02) reset, the trouble may be that none of the identities provided to the server are known to it. So the SQRL client should first retry the command, successively offering every previous identity that it might have before giving up. Furthermore, to prevent probing of a user's account status, other than the ID match bits, none of the other TIF bits other than the 0x80 Client failure bit should be considered valid when the 0x40 Command failed bit is returned. | |
0x80 | Client failure: This bit is set by the server when some aspect of the client's submitted query ‑ other than expired but otherwise valid transaction state information ‑ was incorrect and prevented the server from understanding and/or completing the requested action. This could be the result of a communications error, a mistake in the client's SQRL protocol, a signature that doesn't verify, or required signatures for the requested actions which are not present. And more specifically, this is NOT an error that the server knows would likely be fixed by having the client silently reissue it previous command using updated entropy . . . although that might still be the first recourse for the client. Since any such client failure will also result in a failure of the command, the 40h bit will also be set. | |
0x100 | Bad ID Association: This bit is set by the server when a SQRL identity which may be associated with the query nut does not match the SQRL ID used to submit the query. If the server is maintaining session state, such as a logged on session, it may generate SQRL query nuts associated with that logged-on session's SQRL identity. If it then receives a SQRL query using that nut, but issued with a different SQRL identity, it should fail the command (setting both the 0x40 and 0x80 bits) and also return this 0x100 error bit so that the client may inform its user that the wrong SQRL identity was used with a nut that was already associated with a different identity. |
• server= | the base64url encoding of the server's initial SQRL URL or its subsequent response. |
• client= | the base64url encoding of a name=value list consisting of the following required and optional parameters: |
Required: | |
• ver= | the highest SQRL protocol version supported by the client. |
• cmd= | one command token specifying this query's command. |
Optional: | |
• opt= | a tilde-separated list of command-modifier options. |
• btn= | a single decimal digit indicating the user's reply to a server's "ask" parameter. |
• idk= | the (required) ECC public key corresponding to the user's current identity. |
• pidk= | the (optional) ECC public key corresponding to (one of) the user's previous identity(s). |
• ins= | the (conditional) indexed secret produced upon request of the server. |
• pins= | the (conditional) previous indexed secret produced upon request of the server. |
• suk= | the server unlock key corresponding to the user's current identity. |
• vuk= | the verify unlock key corresponding to the user's current identity. |
• ids= | the current identity signature of all preceding non-signature data. |
• pids= | the previous identity signature of all preceding non-signature data. |
• urs= | the signature used to validate a RescueCode authentication. |
• ver= | must appear first to establish the format of all that follows. |
• nut= | a nonce to guarantee the uniqueness of every server reply. |
• tif= | the status condition code results of the client's query. |
• qry= | the URL /path to be used for the client's next query, if any. |
• url= | the URL /path to be used only upon successful (CPS) authentication. |
• can= | the URL /path used to redirect the browser upon user cancellation. |
• sin= | sent by the server to request the client's matching indexed secrets. |
• suk= | returned whenever the client may have a need to generate an Unlock Request Signature (URS) for highest-privilege operations. |
• ask= | optionally returned in ‘query’ replies when the server wishes to prompt the user. |
Gibson Research Corporation is owned and operated by Steve Gibson. The contents of this page are Copyright (c) 2024 Gibson Research Corporation. SpinRite, ShieldsUP, NanoProbe, and any other indicated trademarks are registered trademarks of Gibson Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy. |
Last Edit: Aug 21, 2018 at 18:30 (2,241.44 days ago) | Viewed 1 times per day |