Part 2: On the other end of the spectrum is SQRL ... the Secure, Quick, Reliable Login system. The problem it solves is one that bedevils us all the time: how can we prove we're who we say we are - to the police, to a bank, to Google, or to every *&%$ website that wants us to setup an account.
Technology caused this problem (plus an abundance of people) and technology can solve it - even in the face of a small percentage of people that want to steal your stuff, your money, your property, your 'identity' or even your vote. The answer is called a Public Key Infrastructure (PKI) and understanding how PKI works is key to trusting it.
I talked about how this can be done with a secret number assigned to each person which *never* disclosed to *anyone*. This concept is so important l'll repeat how it works here using the example of Alice wanting to get some money from her Bank. (slides 41-43) There's no math here, the actual math can get quite complicated.
How PKI works:
- Assume Alice has a secret number only she knows and the Bank has the corresponding public number.
- The two numbers, both "secret" and "public," are related so that which one encrypts, the other can decrypt. (and vice versa)
- Neither number can be derived from the other; i.e., knowing one does not tell you anything about the other.
- The Bank has an account for a Alice, but has to confirm Alice is who she says she is before they give her the money
- The Bank gives Alice a random string of characters
- Alice encrypts the random string of characters with her secret number
- Alice then gives the encrypted string back to the Bank
- The Bank looks up Alice’s public number in their account records
- The Bank decrypts the string with Alice’s public number
- If the decrypted string matches the original random string of characters, Alice's identity is confirmed.
- Why? Because only Alice holds the right secret key that matches the public key.
- The secret number itself is never revealed, it’s only used to encrypt the random string of characters
- There are *no* shared secrets to prove Alice’s identity and nothing to hide in transmission
- No one listening in on the conversation between Alice and the Bank can learn anything that can compromise the process
This process is the basis for HTTPS - the system we use everyday to secure Internet communications. The SQRL system extends this technology to usernames and passwords, eliminating the need for *either* usernames or passwords! There are, of course, a bunch of "what if's" and special cases to account for, but it really is that simple.
In this presentation there is a simplified explanation of the SQRL system, slides 46-56. For all possible details from how to get started to how the crypto really works, check out the very active SQRL user forums here: https://sqrl.grc.com/