Friday, October 11, 2019

Devices & SQRL

Part 1:  I had a great title for this week's presentation, "Devices for Dummies" but little to go on.  So this became a high-level overview of the devices that are taking over our lives from the useful to the sorta ridiculous.  (Who really needs to be texted from their toaster?)

Part 2:  On the other end of the spectrum is SQRL ... the Secure, Quick, Reliable Login system.  The problem it solves is one that bedevils us all the time: how can we prove we're who we say we are - to the police, to a bank, to Google, or to every *&%$ website that wants us to setup an account.

Technology caused this problem (plus an abundance of people) and technology can solve it - even in the face of a small percentage of people that want to steal your stuff, your money, your property, your 'identity' or even your vote.  The answer is called a Public Key Infrastructure (PKI) and understanding how PKI works is key to trusting it.

I talked about how this can be done with a secret number assigned to each person which *never* disclosed to *anyone*.  This concept is so important l'll repeat how it works here using the example of Alice wanting to get some money from her Bank.  (slides 41-43)  There's no math here, the actual math can get quite complicated.

How PKI works:
  • Setup:
    • Assume Alice has a secret number only she knows and the Bank has the corresponding public number.  
    • The two numbers, both "secret" and "public," are related so that which one encrypts, the other can decrypt.  (and vice versa)
    • Neither number can be derived from the other; i.e., knowing one does not tell you anything about the other.
  • The Bank has an account for a Alice, but has to confirm Alice is who she says she is before they give her the money
  • The Bank gives Alice a random string of characters
  • Alice encrypts the random string of characters with her secret number
  • Alice then gives the encrypted string back to the Bank
  • The Bank looks up Alice’s public number in their account records
  • The Bank decrypts the string with Alice’s public number
  • If the decrypted string matches the original random string of characters, Alice's identity is confirmed.
  • Why?  Because only Alice holds the right secret key that matches the public key.
Why this is really cool:
  • The secret number itself is never revealed, it’s only used to encrypt the random string of characters
  • There are *no* shared secrets to prove Alice’s identity and nothing to hide in transmission
  • No one listening in on the conversation between Alice and the Bank can learn anything that can compromise the process
This process is the basis for HTTPS - the system we use everyday to secure Internet communications.  The SQRL system extends this technology to usernames and passwords, eliminating the need for *either* usernames or passwords!  There are, of course, a bunch of "what if's" and special cases to account for, but it really is that simple.

In this presentation there is a simplified explanation of the SQRL system, slides 46-56.  For all possible details from how to get started to how the crypto really works, check out the very active SQRL user forums here:  https://sqrl.grc.com/