
Let's test out SQRL on Android. Site Passwords are now obsolete


7 replies to this topic

#1 +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 16 July 2014 - 02:31

So did everyone like my catchy link bait thread title?  Personally I think if this catches on passwords really will be obsolete.

 

So about 6 months ago or maybe more, Steve Gibson started a quest to create a new form of authentication. Something that does away with user names and passwords.

 

He chose QR Codes, but get the notion out of your head that all you will be doing is taking pictures of QR codes with your phone. It's not that at all. In fact just tapping a QR code with your finger does the trick!

 

You can read all about it in my previous thread.

 

http://www.neowin.ne...-and-passwords/

 

I'm creating a new thread because now we have something we can test.

SQRL

https://play.google....roid.sqrl&hl=en

 


 

 

Steve Gibson mentioned this on Security Now. He's been in communication with this person and this person has made an Android client based off Steve Gibson's spec. Gibson is working on the Windows client.

 

Steve: Okay. So there was a tweet this morning that I got a kick out of because this is the beginning. Someone named "bothyhead," B-O-T-H-Y-H-E-A-D, and he's just @bothyhead, at 4:38 a.m. this morning via Plume for Android, tweeted: "@SGgrc I've just been playing with Ralf's SQRL client and his test site. I so hope this takes off. It's amazing. The world owes you one." So what this says is, obviously, SQRL is running. And it is the case that there are going to be endless squirrel jokes, I'm sure.

FR. ROBERT: Either SQRL is running, or this individual needs a little bit of help, it's one or the other.

Steve: I mentioned Ralf a couple weeks ago when I was talking about the AES-GCM cipher protocol and how it was actually in my interactions with Ralf, who is a German student who is doing his master's thesis on SQRL, and also implementing an Android client and a test server. He was concerned about the intellectual property rights of OCB, which is the cipher suite I was going to use, the authenticated encrypted cipher suite. And he raised some good points. I changed the spec and wrote, spent a week writing in Portable C an implementation of AES-GCM so that all SQRL implementations would be able to have one that was free, public domain, and completely unrestricted, since I wasn't able to find one otherwise on the Internet.

He's got his client up and running. A whole bunch of people over in the GRC newsgroup, the SQRL newsgroup, have it up and running and have been sending him feedback, like with what version of Android and what platform and what tablet and so forth. So it's beginning to happen. So it's all I've been working on. I'm working on the reference Windows client and working as hard as I can to get to the protocol portion because I just want to ratify the protocol, which is at this point still pro forma until I have a chance to nail it down. But it is the case that the SQRL system works, and it's working. So just a nice little bit of good news.

 

 

Installed this on my Android device and it worked just as I hoped. I really hope this gets widely adopted.

 

So anyone who uses Android, go play with it and report back. At the moment all you can do is log into his test server and create an account. But that should be enough to give you a sense of how that works. More information on how this works can be found from my previous thread I posted above. Now imagine logging into Neowin with SQRL.




#2 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 18 July 2014 - 18:25

So has anyone had a chance to test this out... besides me?



#3 +theblazingangel

theblazingangel

    Software Engineer

  • Tech Issues Solved: 6
  • Joined: 25-March 04
  • Location: England, UK

Posted 18 July 2014 - 18:36

I'm too busy, I still haven't found the time to even read properly how it works. I'll get around to it eventually.



#4 Enron

Enron

    Windows for Workgroups

  • Tech Issues Solved: 1
  • Joined: 30-May 11
  • OS: Windows 8.1 U1
  • Phone: Nokia Lumia 900

Posted 18 July 2014 - 18:39

I heard this method was cracked rather quickly by the Russians.



#5 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 18 July 2014 - 18:40

I heard this method was cracked rather quickly by the Russians.

 

Source?



#6 -Razorfold

-Razorfold

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 16-March 06
  • OS: Windows 8
  • Phone: Nokia Lumia 900 / Oneplus One

Posted 18 July 2014 - 18:43

Steve Gibson

And that's where I stopped reading.

#7 Circaflex

Circaflex

    Neowinian Senior

  • Tech Issues Solved: 2
  • Joined: 18-August 02
  • Location: California
  • OS: 8 x64, 7 x64, Mountain Lion, Ubuntu
  • Phone: shamu

Posted 18 July 2014 - 18:47

Well first of all, Gibson did not create this. He did not invent SQRL, he gave it a name. The protocol has been around for years and is protected by several patents (http://www.michael.b...not-really-new/). Gibson keeps telling everyone that "his idea" is free to use for everyone. The problem is that it is NOT his idea, and that the individuals and organizations holding the patents will sue everyone who is using the protocol without paying royalties. Budman even pointed this out in your original thread.



#8 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 18 July 2014 - 18:53

Well first of all, Gibson did not create this. He did not invent SQRL, he gave it a name. The protocol has been around for years and is protected by several patents (http://www.michael.b...not-really-new/). Gibson keeps telling everyone that "his idea" is free to use for everyone. The problem is that it is NOT his idea, and that the individuals and organizations holding the patents will sue everyone who is using the protocol without paying royalties. Budman even pointed this out in your original thread.

 

Steve: They've got pilot projects and things. And in fact they did play with QR code login briefly. A couple years ago, for like about a month, there was something where you could - that you could - they would present you with a QR code. You could snap it, and the login sort of jumped over to your phone. It took it away from the website over to your phone. And it's funny, too, because there have been - I've been flooded with people saying, oh, Gibson, this has been done before. And then they'll send me a link to something which has a QR code, but that's the only thing it bears in common. So I also have...

Leo: This is unique, as far as I can tell. There's nothing like this, yeah.

Steve: I do have a page of all of that other stuff that people are finding, just so it has a place to live, so I can say, yeah, we've seen all of that, and none of it is the same. There's even been some people saying, like showing me patents. And if you look at the diagram on the patent, it's got 26 different things all pointing at each other. And it's like, okay, look at my picture, and look at their picture. There's just no comparison.