词条 | SQRL |
释义 |
| name = SQRL | title = Secure, Quick, Reliable Login | logo = SQRL_icon_vector_outline.svg | logo caption = Official SQRL Logo | logo size = 128px | author = Steve Gibson | developer = | released = | discontinued = | latest release version = | latest release date = | latest preview version = | latest preview date = | status = Active | programming language = | operating system = Cross-platform | platform = | size = | language = Afrikaans, Arabic, Armenian, Belarusian, Bulgarian, Catalan, Chinese Simplified, Chinese Traditional, Croatian, Czech, Danish, Dutch, English, English, Canada, English, United Kingdom, Esperanto, Estonian, Finnish, French, French, Canada, French, Quebec, German, Greek, Hebrew, Hindi, Hungarian, Icelandic, Indonesian, Irish, Italian, Japanese, Korean, Latvian, Lithuanian, Malayalam, Norwegian Bokmal, Norwegian Nynorsk, Persian, Polish, Portuguese, Portuguese, Brazilian, Romanian, Russian, Serbian (Cyrillic), Slovak, Slovenian, Spanish, Swahili, Kenya, Swahili, Tanzania, Swedish, Tagalog, Thai, Turkish, Ukrainian, Vietnamese, Welsh[1] | language count = 56 | genre = secure website login and authentication | license = Public domain[2] | alexa = | website = https://www.grc.com/sqrl/sqrl.htm | standard = | AsOf = }} SQRL (pronounced "squirrel")[3] or Secure, Quick, Reliable Login (formerly Secure QR Login) is a draft open standard for secure website login and authentication. The software solution typically uses a link of the scheme sqrl:// or optionally a QR code, where a user identifies via a pseudonymous zero-knowledge proof rather than providing a user ID and password. This method is thought to be impervious to a brute force password attack or data breach. It shifts the burden of security away from the party requesting the authentication and closer to the operating system implementation of what is possible on the hardware, as well as to the user. SQRL was proposed by Steve Gibson of Gibson Research Corporation in October 2013 as a way to simplify the process of authentication without the risk of revelation of information about the transaction to a third party. MotivationThe protocol is an answer to a problem of identity fragmentation. It improves on protocols such as OAuth and OpenID by not requiring a third party to broker the transaction, and by not giving a server any secrets to protect, such as username and password. Additionally, it provides a standard that can be freely used to simplify the login processes available to password manager applications. More importantly the standard is open so no one company can benefit from owning the technology. According to Gibson's website,[4] such a robust technology should be in the public domain so the security and cryptography can be verified, and not deliberately restricted for commercial or other reasons. Example use caseFor the protocol to be used on a website, two components are necessary: an implementation, that is part of the Web service to which the implementation authenticates, which displays a QR code or specially crafted URL according to the specifications of the protocol, and a browser plugin or a mobile application, which can read this code in order to provide secure authentication. The SQRL client uses "one-way" functions and the user's single master password to decrypt a secret master key, from which it generates in combination with the site name (comprising the domain name and optionally an additional sub-site identifier: "example.com", "example.edu/chessclub") a (sub-)site-specific public/private key pair. It signs the transaction tokens with the private key and gives the public key to the site, so it can verify the encrypted data. There are no "shared secrets" which a compromise of the site could expose to allow attacks on accounts at other sites. The only thing a successful attacker could get, the public key, would be limited to verifying signatures that are only used at the same site. Even though the user unlocks the master key with a single password, it never leaves the SQRL client; the individual sites do not receive any information from the SQRL process that could be used at any other site. Phishing protectionsSQRL has some design-inherent and intentional phishing defenses,[5] but it is mainly intended to be for authentication, not anti-phishing, despite having some anti-phishing properties.[6] HistoryThe acronym SQRL was coined by Steve Gibson and the protocol drafted, discussed and analyzed in-depth, by himself and a community of Internet security enthusiasts on the news.grc.com newsgroups and during his weekly podcast, Security Now!, on October 2, 2013. Within two days of the airing of this podcast, both the W3C and Google expressed interest in working on the standard.[7] A thesis on SQRL analyzed and found that "it appears to be an interesting approach, both in terms of the envisioned user experience as well as the underlying cryptography. SQRL is mostly combining well established cryptography in a novel way."[8] A number of proof-of-concept implementations have been made for various platforms, including for the server (PHP,[9] Drupal,[10] C# .NET[11]) and for the client (Android,[12][13][14] C# .NET,[15] Java,[16] Python[17]). There are also various server-end test and debugging sites available.[18][19][20][21] Legal aspectsSteve Gibson states that SQRL is "open and free as it should be", and that the solution is "unencumbered by patents".[3] While SQRL brought a lot of attention to QR code based authentication mechanisms, the suggested protocol is said to have been patented earlier and is not generally available for royalty free use.[22] But Gibson says "What those guys are doing as described in that patent[23] is completely different from the way SQRL operates, so there would be no conflict between SQRL and their patent. Superficially, anything that uses a 2D code for authentication seems "similar"... and superficially all such solutions are. But the details matter, and the way SQRL operates is entirely different in the details."[24] See also{{div col|colwidth=30em}}
References1. ^{{cite web|title=SQRL Translations |url=https://crowdin.com/project/sqrl|website=crowdin.com |accessdate=16 July 2015}} 2. ^[https://www.grc.com/sqrl/sqrl.htm Secure Quick Reliable Login] on www.grc.com/sqrl "Open & free, as it should be: The component techniques and technologies employed by this solution are all well known, well tested, well understood, unencumbered by patents, and exist in the public domain. [...] With this publication of every detail, I hereby release and disclaim any and all proprietary rights to any new ideas developed and presented herein. This work is thereby added to the public domain." 3. ^1 {{cite web|url=https://www.grc.com/sqrl/sqrl.htm |title=SQRL / Gibson Research |work=grc.com |date= |accessdate=2014-05-12}} 4. ^{{Cite web|url=https://www.grc.com/sqrl/sqrl.htm|title=GRC's SQRL Secure Quick Reliable Login|website=www.grc.com|access-date=2016-06-02}} 5. ^{{cite web| url =http://vimeo.com/112444120| title =Revolutionizing Website Login and Authentication with SQRL| last1 =Gibson| first1 =Steve| date =| year =2014| editor =DigiCert Security Summit| publisher =Vimeo| issn =| accessdate =| quote = }} 6. ^{{cite web|url=https://www.grc.com/sqrl/phishing.htm |title=Details about phishing defenses and limitations |work=grc.com |date=2013-12-06 |accessdate=2013-12-06}} 7. ^{{cite web|url=https://www.grc.com/sn/sn-425.txt|title=Security Now! #425 SQRL Q&A #176 (Transcript)|date=2013-10-09 |accessdate=2013-10-16}} 8. ^{{cite web|url=https://www.sec.in.tum.de/finished-work/publication/318|archive-url=https://web.archive.org/web/20150402182457/https://www.sec.in.tum.de/finished-work/publication/318|dead-url=yes|archive-date=2015-04-02|title=Security Analysis and Implementation of the SQRL Authentication Scheme|accessdate=2015-03-18}} 9. ^https://github.com/trianglman/sqrl 10. ^https://www.drupal.org/project/sqrl 11. ^https://github.com/jestin/SqrlNet 12. ^https://github.com/geir54/android-sqrl 13. ^{{cite web |url=https://www.paulstechtalk.com/2014/12/sqrl-implementations-on-android-and-it-works/ |title=Archived copy |accessdate=2015-03-17 |deadurl=yes |archiveurl=https://web.archive.org/web/20150402132412/https://www.paulstechtalk.com/2014/12/sqrl-implementations-on-android-and-it-works/ |archivedate=2015-04-02 |df= }} 14. ^https://play.google.com/store/apps/details?id=net.vrallev.android.sqrl 15. ^https://github.com/jestin/SqrlNet 16. ^https://github.com/TheBigS/SQRL{{dead link|date=April 2018 |bot=InternetArchiveBot |fix-attempted=yes }} 17. ^https://github.com/bushxnyc/sqrl 18. ^https://www.grc.com/sqrl/demo.htm 19. ^https://www.grc.com/sqrl/diag.htm 20. ^https://sqrl-test.paragon-es.de {{webarchive|url=https://web.archive.org/web/20150402131033/https://sqrl-test.paragon-es.de/ |date=2015-04-02 }} 21. ^http://sw.squaltech.com:8080 {{webarchive|url=https://web.archive.org/web/20150316131413/http://sw.squaltech.com:8080/ |date=2015-03-16 }} 22. ^{{cite web|url=http://www.michael.beiter.org/2013/10/04/steve-gibsons-sqrl-is-not-really-new/ |title=SQRL is not really new |publisher=Mike Beiter |date=October 4, 2013 |accessdate=2014-05-12}} 23. ^[https://www.google.com/patents/US20100070759 Method and system for authenticating a user by means of a mobile device US 20100070759 A1] 24. ^{{cite web|title=Secure Quick Reliable Login|url=https://www.grc.com/sqrl/other.htm|website=grc.com|accessdate=22 September 2015}} External links
6 : Access control software|Password authentication|Authentication methods|Barcodes|Upcoming software|Public-domain software with source code |
随便看 |
|
开放百科全书收录14589846条英语、德语、日语等多语种百科知识,基本涵盖了大多数领域的百科知识,是一部内容自由、开放的电子版国际百科全书。