SQRL (short for "Secure Quick Reliable Login," pronounced "squirrel") is a user authentication system which uses asymmetric cryptography to authenticate users, thus eliminating the need for usernames and passwords. This system was designed by security researcher Steve Gibson, and is being developed for public release. It has already been released into the public domain.
When SQRL is configured and in use by a client and server, the process goes as follows.
- The website creates a unique session for the client connecting to it.
- The website generates a long string of random characters (known as a nonce) and provides it to the client.
- The client takes this string and encrypts it using its private key, then returns it to the server.
- The server decrypts the nonce using the client's public key, and verifies its validity.
- The server grants the client the rights attached to the now-known user.
Since the client should be the only one with the private key, and only the private key can encrypt text so that the client's public key can decrypt it, this process proves that the client's private key was used. The private key itself, however, is never disclosed to the server. Nonetheless, the server can be reasonably assured who a client is. Further, the server never needs to collect private information. There is no username or password to secure, since neither is needed.
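The steps above, as an added Go sketch that is not SQRL's own code or wire protocol: with Curve25519 keys, "encrypting the nonce with the private key" is an Ed25519 signature, and the server's "decrypt" step is signature verification. The `Server` type, the account name and the already-registered public key are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server is a hypothetical website. It holds the nonces it has issued and
// users' public keys; it never sees a private key or a password.
type Server struct {
	pending map[string]bool   // issued nonces not yet used
	users   map[string]string // raw public key bytes -> account (enrolment assumed)
}

// NewSession issues a fresh random nonce for one login attempt.
func (s *Server) NewSession() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.pending[string(nonce)] = true
	return nonce
}

// Login verifies the client's response and returns the account it proves.
func (s *Server) Login(pub ed25519.PublicKey, nonce, sig []byte) (string, bool) {
	if !s.pending[string(nonce)] {
		return "", false // never issued, or already used (replay)
	}
	delete(s.pending, string(nonce)) // one attempt per nonce
	user, known := s.users[string(pub)]
	if !known || !ed25519.Verify(pub, nonce, sig) {
		return "", false
	}
	return user, true
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // key pair stays on the client
	if err != nil {
		panic(err)
	}
	srv := &Server{pending: map[string]bool{}, users: map[string]string{string(pub): "alice"}}
	nonce := srv.NewSession()
	sig := ed25519.Sign(priv, nonce)        // only the signature is sent
	fmt.Println(srv.Login(pub, nonce, sig)) // accepted as alice
	fmt.Println(srv.Login(pub, nonce, sig)) // rejected: nonce already used
}
```

Deleting the nonce before verification means a captured response cannot be replayed, and a failed attempt cannot be retried against the same nonce.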
This entire process relies solely on the private key, so keeping that key secure is very important. SQRL uses "25519" elliptic curve cryptography to provide the user with what is believed to be at least the equivalent of a 2140 key strength.