Daily Archives: 2013-10-04

Steve Gibson’s SQRL is not really new

With a loud buzz, Steve Gibson has finally announced a “comprehensive, easy-to-use, high security replacement for usernames, passwords, reminders, one-time-code authenticators … and everything else.”

Even his initial hints were quite over the top.

But what is this new SQRL really about? Basically, a website can display a QR code, which a user can scan with their mobile phone. The QR code contains a callback URL and a nonce. The user has some private information on their phone, and uses that to “sign” (in the broadest sense) the nonce. Then the signed nonce is sent to the callback URL, and the website can be sure that the user was in possession of a (potentially shared) secret.
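The exchange described above, sketched from both sides as an added example (not Gibson's or eKaay's code or wire format). It assumes a pre-registered shared secret with HMAC-SHA256 standing in for the “sign” step; the URL, the user name and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

CALLBACK = "https://login.example.test/auth"  # constructed placeholder


def sign(key, callback, nonce):
    # HMAC-SHA256 stands in for "sign in the broadest sense" (assumption)
    msg = (callback + "\n" + nonce).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Website:
    def __init__(self):
        self.user_keys = {}   # user -> shared secret, set at registration
        self.pending = set()  # nonces issued and not yet answered

    def register(self, user):
        self.user_keys[user] = secrets.token_bytes(32)
        return self.user_keys[user]

    def qr_payload(self):
        nonce = secrets.token_urlsafe(16)
        self.pending.add(nonce)
        return CALLBACK + "?" + urlencode({"nonce": nonce})

    def verify(self, user, nonce, tag):
        if nonce not in self.pending or user not in self.user_keys:
            return False
        self.pending.discard(nonce)  # each nonce is accepted at most once
        expected = sign(self.user_keys[user], CALLBACK, nonce)
        return hmac.compare_digest(expected, tag)


def phone_respond(key, qr_text):
    # Phone side: parse the scanned QR text and answer the challenge
    url = urlparse(qr_text)
    nonce = parse_qs(url.query)["nonce"][0]
    callback = f"{url.scheme}://{url.netloc}{url.path}"
    return callback, nonce, sign(key, callback, nonce)


def demo():
    site = Website()
    key = site.register("alice")
    _, nonce, tag = phone_respond(key, site.qr_payload())
    return site.verify("alice", nonce, tag), site.verify("alice", nonce, tag)
```

The first verification succeeds and the replay of the same response is rejected. Because the callback URL is part of the signed message, a response computed for any other callback does not verify at this site.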

This is a classic out-of-band authentication scheme. However, although Gibson celebrates this idea (and himself) as if it were the best invention since sliced bread, it really is not.

When I was still working at Tübingen University, a fellow research group worked on a solution similar to what Gibson proposed. Their implementation has been in production for quite a while at http://www.ekaay.com.

The “eKaay” implementation requires pre-registration, but it could fully emulate Gibson’s SQRL by using dynamic provisioning, which is a well-established approach in identity management.

As a side note, I find it quite astonishing that the GUI in Gibson’s demo / prototype looks exactly like the eKaay login screen…

But this is not where the prior art ends: Gibson announces that the component techniques and technologies employed by this solution are all well known, well tested, well understood, unencumbered by patents, and exist in the public domain. This is, however, not true! There are several patents protecting this technology, one of them granted to Pedro Celis De La Hoz and Juan Jesus Leon Cobos.

Note that there is a lot more IP and related patents in this area!

Hence, although Gibson generously donates his re-invention of the wheel to the public domain, his “SQRL” scheme is covered by existing patents, and is neither free to use nor generally available. Anyone who uses it should expect potential legal trouble.

I recommend doing extensive prior art research before making such announcements, which can get people who believe them into serious trouble.