Alternate ID name?


Status
Not open for further replies.

shanedk

Well-known member
May 20, 2018
408
107
Steve ended up delimiting it with an ASCII 0. So now it's:
Code:
domain + ext + 0x00 + AltID
 

Steve

Administrator
Staff member
May 6, 2018
1,011
304
www.grc.com
The newsgroups DO definitely have details of the minimal-but-sufficient redesign of the Alt-ID handling. Rather than rehash it here, please head over there. I'm REALLY going to try to keep the forums for user and user-to-developer content with the newsgroups for developer R&D stuff. (Though I do often break my own rule!)
 

Rippledj

Active member
Jun 12, 2019
38
0
Hello, I'm just catching up with the SQRL spec and wanted to ask about the newsgroup thread posted above (http://www.GRC.com/groups/sqrl:22227). But here is my understanding of why this is not really a problem.

QUOTE FROM POST:​
Thus the same key is generated for example.co with alt-id m as for
example.com without alt-id.
However, because there is a per-site private key, the resulting HMAC hash for example.com (no ALT_ID) will be different than the HMAC for example.com (with ALT_ID = 'm') because the per-site key will also be keyed into the hash of the URI or URI + ALT_ID. Also, SQRL will know the URI before the ALT_ID is appended to the URI so it will not issue a POST request to the wrong URI.

Can someone please let me know if I understand this properly? I am just getting into the spec and so just want to check that my understanding of this issue is correct.
 

Vela Nanashi

Well-known member
May 19, 2018
706
121
The alt id is combined with the domain name to form the site specific key through the hmac (after being combined) so before the fix was applied (separating alt id and domain with 0x00) example.co with alt id m and example.com with no alt id did produce the same key. But to repeat that is fixed now.
 

Rippledj

Active member
Jun 12, 2019
38
0
The alt id is combined with the domain name to form the site specific key through the hmac (after being combined) so before the fix was applied (separating alt id and domain with 0x00) example.co with alt id m and example.com with no alt id did produce the same key. But to repeat that is fixed now.
OK. Got it. Since the master key was being used, to generate the per-site key then it would have caused a collision. Adding the separator (NULL byte) will result in a unique key. Thanks!
 
Status
Not open for further replies.