Abstract
OPAQUE is an Asymmetric Password-Authenticated Key Exchange (aPAKE) protocol being standardized by the IETF (Internet Engineering Task Force) as a more secure alternative to the traditional “password-over-TLS” mechanism prevalent in current practice. OPAQUE defends against a variety of vulnerabilities of password-over-TLS by dispensing with reliance on PKI and TLS security, and ensuring that the password is never visible to servers or anyone other than the client machine where the password is entered. In order to facilitate the use of OPAQUE in practice, integration of OPAQUE with TLS is needed. The main proposal for standardizing such integration uses the Exported Authenticators (TLS-EA) mechanism of TLS 1.3 that supports post-handshake authentication and allows for a smooth composition with OPAQUE. We refer to this composition as TLS-OPAQUE and present a detailed security analysis for it in the Universal Composability (UC) framework.
Our treatment is general and includes the formalization of components that are needed in the analysis of TLS-OPAQUE but are of wider applicability as they are used in many protocols in practice. Specifically, we provide formalizations in the UC model of the notions of post-handshake authentication and channel binding. The latter, in particular, has been hard to implement securely in practice, resulting in multiple protocol failures, including major attacks against prior versions of TLS. Ours is the first treatment of these notions in a computational model with composability guarantees.
We complement the theoretical work with a detailed discussion of practical considerations for the use and deployment of TLS-OPAQUE in real-world settings and applications.
J. Hesse: This work was supported by the Swiss National Science Foundation (SNSF) under the AMBIZIONE grant “Cryptographic Protocols for Human Authentication and the IoT”.
Notes
1. Except if said otherwise, we use ‘TLS’ to refer to TLS 1.3.
2. In the particular case of TLS-EA, it is signature-based authentication.
3. Proving our results in the case of an unauthenticated handshake shows that, although the TLS handshake is commonly authenticated by the server, TLS-EA’s security does not depend on this authentication. On the other hand, when certificate-based server authentication is present during the handshake that precedes a run of TLS-OPAQUE, one gets the benefits of both certificate-based and password-based authentication.
4. From [26]: “The application MAY use the existing TLS connection to transport the authenticator.” The use of MAY makes this protected transport optional.
5. The TLS Handshake includes authentication, implemented by messages \(\textsf{auth}_S\) and \(\textsf{auth}_C\) in Fig. 3. However, as mentioned in footnote 3, we treat it as unauthenticated key exchange/secure channel establishment, because this allows us to show that the security of TLS-EA and TLS-OPAQUE is independent of the security of the initial authentication performed within the TLS 1.3 Handshake.
6. We assume C to learn this information as otherwise, when sending messages over plain connections, we would have no means of informing S which channel the authentication is intended for. This can be avoided by instead sending messages over the secure channel.
7. As a real-world example of an attack that is excluded by \(\mathcal {F}_{\textsf{pwPHA}} \), imagine an adversary preparing a list of hashed password guesses and, upon compromise, searching this list for a match. See [14] for a “non-strong” aPAKE functionality allowing for such attacks.
References
[1] Facebook stored hundreds of millions of passwords in plain text (2019). https://www.theverge.com/2019/3/21/18275837/facebook-plain-text-password-storage-hundreds-millions-users
[2] Google stored some passwords in plain text for fourteen years (2019). https://www.theverge.com/2019/5/21/18634842/google-passwords-plain-text-g-suite-fourteen-years
[3] Asokan, N., Niemi, V., Nyberg, K.: Man-in-the-middle in tunnelled authentication protocols. In: Christianson, B., Crispo, B., Malcolm, J.A., Roe, M. (eds.) Security Protocols 2003. LNCS, vol. 3364, pp. 28–41. Springer, Heidelberg (2005). https://doi.org/10.1007/11542322_6
[4] Bhargavan, K., Blanchet, B., Kobeissi, N.: Verified models and reference implementations for the TLS 1.3 standard candidate. In: IEEE Symposium on Security and Privacy, pp. 483–502. IEEE Computer Society (2017)
[5] Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Pironti, A., Strub, P.-Y.: Triple handshakes and cookie cutters: breaking and fixing authentication over TLS. In: IEEE Symposium on Security and Privacy, pp. 98–113. IEEE Computer Society (2014)
[6] Bhargavan, K., Delignat-Lavaud, A., Pironti, A.: Verified contributive channel bindings for compound authentication. In: NDSS (2015)
[7] Bhargavan, K., Leurent, G.: Transcript collision attacks: breaking authentication in TLS, IKE and SSH. In: 23rd Annual Network and Distributed System Security Symposium, NDSS (2016)
[8] Blanchet, B.: An efficient cryptographic protocol verifier based on Prolog rules. In: IEEE Computer Security Foundations Workshop CSFW-14, pp. 82–96. IEEE Computer Society (2001)
[9] Bourdrez, D., Krawczyk, H., Lewi, K., Wood, C.: The OPAQUE Asymmetric PAKE Protocol, draft-irtf-cfrg-opaque, July 2022. https://tools.ietf.org/id/draft-irtf-cfrg-opaque
[10] Brzuska, C., Jacobsen, H.: A modular security analysis of EAP and IEEE 802.11. In: PKC 2017. Cryptology ePrint Archive, Paper 2017/253 (2017)
[11] Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: IEEE Symposium on Foundations of Computer Science, FOCS 2001, pp. 136–145. IEEE (2001)
[12] Canetti, R., Krawczyk, H.: Universally composable notions of key exchange and secure channels. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 337–351. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_22
[13] Cremers, C., Horvat, M., Scott, S., van der Merwe, T.: Automated analysis and verification of TLS 1.3: 0-RTT, resumption and delayed authentication. In: IEEE Symposium on Security and Privacy, pp. 470–485. IEEE Computer Society (2016)
[14] Gentry, C., MacKenzie, P., Ramzan, Z.: A method for making password-based key exchange resilient to server compromise. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 142–159. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_9
[15] Hesse, J., Jarecki, S., Krawczyk, H.: Password-authenticated TLS via OPAQUE and post-handshake authentication. Cryptology ePrint Archive, Report 2023/220 (2023). https://ia.cr/2023/220
[16] Hodges, J., Jones, J.C., Jones, M.B., Kumar, A., Lundberg, E.: Web authentication: an API for accessing public key credentials level 2, August 2021. https://www.w3.org/TR/webauthn-2/
[17] Hoyland, J.: An analysis of TLS 1.3 and its use in composite protocols. Ph.D. thesis, RHUL, Egham, UK (2018)
[18] Jarecki, S., Krawczyk, H., Xu, J.: OPAQUE: an asymmetric PAKE protocol secure against pre-computation attacks. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 456–486. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_15
[19] Krawczyk, H.: The OPAQUE Asymmetric PAKE Protocol, draft-krawczyk-cfrg-opaque-06, June 2020. https://www.ietf.org/archive/id/draft-krawczyk-cfrg-opaque-06.txt
[20] Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_34
[21] Krawczyk, H.: Unilateral-to-mutual authentication compiler for key exchange (with applications to client authentication in TLS 1.3). In: ACM CCS 2016 (2016)
[22] Ray, M., Dispensa, S.: Authentication gap in TLS renegotiation (2009)
[23] Rescorla, E.: The Transport Layer Security (TLS) protocol version 1.3, RFC 8446, August 2018. http://www.rfc-editor.org/rfc/rfc8446.txt
[24] Rex, M.: MITM attack on delayed TLS-client auth through renegotiation, November 2009
[25] Salowey, J., Rescorla, E.: TLS renegotiation vulnerability (2009)
[26] Sullivan, N.: Exported Authenticators in TLS, RFC 9261, July 2022. https://datatracker.ietf.org/doc/html/rfc9261
[27] Sullivan, N., Krawczyk, H., Friel, O., Barnes, R.: OPAQUE with TLS 1.3, draft-sullivan-tls-opaque-01, February 2021. https://datatracker.ietf.org/doc/html/draft-sullivan-tls-opaque
Copyright information
© 2023 International Association for Cryptologic Research
Cite this paper
Hesse, J., Jarecki, S., Krawczyk, H., Wood, C. (2023). Password-Authenticated TLS via OPAQUE and Post-Handshake Authentication. In: Hazay, C., Stam, M. (eds) Advances in Cryptology – EUROCRYPT 2023. EUROCRYPT 2023. Lecture Notes in Computer Science, vol 14008. Springer, Cham. https://doi.org/10.1007/978-3-031-30589-4_4
DOI: https://doi.org/10.1007/978-3-031-30589-4_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-30588-7
Online ISBN: 978-3-031-30589-4