
Password-Authenticated TLS via OPAQUE and Post-Handshake Authentication

  • Conference paper
  • In: Advances in Cryptology – EUROCRYPT 2023 (EUROCRYPT 2023)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14008)

Abstract

OPAQUE is an Asymmetric Password-Authenticated Key Exchange (aPAKE) protocol being standardized by the IETF (Internet Engineering Task Force) as a more secure alternative to the traditional “password-over-TLS” mechanism prevalent in current practice. OPAQUE defends against a variety of vulnerabilities of password-over-TLS by dispensing with reliance on PKI and TLS security, and ensuring that the password is never visible to servers or anyone other than the client machine where the password is entered. In order to facilitate the use of OPAQUE in practice, integration of OPAQUE with TLS is needed. The main proposal for standardizing such integration uses the Exported Authenticators (TLS-EA) mechanism of TLS 1.3 that supports post-handshake authentication and allows for a smooth composition with OPAQUE. We refer to this composition as TLS-OPAQUE and present a detailed security analysis for it in the Universal Composability (UC) framework.

Our treatment is general and includes the formalization of components that are needed in the analysis of TLS-OPAQUE but are of wider applicability as they are used in many protocols in practice. Specifically, we provide formalizations in the UC model of the notions of post-handshake authentication and channel binding. The latter, in particular, has been hard to implement securely in practice, resulting in multiple protocol failures, including major attacks against prior versions of TLS. Ours is the first treatment of these notions in a computational model with composability guarantees.

We complement the theoretical work with a detailed discussion of practical considerations for the use and deployment of TLS-OPAQUE in real-world settings and applications.

J. Hesse: This work was supported by the Swiss National Science Foundation (SNSF) under the AMBIZIONE grant “Cryptographic Protocols for Human Authentication and the IoT”.


Notes

  1. Except if said otherwise, we use ‘TLS’ to refer to TLS 1.3.

  2. In the particular case of TLS-EA, it is signature-based authentication.

  3. Proving our results in the case of an unauthenticated handshake shows that, although the TLS handshake is commonly authenticated by the server, TLS-EA’s security does not depend on this authentication. On the other hand, when certificate-based server authentication is present during the handshake that precedes a run of TLS-OPAQUE, one gets the benefits of both certificate-based and password-based authentication.

  4. From [26]: “The application MAY use the existing TLS connection to transport the authenticator.” The use of MAY makes this protected transport optional.

  5. The TLS Handshake includes authentication, implemented by messages \(\textsf{auth}_S\) and \(\textsf{auth}_C\) in Fig. 3. However, as mentioned in footnote 3, we treat it as unauthenticated key exchange/secure channel establishment, because this allows us to show that the security of TLS-EA and TLS-OPAQUE is independent of the security of the initial authentication performed within the TLS 1.3 Handshake.

  6. We assume that C learns this information because otherwise, when sending messages over plain connections, we would have no means of informing S which channel the authentication is intended for. This can be avoided by instead sending the messages over the secure channel.

  7. As a real-world example of an attack that is excluded by \(\mathcal {F}_{\textsf{pwPHA}} \), imagine an adversary preparing a list of hashed password guesses and, upon compromise, searching this list for a match. See [14] for a “non-strong” aPAKE functionality allowing for such attacks.
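The distinction footnote 7 draws, as an added illustration that is not part of the paper: a stored value that is a public function of the password alone can be matched against a table hashed before any compromise, whereas a value derived through an OPRF under a per-user server secret cannot be worked on until that secret is also stolen, and then only one guess at a time per user. The HMAC standing in for the OPRF, the sample dictionary and the user password are constructed assumptions of this sketch, not OPAQUE's actual primitive.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a short list of password guesses an adversary hashes
# ahead of time, and the password one user actually registered with.
DICTIONARY = ["password", "letmein", "hunter2", "correct horse battery staple"]
USER_PASSWORD = "hunter2"


def naive_record(password):
    """Stored value in a 'non-strong' aPAKE: a public function of the password
    alone, so it can be computed for every guess before any compromise."""
    return hashlib.sha256(password.encode()).digest()


def oprf_style_record(password, server_key):
    """OPAQUE-style stored value: depends on a per-user server secret that the
    client only ever obtains blindly through the OPRF. HMAC stands in for the
    OPRF here as a modelling simplification (an assumption of this sketch)."""
    return hmac.new(server_key, password.encode(), hashlib.sha256).digest()


def precompute_table(candidates):
    """Work done before compromise: one hash per guess, reusable against every user."""
    return {naive_record(p): p for p in candidates}


def match_precomputed(table, stolen_record):
    """After compromise: a table lookup, i.e. no additional work per user."""
    return table.get(stolen_record)


def match_with_server_key(candidates, stolen_record, server_key):
    """After compromise of an OPAQUE-style server: guessing can only begin now,
    costs one OPRF evaluation per guess, and is bound to this one user's key."""
    for p in candidates:
        if hmac.compare_digest(oprf_style_record(p, server_key), stolen_record):
            return p
    return None


def demo():
    table = precompute_table(DICTIONARY)        # prepared before compromise
    server_key = secrets.token_bytes(32)        # per-user OPRF key (constructed)
    naive = naive_record(USER_PASSWORD)
    strong = oprf_style_record(USER_PASSWORD, server_key)
    return (match_precomputed(table, naive),    # found: precomputation pays off
            match_precomputed(table, strong),   # None: the table is useless here
            match_with_server_key(DICTIONARY, strong, server_key))  # found only now
```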

References

  1. Facebook stored hundreds of millions of passwords in plain text (2019). https://www.theverge.com/2019/3/21/18275837/facebook-plain-text-password-storage-hundreds-millions-users

  2. Google stored some passwords in plain text for fourteen years (2019). https://www.theverge.com/2019/5/21/18634842/google-passwords-plain-text-g-suite-fourteen-years

  3. Asokan, N., Niemi, V., Nyberg, K.: Man-in-the-middle in tunnelled authentication protocols. In: Christianson, B., Crispo, B., Malcolm, J.A., Roe, M. (eds.) Security Protocols 2003. LNCS, vol. 3364, pp. 28–41. Springer, Heidelberg (2005). https://doi.org/10.1007/11542322_6

  4. Bhargavan, K., Blanchet, B., Kobeissi, N.: Verified models and reference implementations for the TLS 1.3 standard candidate. In: IEEE Symposium on Security and Privacy, pp. 483–502. IEEE Computer Society (2017)

  5. Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Pironti, A., Strub, P.-Y.: Triple handshakes and cookie cutters: breaking and fixing authentication over TLS. In: IEEE Symposium on Security and Privacy, pp. 98–113. IEEE Computer Society (2014)

  6. Bhargavan, K., Delignat-Lavaud, A., Pironti, A.: Verified contributive channel bindings for compound authentication. In: NDSS (2015)

  7. Bhargavan, K., Leurent, G.: Transcript collision attacks: breaking authentication in TLS, IKE and SSH. In: 23rd Annual Network and Distributed System Security Symposium, NDSS (2016)

  8. Blanchet, B.: An efficient cryptographic protocol verifier based on Prolog rules. In: IEEE Computer Security Foundations Workshop CSFW-14, pp. 82–96. IEEE Computer Society (2001)

  9. Bourdrez, D., Krawczyk, H., Lewi, K., Wood, C.: The OPAQUE Asymmetric PAKE Protocol, draft-irtf-cfrg-opaque, July 2022. https://tools.ietf.org/id/draft-irtf-cfrg-opaque

  10. Brzuska, C., Jacobsen, H.: A modular security analysis of EAP and IEEE 802.11. Cryptology ePrint Archive, Paper 2017/253 (PKC 2017) (2017)

  11. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: IEEE Symposium on Foundations of Computer Science - FOCS 2001, pp. 136–145. IEEE (2001)

  12. Canetti, R., Krawczyk, H.: Universally composable notions of key exchange and secure channels. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 337–351. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_22

  13. Cremers, C., Horvat, M., Scott, S., van der Merwe, T.: Automated analysis and verification of TLS 1.3: 0-RTT, resumption and delayed authentication. In: IEEE Symposium on Security and Privacy, pp. 470–485. IEEE Computer Society (2016)

  14. Gentry, C., MacKenzie, P., Ramzan, Z.: A method for making password-based key exchange resilient to server compromise. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 142–159. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_9

  15. Hesse, J., Jarecki, S., Krawczyk, H.: Password-authenticated TLS via OPAQUE and post-handshake authentication. Cryptology ePrint Archive, Report 2023/220 (2023). https://ia.cr/2023/220

  16. Hodges, J., Jones, J.C., Jones, M.B., Kumar, A., Lundberg, E.: Web authentication: an API for accessing public key credentials level 2, August 2021. https://www.w3.org/TR/webauthn-2/

  17. Hoyland, J.: An analysis of TLS 1.3 and its use in composite protocols. Ph.D. thesis, RHUL, Egham, UK (2018)

  18. Jarecki, S., Krawczyk, H., Xu, J.: OPAQUE: an asymmetric PAKE protocol secure against pre-computation attacks. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 456–486. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_15

  19. Krawczyk, H.: The OPAQUE Asymmetric PAKE Protocol, draft-krawczyk-cfrg-opaque-06, June 2020. https://www.ietf.org/archive/id/draft-krawczyk-cfrg-opaque-06.txt

  20. Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_34

  21. Krawczyk, H.: Unilateral-to-mutual authentication compiler for key exchange (with applications to client authentication in TLS 1.3). In: ACM CCS 2016 (2016)

  22. Ray, M., Dispensa, S.: Authentication gap in TLS renegotiation (2009)

  23. Rescorla, E.: The Transport Layer Security (TLS) protocol version 1.3, RFC 8446, August 2018. http://www.rfc-editor.org/rfc/rfc8446.txt

  24. Rex, M.: MITM attack on delayed TLS-client auth through renegotiation, November 2009

  25. Salowey, J., Rescorla, E.: TLS renegotiation vulnerability (2009)

  26. Sullivan, N.: Exported Authenticators in TLS, RFC 9261, July 2022. https://datatracker.ietf.org/doc/html/rfc9261

  27. Sullivan, N., Krawczyk, H., Friel, O., Barnes, R.: OPAQUE with TLS 1.3, draft-sullivan-tls-opaque-01, February 2021. https://datatracker.ietf.org/doc/html/draft-sullivan-tls-opaque


Author information

Corresponding author: Julia Hesse.

Copyright information

© 2023 International Association for Cryptologic Research

About this paper


Cite this paper

Hesse, J., Jarecki, S., Krawczyk, H., Wood, C. (2023). Password-Authenticated TLS via OPAQUE and Post-Handshake Authentication. In: Hazay, C., Stam, M. (eds) Advances in Cryptology – EUROCRYPT 2023. EUROCRYPT 2023. Lecture Notes in Computer Science, vol 14008. Springer, Cham. https://doi.org/10.1007/978-3-031-30589-4_4

  • DOI: https://doi.org/10.1007/978-3-031-30589-4_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-30588-7

  • Online ISBN: 978-3-031-30589-4

  • eBook Packages: Computer Science, Computer Science (R0)
