Paper 2023/220

Password-Authenticated TLS via OPAQUE and Post-Handshake Authentication

Julia Hesse, IBM Research Europe - Zurich
Stanislaw Jarecki, UC Irvine
Hugo Krawczyk, Algorand Foundation
Christopher Wood, Cloudflare
Abstract

OPAQUE is an Asymmetric Password-Authenticated Key Exchange (aPAKE) protocol being standardized by the IETF (Internet Engineering Task Force) as a more secure alternative to the traditional ``password-over-TLS'' mechanism prevalent in current practice. OPAQUE defends against a variety of vulnerabilities of password-over-TLS by dispensing with reliance on PKI and TLS security, and ensuring that the password is never visible to servers or anyone other than the client machine where the password is entered. In order to facilitate the use of OPAQUE in practice, integration of OPAQUE with TLS is needed. The main proposal for standardizing such integration uses the Exported Authenticators (TLS-EA) mechanism of TLS 1.3 that supports post-handshake authentication and allows for a smooth composition with OPAQUE. We refer to this composition as TLS-OPAQUE and present a detailed security analysis for it in the Universal Composability (UC) framework. Our treatment is general and includes the formalization of components that are needed in the analysis of TLS-OPAQUE but are of wider applicability as they are used in many protocols in practice. Specifically, we provide formalizations in the UC model of the notions of post-handshake authentication and channel binding. The latter, in particular, has been hard to implement securely in practice, resulting in multiple protocol failures, including major attacks against prior versions of TLS. Ours is the first treatment of these notions in a computational model with composability guarantees. We complement the theoretical work with a detailed discussion of practical considerations for the use and deployment of TLS-OPAQUE in real-world settings and applications.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
A major revision of an IACR publication in EUROCRYPT 2023
Keywords
Transport Layer SecurityPasswordsAuthenticationPassword-Authenticated Key ExchangeOPAQUE
Contact author(s)
juliahesse2 @ gmail com
stanislawjarecki @ gmail com
hugokraw @ gmail com
caw @ heapingbits net
History
2023-02-20: approved
2023-02-17: received
See all versions
Short URL
https://ia.cr/2023/220
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/220,
      author = {Julia Hesse and Stanislaw Jarecki and Hugo Krawczyk and Christopher Wood},
      title = {Password-Authenticated TLS via OPAQUE and Post-Handshake Authentication},
      howpublished = {Cryptology ePrint Archive, Paper 2023/220},
      year = {2023},
      note = {\url{https://eprint.iacr.org/2023/220}},
      url = {https://eprint.iacr.org/2023/220}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.