Paper 2023/220

Password-Authenticated TLS via OPAQUE and Post-Handshake Authentication

Julia Hesse, IBM Research Europe - Zurich
Stanislaw Jarecki, UC Irvine
Hugo Krawczyk, Algorand Foundation
Christopher Wood, Cloudflare

OPAQUE is an Asymmetric Password-Authenticated Key Exchange (aPAKE) protocol being standardized by the IETF (Internet Engineering Task Force) as a more secure alternative to the traditional "password-over-TLS" mechanism prevalent in current practice. OPAQUE defends against a variety of vulnerabilities of password-over-TLS by dispensing with reliance on PKI and TLS security, and ensuring that the password is never visible to servers or anyone other than the client machine where the password is entered. In order to facilitate the use of OPAQUE in practice, integration of OPAQUE with TLS is needed. The main proposal for standardizing such integration uses the Exported Authenticators (TLS-EA) mechanism of TLS 1.3 that supports post-handshake authentication and allows for a smooth composition with OPAQUE. We refer to this composition as TLS-OPAQUE and present a detailed security analysis for it in the Universal Composability (UC) framework. Our treatment is general and includes the formalization of components that are needed in the analysis of TLS-OPAQUE but are of wider applicability as they are used in many protocols in practice. Specifically, we provide formalizations in the UC model of the notions of post-handshake authentication and channel binding. The latter, in particular, has been hard to implement securely in practice, resulting in multiple protocol failures, including major attacks against prior versions of TLS. Ours is the first treatment of these notions in a computational model with composability guarantees. We complement the theoretical work with a detailed discussion of practical considerations for the use and deployment of TLS-OPAQUE in real-world settings and applications.

Category
Cryptographic protocols
Publication info
A major revision of an IACR publication in EUROCRYPT 2023
Keywords
Transport Layer Security, Passwords, Authentication, Password-Authenticated Key Exchange, OPAQUE
Contact author(s)
juliahesse2 @ gmail com
stanislawjarecki @ gmail com
hugokraw @ gmail com
caw @ heapingbits net
2023-02-20: approved
2023-02-17: received
Creative Commons Attribution


      author = {Julia Hesse and Stanislaw Jarecki and Hugo Krawczyk and Christopher Wood},
      title = {Password-Authenticated TLS via OPAQUE and Post-Handshake Authentication},
      howpublished = {Cryptology ePrint Archive, Paper 2023/220},
      year = {2023},
      note = {\url{}},
      url = {}