Paper 2024/756
(Strong) aPAKE Revisited: Capturing Multi-User Security and Salting
Abstract
Asymmetric Password-Authenticated Key Exchange (aPAKE) protocols, particularly Strong aPAKE (saPAKE) have enjoyed significant attention, both from academia and industry, with the well-known OPAQUE protocol currently undergoing standardization. In (s)aPAKE, a client and a server collaboratively establish a high-entropy key, relying on a previously exchanged password for authentication. A main feature is its resilience against offline and precomputation (for saPAKE) attacks. OPAQUE, as well as most other aPAKE protocols, have been designed and analyzed in a single-user setting, i.e., modelling that only a single user interacts with the server. By the composition framework of UC, security for the actual multi-user setting is then conjectured. As any real-world (s)aPAKE instantiation will need to cater multiple users, this introduces a dangerous gap in which developers are tasked to extend the single-user protocol securely and in a UC-compliant manner. In this work, we extend the (s)aPAKE definition to directly model the multi-user setting, and explicitly capture the impact that a server compromise has across user accounts. We show that the currently standardized multi-user version of OPAQUE might not provide the expected security, as it is insecure against offline attacks as soon as the file for one user in the system is compromised. This is due to using shared state among different users, which violates the UC composition framework. However, we show that another change introduced in the standardization draft which also involves a shared state does not compromise security. When extending the aPAKE security in the multi-client setting, we notice that the widely used security definition captures significantly weaker security guarantees than what is offered by many protocols. Essentially, the aPAKE definition assumes that the server stores unsalted password-hashes, whereas several protocols explicitly use a salt to protect against precomputation attacks. We therefore propose a definitional framework that captures different salting approaches -- thus showing that the security gap between aPAKE and saPAKE can be smaller than expected.
Metadata
- Available format(s)
- Category
- Cryptographic protocols
- Publication info
- Published elsewhere. 9th IEEE European Symposium on Security and Privacy, Euro S&P 2024
- Keywords
- strong aPAKEpassword authenticationsaltingUniversal Composability
- Contact author(s)
-
dennis dayanikli @ hpi de
anja lehmann @ hpi de - History
- 2024-05-20: approved
- 2024-05-17: received
- See all versions
- Short URL
- https://ia.cr/2024/756
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2024/756, author = {Dennis Dayanikli and Anja Lehmann}, title = {(Strong) {aPAKE} Revisited: Capturing Multi-User Security and Salting}, howpublished = {Cryptology {ePrint} Archive, Paper 2024/756}, year = {2024}, url = {https://eprint.iacr.org/2024/756} }