Paper 2024/756

(Strong) aPAKE Revisited: Capturing Multi-User Security and Salting

Dennis Dayanikli, Hasso-Plattner-Institute, University of Potsdam
Anja Lehmann, Hasso-Plattner-Institute, University of Potsdam
Abstract

Asymmetric Password-Authenticated Key Exchange (aPAKE) protocols, particularly Strong aPAKE (saPAKE), have enjoyed significant attention from both academia and industry, with the well-known OPAQUE protocol currently undergoing standardization. In (s)aPAKE, a client and a server collaboratively establish a high-entropy key, relying on a previously exchanged password for authentication. A main feature is its resilience against offline and (for saPAKE) precomputation attacks. OPAQUE, as well as most other aPAKE protocols, has been designed and analyzed in a single-user setting, i.e., modelling that only a single user interacts with the server. By the composition framework of UC, security for the actual multi-user setting is then conjectured. As any real-world (s)aPAKE instantiation will need to cater to multiple users, this introduces a dangerous gap in which developers are tasked to extend the single-user protocol securely and in a UC-compliant manner. In this work, we extend the (s)aPAKE definition to directly model the multi-user setting, and explicitly capture the impact that a server compromise has across user accounts. We show that the currently standardized multi-user version of OPAQUE might not provide the expected security, as it is insecure against offline attacks as soon as the file for one user in the system is compromised. This is due to using shared state among different users, which violates the UC composition framework. However, we show that another change introduced in the standardization draft, which also involves a shared state, does not compromise security. When extending the aPAKE security definition to the multi-client setting, we notice that the widely used security definition captures significantly weaker security guarantees than what is offered by many protocols. Essentially, the aPAKE definition assumes that the server stores unsalted password hashes, whereas several protocols explicitly use a salt to protect against precomputation attacks. We therefore propose a definitional framework that captures different salting approaches -- thus showing that the security gap between aPAKE and saPAKE can be smaller than expected.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. 9th IEEE European Symposium on Security and Privacy, Euro S&P 2024
Keywords
strong aPAKE, password authentication, salting, Universal Composability
Contact author(s)
dennis dayanikli @ hpi de
anja lehmann @ hpi de
History
2024-05-20: approved
2024-05-17: received
Short URL
https://ia.cr/2024/756
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/756,
      author = {Dennis Dayanikli and Anja Lehmann},
      title = {(Strong) {aPAKE} Revisited: Capturing Multi-User Security and Salting},
      howpublished = {Cryptology ePrint Archive, Paper 2024/756},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/756}},
      url = {https://eprint.iacr.org/2024/756}
}