International Association for Cryptologic Research

CryptoDB

Password-Authenticated TLS via OPAQUE and Post-Handshake Authentication

Authors:
Julia Hesse, IBM Research Europe - Zurich
Stanislaw Jarecki, UC Irvine
Hugo Krawczyk, Algorand Foundation
Christopher Wood, Cloudflare
Download:
DOI: 10.1007/978-3-031-30589-4_4 (login may be required)
Presentation: Slides
Conference: EUROCRYPT 2023
Abstract: OPAQUE is an Asymmetric Password-Authenticated Key Exchange (aPAKE) protocol being standardized by the IETF (Internet Engineering Task Force) as a more secure alternative to the traditional "password-over-TLS" mechanism prevalent in current practice. OPAQUE defends against a variety of vulnerabilities of password-over-TLS by dispensing with reliance on PKI and TLS security, and ensuring that the password is never visible to servers or anyone other than the client machine where the password is entered. In order to facilitate the use of OPAQUE in practice, integration of OPAQUE with TLS is needed. The main proposal for standardizing such integration uses the Exported Authenticators (TLS-EA) mechanism of TLS 1.3 that supports post-handshake authentication and allows for a smooth composition with OPAQUE. We refer to this composition as TLS-OPAQUE and present a detailed security analysis for it in the Universal Composability (UC) framework. Our treatment is more general and it includes the formalization of components that are needed in the analysis of TLS-EA but are of wider applicability as they are used in many protocols in practice. Specifically, we provide formalizations in the UC model of the notions of post-handshake authentication and channel binding. The latter, in particular, has been hard to implement securely in practice, resulting in multiple protocol failures, including major attacks against prior versions of TLS. Ours is the first treatment of these notions in a computational model with composability guarantees. We complement the theoretical work with a detailed discussion of practical considerations for the use and deployment of TLS-OPAQUE in real-world settings and applications.
BibTeX
@inproceedings{eurocrypt-2023-32937,
  title={Password-Authenticated TLS via OPAQUE and Post-Handshake Authentication},
  publisher={Springer-Verlag},
  doi={10.1007/978-3-031-30589-4_4},
  author={Julia Hesse and Stanislaw Jarecki and Hugo Krawczyk and Christopher Wood},
  year=2023
}