-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OPAQUE is an sdPAKE #448
OPAQUE is an sdPAKE #448
Conversation
Replaced "asymmetric PAKE" with augmented PAKE since "asymmetric PAKE" is incorrect terminology. Added info on doubly augmented PAKEs (dPAKE) and stated OPAQUE is a strong dPAKE (sdPAKE).
@Sc00bz Thanks for the PR! I think the terminology change from "asymmetric" -> "augmented" is something I am supportive of (though don't have too strong of a preference either way) However, rather than defining OPAQUE as a strong doubly-augmented PAKE, I would prefer to still define OPAQUE as being a strong augmented PAKE, and then within the document we can also add a paragraph about the fact that it is doubly-augmented. The reasons being that:
|
850b5bd
to
1fa23d7
Compare
Modified the PR to address my previous comments. Please see the text of the new subsection:
and let me know if this suffices. As mentioned above, I think we are aiming to avoid defining OPAQUE as a doubly augmented PAKE, even though it does satisfy those properties, because there isn't a proof for it at the moment (nor a formal UC-style definition of doubly-augmented), and the original OPAQUE paper only proves it with respect to a strong augmented PAKE. However, the property itself is still worth mentioning. Thanks @Sc00bz and appreciate your patience on getting this right. |
1fa23d7
to
d915914
Compare
@Sc00bz ^ can you check the revisions that I made and let us know if this is acceptable? We'd like to merge this PR in and publish the next draft once this is unblocked. Thank you! |
draft-irtf-cfrg-opaque.md
Outdated
and supplying an arbitrary password as input to `CreateCredentialRequest` in the login | ||
phase. This provides an advantage over the regular authentication flow for login |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suggest we add that we give all the details on how to do it, adding that the OPRF finish/output and stretching can be skipped in favor of directly using the randomized henceforth. What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good idea. I added a little bit more to the description to clarify how this would be done. Let me know what you think!
d915914
to
f1a658b
Compare
f1a658b
to
fa88863
Compare
Looks good to me :) thank you @Sc00bz and @kevinlewi ! 👍 |
The following might need to be reworded or use a different source. Since JKX18 defined an saPAKE vs sdPAKE. The difference being that the client can also store data that can be used to authenticate to the server but not used to authenticate to the client. Lines 325-326:
Note I moved "secure against pre-computation attacks" to here since that's part of being an sdPAKE. Lines 312-313:
Also the "Security Analysis" section needs updating since the source proved the security of OPAQUE in an saPAKE model instead of an sdPAKE model. The difference in the proof is minor and would likely be obvious for anyone that knows how to write a proof. It's basically something along the lines of "the private client identity key and public server identity key are unrelated to the password thus you can't use it to make offline password guesses. Without knowing the private server identity key means you can't authenticate as the server (which should already part of the saPAKE model proof)." Also since it's an sdPAKE the client data can't be used for offline password guesses (even if the private keys are related to the password) because of the OPRF. Although I hear that people don't like "story proofs". So I'm not sure how to prove this correctly. Lines 2061-2063: