search

stef / libopaque

c implementation of the OPAQUE protocol with bindings for python, php, ruby, lua, zig, java, erlang, golang, js and SASL.
GNU Lesser General Public License v3.0
69 stars 10 forks source link

The password should never be disclosed to the server #37

Closed odiferousmint closed 8 months ago

odiferousmint commented 8 months ago

Hello.

According to https://github.com/stef/libopaque/blob/master/src/utils/man/opaque.md:

Initializing OPAQUE (registration) can be done either online or offline. The online variant has the benefit that the server never learns anything about the users password, with the drawback that this requires 3 messages to be exchanged by the client and the server.

The offline initialization is much easier, however either the user learns the servers secret, or the server learns the users password. The latter might be useful if some organisation wants to enforce some password quality rules and check those upon registration. The drawback is that either way, some sensitive information leaks to the other party.

This is not supposed to be true.

https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-opaque

OPAQUE provides forward secrecy with respect to password leakage while also hiding the password from the server, even during password registration.

clients never disclose their passwords to the server, even during registration

Some applications may require learning the client's password for enforcing password rules. Doing so invalidates this important security property of OPAQUE and is NOT RECOMMENDED. Applications should move such checks to the client.

[...]

stef commented 8 months ago

well, depends. yes, if you only implement the cfrg spec. which only specifies the online registration, then you are right. however the original opaque paper instead only described the offline registration, which is not specified by the cfrg, but is implemented by libopaque.

stef commented 8 months ago

please close this issue, if this answers your question.

stef commented 8 months ago

see also: https://github.com/cfrg/draft-irtf-cfrg-opaque/issues/434

odiferousmint commented 8 months ago

well, depends. yes, if you only implement the cfrg spec. which only specifies the online registration, then you are right. however the original opaque paper instead only described the offline registration, which is not specified by the cfrg, but is implemented by libopaque.

Hmm, I will have to go through them as on the website I provided I see offline registration with online authenticated key exchange only, and https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-opaque#name-offline-registration-2 seems to be using the same and/or similar function names, hence my assumptions.

You may close this issue though.

odiferousmint commented 8 months ago

see also: cfrg/draft-irtf-cfrg-opaque#434

Thank you! I will take a look tomorrow as I have to go to sleep. Thank you! I will close this. :)