Opaque
Benefits
Never accidentally log passwords
Security against pre-computation attacks upon server compromise
Foundation for encrypted backups and end-to-end encryption apps
Through OTF’s Red Team Lab (opens in a new tab), 7ASecurity conducted a penetration test and whitebox security review (opens in a new tab)
System Simulation
Test the protocol and see how it works
Type in some credentials and see how the magic works.
Details
OPAQUE provides robust security measures that effectively neutralize various types of attacks. Unlike traditional methods, it eliminates the need to send passwords to the server, thereby thwarting sniffing and replay attacks. Moreover, the protocol prevents pre-computation attacks by attackers.
Through the use of an Oblivious Pseudo-Random Function (OPRF), OPAQUE safeguards the password and basically some form of "salt", making it impervious to direct password leaks. This protocol has also undergone rigorous testing and offers mathematical proofs of security within a robust model.
Another advantage is its ability to offload the memory-hard key-stretching function to the client side. This not only enhances security but also minimizes the server's vulnerability to computational denial-of-service (DoS) attacks.
Furthermore, OPAQUE can function securely over an unencrypted communication channel, removing the necessity for additional layers like TLS. It even includes a countermeasure against user enumeration attacks: the server can return a decoy record, making it impossible for an attacker to determine whether a particular user exists or not.
There have been extensive security analysis and audits:
Downsides
- The protocol requires JavaScript to run on the client - Registration and login require one extra request roundtrip to complete each flow - No resistance against quantum computing attacks
Who is using it?
Opaque
- Serenity (opens in a new tab) as authentication mechanism for the account
OPAQUE protocol
- WhatsApp (opens in a new tab) for their end-to-end encrypted backups
- Messenger (opens in a new tab) for their encrypted message storage Labyrinth
Comparison to Password Hashing
Opaque comes with a few benefits and tradeoffs compared to password hashing
Benefits
- The server never learns the password and therefor never can log it (accidentally)
- Foundation for end-to-end encryption
Tradeoffs
- Requires JavaScript to run in the browser
- One extra roundtrip for registration and login
Comparison to Passkeys
Opaque comes with a few benefits and tradeoffs compared to Passkeys
Benefits
- No need for users to rely on an external authority for key storage. Usually Apple, Google or Microsoft.
- No device/browser/OS lock-in. On Linux for example there is no Passkey support.
- No support for a stable `export_key` on the client. This makes Passkeys unsuitable for encrypted backups or as a foundation for end-to-end encryption apps. Might be possible in the future with the PRF Extension (opens in a new tab).
Tradeoffs
- You still need to remember and store a password. Passwordless authentication is preferable.
- Passkeys have even stronger security guarantees against server compromise since only a public key is stored.
Note: You can also deploy Passkeys and have Opaque as a fallback for users without Passkeys. Best of both worlds.
Relevant building blocks and inspirations
- 2018: The OPAQUE (opens in a new tab) paper was published. - 2018-2028 A group of IETF members worked on the OPAQUE protocol RFC (opens in a new tab). - 2020: Work on opaque-ke (opens in a new tab) started.
- 2020: Work on opaque-wasm (opens in a new tab) started. It allowed us to give explore the protocol in a beta and inspired us to build a full library. We made a comparison table between the two libraries here.