Usage of OPAQUE with TLS 1.3
draft-sullivan-tls-opaque-00
|
| Document |
Type |
|
Active Internet-Draft (individual)
|
|
Last updated |
|
2019-03-11
|
|
Stream |
|
(None)
|
|
Intended RFC status |
|
(None)
|
|
Formats |
|
plain text
pdf
html
bibtex
|
| Stream |
Stream state |
|
(No stream defined) |
|
Consensus Boilerplate |
|
Unknown
|
|
RFC Editor Note |
|
(None)
|
| IESG |
IESG state |
|
I-D Exists
|
|
Telechat date |
|
|
|
Responsible AD |
|
(None)
|
|
Send notices to |
|
(None)
|
Network Working Group N. Sullivan
Internet-Draft Cloudflare
Intended status: Standards Track H. Krawczyk
Expires: September 12, 2019 IBM Research
O. Friel
R. Barnes
Cisco
March 11, 2019
Usage of OPAQUE with TLS 1.3
draft-sullivan-tls-opaque-00
Abstract
This document describes two mechanisms for enabling the use of the
OPAQUE password-authenticated key exchange in TLS 1.3.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 12, 2019.
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
Sullivan, et al. Expires September 12, 2019 [Page 1]
Internet-Draft TLS 1.3 OPAQUE March 2019
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3
3. OPAQUE . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Password Registration . . . . . . . . . . . . . . . . . . . . 4
4.1. Implementing EnvU . . . . . . . . . . . . . . . . . . . . 5
5. TLS extensions . . . . . . . . . . . . . . . . . . . . . . . 6
6. Use of extensions in TLS handshake flows . . . . . . . . . . 8
6.1. OPAQUE-3DH, OPAQUE-HMQV . . . . . . . . . . . . . . . . . 8
6.2. OPAQUE-Sign . . . . . . . . . . . . . . . . . . . . . . . 10
7. Integration into Exported Authenticators . . . . . . . . . . 11
8. Summary of properties . . . . . . . . . . . . . . . . . . . . 11
9. Example OPRF . . . . . . . . . . . . . . . . . . . . . . . . 12
9.1. OPRF_1 . . . . . . . . . . . . . . . . . . . . . . . . . 13
9.2. OPRF_2 . . . . . . . . . . . . . . . . . . . . . . . . . 13
10. Privacy considerations . . . . . . . . . . . . . . . . . . . 13
11. Security Considerations . . . . . . . . . . . . . . . . . . . 14
12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
13.1. Normative References . . . . . . . . . . . . . . . . . . 14
13.2. Informative References . . . . . . . . . . . . . . . . . 15
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction
Note that this draft has not received significant security review and
should not be the basis for production systems.
OPAQUE [opaque-paper] is a mutual authentication method that enables
the establishment of an authenticated cryptographic key between a
client and server based on a user's memorized password, without ever
exposing the password to servers or other entities other than the
client machine and without relying on PKI. OPAQUE leverages a
primitive called a Strong Asymmetrical Password Authenticated Key
Exchange (Strong aPAKE) to provide desirable properties including
resistance to pre-computation attacks in the event of a server
compromise.
In some cases, it is desirable to combine password-based
authentication with traditional PKI-based authentication as a
defense-in-depth measure. For example, in the case of IoT devices,
it may be useful to validate that both parties were issued a
Show full document text