Internet security is getting a bit of a boost, in part thanks to cryptographic research started by Stanislaw Jarecki more than five years ago.
Back in 2018, Jarecki, an associate professor of computer science in UC Irvine’s Donald Bren School of Information and Computer Sciences (ICS), published a paper with ICS Ph.D. student Jiayu Xu in collaboration with Hugo Krawczyk of IBM Research. Their work, presented at the 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques (Eurocrypt 2018), proposed a new Password Authenticated Key Agreement (PAKE) protocol called OPAQUE.
“There is this huge disconnect between the way we are using passwords on the internet and what cryptographers were suggesting and designing up to now,” says Jarecki, “because the cryptographic models were never exactly matching what is needed in practice.” The models were secure, but companies weren’t using them because they didn’t conform to the real-world deployment of the client-server setting. “Basically, this was the first paper that showed how to bridge this gap.”
As cryptographer Matthew Green wrote that year in a blog post titled “Let’s talk about PAKE,” the OPAQUE protocol showed a lot of potential. “So in summary, we have this neat technology that could make the process of using passwords much easier, and could allow us to do it in a much more efficient way — with larger hashing parameters, and more work done by the client? Why isn’t this everywhere? Maybe in the next few years it will be.”
The Road to Internet Adoption
Green wasn’t the only person to notice OPAQUE’s potential. In 2019, the Internet Engineering Task Force (IETF) Crypto Forum Research Group (CFRG) ran a PAKE competition for symmetric (person-to-person) and asymmetric (client-to-server) settings. The winner for the asymmetric (aPAKE) category was OPAQUE.
“This was a big win,” says Jarecki. “The IETF engineers started recognizing that it’s no longer the case that the cryptographic PAKE protocols can’t be deployed. They can be deployed, so IETF CFRG created this task force for standardizing the cryptographic password-authentication protocols to pick the good ones.”
This has been an ongoing effort, with countless interactions between Jarecki and IETF-CFRG reviewers to specify detailed proofs, identify implementation variants and address different security concerns. Currently, the IETF is exploring how to integrate OPAQUE with the Transport Layer Security (TLS) protocol.
“It’s important to understand that this is just about the road to internet-wide adoption; the actual adoption hasn’t yet happened,” stresses Jarecki. “We are making the tools and working with engineers who want to get this protocol adopted, but that’s a different thing from actual adoption of these methods by internet giants, i.e. actual integration of these new authentication methods with TLS as implemented in internet browsers and servers.”
WhatsApp Adopts OPAQUE
Another person who noticed OPAQUE’s potential early on was Kevin Lewi, a research scientist at Meta who came across the Eurocrypt 2018 proceedings as well as Green’s blog post. At the time, WhatsApp was building a backup feature for encrypted chat logs, and OPAQUE seemed the perfect choice for secure user authentication.
“The main selling point of OPAQUE for us is that it allows a client to authenticate to a server using a password, in a way for the password to never actually be exposed to the server,” says Lewi. “This is in contrast to previous works and other methods which do leak the password to the server. This extra amount of privacy ended up being very important to the security of our system as a whole.”
The OPAQUE-authenticated backup storage now services 2 billion WhatsApp users, and Jarecki is thrilled to see the protocol already having such a widespread impact.
“Their system is very impressive [and its] scale is mind-boggling!” he says. “It’s live now: take your WhatsApp on your phone, go to settings, turn on ‘secure backup,’ and you are triggering encryption of all your backup data via keys which are retrievable only from the OPAQUE-authenticated ‘key locker.’”
Furthermore, Meta has shared the open-source code for their WhatsApp approach. “We decided to open-source our implementation of OPAQUE to the public,” says Lewi, “in hopes that other companies and people who might want to use OPAQUE in the future could do so easily.”
Jarecki views this as a significant accomplishment. “You can write a standard, but no company implements it,” he says. “But in our case, Meta implemented it!” Meta is also sharing it, exemplifying the protocol’s power as it continues its journey toward internet-wide adoption.
— Shani Murray