How does OPAQUE relates to DE-PAKE and Sphinx?

[mitar]

I am trying to understand this project. So for some time it included OPAQUE implementation but it was then removed. But DE-PAKE seems to be a predecessor to OPAQUE? Isn't OPAQUE (as defined in latest RFC) already supporting an easy extension for being a password manager? It includes "export key" which can be used to store additional encrypted data for clients: https://cfrg.github.io/draft-irtf-cfrg-opaque/draft-irtf-cfrg-opaque.html#name-export-key-usage

So is Sphinx then a parallel alternative development of similar ideas?

[stef]

the relation between opaque and sphinx is that both are using an oprf underneath, actually sphinx is just an oprf, while opaque is an AKE which is a whole lot of stuff more that is not needed for sphinx. and also opaque itself cannot be used as a replacement for sphinx, as the naive usage of opaque for password storage would elminate the offline-bruteforce resistance, that is one of the great security guarantees that is setting it apart from almost all other password managers.

[stef]

the opaque implementation that was previously part of libsphinx is now in its own library with a whole lot of bindings and other stuff here: https://github.com/stef/libopaque/

[stef]

there was actually an experimental variant of sphinx which used opaque, or rather the other way around, it was opaque, but if not needed it didn't do the ake, and thus was merely sphinx. but it was suffering from what i alluded above, the lack of offline-bruteforce resistance, and thus was decommissioned. however with the advent of a threshold-oprf as implemented in https://github.com/stef/liboprf/ we will be able to implement a sphinx variant that can resurrect the opaque around it, and indeed that is the plan for v2 of sphinx, in the near future.

[stef]

more about oprfs in layman terms: https://ctrlc.hu/~stef/blog/posts/oprf.html

[mitar]

Oh, you should link to this and https://ctrlc.hu/~stef/blog/posts/sphinx.html from README. Also I just now found PDFs in the doc directory.

[stef]

not to mention with threshold-oprf we will also be able to do a threshold-opaque! super exciting stuff!

[stef]

furthermore the next version of sphinx will replace libsphinx with liboprf entirely.

[mitar]

Thanks for fast and elaborate replies! I will read more about this, at the moment it all goes way over my head. But my understanding with OPAQUE was that it allows offline backups (like what is used at WhatsApp) and that those backups are protected against offline attacks? It seems not. :-(

[stef]

But my understanding with OPAQUE was that it allows offline backups (like what is used at WhatsApp) and that those backups are protected against offline attacks? It seems not. :-(

i don't quite understand this question. and i think it is a misunderstanding. opaque does not protect against offline dictionary attacks, it merely makes it more difficult. whereas sphinx does. but the two things are used for very different uses. with sphinx, if a sphinx server "database" leaks, an attacker cannot run a search for passwords offline. since there is nothing that can confirm to the attacker if a guess is correct. with opaque, there is ample data available that allows an attacker to use leaked opaque server database to guess passwords while being offline.

[mitar]

with sphinx, if a sphinx server "database" leaks, an attacker cannot run a search for passwords offline.

So then I could simply store my password "database" in GitHub's public git repository. :-)

[stef]

so the best thing you can do is have whatever server you wanna run, have that use opaque. and use a completely separate sphinx server to handle your passwords that you use against your opaque-using server.

[mitar]

Hm, but it would have to be two different passwords. Otherwise one could do attack against opaque server to recover the password and then use it to get to your other passwords.

[stef]

may i ask how did you find this repo?

[mitar]

I was searching for Go OPAQUE implementations and it was listed here:

https://github.com/cretz/gopaque

[stef]

So then I could simply store my password "database" in GitHub's public git repository. :-)

well you could, but it would make it easier for an attacker. see this whitepaper that tries to cover what an attacker can do given what information: https://github.com/stef/pwdsphinx/blob/master/whitepaper.org#bruteforce-attacks-against-our-sphinx-implementation

Hm, but it would have to be two different passwords. Otherwise one could do attack against opaque server to recover the password and then use it to get to your other passwords.

yes, but the whole point of sphinx is, that you have an input password (traditionally called master password with other password managers), and you have a very different output password, the latter you would use with your opaque server.

[stef]

the thing is, with hosting your sphinx "seeds" on github, would allow an attacker (if they have this info) to test for your master password using a target site (for which you have an account in sphinx) which does not do any ratelimiting or otherwise restricts password guessing attempts. e.g the attacker knows that you have an account at a wordpress site (assuming wordpress does not limit attemps in any way) then they can mount their attack against that site, while it would be much more difficult to mount this attack against lets say gmail. whereas if the attacker would not have access to your sphinx seeds at all, then the attacker would have to go through two hoops: 1/ making a guess at your master password and query the sphinx and then 2/ using the output of sphinx querying the target wordpress site. and the sphinx implementation in pwdsphinx for example provides strong ratelimiting, so by not publishing the sphinx seeds, the whole setup becomes much more secure...

[mitar]

OK. But this assumes there are no custom passwords stored in Sphinx, no? Because to my understanding, if they are, then you do not have to do 2/, but you can just try to see if decrypted password is ASCII-like (assuming that most passwords are ASCII and not binary). If you do not have correct master password, then it is highly unlikely that all decrypted bytes would be ASCII.

[stef]

exactly. but in most cases you do not need custom passwords anyway. for example for authenticating to something running opaque. anyway pwdsphinx does support predefined short passwords but with the caveat that this reduces security, so they are advised against.

i find it very very puzzling, why people think they need to know their passwords that they use towards various services. there is very few passwords that don't fit this pattern, like pin/puk codes perhaps.

[mitar]

Thanks for all the replies.