Security News > 2020 > December > Oblivious DoH, OPAQUE passwords, Encrypted Client Hello: Cloudflare's protocol proposals to protect privacy
These include an updated secure DNS service that hides the identity of the client, a password protocol that means a password is never transmitted to the server, and an encrypted "Client hello" that does not leak server names.
Peek, poke, now PAKE. Third up is OPAQUE, a password protocol whose name, it seems, is some sort of pun on Oblivious Pseudo-Random Function (OPRF) combined with Password Authenticated Key Exchange (PAKE).
A weakness of today's login flows, as Cloudflare software engineer Tatiana Bradley described, is that, even though authentication ideally happens over an encrypted connection, this "requires users to send plaintext passwords to servers during login, because servers must see these passwords to match against registered passwords on file."
The OPAQUE solution avoids transferring the client's password at all: the server and client jointly compute a salted hash of the password, with a second salt contributed by the server during the exchange, and it is that result, not the password, that gets compared.
Bradley is the author of a proof-of-concept implementation of OPAQUE on the web, built to "show the feasibility of... completely removing plaintext passwords from the wire, even encrypted."
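To make the "jointly calculate a salted hash" idea concrete, here is an added illustration of the OPRF step that OPAQUE builds on. It is not Cloudflare's code, not Bradley's proof of concept, and not the OPAQUE paper's construction; it is a toy Diffie-Hellman OPRF over a constructed 63-bit safe-prime group (far too small to be secure) in which the client blinds the hashed password, the server raises it to a per-user secret key (the "second salt" that never leaves the server), and the client unblinds the result. The password itself never crosses the wire, even in hashed form. The registration record (a hash of the OPRF output) is a simplification of OPAQUE's real envelope, which additionally carries key-exchange material; all names and the group parameters are assumptions for this demo.

```python
"""Toy DH-OPRF showing how a server can salt-hash a password it never sees.
Added illustration only; not Cloudflare's, Bradley's or the OPAQUE paper's code."""
import hashlib
import secrets


# ---- a small safe-prime group, constructed for the demo (NOT a secure size) ----
def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for sp in bases:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start: int) -> int:
    """Deterministically scan upward for p = 2q + 1 with both p and q prime."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


P = find_safe_prime(1 << 62)   # group modulus (about 2^63, fits in 8 bytes)
Q = (P - 1) // 2               # prime order of the quadratic-residue subgroup


def hash_to_group(password: bytes) -> int:
    """Map the password into the order-Q subgroup: hash to an integer, square mod P."""
    x = int.from_bytes(hashlib.sha256(b"oprf-h2g|" + password).digest(), "big") % P
    h = pow(x, 2, P)
    assert h not in (0, 1)     # only possible for x = 0 or x = +/-1, negligible here
    return h


# ---- the OPRF exchange: what each side computes and what actually goes on the wire ----
def client_blind(password: bytes):
    """Client -> server: a fresh random exponent r and H(pw)^r.
    The blinded value is uniformly random in the subgroup, so it reveals nothing about pw."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(hash_to_group(password), r, P)


def server_evaluate(blinded: int, oprf_key: int) -> int:
    """Server -> client: (H(pw)^r)^k. The per-user key k is the salt the server keeps."""
    return pow(blinded, oprf_key, P)


def client_finalize(password: bytes, r: int, evaluated: int) -> bytes:
    """Client: remove the blind with r^-1 mod Q to get H(pw)^k, then hash to the
    'randomized password' rw that only the client ever holds."""
    unblinded = pow(evaluated, pow(r, -1, Q), P)
    return hashlib.sha256(b"oprf-final|" + password + unblinded.to_bytes(8, "big")).digest()


def oprf_direct(password: bytes, oprf_key: int) -> bytes:
    """Reference value a party holding BOTH pw and k would compute; used only to
    show the blinded exchange yields the same rw without the server seeing pw."""
    unblinded = pow(hash_to_group(password), oprf_key, P)
    return hashlib.sha256(b"oprf-final|" + password + unblinded.to_bytes(8, "big")).digest()


# ---- registration and login built on top of the OPRF (simplified, no envelope/AKE) ----
def register(password: bytes) -> dict:
    """Server stores a fresh per-user k plus a verifier derived from rw; it never
    receives the password, so per-user k prevents precomputed dictionary tables."""
    k = secrets.randbelow(Q - 1) + 1
    r, blinded = client_blind(password)
    rw = client_finalize(password, r, server_evaluate(blinded, k))
    return {"k": k, "verifier": hashlib.sha256(b"verify|" + rw).digest()}


def login(record: dict, password: bytes) -> bool:
    """Rerun the exchange with a new blind and compare verifiers in constant time."""
    r, blinded = client_blind(password)
    rw = client_finalize(password, r, server_evaluate(blinded, record["k"]))
    return secrets.compare_digest(hashlib.sha256(b"verify|" + rw).digest(), record["verifier"])


if __name__ == "__main__":
    pw = b"correct horse battery staple"   # constructed sample password
    rec = register(pw)
    print("login ok:", login(rec, pw), "| wrong pw:", login(rec, b"nope"))
```

Two things worth checking when running it: the value sent by `client_blind` changes on every call even for the same password (so a passive observer cannot even tell whether two logins used the same password), and `client_finalize` lands on exactly the value `oprf_direct` computes with the password and key together. Note that a compromised server still holds `k` and can run an offline dictionary attack on its own stored record; what OPAQUE buys is that the attack must be done per user after compromise, and that nothing password-derived was ever visible in transit.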
News URL
https://go.theregister.com/feed/www.theregister.com/2020/12/08/cloudflare_privacy_protocols/