Opaque Sphinx
Secure password-based authentication with Opaque/Sphinx
Opaque Sphinx is a project that aims to secure password-based authentication by deploying the state-of-the-art SPHINX and OPAQUE cryptographic protocols to eliminate almost all common attack vectors - such as weak guessable passwords, password reuse, phishing, password databases, offline dictionary attacks, database leaks - plaguing current solutions. These protocols provide the strongest available cryptographic properties with cryptographic proofs. The project intend to port its already existing free software SPHINX implementation - besides already existing support for Linux and Windows - to Android so it can also be used on smartphones.
- The project's own website: https://github.com/stef/libsphinx
Why does this actually matter to end users?
For many people, one of the things that is most difficult when using the internet is remembering all the passwords. As a result, they will act unwise. Some use very simple passwords that extremely are easy to guess. Or reuse the same password all the time, so that a single leak of one of the services they use on the internet will expose all the others. This makes it very easy for those that want to abuse the accounts of these people to do so. Hackers have started collecting all passwords that have ever been publicly exposed in a hack. There is an alarming success rate if you start trying these out one at a time - with a simple bot net you can hammer the servers at a rate of many thousands of attempts per second. But instead of blaming the victims for reckless or uninformed behaviour, we can see if we can solve the challenge in another way.
Make a 180 degree turn, and take the position of a service that needs to authenticate a user. You get an account name and a password, and compare this to what you have on record. If it is correct, you let the user enter. If not, you reject. But what if you could make it so that you as a service provider never get to see the actual passwords of any of your users, but instead can register and negotiate in a more clever way than with a bare password? With the right technical design (which in technical terms is called a "Password Authenticated Key Exchange"), you don't need to bother the user with all kinds of additional requirements for this. You can just handle everything in the software at both ends. This novel solution is based on advanced modern cryptographic research, and really deserves to be deployed everywhere, but isn't - yet.
If you as a service provider can verify your users have access to the right password without you actually getting to ever see it, you do not run the risk of ever exposing their data. Even if the user uses the same password everywhere, neither you or anyone else can ever find out. Implementations already exist for desktop operating systems like Linux and Windows, but the Opaque Sphinx project will make it possible to effectively use this technology on Android phones too.
This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310.