Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Simplify AuthServerRespond signature by removing redundant client_public_key parameter #473

Open
rezkam opened this issue Jan 4, 2025 · 0 comments
Open

Simplify AuthServerRespond signature by removing redundant client_public_key parameter #473

rezkam opened this issue Jan 4, 2025 · 0 comments

Comments

@rezkam
Copy link

rezkam commented Jan 4, 2025
edited
Loading

The current AuthServerRespond function in the OPAQUE specification receives client_public_key as a separate parameter, even though this same value is already available in the cleartext_credentials parameter. This creates unnecessary redundancy in the API.

Current implementation:

def AuthServerRespond(cleartext_credentials, server_private_key,
                     client_public_key, ke1, credential_response):
    # client_public_key used only in:
    dh3 = DiffieHellman(server_private_keyshare, client_public_key)

Proposed change:

def AuthServerRespond(cleartext_credentials, server_private_key,
                     ke1, credential_response):
    # Use the client_public_key from cleartext_credentials:
    dh3 = DiffieHellman(server_private_keyshare, 
                        cleartext_credentials.client_public_key)

This affects the GenerateKE2 function as well:

Current:

def GenerateKE2(...):
    cleartext_credentials = CreateCleartextCredentials(
        server_public_key,
        record.client_public_key,
        server_identity, 
        client_identity
    )
    auth_response = AuthServerRespond(
        cleartext_credentials, 
        server_private_key,
        record.client_public_key,  # redundant parameter
        ke1,
        credential_response
    )

Proposed:

def GenerateKE2(...):
    cleartext_credentials = CreateCleartextCredentials(
        server_public_key,
        record.client_public_key,
        server_identity, 
        client_identity
    )
    auth_response = AuthServerRespond(
        cleartext_credentials, 
        server_private_key,
        ke1,
        credential_response
    )

Benefits:

  1. Cleaner API: Reduces parameter count in AuthServerRespond
  2. Removes Redundancy: Eliminates passing the same value twice
  3. Better Maintainability: Reduces the chance of errors where the two values might accidentally differ
  4. Simpler Implementation: Makes implementation cleaner across different languages
  5. No Security Impact: Maintains all security properties of the protocol

This change is purely structural and doesn't affect the protocol's security properties. The same client_public_key value is used, just accessed from cleartext_credentials instead of as a separate parameter.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@rezkam