About Opaque
Opaque is a JavaScript package to allow secure password-based, client-server authentication without the server ever obtaining knowledge of the password.
Audit Description
Through OTF’s Red Team Lab, 7ASecurity conducted a penetration test and whitebox security review of Opaque. A whitebox review is a form of application testing that provides the tester with complete knowledge of the application being tested, including access to source code and design documents. 7ASecurity had access to reference client and server implementations, documentation, and source code.
This is the first penetration test for this project.
Scope
- Whitebox tests against Javascript implementation of the OPAQUE protocol
- OPAQUE Code-Fuzzing & Differential Fuzzing of the Crypto Implementation
- Whitebox tests against OPAQUE supply chain implementation
- Opaque Lightweight threat model documentation
- Privacy tests against OPAQUE servers and clients
Summary of Findings
The Opaque library defended itself well against a broad range of attack vectors. 7ASecurity did not uncover any directly exploitable vulnerabilities—an unusual result for a first security audit. Most of the weaknesses discovered had to do with the Opaque examples and not the library itself. The fundamental architecture of the core library is robust, making it a reliable choice for developers. 7ASecurity does have five suggested fixes and enhancements for the OPAQUE team to consider, though.
Pentest Report
OTF Blog Post
Code:
JavaScript Implementation of the OPAQUE protocol
- Main repository
- Packages:
- React Native versions of the package:
- Documentation