Funding year 2022 / Project Call #17 / Project ID: 6374 / Project: Opaque
Security Audit
After getting the opaque and react-native-opaque packages to a stable release, a security audit was conducted by 7ASecurity. It included extensive testing, a code review and fuzz testing of the libraries. No issues could be identified in the libraries themselves; only a handful of issues were found in the examples. We fixed them and 7ASecurity re-tested the fixes.
Another result of the audit was the recommendation to improve the release process. We followed this advice and introduced publishing via GitHub CI. This also allows us to generate provenance statements with each release.
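The following workflow is an added illustration of what publishing with provenance from GitHub CI looks like; it is not the project's own workflow and the package name, trigger and secret name are assumptions. The relevant parts are the `id-token: write` permission, which lets npm obtain a signed OIDC identity for the job, and `npm publish --provenance`, which attaches an attestation linking the published tarball to the repository and workflow run.

```yaml
# Assumed example workflow, not the opaque project's own configuration.
name: publish

on:
  release:
    types: [published]   # assumed trigger: publish when a GitHub release is created

permissions:
  contents: read
  id-token: write        # required so npm can request an OIDC token for the provenance attestation

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20                              # npm >= 9.5 is needed for --provenance
          registry-url: 'https://registry.npmjs.org'    # configures .npmrc to read NODE_AUTH_TOKEN

      - run: npm ci

      - run: npm test

      # --provenance generates and uploads a SLSA build provenance statement
      # alongside the package so consumers can verify which workflow built it.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}       # assumed secret name
```

Consumers can then check the attestation with `npm audit signatures`, which verifies both the registry signature and the provenance statement for the installed packages.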
You can read up on the full report here: https://7asecurity.com/reports/pentest-report-opaque.pdf
Extensive documentation
The documentation is ready and contains all the content we planned to produce. We are especially proud of the interactive animation in the system simulation and protocol visualisation.
Why has it not yet been released as 1.0.0?
The draft of the OPAQUE-protocol RFC has passed review by the Crypto Forum Research Group (CFRG). It has now been handed over to the IETF editors, and once it has passed this step it will be published as an RFC. We will probably publish 1.0.0 by then.
What's next?
We want to promote Opaque and the OPAQUE protocol so that many more software engineering teams can benefit from its existence. This will be done through various talks at conferences and meet-ups in the coming year, e.g. React Summit on 14th June in Amsterdam.
Since we are using Opaque ourselves in our end-to-end encrypted workspace application Serenity, we intend to maintain Opaque for a long time. While we don't expect any big changes in the core library, it will certainly be necessary to keep the examples and React Native dependencies up to date.
Conclusion
Working on this project was a pleasure for the whole team and we are grateful first and foremost to Netidee for having faith in our plans. It's rare to get dedicated funding for an Open Source project of this kind, and it allowed us to establish a quality level that is rare in software development and to focus on details in the documentation that we deeply care about.
In addition we want to thank the Open Technology Foundation for sponsoring the security audit and 7ASecurity for their incredible work on the audit itself.