The APERIO platform routinely processes industrial data from some of the world’s leading industrial companies, so securing our customers’ data has always been a primary ingredient of our architecture. As part of our ongoing efforts to proactively secure customer data, we have recently introduced a new layer of advanced security for password-based authentication. We are pleased to announce our transition to OPAQUE authentication, widely regarded as the strongest password authentication protocol available today and adopted by security-savvy organizations such as CloudFlare.
Aperio has already reached industry-standard security compliance levels through our ongoing SOC 2 program, but we have not stopped there. We consider certifications to be useful but not sufficient. For example, threats associated with compromised TLS inspection are not covered by current compliance frameworks, so we have gone beyond certification checklists.
What is OPAQUE?
In the cryptographic community, OPAQUE is known as an authentication protocol that “should be deployed everywhere but is deployed almost nowhere”. It has earned this reputation by removing some major risks associated with transmitting credentials over a network. In a traditional login, the user sends the password itself to the server (protected only by TLS), so the server, and anything that can read the traffic in between, sees the password in the clear. Depending on the deployment this exposes the password to eavesdropping, replay, offline cracking of the server’s stored hashes and similar attacks.
OPAQUE is an augmented password-authenticated key exchange (aPAKE) protocol. The password never leaves the client in any form, encrypted or otherwise. Instead, the client runs an oblivious pseudorandom function (OPRF) with the server: it sends a blinded value derived from the password, the server applies a secret per-user key to it without learning anything about the password, and the client unblinds the result into a randomized key that only the correct password can reproduce. That key unlocks a per-user envelope holding the client’s long-term private key, which is then used in an authenticated key exchange with the server. A successful login leaves the server with neither the password nor a password hash, the exchange is protected against precomputation attacks, and an observer of the traffic learns only blinded group elements. This provides a very strong additional layer of protection against the attacks above.
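The flow described above, as an added worked example that is not part of the original post and is not APERIO’s own implementation: a toy, self-contained OPAQUE-style registration and login in Python. It follows the shape of the protocol (blinded OPRF, per-user OPRF key, envelope tag over the server public key, 3DH key exchange with key confirmation) but it is not RFC 9807, and the group is an assumed, deterministically generated 256-bit safe-prime subgroup rather than an elliptic curve; all function and variable names are this example’s own. The server-side functions take only blinded group elements, which is the property being illustrated.

```python
"""Toy OPAQUE-style registration and login (illustration only, NOT RFC 9807).
The server feeds its secret per-user key k into an oblivious PRF F_k(pw) without
ever seeing pw (it only sees a blinded group element); the client turns F_k(pw)
into its long-term private key and an envelope tag, then both sides run 3DH with
key confirmation. Group: order-q subgroup of Z_p^* for an assumed 256-bit safe
prime p (toy size; real OPAQUE uses elliptic curves and a proper hash-to-curve)."""
import hashlib
import hmac
import random
import secrets

def is_probable_prime(n, rng, rounds=12):
    """Trial division then Miller-Rabin, for odd n (toy helper)."""
    if any(n % sp == 0 for sp in (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=256, seed=2024):
    """Safe prime p = 2q + 1 from a fixed seed; g = 4 is a square, so it has order q."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1, q, 4

P, Q, G = make_group()
H = lambda *parts: hashlib.sha256(b"|".join(parts)).digest()
i2b = lambda x: x.to_bytes(32, "big")
rand_scalar = lambda: secrets.randbelow(Q - 1) + 1
mac = lambda key, msg: hmac.new(key, msg, "sha256").digest()

def hash_to_group(pw):
    """Hash then square: squares mod a safe prime lie in the order-q subgroup and
    have an unknown discrete log, so the client cannot evaluate the OPRF alone."""
    return pow(int.from_bytes(H(b"h2g", pw), "big") % P, 2, P)

def oprf_blind(pw):                               # client: blind the hashed password
    r = rand_scalar()
    return r, pow(hash_to_group(pw), r, P)        # M = H(pw)^r is all the server sees
def oprf_evaluate(k, M):                          # server: apply its per-user key k
    return pow(M, k, P)                           # Z = M^k
def oprf_finalize(pw, r, Z):                      # client: unblind
    N = pow(Z, pow(r, -1, Q), P)                  # N = H(pw)^k
    return H(b"oprf", pw, i2b(N))                 # randomized password rwd = F_k(pw)
def derive_client_sk(rwd, nonce):
    return int.from_bytes(H(b"sk", rwd, nonce), "big") % (Q - 1) + 1

class Server:
    def __init__(self):
        self.sk = rand_scalar()
        self.pk = pow(G, self.sk, P)
        self.db = {}                              # per-user record: k, pk_c, envelope
    def register_start(self, user, M):
        self.db[user] = {"k": rand_scalar()}      # fresh OPRF key per user, never sent out
        return oprf_evaluate(self.db[user]["k"], M)
    def register_finish(self, user, pk_c, env):
        self.db[user].update(pk=pk_c, env=env)    # no password and no password hash stored
    def login_start(self, user, M, X):
        rec, y = self.db[user], rand_scalar()
        Y = pow(G, y, P)
        ikm = i2b(pow(X, y, P)) + i2b(pow(X, self.sk, P)) + i2b(pow(rec["pk"], y, P))
        self.session = H(b"3dh", ikm)
        return oprf_evaluate(rec["k"], M), rec["env"], self.pk, Y, mac(self.session, b"server")
    def login_finish(self, client_mac):
        return hmac.compare_digest(client_mac, mac(self.session, b"client"))

def register(server, user, pw):
    r, M = oprf_blind(pw)
    rwd = oprf_finalize(pw, r, server.register_start(user, M))
    nonce = secrets.token_bytes(32)
    pk_c = pow(G, derive_client_sk(rwd, nonce), P)
    server.register_finish(user, pk_c, nonce + mac(H(b"mac", rwd), nonce + i2b(server.pk)))

def login(server, user, pw):
    """Return the mutually confirmed session key, or None if the password is wrong."""
    r, M = oprf_blind(pw)
    x = rand_scalar()
    Z, env, pk_s, Y, server_mac = server.login_start(user, M, pow(G, x, P))
    rwd = oprf_finalize(pw, r, Z)
    nonce, tag = env[:32], env[32:]
    if not hmac.compare_digest(tag, mac(H(b"mac", rwd), nonce + i2b(pk_s))):
        return None                               # wrong password: abort before any key is used
    sk_c = derive_client_sk(rwd, nonce)
    session = H(b"3dh", i2b(pow(Y, x, P)) + i2b(pow(pk_s, x, P)) + i2b(pow(Y, sk_c, P)))
    if not hmac.compare_digest(server_mac, mac(session, b"server")):
        return None                               # server failed key confirmation
    return session if server.login_finish(mac(session, b"client")) else None
```

Two things worth noticing when running it: every login sends a different blinded element for the same password, so a recording of the exchange is useless for guessing, and a wrong password is detected on the client by the envelope tag, so nothing password-derived ever reaches the server. The example omits what a deployment still needs: a memory-hard stretch of the OPRF output before deriving keys, rate limiting of online guesses, and binding the application session to the derived key.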
Why has APERIO implemented OPAQUE authentication?
We work with some of the world’s largest industrial companies, so it is essential for us to safeguard all the data that passes through our systems. Our default stance is that this data could potentially hold valuable intellectual property or proprietary processes and that a data breach could potentially lead to significant financial losses or a loss of competitive advantage.
While our own internal systems are hardened and secured using the latest industry best practices, we felt that traditional authentication methods would not enable us to fully account for all the potential vulnerabilities that can occur on the side of the end-users who access our systems. Essentially it is our way of taking the ‘zero trust’ approach that we employ within our own networks and extending it out to all the end users who access APERIO.
Combatting TLS inspection shortcomings
For example, many of our customers use industry-standard SSL/TLS inspection to secure traffic coming into their networks. This is essentially a hardware or software component positioned between the client and server that terminates the TLS session, decrypts and analyses the traffic to enforce corporate policy and detect malicious activity, and then re-encrypts it. The security of SSL/TLS inspection relies heavily on correct configuration, and historically the TLS stacks inside these tools have not been invulnerable: inspection appliances have been found exposed to the same classes of flaws as the endpoints they protect, such as Logjam, FREAK, DROWN, POODLE and Heartbleed. Any such device holds the plaintext of every login it inspects. While SSL/TLS inspection remains an essential part of any infosec strategy, OPAQUE ensures that a vulnerability anywhere along the network path, including the TLS inspection stack and intermediate proxies, does not turn into a wholesale failure of access control. An attacker who can read or even modify that traffic sees only blinded OPRF values and key-exchange messages, cannot recover users’ passwords from them, and cannot impersonate the user to the service without the user’s password. On the server side, a stolen user record contains no password or password hash, and cannot be attacked with precomputed tables. The remaining caveats are the ones every password scheme has: an attacker who obtains both the server’s secret OPRF keys and the user records can still run an offline dictionary attack against each user individually, so password strength and a memory-hard key derivation still matter, and online guessing must still be rate limited.
Our aim in implementing the OPAQUE authentication method was to go beyond regulatory requirements and future-proof the security of our own networks and our clients’ data. We are committed to reassessing and adapting our security practices on an ongoing basis to ensure that we maintain the highest levels of data privacy and protection against advanced threats.