The OPAQUE Augmented Password-Authenticated Key Exchange Protocol
RFC 9807, “The OPAQUE Augmented Password-Authenticated Key Exchange Protocol”, is an Informational document published in July 2025 by D. Bourdrez, H. Krawczyk, K. Lewi, C. A. Wood. The canonical text is published by the RFC Editor.
Abstract
This document describes the OPAQUE protocol, an Augmented (or Asymmetric) Password-Authenticated Key Exchange (aPAKE) protocol that supports mutual authentication in a client-server setting without reliance on PKI and with security against pre-computation attacks upon server compromise. In addition, the protocol provides forward secrecy and the ability to hide the password from the server, even during password registration. This document specifies the core OPAQUE protocol and one instantiation based on 3DH. This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.
What “Informational” means
Published for the general information of the community. It does not define an IETF standard and carries no standards-track status.
The canonical text of RFC 9807 is hosted at rfc-editor.org. Available in HTML,TXT,PDF,XML.
- RFC 9806 Updates to SIP-Based Media Recording to Correct Metadata Media Type
- RFC 9808 Content Delivery Network Interconnection Capacity Capability Advertisement Extensions
- RFC 9805 Deprecation of the IPv6 Router Alert Option for New Protocols
- RFC 9809 X.509 Certificate Extended Key Usage for Configuration, Updates, and Safety-Critical Communication
- RFC 9804 Simple Public Key Infrastructure S-Expressions
- RFC 9810 Internet X.509 Public Key Infrastructure -- Certificate Management Protocol
- RFC 9803 Extensible Provisioning Protocol Mapping for DNS Time-to-Live Values
- RFC 9811 Internet X.509 Public Key Infrastructure -- HTTP Transfer for the Certificate Management Protocol