Changelog

Zero-knowledge encryption for the Ciphera platform

Ciphera ID migrated to OPAQUE-based authentication and vault key derivation, ensuring the server never sees a user password.


What shipped

  • OPAQUE authentication (asymmetric PAKE) replaces the previous password flow. The plaintext password never reaches the server — only the OPAQUE record is stored.
  • Vault Master Key (VMK) is now derived from the OPAQUE export_key via HKDF and wrapped with AES-KW before being stored server-side.
  • Client-side PBKDF2 blind index (1,000,000 iterations) is used as the email lookup key, removing any plaintext email from server-side query logs.
  • SRP-6a fully retired; all existing sessions migrated.

Why it matters

Under the new scheme, a full compromise of the Ciphera ID database yields no usable credentials: no password, no key material, no plaintext email. Zero-knowledge by construction.

Powered by Tessera

The cryptographic layer is implemented by the open-source Tessera library (Rust core, Go server SDK, browser TypeScript SDK), released under Apache-2.0.