<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.2995" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=312243819-05022007>
<DIV dir=ltr align=left><FONT face=Arial><FONT color=#0000ff><FONT size=2>A MITM
can easily change any is_valid value<SPAN class=312243819-05022007>
</SPAN></FONT></FONT></FONT></SPAN><SPAN class=312243819-05022007><FONT
size=2>since those responses are </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=312243819-05022007><FONT
size=2>unprotected.</FONT></SPAN></DIV></DIV>
<DIV dir=ltr align=left><SPAN class=312243819-05022007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=312243819-05022007><FONT face=Arial
color=#0000ff size=2>There is a MITM attack on the association step, but it is
much harder, as it</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=312243819-05022007><FONT face=Arial
color=#0000ff size=2>requires DH computation and state keeping for later
authentication steps.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=312243819-05022007><FONT face=Arial
color=#0000ff size=2>There are also DH variants that are more resilient to MITM
attacks (SRP </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=312243819-05022007><FONT face=Arial
color=#0000ff size=2>anyone? ;), and such </FONT></SPAN><SPAN
class=312243819-05022007><FONT face=Arial color=#0000ff size=2>can be added as
mechanisms to the protocol.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=312243819-05022007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=312243819-05022007><FONT face=Arial
color=#0000ff size=2>In reality </FONT></SPAN><SPAN
class=312243819-05022007><FONT face=Arial color=#0000ff size=2>Direct
Verification is useless. Very few RPs use secure channels. </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=312243819-05022007><FONT face=Arial
color=#0000ff size=2>The message floats unprotected through the network of
tubes.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=312243819-05022007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=312243819-05022007><FONT face=Arial
color=#0000ff size=2>Direct verification gives an attacker an incredibly
simple way to downgrade </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=312243819-05022007></SPAN><SPAN
class=312243819-05022007><FONT face=Arial color=#0000ff size=2>the protocol
without either the OP nor </FONT></SPAN><SPAN class=312243819-05022007><FONT
face=Arial color=#0000ff size=2>the RP being </FONT></SPAN><FONT
face=Arial><FONT size=2><FONT color=#0000ff><SPAN class=312243819-05022007>any
</SPAN></FONT></FONT></FONT><FONT face=Arial><FONT size=2><FONT
color=#0000ff><SPAN class=312243819-05022007>wiser</SPAN><SPAN
class=312243819-05022007><FONT>. </FONT></SPAN></FONT></FONT></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial><FONT size=2><FONT color=#0000ff><SPAN
class=312243819-05022007></SPAN></FONT></FONT></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial><FONT size=2><FONT color=#0000ff><SPAN
class=312243819-05022007>What attacker wouldn't love
that?</SPAN></FONT></FONT></FONT></DIV>
<DIV dir=ltr align=left><SPAN class=312243819-05022007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN><SPAN class=312243819-05022007><FONT
face=Arial color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=312243819-05022007><FONT face=Arial
color=#0000ff size=2>Hans</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=312243819-05022007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV><FONT face=Arial color=#0000ff
size=2></FONT><FONT face=Arial color=#0000ff size=2></FONT><FONT face=Arial
color=#0000ff size=2></FONT><FONT face=Arial color=#0000ff size=2></FONT><FONT
face=Arial color=#0000ff size=2></FONT><FONT face=Arial color=#0000ff
size=2></FONT><FONT face=Arial color=#0000ff size=2></FONT><FONT face=Arial
color=#0000ff size=2></FONT><FONT face=Arial color=#0000ff size=2></FONT><FONT
face=Arial color=#0000ff size=2></FONT><BR>
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> thayes0993@aol.com
[mailto:thayes0993@aol.com] <BR><B>Sent:</B> Monday, February 05, 2007 11:30
AM<BR><B>To:</B> Granqvist, Hans; sappenin@gmail.com; general@openid.net;
security@openid.net<BR><B>Subject:</B> Re: [OpenID] OpenId Association Timeout
Recommendations<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV>Hans,<BR><BR>Using the direct verification is not a "less secure
mode". Association handles provide a way to reduce the cost of
verification by eliminating one set of messages from the flow. However,
the association is established using the same basic message exchange as the
verification itself, and so is neither more or less
secure.<BR><BR>Terry<BR></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV><FONT face=Arial
color=#0000ff size=2></FONT><FONT face=Arial color=#0000ff size=2></FONT><FONT
face=Arial color=#0000ff size=2></FONT><FONT face=Arial color=#0000ff
size=2></FONT> <BR>-----Original Message-----<BR>From:
hgranqvist@verisign.com<BR>To: sappenin@gmail.com; general@openid.net;
security@openid.net<BR>Sent: Mon, 5 Feb 2007 11:13 AM<BR>Subject: Re: [OpenID]
OpenId Association Timeout Recommendations<BR><BR>
<DIV class=AOLPlainTextBody
id=AOLMsgPart_0_a703e1a0-8f61-469d-a3ff-e8aef1fc6285><PRE><TT>> I'm wondering if anyone has an opinion on a "recommended"
> association timeout for OpenId OP/RP implementations?
David,
There is a slight problem with shared secrets in the OpenID
authentication protocol.
Generally you want to make the lifespan of shared secrets as short
as possible to reduce risk.
However, according to the OpenID protocol, when the RP uses an expired
association handle, the OP should proceed as if no association handle
was provided, which will then lead to the obvious security risks(*)
related with direct verification:
<<A href="http://openid.net/specs/openid-authentication-2_0-11.html#check_auth" target=_blank>http://openid.net/specs/openid-authentication-2_0-11.html#check_auth</A>>
That's the Catch-22: You will want the shared secret to live for
a short time, but you don't want to risk reducing the authentication
flow into a less secure mode.
One way to implement a more secure OP is to refuse some
security reductions of the protocol:
* require valid associations, and
* respond with negative assertion (should the assertion be
invalid)
AFAIK, the language of the spec, with MAYs and SHOULDs, lets you do
this and still remain compliant.
-Hans
(*) meaning the fact that the OP responds whether the signature
was okay with an unsigned yes/no
>
> I think it takes something like 2^80 operations to brute
> force SHA1 (the least secure OpenId HMAC Association type).
> Supposedly, in 2005 SHA1 was "sort of" broken by a Chinese
> researcher (see here:
> <A href="http://www.schneier.com/blog/archives/2005/02/sha1_broken.html" target=_blank>http://www.schneier.com/blog/archives/2005/02/sha1_broken.html</A>
) but according to Bruce Schneier, HMAC is not affected by this >
development (only digital signatures are).
>
> All that to say, it seems like it would still take a long
> time to brute force an SHA1 association (SHA256 even longer),
> so I'm wondering what people's thoughts are where OpenId
> implementation should set this number by default.
>
> For example, one of the most popular Java OpenId 2.0
> implementations currently uses a 30 minute expiration. What
> about 3 days? 7 days? Longer?
>
> I guess I'm trying to figure out where the "balance between
> security and convenience" decision should be made.
>
> Thanks for your input!
>
> David
>
> _______________________________________________
> general mailing list
> <A href="mailto:general%40openid.net">general@openid.net</A>
> <A href="http://openid.net/mailman/listinfo/general" target=_blank>http://openid.net/mailman/listinfo/general</A>
>
_______________________________________________
general mailing list
<A href="mailto:general%40openid.net">general@openid.net</A>
<A href="http://openid.net/mailman/listinfo/general" target=_blank>http://openid.net/mailman/listinfo/general</A>
</TT></PRE></DIV><!-- end of AOLMsgPart_0_a703e1a0-8f61-469d-a3ff-e8aef1fc6285 -->
<DIV class=AOLPromoFooter>
<HR style="MARGIN-TOP: 10px">
<A
href="http://pr.atwola.com/promoclk/1615326657x4311227241x4298082137/aol?redir=http%3A%2F%2Fwww%2Eaol%2Ecom%2Fnewaol"
target=_blank><B>Check out the new AOL</B></A>. Most comprehensive set of free
safety and security tools, free access to millions of high-quality videos from
across the web, free AOL Mail and more.<BR></DIV></BLOCKQUOTE></BODY></HTML>