Using the direct verification is not a "less secure mode". Association handles provide a way to reduce the cost of verification by eliminating one set of messages from the flow. However, the association is established using the same basic message exchange as the verification itself, and so is neither more or less secure.<br>
To: email@example.com; firstname.lastname@example.org; email@example.com<br>
Sent: Mon, 5 Feb 2007 11:13 AM<br>
Subject: Re: [OpenID] OpenId Association Timeout Recommendations<br>
<div id="AOLMsgPart_0_a703e1a0-8f61-469d-a3ff-e8aef1fc6285" class="AOLPlainTextBody">
<pre><tt>> I'm wondering if anyone has an opinion on a "recommended"
> association timeout for OpenId OP/RP implementations?
There is a slight problem with shared secrets in the OpenID
Generally you want to make the lifespan of shared secrets as short
as possible to reduce risk.
However, according to the OpenID protocol, when the RP uses an expired
association handle, the OP should proceed as if no association handle
was provided, which will then lead to the obvious security risks(*)
related with direct verification:
<<a href="http://openid.net/specs/openid-authentication-2_0-11.html#check_auth" target="_blank">http://openid.net/specs/openid-authentication-2_0-11.html#check_auth</a>>
That's the Catch-22: You will want the shared secret to live for
a short time, but you don't want to risk reducing the authentication
flow into a less secure mode.
One way to implement a more secure OP is to refuse some
security reductions of the protocol:
* require valid associations, and
* respond with negative assertion (should the assertion be
AFAIK, the language of the spec, with MAYs and SHOULDs, lets you do
this and still remain compliant.
(*) meaning the fact that the OP responds whether the signature
was okay with an unsigned yes/no
> I think it takes something like 2^80 operations to brute
> force SHA1 (the least secure OpenId HMAC Association type).
> Supposedly, in 2005 SHA1 was "sort of" broken by a Chinese
> researcher (see here:
> <a href="http://www.schneier.com/blog/archives/2005/02/sha1_broken.html" target="_blank">http://www.schneier.com/blog/archives/2005/02/sha1_broken.html</a>
) but according to Bruce Schneier, HMAC is not affected by this >
development (only digital signatures are).
> All that to say, it seems like it would still take a long
> time to brute force an SHA1 association (SHA256 even longer),
> so I'm wondering what people's thoughts are where OpenId
> implementation should set this number by default.
> For example, one of the most popular Java OpenId 2.0
> implementations currently uses a 30 minute expiration. What
> about 3 days? 7 days? Longer?
> I guess I'm trying to figure out where the "balance between
> security and convenience" decision should be made.
> Thanks for your input!
> general mailing list
> <a href="mailto:general%40openid.net">firstname.lastname@example.org</a>
> <a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a>
general mailing list
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a>
<!-- end of AOLMsgPart_0_a703e1a0-8f61-469d-a3ff-e8aef1fc6285 -->
<hr style="margin-top:10px;" />
<a href="http://pr.atwola.com/promoclk/1615326657x4311227241x4298082137/aol?redir=http%3A%2F%2Fwww%2Eaol%2Ecom%2Fnewaol" target="_blank"><b>Check out the new AOL</b></a>. Most comprehensive set of free safety and security tools, free access to millions of high-quality videos from across the web, free AOL Mail and more.<br />