Proposal for improved security of association establishment in OpenID 2.0

Josh Hoyt josh at janrain.com
Fri May 18 18:08:41 UTC 2007


Guoping,

I'm not an expert, but I do understand the attack that you're
describing. I'm hesitant to make the change without input from Paul
Crowley, who designed the key exchange mechanism in the first place. I
hope that he will comment.

It should be noted that a man-in-the-middle can still be a problem if
they intercept (proxy) every message, and not just the
association-related messages. This raises the bar for being a
man-in-the-middle, but it does not eliminate the problem.

Josh

On 5/17/07, Guoping Liu <gliu at pingidentity.com> wrote:
> Issue: Vulnerability to man-in-the-middle attacks
>
> The association algorithm with DH-SHA1 and DH-SHA256 defined in the
> draft 11 is vulnerable to man-in-the-middle attacks if server
> authentication with HTTPS is not used. Here is how:
>
> An RP sends an associate request to an OP with the following parameters:
>
>         openid.dh_modulus = base64(btwoc(p))
>         openid.dh_gen = base64(btwoc(g))
>         openid.dh_consumer_public = base64(btwoc(g ^ xa mod p))
>
> A middle man M intercepts the request. M then generates xc and creates a
> new request to the OP with the following parameters:
>
>         openid.dh_modulus = base64(btwoc(p))
>         openid.dh_gen = base64(btwoc(g))
>         openid.dh_consumer_public = base64(btwoc(g ^ xc mod p))
>
> The OP receives the request from M and sends the following response to M:
>
>         dh_server_public = base64(btwoc(g ^ xb mod p))
>         enc_mac_key = base64(H(btwoc(g ^ (xc * xb) mod p)) XOR MAC_key)
>
> M decrypts the MAC_key as follows:
>
>         MAC_key = H(btwoc(g ^ (xc * xb) mod p)) XOR enc_mac_key
>
> M then sends a response to the RP with the following parameters:
>
>         dh_server_public = base64(btwoc(g ^ xc mod p))
>         enc_mac_key = base64(H(btwoc(g ^ (xc * xa) mod p)) XOR MAC_key)
>
> Now, the RP, middle man M and OP all have the same MAC_key.
>
>
> Proposed Solution:
>
> Do not send enc_mac_key in response. Both OP and RP generate a MAC key
> as follows
>
>         H(btwoc(g ^ (xa * xb) mod p))
>
> We are NOT sending the MAC key over and are not vulnerable to man in the
> middle attacks.
>
> Guoping Liu
>
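
Added example, not part of the original thread: a Python simulation of the two association flows discussed above, with an unauthenticated relay M in the path. It shows that in the draft 11 flow M ends up holding the OP's MAC_key, and that in the proposed flow the RP and OP derive different keys, each of which M also holds, so M has to proxy every later message. The small modulus, SHA-1 as H (DH-SHA1) and all function names are assumptions made for the demonstration.

```python
import hashlib
import secrets

# Constructed demo parameters (assumption): a 127-bit Mersenne prime keeps the
# run fast; real associations use the much larger modulus from the spec.
P = 2**127 - 1
G = 2

def btwoc(n):
    """Big-endian two's complement, shortest form (extra 0x00 if high bit set)."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")

def H(secret):
    """Hash of the DH shared secret; SHA-1 as in DH-SHA1."""
    return hashlib.sha1(btwoc(secret)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keypair():
    x = secrets.randbelow(P - 3) + 2          # private exponent
    return x, pow(G, x, P)                    # (private, public)

def draft11_with_relay():
    """Draft 11 flow: the OP sends enc_mac_key, M relays the association."""
    xa, ya = keypair()                            # RP
    xb, yb = keypair()                            # OP
    xc, yc = keypair()                            # M
    mac_key = secrets.token_bytes(20)             # chosen by the OP
    enc_to_m = xor(H(pow(yc, xb, P)), mac_key)    # OP answers M's request
    m_key = xor(H(pow(yb, xc, P)), enc_to_m)      # M unwraps MAC_key
    enc_to_rp = xor(H(pow(ya, xc, P)), m_key)     # M re-wraps it for the RP
    rp_key = xor(H(pow(yc, xa, P)), enc_to_rp)    # RP unwraps using M's public
    return rp_key, m_key, mac_key

def proposal_with_relay():
    """Proposed flow: no enc_mac_key; each side hashes its own DH secret."""
    xa, ya = keypair()                            # RP
    xb, yb = keypair()                            # OP
    xc, yc = keypair()                            # M
    rp_key = H(pow(yc, xa, P))                    # RP paired with M's public
    op_key = H(pow(yc, xb, P))                    # OP paired with M's public
    m_keys = (H(pow(ya, xc, P)), H(pow(yb, xc, P)))
    return rp_key, op_key, m_keys

if __name__ == "__main__":
    rp, m, op = draft11_with_relay()
    print("draft 11: RP, M and OP share one key:", rp == m == op)
    rp, op, m_keys = proposal_with_relay()
    print("proposal: RP key equals OP key:", rp == op)
```

In both flows the exchange itself carries no proof of who sent a public value; server authentication over HTTPS, which the original message names as the precondition, is what binds `dh_server_public` to the OP.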
