[security] [OpenID] OpenId Association Timeout Recommendations
Hans Granqvist
hgranqvist at verisign.com
Wed Feb 7 19:01:05 UTC 2007
David Fuelling wrote:
> Can you elaborate on this attack a bit more? What would the MITM gain by
> sending a fake "valid" response, when the OP actually sent "invalid" (or
> vice versa)?
When the OP sends "valid" and Mallory changes that to "invalid" the
attack is denial of service. This is a fairly useless attack
since Alice probably notices it fairly quickly.
The main attack is when the OP sends "invalid" and Mallory changes
that to "valid". The RP would then believe Alice has authenticated
to OP, and thus let Mallory successfully impersonate Alice on the RP's
system. (There is no feedback step to the OP, so the OP never sees
this attack.)
> Also, why is the assoc step harder to MITM? Isn't there a DH computation on
> both the direct verification step and the association step?
The heavy lifting is only at DH key exchange in the assoc step. Once
the key has been shared, the time complexity of the signing and
verification is fast (typically HMAC time).
Hans
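The two verification paths the thread contrasts, as an added illustration (not code from the thread or from any OpenID library): an RP that holds an association key from the DH step recomputes the HMAC over the signed fields itself, so a rewritten assertion fails locally, whereas an RP in stateless mode trusts the plaintext `is_valid` line of the OP's direct response, which is exactly the field Mallory flips. The MAC key, identifiers, handle and HMAC-SHA256 association type are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac

# Constructed MAC key standing in for the secret the RP and OP derive in the
# DH association step (the "heavy lifting"); hypothetical value, not a real secret.
ASSOC_MAC_KEY = b"constructed-example-assoc-key-not-a-real-secret"


def _mac(fields: dict, mac_key: bytes) -> str:
    """base64(HMAC-SHA256(key, key-value form of the openid.signed fields)), OpenID 2.0 style."""
    names = fields["openid.signed"].split(",")
    kv = "".join(f"{n}:{fields['openid.' + n]}\n" for n in names)  # "openid." prefix stripped
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()


def op_sign(fields: dict, mac_key: bytes) -> dict:
    """OP side: attach the signature over the fields listed in openid.signed."""
    return {**fields, "openid.sig": _mac(fields, mac_key)}


def rp_verify_with_association(fields: dict, mac_key: bytes) -> bool:
    """RP side, associated mode: recompute the HMAC locally, no round trip to the OP."""
    return hmac.compare_digest(_mac(fields, mac_key), fields.get("openid.sig", ""))


def rp_verify_direct(check_auth_body: str) -> bool:
    """RP side, stateless mode: trust the is_valid line in the OP's direct response."""
    kv = dict(line.split(":", 1) for line in check_auth_body.splitlines() if ":" in line)
    return kv.get("is_valid") == "true"


def tamper_demo() -> dict:
    """Constructed assertion, then the two in-transit modifications the thread describes."""
    assertion = op_sign({
        "openid.mode": "id_res",
        "openid.claimed_id": "https://alice.example/",
        "openid.identity": "https://alice.example/",
        "openid.assoc_handle": "constructed-handle",
        "openid.signed": "mode,claimed_id,identity,assoc_handle",
    }, ASSOC_MAC_KEY)
    # Rewritten identity: without the MAC key the signature cannot be recomputed.
    forged = {**assertion, "openid.identity": "https://mallory.example/"}
    # Stateless mode: the OP answered "false"; a man in the middle flips the plaintext line.
    op_reply = "ns:http://specs.openid.net/auth/2.0\nis_valid:false\n"
    flipped = op_reply.replace("is_valid:false", "is_valid:true")
    return {
        "genuine_assertion_accepted": rp_verify_with_association(assertion, ASSOC_MAC_KEY),
        "forged_assertion_accepted": rp_verify_with_association(forged, ASSOC_MAC_KEY),
        "direct_reply_unmodified": rp_verify_direct(op_reply),
        "direct_reply_flipped_accepted": rp_verify_direct(flipped),
    }
```

The last result is the point of the thread: nothing in the direct-verification body is bound to the association secret, so that channel needs transport protection that the HMAC-verified assertion does not.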