[security] MITM attacks on OpenID direct verification and association
thayes0993 at AOL.COM
Wed Feb 14 01:35:24 UTC 2007
I need to say one last word about the security of OpenID against MITM attacks. Recent emails have suggested that using associations somehow improves the resistance of OpenID to these attacks relative to using direct verification. This really isn't true.
Please read the section on this topic in the current OpenID 2.0 draft. <http://openid.net/specs/openid-authentication-2_0-11.html#rfc.section.15.1.2>
This section correctly describes the reliance on the DNS or the transport security:
"If DNS resolution or the transport layer is compromised signatures on messages are not adequate, since the attacker can impersonate the OP and issue its own associations, or its own decisions in Stateless Mode. If an attacker can tamper with the discovery process they can specify any OP, and so does not have to impersonate the OP."
In short, associations are useful for reducing the cost of verifying assertions by allowing the verification to be performed by the RP. However they do not add to the resistance to MITM attacks.
Terry
(here's my MITM code, for those that are into this sort of thing!)
1) Capture the associate request, save base64_encode(H(base64_decode(dh_consumer_public))), and dh_gen
2) Modify the associate response, replace dh_server_public with the dh_gen and enc_mac_key with the value computed from dh_consumer_public from step 1
3) Left as an exercise to the reader!
-----Original Message-----
From: hgranqvist at verisign.com
To: sappenin at gmail.com
Cc: security at openid.net
Sent: Wed, 7 Feb 2007 11:01 AM
Subject: Re: [security] [OpenID] OpenId Association Timeout Recommendations
David Fuelling wrote:
> Can you elaborate on this attack a bit more? What would the MITM gain by
> sending a fake "valid" response, when the OP actually sent "invalid" (or
> vice versa)?
When the OP sends "valid" and Mallory changes that to "invalid" the
attack is denial of service. This is a fairly useless attack
since Alice probably notices it fairly quickly.
The main attack is when the OP sends "invalid" and Mallory changes
that to "valid". The RP would then believe Alice has authenticated
to OP, and thus let Mallory successfully impersonate Alice on the RP's
system. (There is no feedback step to the OP, so the OP never sees
this attack.)
> Also, why is the assoc step harder to MITM? Isn't there a DH computation on
> both the direct verification step and the association step?
The heavy lifting is only at DH key exchange in the assoc step. Once
the key has been shared, the time complexity of the signing and
verification is fast (typically HMAC time).
Hans
_______________________________________________
security mailing list
security at openid.net
http://openid.net/mailman/listinfo/security