[security] Diffie-Hellman parameter validation
James A. Donald
jamesd at echeque.com
Tue Mar 27 21:39:37 UTC 2007
Johnny Bufu wrote:
> Jason Fritcher pointed out in a thread on the openid4java list that
> there may be a security issue with the way the DH session is
> established:
>
>> I've been thinking about how the RP can supply DH parameters to the
>> OP, and was wondering if any discussion has occurred about whether to
>> include language in the spec about how OPs should do validation of the
>> DH params that get sent to them. A few quick checks of the modulus
>> like primality checking and possibly enforcing the use of safe primes.
>> It might also be good to check the supplied generator to make sure it
>> is valid for the supplied modulus. I'm nowhere close to being a
>> crypto guru, but I wrote a Secure Remote Password implementation and
>> after the research I did for that, not checking the DH params in the
>> OP seems like a weakness. I might just be overly paranoid here and
>> OpenID really doesn't need that level of security, but I thought I'd
>> ask.
>
> <http://groups.google.com/group/openid4java/browse_thread/thread/f96a7b68bb15272d/c9f0f1a85e3372cc#c9f0f1a85e3372cc>
>
> I am not a security expert either, but this seems a valid point to
> me. Can someone with deeper crypto knowledge please confirm / infirm?
>
>
> I think we should either mention that the OP SHOULD perform such
> validation, or at least mention the possible eavesdropping attack in
> the security considerations section.
I do not think so.
The originator of the DH parameters, whether he is the entity you
think you are talking to, or is a man in the middle, has every reason to
supply valid parameters. SRP faces different problems to DH initiation.