[security] security hole in signature algorithm

Dick Hardt dick at sxip.com
Mon Nov 20 06:34:22 UTC 2006


On 19-Nov-06, at 5:13 PM, Josh Hoyt wrote:

> On 11/19/06, Dick Hardt <dick at sxip.com> wrote:
>> By manipulating the return_to parameter, an attacker can impersonate
>> another user at an RP.
>
> it's hard to do a careful reading of your message with my 2-year-old
> playing piano in the background, but I don't think I understand your
> attack.
>
> I don't see any KV form strings in your description, and those are the
> things that get signed. In KV form, the pairs are indeed suffixed with
> a newline, which is the reason that newlines are not allowed.
>
> the x-www-urlencoded string:
>
>  foo=bar&baz=quux
>
> looks like:
>
> foo:bar
> baz:quux
>
> in KV form.
>
> Am I missing something?

The KV form you discuss with a newline and colon delimiters does
resolve the attack, but that is not the format of what I interpret
from the specification.

Section 6.1 of the draft 10 spec says:
To compute the list of key/value pairs to be signed:

1. Iterate through the list of keys to be signed in the order they
appear in the input to the algorithm. For each key, find the value in
the message whose key is equal to the signed list key prefixed with
"openid."
2. Append the signed list key and the associated value to the message
to be signed.


I don't see the newline and colon in this description. Is it hidden
somewhere else in the spec?

-- Dick
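The following is an added illustration, not code from this thread or from any OpenID implementation. It contrasts the two readings under discussion: the literal concatenation of key and value that the quoted section 6.1 text describes, and the "key:value" plus newline Key-Value form that the reply says is what actually gets signed. The MAC key, host names and the two messages are constructed for the example; they show the kind of boundary shift a delimiter-free concatenation permits and are not a reconstruction of the specific attack in the original report.

```python
import hashlib
import hmac

# Constructed for this example: stands in for the association MAC key an OP
# and RP share. Not a value from the thread.
MAC_KEY = bytes.fromhex("0b" * 20)

# Order of the signed list as the OP would emit it in openid.signed.
SIGNED_KEYS = ["return_to", "identity"]

# Constructed messages. HONEST is what the OP actually signs for a user whose
# own identifier (attacker.example.net) has been chosen to contain the literal
# text "identity" followed by somebody else's identifier. FORGED moves the
# field boundary: the same bytes now read as a different return_to and the
# other person's identity. Host names are placeholders, not from the thread.
HONEST = {
    "openid.return_to": "http://rp.example.com/cb",
    "openid.identity": "http://attacker.example.net/identityhttp://alice.example.org/",
}
FORGED = {
    "openid.return_to": "http://rp.example.com/cbidentityhttp://attacker.example.net/",
    "openid.identity": "http://alice.example.org/",
}


def concat_to_sign(signed_keys, message):
    """Literal reading of draft 10 section 6.1 as quoted in the message:
    for each key in the signed list, append the key and the value stored
    under "openid." + key, with nothing in between."""
    out = ""
    for key in signed_keys:
        out += key + message["openid." + key]
    return out


def kv_to_sign(signed_keys, message):
    """Key-Value form as described in the reply: one "key:value\\n" per
    pair. A key may not contain ':' or '\\n' and a value may not contain
    '\\n', so each line parses one way and the boundaries cannot move."""
    out = ""
    for key in signed_keys:
        value = message["openid." + key]
        if ":" in key or "\n" in key or "\n" in value:
            raise ValueError("illegal character in signed field %r" % key)
        out += "%s:%s\n" % (key, value)
    return out


def sign(to_sign, mac_key=MAC_KEY):
    """HMAC-SHA1 over the string to be signed, hex-encoded."""
    return hmac.new(mac_key, to_sign.encode("utf-8"), hashlib.sha1).hexdigest()


def concat_signatures_collide():
    """True if the delimiter-free reading lets FORGED reuse HONEST's signature."""
    return sign(concat_to_sign(SIGNED_KEYS, HONEST)) == sign(concat_to_sign(SIGNED_KEYS, FORGED))


def kv_signatures_collide():
    """True if the KV form also lets the signature be reused (it should not)."""
    return sign(kv_to_sign(SIGNED_KEYS, HONEST)) == sign(kv_to_sign(SIGNED_KEYS, FORGED))


def kv_rejects_newline():
    """A value carrying an embedded "\\nidentity:..." line is refused rather
    than signed, which is why the KV form forbids newlines."""
    poisoned = dict(HONEST)
    poisoned["openid.return_to"] = "http://rp.example.com/cb\nidentity:http://alice.example.org/"
    try:
        kv_to_sign(SIGNED_KEYS, poisoned)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("concatenation: same signature for different messages?", concat_signatures_collide())
    print("KV form:       same signature for different messages?", kv_signatures_collide())
    print("KV form refuses embedded newline?", kv_rejects_newline())
```

Under the concatenation reading the two messages produce byte-identical input to the HMAC, so a signature the OP issued over HONEST verifies over FORGED, whose identity field now names a different user. Both values in FORGED are still syntactically plausible URLs, so nothing in the signing step itself flags the shift. Under the KV form the colon and newline pin each field's boundary, and the only way to fake a boundary, an embedded newline, is rejected before anything is signed.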
