shared secret using diffie-hellman
paul at ciphergoth.org
Sun Jun 5 01:33:53 PDT 2005
Brad Fitzpatrick wrote:
> Here's how I'd see the shared secret setup as outlined before (and
> corrected by Paul), but using diffie-hellman for finding the shared
> secret, instead of passing it in the clear.
I had envisaged something more like
Consumer chooses p, g and random x less than p.
p and g can be hardwired into the source if need be.
consumer --> idserver
openid.mode = get_hmac_sha1_secret_dh
openid.dh.p = <modulus>
openid.dh.g = <generator>
openid.dh.gx = <g ^ x mod p>
IDserver chooses random y less than p, and calculates
K = SHA-1(gx ^ y)
idserver --> consumer
openid.dh.gy = <g ^ y mod p>
openid.nonce = <random nonce>
openid.payload = CTR_K(<payload>)
where <payload> is a reply as get_hmac_sha1_secret sends in the clear,
and CTR is AES in CTR mode, using openid.nonce to initialize the
counter. Normally it's very bad practice to use encryption without a
MAC, but in this instance any active attacker can just act as a man in
the middle and know everything, so there's not much point in defending
against them, thus using CTR rather than the small extra complexity of
something like EAX.
Everything else works as before. This means that we can do it all in a
single HTTP transaction. Also it favours consumers over servers, since
they choose the size of keys to use and they don't need to use more than
x and y must not be re-used. In practice, we should probably work in the
Schnorr group (the group DSA uses), but that's a detail for a later post.
\/ o\ Paul Crowley, paul at ciphergoth.org
More information about the yadis