shared secret using diffie-hellman

Paul Crowley paul at
Sun Jun 5 01:33:53 PDT 2005

Brad Fitzpatrick wrote:
> Here's how I'd see the shared secret setup as outlined before (and
> corrected by Paul), but using diffie-hellman for finding the shared
> secret, instead of passing it in the clear.

I had envisaged something more like

Consumer chooses p, g and random x less than p.
p and g can be hardwired into the source if need be.

consumer --> idserver

     openid.mode = get_hmac_sha1_secret_dh
     openid.dh.p = <modulus>
     openid.dh.g = <generator>
     openid.dh.gx = <g ^ x mod p>

IDserver chooses random y less than p, and calculates
K = SHA-1(gx ^ y)

idserver --> consumer = <g ^ y mod p>
     openid.nonce = <random nonce>
     openid.payload = CTR_K(<payload>)

where <payload> is a reply as get_hmac_sha1_secret sends in the clear, 
and CTR is AES in CTR mode, using openid.nonce to initialize the 
counter.  Normally it's very bad practice to use encryption without a 
MAC, but in this instance any active attacker can just act as a man in 
the middle and know everything, so there's not much point in defending 
against them, thus using CTR rather than the small extra complexity of 
something like EAX.

Everything else works as before.  This means that we can do it all in a 
single HTTP transaction.  Also it favours consumers over servers, since 
they choose the size of keys to use and they don't need to use more than 
one key.

x and y must not be re-used. In practice, we should probably work in the 
Schnorr group (the group DSA uses), but that's a detail for a later post.
\/ o\ Paul Crowley, paul at

More information about the yadis mailing list