shared secret using diffie-hellman

Nathan D. Bowen nbowen+yadis at andtonic.com
Tue Jun 7 11:06:35 PDT 2005


I too had assumed that we would create HMACs directly using the digest 
of the DH-generated secret.

I can see that the XORing benefits LiveJournal, because LiveJournal 
already has LJ::get_secret. On the other hand, if XORing with a 
self-generated key is required by the protocol, every server implementor 
is required to include an HMAC-secret-generator, even though DH itself 
works as a perfectly-good (if not perfectly storage-efficient) 
HMAC-secret-generator.

Since self-generating HMAC secrets is a non-critical optimization, it 
seems like it should be a per-implementation decision, not a protocol 
requirement.

Would there be any problem with allowing each server to choose for 
itself whether or not to XOR against a self-generated secret?

If a consumer receives an "openid.enc_secret" value, it will know that 
the HMAC secret is
    SHA1(DH-Generated Secret) XOR (openid.enc_secret)

But if the server didn't send any value for "openid.enc_secret", the 
consumer will know that the HMAC secret is
    SHA1(DH-Generated Secret).

The only complexity this adds to the protocol is that of conditionally 
skipping a step, and this removes the complexity of requiring a good 
implementation of get_secret for those who don't want it.

But I'm counting on someone to let me know if I'm way off-base, here.



More information about the yadis mailing list