shared secret alternative to DSA
Nathan D. Bowen
nbowen+yadis at andtonic.com
Sat Jun 4 13:20:38 PDT 2005
Paul Crowley wrote:

> This is a great model of the attacker.

Good!

> This is the right kind of thinking, but the trouble with this example
> is that it's much easier for him to just sniff her cookie once she's
> logged in, isn't it?

Yep, but a single compromised cookie is a single compromised user; a
single compromised secret key is many compromised users, because the
whole server-client relationship is compromised. So this is that
situation where one target is easier, but the slightly harder target is
much more valuable/attractive.

You're correct that any consumer more complicated than a
post-to-my-guestbook application will need session state and will
probably identify that state with a cookie after you log in. And, yes,
the ISP (or college IT staff, or whatever) can sniff that.

Let's say that if anyone cares so much about privacy they should get SSL
hosting.

So let's say I run an OpenID consumer site, and I do get SSL hosting.
Now I am much more confident that my ISP isn't passively sniffing my
session cookies or content.

But if secret keys are sent in the clear, I cannot be confident that no
one is sniffing those. OpenID secret keys just became my weakest link,
and there's nothing I can do, even with money, to improve my security.
All I can do is try to persuade all of the OpenID servers in the world
to get SSL hosting -- or damage my interoperability by refusing users
from non-SSL OpenID servers.

> And why does forging IP headers make him feel like a cracker, but
> forging OpenID authentication tokens feels OK?

If he asked me, I'd recommend that he use the OpenID auth forging, his
feelings aside. He's more likely to get caught actively forging IP
headers at work than to get caught forging OpenID tokens after work from
the cafe down the street.

> As I say, though, I'm not stuck on this - I am a bit worried about
> whether this is best for the simplest clients, and if I can't bring
> people round, I'll drop it and move on to working out how to do DSA
> properly...

How broken is our current use of DSA? I guess I've talked the
shared-secret stuff to death without really knowing what we're up
against if we skip it and keep DSA; I'm interested to hear about that.