shared secret using diffie-hellman

Brad Fitzpatrick brad at danga.com
Sun Jun 5 02:01:24 PDT 2005


On Sun, 5 Jun 2005, Paul Crowley wrote:

> Brad Fitzpatrick wrote:
> > Here's how I'd see the shared secret setup as outlined before (and
> > corrected by Paul), but using diffie-hellman for finding the shared
> > secret, instead of passing it in the clear.
>
> I had envisaged something more like
>
> Consumer chooses p, g and random x less than p.
> p and g can be hardwired into the source if need be.
>
> consumer --> idserver
>
>      openid.mode = get_hmac_sha1_secret_dh
>      openid.dh.p = <modulus>
>      openid.dh.g = <generator>
>      openid.dh.gx = <g ^ x mod p>
>
> IDserver chooses random y less than p, and calculates
> K = SHA-1(gx ^ y)

K = SHA-1(gx ^ y mod p), right?

> idserver --> consumer
>
>      openid.dh.gy = <g ^ y mod p>
>      openid.nonce = <random nonce>
>      openid.payload = CTR_K(<payload>)
>
> where <payload> is a reply as get_hmac_sha1_secret sends in the clear,
> and CTR is AES in CTR mode, using openid.nonce to initialize the
> counter.
> Normally it's very bad practice to use encryption without a

CTR?  Where did AES come into play?  Why is any encryption necessary?

> Everything else works as before.  This means that we can do it all in a
> single HTTP transaction.

Single HTTP transaction to setup the shared secret, or for the identity
check as well?  Because your openid.mode in your example above seems to
suggest this round-trip was just for shared-secret setup, except you had a
payload in the second half.

> Also it favours consumers over servers, since
> they choose the size of keys to use and they don't need to use more than
> one key.
>
> x and y must not be re-used.

I'm confused about you saying consumers don't need to use more than one
key and "x" must not be re-used.  Doesn't x influence the key?  Which key?

- Brad


More information about the yadis mailing list