shared secret using diffie-hellman
Nathan D. Bowen
nbowen+yadis at andtonic.com
Tue Jun 7 11:06:35 PDT 2005
I too had assumed that we would create HMACs directly using the digest
of the DH-generated secret.
I can see that the XORing benefits LiveJournal, because LiveJournal
already has LJ::get_secret. On the other hand, if XORing with a
self-generated key is required by the protocol, every server implementor
is required to include an HMAC-secret-generator, even though DH itself
works as a perfectly good (if not perfectly storage-efficient)
HMAC-secret-generator.
Since self-generating HMAC secrets is a non-critical optimization, it
seems like it should be a per-implementation decision, not a protocol
requirement.
Would there be any problem with allowing each server to choose for
itself whether or not to XOR against a self-generated secret?
If a consumer receives an "openid.enc_secret" value, it will know that
the HMAC secret is
SHA1(DH-Generated Secret) XOR (openid.enc_secret)
But if the server didn't send any value for "openid.enc_secret", the
consumer will know that the HMAC secret is
SHA1(DH-Generated Secret).
The only complexity this adds to the protocol is that of conditionally
skipping a step, and this removes the complexity of requiring a good
implementation of get_secret for those who don't want it.
But I'm counting on someone to let me know if I'm way off base, here.
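The two consumer-side cases described above, as an added Python example that is not part of the original message or of any OpenID implementation; it assumes a toy DH group, a big-endian byte encoding of the DH secret, and a 20-byte enc_secret (the SHA1 digest length), none of which the post specifies, and the function names (consumer_hmac_secret, server_enc_secret) are its own.

```python
import hashlib
import secrets
from typing import Optional

# Toy Diffie-Hellman group, constructed for this example only (a Mersenne prime,
# generator 2); far too small for real use, the derivation rule is the point.
P = 2**127 - 1
G = 2
DIGEST_LEN = hashlib.sha1().digest_size  # 20, so enc_secret must be 20 bytes

def int_to_bytes(n: int) -> bytes:
    """Big-endian encoding of the DH secret (the encoding is an assumption here)."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

def dh_keypair(priv: Optional[int] = None) -> tuple:
    """Return (private, public) for one side; a fixed priv makes runs reproducible."""
    if priv is None:
        priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh_shared(priv: int, other_pub: int) -> int:
    return pow(other_pub, priv, P)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    # Refuse mismatched lengths: a short enc_secret would leave key bytes unmasked.
    if len(a) != len(b):
        raise ValueError("mask and key lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))

def consumer_hmac_secret(dh_secret: int, enc_secret: Optional[bytes]) -> bytes:
    """Consumer rule from the post: SHA1(secret) XOR enc_secret if enc_secret was
    sent, otherwise SHA1(secret) itself."""
    digest = hashlib.sha1(int_to_bytes(dh_secret)).digest()
    return digest if enc_secret is None else xor_bytes(digest, enc_secret)

def server_enc_secret(dh_secret: int, mac_key: bytes) -> bytes:
    """Server that prefers its own MAC key masks it with the same digest. The digest
    acts as a one-time pad, so one DH exchange must mask only one key."""
    return xor_bytes(mac_key, hashlib.sha1(int_to_bytes(dh_secret)).digest())

def demo() -> bool:
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    k_consumer, k_server = dh_shared(c_priv, s_pub), dh_shared(s_priv, c_pub)
    mac_key = secrets.token_bytes(DIGEST_LEN)          # case 1: server-chosen key
    unmasked = consumer_hmac_secret(k_consumer, server_enc_secret(k_server, mac_key))
    derived = consumer_hmac_secret(k_consumer, None)  # case 2: nothing sent
    return unmasked == mac_key and derived == hashlib.sha1(int_to_bytes(k_server)).digest()
```

Calling demo() runs one fresh exchange and returns True when the consumer recovers the server's chosen key in the first case and both sides agree on the plain digest in the second.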