Diffie Hellman parameter checking
Dan Libby
danda at videntity.org
Wed Sep 28 09:18:54 PDT 2005
Steven J. Murdoch wrote:
>It also allows a man in the middle (MitM) to change the parameters so
>that the consumer and server think the key exchange happened
>successfully, but actually the key is trivially guessable. There are a
>number of ways to do this, but the simplest is to modify the g^x sent
>by the consumer (X') and the g^y sent by the server (Y') to both be 1.
>Then the consumer thinks the DH secret is Y'^x = 1^x = 1 and the
>server thinks the DH secret is X'^y = 1^y = 1. Now the consumer and
>server have a shared key which the MitM also knows.
I actually ran into this already with my PHP-OpenID implementation. It
has several implementations of powmod() based on differing PHP
installations and one of the implementations was always returning 1.
Yet authentication succeeded, and I didn't discover the problem until
several days later.
I'd be happy to have the spec tell us the right thing to do here.
-dan