Diffie Hellman parameter checking

Dan Libby danda at videntity.org
Wed Sep 28 09:18:54 PDT 2005

Steven J. Murdoch wrote:

>It also allows a man in the middle (MitM) to change the parameters so
>that the consumer and server think the key exchange happened
>successfully, but actually the key is trivially guessable. There are a
>number of ways to do this, but the simplest is to modify the g^x sent
>by the consumer (X') and the g^y sent by the server (Y') to both be 1.
>Then the consumer thinks the DH secret is Y'^x = 1^x = 1 and the
>server thinks the DH secret is X'^y = 1^y = 1. Now the consumer and
>server have a shared key which the MitM also knows.
I actually ran into this already with my PHP-OpenID implementation.  It
has several implementations of powmod() based on differing PHP
installations and one of the implementations was always returning 1.
Yet authentication succeeded, and I didn't discover the problem until
several days later.

I'd be happy to have the spec tell us the right thing to do here.
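The two failures in this thread (a MitM forcing both public values to 1, and a powmod() that always returned 1) are caught by the same checks: reject a peer value outside [2, p-2] or outside the prime-order subgroup, and reject a degenerate shared secret. The example below is added here and is not code from PHP-OpenID or from anyone on this list; it uses a constructed toy safe-prime group (p = 23, q = 11, g = 4) so the arithmetic is checkable by hand.

```python
# Toy safe-prime group, constructed for illustration only (p = 2q + 1).
# Real deployments use a standardised group of at least 2048 bits.
P = 23
Q = 11
G = 4  # generates the order-q subgroup of Z_23^*


def validate_public_value(y: int, p: int = P, q: int = Q) -> bool:
    """Reject DH public values that collapse the shared secret.

    1 (the MitM trick in the thread), 0 and p-1 all make y^x trivial;
    the subgroup check y^q == 1 (mod p) also rejects values outside the
    prime-order subgroup, which protects the private exponent.
    """
    if not 2 <= y <= p - 2:
        return False
    return pow(y, q, p) == 1


def broken_powmod(base: int, exp: int, mod: int) -> int:
    """Stand-in for the faulty powmod() described in the post: always 1."""
    return 1


def derive_shared_secret(peer_value: int, private_exp: int,
                         p: int = P, q: int = Q, powmod=pow) -> int:
    """Validate the peer's value, compute the secret, reject degenerate results.

    `powmod` is injectable so the buggy-implementation case can be shown.
    """
    if not validate_public_value(peer_value, p, q):
        raise ValueError("peer DH value rejected")
    secret = powmod(peer_value, private_exp, p)
    # A secret of 0, 1 or p-1 means either a tampered exchange or a broken
    # exponentiation; authentication must not succeed on it.
    if secret in (0, 1, p - 1):
        raise ValueError("degenerate shared secret")
    return secret


def honest_exchange(x: int = 3, y: int = 6) -> tuple[int, int]:
    """Both sides derive the same secret with a correct powmod()."""
    consumer_pub = pow(G, x, P)   # 4^3 mod 23 = 18
    server_pub = pow(G, y, P)     # 4^6 mod 23 = 2
    return (derive_shared_secret(server_pub, x),
            derive_shared_secret(consumer_pub, y))
```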


More information about the yadis mailing list