Johnny Bufu wrote:
> Jason Fritcher pointed out in a thread on the openid4java list that
> there may be a security issue with the way the DH session is
> established:
>
>> I've been thinking about how the RP can supply DH parameters to the
>> OP, and was wondering if any discussion has occurred about whether to
>> include language in the spec about how OPs should do validation of the
>> DH params that get sent to them. A few quick checks of the modulus
>> like primality checking and possibly enforcing the use of safe primes.
>> It might also be good to check the supplied generator to make sure it
>> is valid for the supplied modulus. I'm nowhere close to being a
>> crypto guru, but I wrote a Secure Remote Password implementation and
>> after the research I did for that, not checking the DH params in the
>> OP seems like a weakness. I might just be overly paranoid here and
>> OpenID really doesn't need that level of security, but I thought I'd
>> ask.
>
> <http://groups.google.com/group/openid4java/browse_thread/thread/f96a7b68bb15272d/c9f0f1a85e3372cc#c9f0f1a85e3372cc>
>
> I am not a security expert either, but this seems a valid point to
> me. Can someone with deeper crypto knowledge please confirm / infirm?
>
> I think we should either mention that the OP SHOULD perform such
> validation, or at least mention the possible eavesdropping attack in
> the security considerations section.

I do not think so. The originator of the DH parameters, whether he is the entity you think you are talking to, or is a man in the middle, has every reason to supply valid parameters. SRP faces different problems to DH initiation.
