David Fuelling wrote:
> Can you elaborate on this attack a bit more? What would the MITM gain by
> sending a fake "valid" response, when the OP actually sent "invalid" (or
> vice versa)?

When the OP sends "valid" and Mallory changes that to "invalid" the attack is denial of service. This is a fairly useless attack since Alice probably notices it fairly quickly.

The main attack is when the OP sends "invalid" and Mallory changes that to "valid". The RP would then believe Alice has authenticated to OP, and thus let Mallory successfully impersonate Alice on the RP's system. (There is no feedback step to the OP, so the OP never sees this attack.)

> Also, why is the assoc step harder to MITM? Isn't there a DH computation on
> both the direct verification step and the association step?

The heavy lifting is only at DH key exchange in the assoc step. Once the key has been shared, the time complexity of the signing and verification is fast (typically HMAC time).

Hans
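Added example, not part of the original message or of any OpenID library: a simplified RP-side model of the two checks discussed above, showing that a reply which carries no keyed MAC is accepted after alteration in transit, while an assertion signed with the association key is rejected. It assumes OpenID 1.1-style field names (openid.signed, openid.sig, is_valid) and HMAC-SHA1 over key-value form; the key, URLs and function names are constructed for illustration.

```python
import base64, hashlib, hmac

def kv_form(fields, signed):
    """Key-value form: one 'key:value' line per signed field, in listed order."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()

def make_sig(mac_key, fields, signed):
    mac = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def verify_with_association(mac_key, fields):
    """RP-side check using the MAC key agreed in the assoc step."""
    signed = fields.get("openid.signed", "").split(",")
    if "identity" not in signed:      # an unsigned identity proves nothing
        return False
    try:
        expected = make_sig(mac_key, fields, signed)
    except KeyError:                  # signed list names a field that is absent
        return False
    return hmac.compare_digest(expected.encode(),
                               fields.get("openid.sig", "").encode())

def verify_direct(body):
    """RP-side check of a direct verification reply: nothing in it is keyed."""
    pairs = dict(l.split(":", 1) for l in body.splitlines() if ":" in l)
    return pairs.get("is_valid") == "true"

# Constructed sample data (hypothetical key and URLs).
MAC_KEY = b"constructed-assoc-key"
SIGNED = ["mode", "identity", "return_to"]
ASSERTION = {
    "openid.mode": "id_res",
    "openid.identity": "http://alice.example/",
    "openid.return_to": "http://rp.example/return",
    "openid.signed": ",".join(SIGNED),
}
ASSERTION["openid.sig"] = make_sig(MAC_KEY, ASSERTION, SIGNED)

def demo():
    altered = dict(ASSERTION, **{"openid.identity": "http://mallory.example/"})
    return {
        "assoc_genuine": verify_with_association(MAC_KEY, ASSERTION),
        "assoc_altered": verify_with_association(MAC_KEY, altered),
        "direct_op_reply": verify_direct("is_valid:false\n"),
        "direct_altered_reply": verify_direct("is_valid:true\n"),
    }

if __name__ == "__main__":
    print(demo())
```

The direct reply is only as trustworthy as the channel it arrives on, so an RP that uses it needs integrity protection on that connection.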
