I need to say one last word about the security of OpenID against MITM 
attacks. Recent emails have suggested that using associations somehow improves 
the resistance of OpenID to these attacks relative to using direct 
verification. This really isn't true.

Please read the section on this topic in the current OpenID 2.0 draft.
<http://openid.net/specs/openid-authentication-2_0-11.html#rfc.section.15.1.2>

This section correctly describes the reliance on the DNS or the transport
security:

"If DNS resolution or the transport layer is compromised signatures on
messages are not adequate, since the attacker can impersonate the OP and issue
its own associations, or its own decisions in Stateless Mode. If an attacker
can tamper with the discovery process they can specify any OP, and so does not
have to impersonate the OP."

In short, associations are useful for reducing the cost of verifying
assertions by allowing the verification to be performed by the RP. However, they
do not add to the resistance to MITM attacks.

Terry

(here's my MITM code, for those that are into this sort of thing!)
1) Capture the associate request, save
   base64_encode(H(base64_decode(dh_consumer_public))), and dh_gen
2) Modify the associate response, replace dh_server_public with the dh_gen and
   enc_mac_key with the value computed from dh_consumer_public from step 1
3) Left as an exercise to the reader!
 
-----Original Message-----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [email protected]
Sent: Wed, 7 Feb 2007 11:01 AM
Subject: Re: [security] [OpenID] OpenId Association Timeout Recommendations

David Fuelling wrote:
> Can you elaborate on this attack a bit more?  What would the MITM gain by
> sending a fake "valid" response, when the OP actually sent "invalid" (or
> vice versa)?  

When the OP sends "valid" and Mallory changes that to "invalid" the
attack is denial of service.  This is a fairly useless attack
since Alice probably notices it fairly quickly.

The main attack is when the OP sends "invalid" and Mallory changes
that to "valid".  The RP would then believe Alice has authenticated
to the OP, and thus let Mallory successfully impersonate Alice on the RP's
system.  (There is no feedback step to the OP, so the OP never sees
this attack.)

> Also, why is the assoc step harder to MITM?  Isn't there a DH computation on
> both the direct verification step and the association step?

The heavy lifting is only at DH key exchange in the assoc step. Once
the key has been shared, the time complexity of the signing and 
verification is fast (typically HMAC time).

Hans
_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
   
________________________________________________________________________
Check out the new AOL.  Most comprehensive set of free safety and security 
tools, free access to millions of high-quality videos from across the web, free 
AOL Mail and more.
_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security

Reply via email to
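The exchange Terry sketches in his three steps, carried out end to end, as an added example that is not code from this thread, from the OpenID specification, or from any OpenID library. It models a DH-SHA256 association over an unprotected direct channel (the case the quoted spec text covers), the relying party's check of a signed assertion (Hans's point that once the key is shared, verification is only an HMAC), and an attacker on that channel who rewrites both direct messages exactly as in steps 1 and 2, then performs step 3. The URLs, the claimed identifier, the response nonce, and the class and function names are made up for the example; the modulus is the spec's default as transcribed from memory, which does not matter because the substitution works with any group.

```python
import base64
import hashlib
import hmac
import secrets

# DH group: the OpenID 2.0 default modulus (spec Appendix B, transcribed from memory
# here) and generator 2; the substitution is parameter-independent, so any p, g works.
P = int("155172898181473697471232257763715539915724801966915404479707"
        "795314057629378541917580651227423698188993727816152646631438"
        "561595825688188889951272158842675419950341258706556549803580"
        "104870537681476726513255747040765857479291291572334510643245"
        "094715007229621094194349783925984760375594985848253359305585439638443")
G, H = 2, hashlib.sha256   # DH-SHA256 session type with an HMAC-SHA256 association

def btwoc(n):
    """Big-endian two's complement of a non-negative integer (spec section 4.2)."""
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return b"\x00" + b if b[0] & 0x80 else b

def unbtwoc(b): return int.from_bytes(b, "big")
def b64(b): return base64.b64encode(b).decode()
def unb64(s): return base64.b64decode(s)
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def sign(mac_key, fields, signed):
    """openid.sig: HMAC over the key-value form of the signed fields (spec 6.1)."""
    kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)
    return b64(hmac.new(mac_key, kv.encode(), H).digest())

def positive_assertion(mac_key, assoc_handle, claimed_id):
    """A signed id_res message; whoever holds mac_key can produce one."""
    fields = {"openid.mode": "id_res", "openid.assoc_handle": assoc_handle,
              "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
              "openid.op_endpoint": "http://op.example/endpoint",   # hypothetical URLs
              "openid.return_to": "http://rp.example/finish",
              "openid.response_nonce": "2007-02-07T11:01:00Z" + secrets.token_hex(4),
              "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"}
    fields["openid.sig"] = sign(mac_key, fields, fields["openid.signed"].split(","))
    return fields

class RelyingParty:
    def __init__(self):
        self.xa = secrets.randbelow(P - 2) + 1   # private DH exponent
        self.mac_key = self.assoc_handle = None
    def associate_request(self):
        return {"openid.mode": "associate", "openid.assoc_type": "HMAC-SHA256",
                "openid.session_type": "DH-SHA256",
                "openid.dh_modulus": b64(btwoc(P)), "openid.dh_gen": b64(btwoc(G)),
                "openid.dh_consumer_public": b64(btwoc(pow(G, self.xa, P)))}
    def accept_response(self, resp):
        # mac_key = H(btwoc(dh_server_public ^ xa mod p)) XOR enc_mac_key
        shared = pow(unbtwoc(unb64(resp["dh_server_public"])), self.xa, P)
        self.mac_key = xor(H(btwoc(shared)).digest(), unb64(resp["enc_mac_key"]))
        self.assoc_handle = resp["assoc_handle"]
    def verify(self, assertion):
        # with an association in hand, verification is just this HMAC check
        expected = sign(self.mac_key, assertion, assertion["openid.signed"].split(","))
        return (assertion["openid.assoc_handle"] == self.assoc_handle
                and hmac.compare_digest(expected, assertion["openid.sig"]))

class Provider:
    def __init__(self):
        self.mac_key, self.assoc_handle = secrets.token_bytes(32), secrets.token_hex(8)
    def associate(self, req):
        xb = secrets.randbelow(P - 2) + 1
        shared = pow(unbtwoc(unb64(req["openid.dh_consumer_public"])), xb, P)
        return {"assoc_handle": self.assoc_handle, "assoc_type": "HMAC-SHA256",
                "session_type": "DH-SHA256", "expires_in": "1209600",
                "dh_server_public": b64(btwoc(pow(G, xb, P))),
                "enc_mac_key": b64(xor(H(btwoc(shared)).digest(), self.mac_key))}

class ManInTheMiddle:
    """Rewrites the plain-HTTP RP<->OP direct channel; steps numbered as in the message."""
    def __init__(self):
        self.mac_key = secrets.token_bytes(32)   # the key the RP will end up sharing with us
    def tamper_request(self, req):
        # 1) save H(base64_decode(dh_consumer_public)) and dh_gen; forward unchanged
        self.h_consumer_public = H(unb64(req["openid.dh_consumer_public"])).digest()
        self.dh_gen = req["openid.dh_gen"]
        return req
    def tamper_response(self, resp):
        # 2) dh_server_public := g, so the RP derives g^xa (its own public value, whose
        #    hash we already hold) and enc_mac_key unwraps to our key, not the OP's
        resp = dict(resp)
        resp["dh_server_public"] = self.dh_gen
        resp["enc_mac_key"] = b64(xor(self.h_consumer_public, self.mac_key))
        return resp

def run(tamper, claimed_id="http://alice.example/"):
    rp, op, mitm = RelyingParty(), Provider(), ManInTheMiddle()
    req = rp.associate_request()
    resp = op.associate(mitm.tamper_request(req) if tamper else req)
    rp.accept_response(mitm.tamper_response(resp) if tamper else resp)
    # 3) the "exercise": a positive assertion for Alice signed with the planted key
    forged = positive_assertion(mitm.mac_key, rp.assoc_handle, claimed_id)
    return {"key_shared_with_op": rp.mac_key == op.mac_key,
            "key_shared_with_mitm": rp.mac_key == mitm.mac_key,
            "forged_assertion_accepted": rp.verify(forged)}
```

`run(True)` reports the RP's derived MAC key equal to the attacker's and the forged id_res accepted, while `run(False)` shows the honest case where the key is the OP's and the forgery fails. Note that having the RP reject a dh_server_public equal to g (or 1, or p-1) does not close the hole: an attacker who can rewrite the channel can just as well complete a full exchange with its own exponent against the RP. That is the point of the spec passage quoted above; the association is only as trustworthy as the DNS and transport it was set up over.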