Embedding OpenID User Information

For OpenID smart mode, the specification uses Diffie-Hellman key exchange. I am wondering if it is possible to reuse public and private keys (provided that they are not compromised), or if they should be created for each request. I use the PHP OpenSSL library (my code: $key = openssl_pkey_new(array('private_key_type' => OPENSSL_KEYTYPE_DH)); ) to generate the keys, and it is terribly slow (on average 22 seconds to generate the key, which is completely unacceptable for the website). If keys cannot be reused, is there a faster way to generate keys using OpenSSL? I would prefer not to do it manually due to dependencies on math libraries, etc.

EDIT: To be clear, I am looking for two things in the answer: can I reuse Diffie-Hellman keys in OpenID association mode, and if not, is there a faster way to generate keys using OpenSSL than openssl_pkey_new() , since it takes a lot of time.

2 answers

Jeff,

I want to start by supporting your decision to build this solution yourself. I agree that other solutions (for the most part) are weak in several areas. I have not completely switched to PHP 5.3.5 yet, but I'll be close behind.

In any case, there are several answers to your question:

  • Yes, if you can guarantee that the private and public keys will not be compromised, you can reuse them. I'm always a little paranoid about this, so I use cron to regenerate my keys once a day, and then use session tracking to make sure I don't have a transaction that starts under the old key and ends under the new one. This extra step (regeneration every 24 hours) is not needed, but can help ease your worries.

  • No, it should not take 22 seconds to generate new keys. My server takes 3-5 seconds to create them (which I still feel is too long, so the cron job runs on the side, where users are not exposed to it or waiting on it). You might want to look in your logs for any warnings. There may be a problem with your openssl.cnf or some configuration on the server. I suppose it could take that long if your server is somewhat starved for resources or you have an insanely slow processor. You might check what is running in the background... maybe some ugly endless loop is hogging your processor and memory? Is a reboot an option?

Good luck

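The pattern the answer above points at, as an added example that is not code from the question or from either answerer: calling openssl_pkey_new() with only a key type generates brand-new DH parameters (a safe prime) on every call, which is the slow step, so the parameters are generated once and cached while a fresh private exponent is generated per association, which takes milliseconds. It assumes PHP's openssl extension, that its 'dh' config array accepts p and g, and a hypothetical cache path; OpenID 2.0 also defines a default modulus and generator that could replace the cached parameters entirely.

```php
<?php
// Added example, not from the thread. Assumes PHP's openssl extension, that
// openssl_pkey_new() accepts a 'dh' array with 'p' and 'g', and a hypothetical cache path.
const DH_PARAM_FILE = '/var/lib/myapp/dh_params.json'; // hypothetical path

// Slow part: generating a new safe prime. Run once (e.g. from cron), never per request.
function generate_dh_params(int $bits = 1024): array
{
    $key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_DH, 'private_key_bits' => $bits]);
    if ($key === false) {
        throw new RuntimeException('DH parameter generation failed: ' . openssl_error_string());
    }
    $dh = openssl_pkey_get_details($key)['dh'];
    return ['p' => bin2hex($dh['p']), 'g' => bin2hex($dh['g'])];
}
function load_dh_params(): array
{
    if (is_file(DH_PARAM_FILE)) {
        return json_decode(file_get_contents(DH_PARAM_FILE), true);
    }
    $params = generate_dh_params();
    file_put_contents(DH_PARAM_FILE, json_encode($params), LOCK_EX);
    return $params;
}

// Fast part: a fresh private exponent per association on the cached group; only public parameters are reused.
function new_association_key(array $params)
{
    $key = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_DH,
        'dh' => ['p' => hex2bin($params['p']), 'g' => hex2bin($params['g'])],
    ]);
    if ($key === false) {
        throw new RuntimeException('DH key generation failed: ' . openssl_error_string());
    }
    return $key;
}

// OpenID's btwoc encoding: big-endian two's complement, so prefix 0x00 when the high bit
// is set, then base64 for the association request fields.
function btwoc_base64(string $bytes): string
{
    if ($bytes === '' || (ord($bytes[0]) & 0x80)) {
        $bytes = "\x00" . $bytes;
    }
    return base64_encode($bytes);
}

$key = new_association_key(load_dh_params());
$consumer_public = btwoc_base64(openssl_pkey_get_details($key)['dh']['pub_key']); // openid.dh_consumer_public
```

Once the OP's dh_server_public arrives, openssl_dh_compute_key() with the decoded bytes and $key yields the shared secret used to unmask the MAC key; the cached group is public data, so rotating it on a schedule matters far less than never reusing $key across associations.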

OpenID smart mode

What is this OpenID smart mode? If you are NOT talking about consuming OpenID, I think you could stop reading (although I don't think you should create another OpenID provider; there are enough of them already).

I have never read the OpenID specs (long / complex reading :$. I would like to read / find out someday), but if OpenID authentication (?) takes 21 seconds, then I think you are doing something wrong. The LightOpenID library (a truly simple consumer library) performs OpenID authentication within a second. I created a library that wraps LightOpenID + openid-selector. You can see the demo posted on my hosting.


Source: https://habr.com/ru/post/1336730/
