The OpenID 2.0 specification says very little about the relation between the session type and association type in OpenID association requests. My questions: (1) Is a combination of session type "DH-SHA1" and association type "HMAC-SHA256" valid? (2) How about the reverse, i.e. "DH-SHA256" and "HMAC-SHA1"?
I don't think these mixed combinations are explicitly forbidden by the spec, but section 8.2.3 describes the process of encrypting the MAC key for transport as follows:
    enc_mac_key
        Value: base64(H(btwoc(g ^ (xa * xb) mod p)) XOR MAC key)
        Description: The MAC key (shared secret), encrypted with the
        secret Diffie-Hellman value. H is either "SHA1" or "SHA256"
        depending on the session type.
Does this imply that the MAC key length must be 20 bytes for session type DH-SHA1 and 32 bytes for session type DH-SHA256? Section 6.2 of the spec states:
    OpenID Authentication supports two signature algorithms:
    o HMAC-SHA1 - 160 bit key length ([RFC2104] and [RFC3174])
    o HMAC-SHA256 - 256 bit key length ([RFC2104] and [FIPS180-2])
Does this then imply that DH-SHA1 always must be paired with HMAC-SHA1 and the same for the ...256 versions?
Another data point: the OpenID provider at https://me.yahoo.com/ seems to accept association requests with session type DH-SHA1 and association type HMAC-SHA256, returning a 20-byte MAC key.
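The length relationship asked about above can be checked directly. The following is an added example, not part of the original post or of any OpenID library: it computes enc_mac_key as quoted from section 8.2.3 and compares the session hash length with the section 6.2 key lengths. It assumes the XOR is only defined for operands of equal length; the function names and the toy Diffie-Hellman values are constructed for illustration.

```python
import base64
import hashlib

# Digest per session type (section 8.2.3), key length per association type (section 6.2).
SESSION_HASH = {"DH-SHA1": hashlib.sha1, "DH-SHA256": hashlib.sha256}
ASSOC_KEY_LEN = {"HMAC-SHA1": 20, "HMAC-SHA256": 32}

def btwoc(n: int) -> bytes:
    """Minimal big-endian two's complement encoding of a non-negative integer."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")

def dh_mask(session_type: str, shared_secret: int) -> bytes:
    """H(btwoc(g ^ (xa * xb) mod p)) for the given session type."""
    return SESSION_HASH[session_type](btwoc(shared_secret)).digest()

def xor_exact(mask: bytes, data: bytes) -> bytes:
    # Assumption of this example: XOR is only defined for equal-length operands.
    if len(mask) != len(data):
        raise ValueError(f"mask is {len(mask)} bytes, key is {len(data)} bytes")
    return bytes(a ^ b for a, b in zip(mask, data))

def enc_mac_key(session_type: str, shared_secret: int, mac_key: bytes) -> str:
    """Provider side: mask the MAC key for transport."""
    masked = xor_exact(dh_mask(session_type, shared_secret), mac_key)
    return base64.b64encode(masked).decode()

def dec_mac_key(session_type: str, shared_secret: int, enc: str) -> bytes:
    """Relying-party side: recover the MAC key from enc_mac_key."""
    return xor_exact(dh_mask(session_type, shared_secret), base64.b64decode(enc))

def combination_fits(session_type: str, assoc_type: str) -> bool:
    """True when the session hash output is as long as the association's MAC key."""
    return SESSION_HASH[session_type]().digest_size == ASSOC_KEY_LEN[assoc_type]

if __name__ == "__main__":
    # Constructed toy DH values, far too small for real use.
    p, g, xa, xb = 2**127 - 1, 5, 0x1234567, 0x89ABCDE
    shared = pow(pow(g, xa, p), xb, p)
    for s in SESSION_HASH:
        for a in ASSOC_KEY_LEN:
            print(s, a, "fits" if combination_fits(s, a) else "length mismatch")
    key = bytes(range(20))  # constructed 20-byte MAC key
    assert dec_mac_key("DH-SHA1", shared, enc_mac_key("DH-SHA1", shared, key)) == key
```

Under the equal-length assumption, DH-SHA1 can only carry a 20-byte key and DH-SHA256 a 32-byte key, so a relying party can reject an association response whose decoded enc_mac_key length does not match the association type it asked for.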