hi all, this mail is highly inspired from a research done by Quan Nguyen [0].
As he discovered and mention in his talk there is an high chance the JOSE libraries implementing ECDH-ES in JWE are vulnerable to invalid curve attack. Now I read the JWA spec and I did not find any mention that the ephemeral public key contained in the message should be validate in order to be on the curve. Did I miss this advice in the spec or is it just missing? If it is not clear enough the outcome of the attack will be the attacker completely recover the private static key of the receiver. Quan already found a pretty well known JOSE library vulnerable to it. So did I. WDYT? regards antonio [0] https://research.google.com/pubs/pub45790.html [1] https://tools.ietf.org/html/rfc7518 _______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
