Hi Antonio,

Thank you for making us aware of this.

I just checked the ECDH-ES section in JWA, and the curve check apparently hasn't been mentioned:

https://tools.ietf.org/html/rfc7518#section-4.6

It's not in the security considerations either:

https://tools.ietf.org/html/rfc7518#section-8

Vladimir

On 09/02/17 12:39, Antonio Sanso wrote:
> hi all,
>
> this mail is highly inspired from a research done by Quan Nguyen [0].
>
> As he discovered and mentioned in his talk there is a high chance the JOSE
> libraries implementing ECDH-ES in JWE are vulnerable to invalid curve attack.
> Now I read the JWA spec and I did not find any mention that the ephemeral
> public key contained in the message should be validated in order to be on the
> curve.
> Did I miss this advice in the spec or is it just missing? If it is not clear
> enough the outcome of the attack will be the attacker completely recover the
> private static key of the receiver.
> Quan already found a pretty well known JOSE library vulnerable to it. So did
> I.
>
> WDYT?
>
> regards
>
> antonio
>
> [0] https://research.google.com/pubs/pub45790.html
> [1] https://tools.ietf.org/html/rfc7518
> _______________________________________________
> jose mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/jose
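
Added example, not part of the original thread and not taken from any JOSE library: a check that an ECDH-ES "epk" header value for curve P-256 lies on the curve before the recipient's static private key is used with it. The helper name validate_epk and the sample keys (built from the P-256 base point) are assumptions made for illustration.

```python
import base64

# NIST P-256 domain parameters (a = -3 mod p) and base point G
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5

def b64u_encode(n):
    """Integer -> 32-octet big-endian base64url string without padding."""
    return base64.urlsafe_b64encode(n.to_bytes(32, "big")).rstrip(b"=").decode()

def b64u_decode(s):
    """base64url string (padding optional) -> bytes."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def validate_epk(epk):
    """Return (x, y) if the JWK is a point on P-256, else raise ValueError.

    Hypothetical helper: call it on the "epk" header parameter before the
    recipient's static private key is used in the ECDH computation.
    """
    if not isinstance(epk, dict) or epk.get("kty") != "EC" or epk.get("crv") != "P-256":
        raise ValueError("unsupported key type or curve")
    try:
        raw_x, raw_y = b64u_decode(epk["x"]), b64u_decode(epk["y"])
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError("missing or malformed coordinate") from exc
    if len(raw_x) != 32 or len(raw_y) != 32:
        raise ValueError("coordinate is not 32 octets")
    x, y = int.from_bytes(raw_x, "big"), int.from_bytes(raw_y, "big")
    if x >= P or y >= P:
        raise ValueError("coordinate outside the field")
    # Curve equation y^2 = x^3 + ax + b (mod p); an off-curve point fails here
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        raise ValueError("point is not on the curve")
    return x, y

# Constructed sample inputs: the base point as a valid epk, and the same x
# with y + 1, which does not satisfy the curve equation.
GOOD_EPK = {"kty": "EC", "crv": "P-256", "x": b64u_encode(GX), "y": b64u_encode(GY)}
BAD_EPK = dict(GOOD_EPK, y=b64u_encode(GY + 1))

if __name__ == "__main__":
    for name, epk in (("good", GOOD_EPK), ("bad", BAD_EPK)):
        try:
            validate_epk(epk)
            print(name, "accepted")
        except ValueError as err:
            print(name, "rejected:", err)
```

P-256 has cofactor 1, so for this curve the on-curve check together with the range and length checks is the full public key validation; other curves need their own parameters and, where the cofactor is larger than 1, an additional subgroup check.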
