Hi Vladimir,

thanks a lot for taking the time and verifying. I really think it should be mentioned somewhere. The problem is that elliptic curves are over the head of many people/developers, and there should be at least some reference in the JOSE spec about defending against this attack. That said, I have so far reviewed 3 implementations and all 3 were somehow vulnerable. And counting…

regards

antonio

On Feb 13, 2017, at 7:41 AM, Vladimir Dzhuvinov <[email protected]> wrote:

> Hi Antonio,
>
> Thank you for making us aware of this.
>
> I just checked the ECDH-ES section in JWA, and the curve check
> apparently hasn't been mentioned:
>
> https://tools.ietf.org/html/rfc7518#section-4.6
>
> It's not in the security considerations either:
>
> https://tools.ietf.org/html/rfc7518#section-8
>
>
> Vladimir
>
> On 09/02/17 12:39, Antonio Sanso wrote:
>> hi all,
>>
>> this mail is highly inspired by research done by Quan Nguyen [0].
>>
>> As he discovered and mentioned in his talk, there is a high chance the JOSE
>> libraries implementing ECDH-ES in JWE are vulnerable to invalid curve attack.
>> Now I read the JWA spec and I did not find any mention that the ephemeral
>> public key contained in the message should be validated in order to be on the
>> curve.
>> Did I miss this advice in the spec or is it just missing? If it is not clear
>> enough, the outcome of the attack will be that the attacker completely recovers the
>> private static key of the receiver.
>> Quan already found a pretty well known JOSE library vulnerable to it. So did
>> I.
>>
>> WDYT?
>>
>> regards
>>
>> antonio
>>
>> [0] https://research.google.com/pubs/pub45790.html
>> [1] https://tools.ietf.org/html/rfc7518
>> _______________________________________________
>> jose mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/jose
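
The check the thread says is missing from the spec, as an added example that is not part of the original messages or of any JOSE library: validating a JWE `epk` header on P-256 before it is used for ECDH-ES key agreement. The names `validate_epk` and `sample_epk`, and the sample keys built from the P-256 base point, are assumptions for illustration.

```python
import base64

# NIST P-256 domain parameters (FIPS 186-4). The cofactor is 1, so a point that
# passes the range and curve-equation checks lies in the intended group; the
# point at infinity cannot be expressed as affine JWK coordinates.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
# Base point, used only to construct sample input below.
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(n):
    return base64.urlsafe_b64encode(n.to_bytes(32, "big")).rstrip(b"=").decode()


def validate_epk(epk):
    """Return (x, y) if the JWK is a valid P-256 public point, else raise ValueError."""
    if epk.get("kty") != "EC" or epk.get("crv") != "P-256":
        raise ValueError("unexpected key type or curve")
    try:
        xb, yb = b64url_decode(epk["x"]), b64url_decode(epk["y"])
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError("missing or malformed coordinate") from exc
    if len(xb) != 32 or len(yb) != 32:
        raise ValueError("coordinate has wrong length")
    x, y = int.from_bytes(xb, "big"), int.from_bytes(yb, "big")
    if x >= P or y >= P:
        raise ValueError("coordinate out of field range")
    # Curve equation y^2 = x^3 + ax + b (mod p); a failure here is the invalid-curve case.
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        raise ValueError("point is not on P-256")
    return x, y


def sample_epk(x, y):
    """Constructed sample input: an EC JWK with the given affine coordinates."""
    return {"kty": "EC", "crv": "P-256", "x": b64url_encode(x), "y": b64url_encode(y)}


if __name__ == "__main__":
    print(validate_epk(sample_epk(GX, GY)) == (GX, GY))  # valid point is accepted
```

The receiver would call such a check on every incoming `epk` and abort decryption on `ValueError`, before the static private key touches the supplied point.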
