hi all,

as said, in order to try to spread the voice about this issue I have written a blog post and posted it in different sources [0,1,2].
I will also submit an errata shortly. I hope it helps

regards

antonio

[0] http://blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.html
[1] http://blogs.adobe.com/security/2017/03/critical-vulnerability-uncovered-in-json-encryption.html
[2] https://auth0.com/blog/critical-vulnerability-in-json-web-encryption/

On Feb 13, 2017, at 4:34 PM, John Bradley <[email protected]> wrote:

> An errata is possible. There is no way to update the original RFC.
>
> The problem tends to be that most developers miss the errata when reading
> specs if they ever look at the specs at all.
>
> We probably also need a more direct way to communicate this to library
> developers as well.
>
> In the OIDF we are talking about developing a certification for JOSE/JWT
> libraries like we have for overall server implementations.
>
> John B.
>
>> On Feb 13, 2017, at 7:57 AM, Antonio Sanso <[email protected]> wrote:
>>
>> hi Vladimir,
>>
>> thanks a lot for taking the time and verifying.
>> I really think it should be mentioned somewhere.
>> The problem is that Elliptic Curves are over the head of many
>> people/developers and there should be at least
>> some reference in the JOSE spec about defending against this attack.
>> That said, I have so far reviewed 3 implementations and all 3 were somehow
>> vulnerable. And counting….
>>
>> regards
>>
>> antonio
>>
>> On Feb 13, 2017, at 7:41 AM, Vladimir Dzhuvinov <[email protected]> wrote:
>>
>>> Hi Antonio,
>>>
>>> Thank you for making us aware of this.
>>>
>>> I just checked the ECDH-ES section in JWA, and the curve check
>>> apparently hasn't been mentioned:
>>>
>>> https://tools.ietf.org/html/rfc7518#section-4.6
>>>
>>> It's not in the security considerations either:
>>>
>>> https://tools.ietf.org/html/rfc7518#section-8
>>>
>>> Vladimir
>>>
>>> On 09/02/17 12:39, Antonio Sanso wrote:
>>>> hi all,
>>>>
>>>> this mail is highly inspired by research done by Quan Nguyen [0].
>>>>
>>>> As he discovered and mentioned in his talk, there is a high chance that the JOSE
>>>> libraries implementing ECDH-ES in JWE are vulnerable to invalid curve
>>>> attack.
>>>> Now I read the JWA spec and I did not find any mention that the ephemeral
>>>> public key contained in the message should be validated in order to be on
>>>> the curve.
>>>> Did I miss this advice in the spec or is it just missing? If it is not
>>>> clear enough, the outcome of the attack will be that the attacker completely
>>>> recovers the private static key of the receiver.
>>>> Quan already found a pretty well known JOSE library vulnerable to it. So
>>>> did I.
>>>>
>>>> WDYT?
>>>>
>>>> regards
>>>>
>>>> antonio
>>>>
>>>> [0] https://research.google.com/pubs/pub45790.html
>>>> [1] https://tools.ietf.org/html/rfc7518
>>>> _______________________________________________
>>>> jose mailing list
>>>> [email protected]
>>>> https://www.ietf.org/mailman/listinfo/jose
