Re: [jose] Use of ECDH-ES in JWE

Antonio Sanso <asanso@adobe.com> Mon, 13 March 2017 18:32 UTC

From: Antonio Sanso <asanso@adobe.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Date: Mon, 13 Mar 2017 18:32:50 +0000
Message-ID: <5CEC6DB2-A491-43C4-B765-AC0813C1CF69@adobe.com>
References: <7465DFB4-1F4E-4C8C-9BF9-6534EEC0AB1D@adobe.com> <9f370d1c-8258-7fbe-fd46-f8a7c4786900@connect2id.com> <24F1FEB8-5416-431A-AB7B-AC5C4B1D6CD1@adobe.com> <9DD23B00-17B0-4364-A9E5-FD4AA21F3648@ve7jtb.com>
In-Reply-To: <9DD23B00-17B0-4364-A9E5-FD4AA21F3648@ve7jtb.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/BfmV4C9FtOsfn-akb9-F-fgGs5E>
Cc: "jose@ietf.org" <jose@ietf.org>, Vladimir Dzhuvinov <vladimir@connect2id.com>
Subject: Re: [jose] Use of ECDH-ES in JWE
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>

hi all,

As said, in order to try to spread the word about this issue I have written a blog post and posted it in different sources [0,1,2]

I will also submit an errata shortly.

I hope it helps

regards

antonio

[0] http://blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.html
[1] http://blogs.adobe.com/security/2017/03/critical-vulnerability-uncovered-in-json-encryption.html
[2] https://auth0.com/blog/critical-vulnerability-in-json-web-encryption/

On Feb 13, 2017, at 4:34 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> An errata is possible.   There is no way to update the original RFC.
> 
> The problem tends to be that most developers miss the errata when reading specs if they ever look at the specs at all.
> 
> We probably also need a more direct way to communicate this to library developers as well.
> 
> In the OIDF we are talking about developing a certification for JOSE/JWT libraries like we have for overall server implementations.
> 
> John B.
> 
> 
>> On Feb 13, 2017, at 7:57 AM, Antonio Sanso <asanso@adobe.com> wrote:
>> 
>> hi Vladimir,
>> 
>> thanks a lot for taking the time and verifying.
>> I really think it should be mentioned somewhere.
>> The problem is that Elliptic Curves are over the heads of many people/developers, and there should be at least 
>> some reference in the JOSE spec about defending against this attack.
>> That said, I have so far reviewed 3 implementations and all 3 were somehow vulnerable. And counting…
>> 
>> regards
>> 
>> antonio
>> 
>> On Feb 13, 2017, at 7:41 AM, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
>> 
>>> Hi Antonio,
>>> 
>>> Thank you for making us aware of this.
>>> 
>>> I just checked the ECDH-ES section in JWA, and the curve check
>>> apparently hasn't been mentioned:
>>> 
>>> https://tools.ietf.org/html/rfc7518#section-4.6
>>> 
>>> It's not in the security considerations either:
>>> 
>>> https://tools.ietf.org/html/rfc7518#section-8
>>> 
>>> 
>>> Vladimir
>>> 
>>> On 09/02/17 12:39, Antonio Sanso wrote:
>>>> hi all,
>>>> 
>>>> this mail is highly inspired from a research done by Quan Nguyen [0].
>>>> 
>>>> As he discovered and mentioned in his talk, there is a high chance that JOSE libraries implementing ECDH-ES in JWE are vulnerable to the invalid curve attack.
>>>> Now I have read the JWA spec and I did not find any mention that the ephemeral public key contained in the message should be validated in order to ensure it is on the curve.
>>>> Did I miss this advice in the spec or is it just missing? If it is not clear enough, the outcome of the attack is that the attacker completely recovers the static private key of the receiver.
>>>> Quan already found a pretty well known JOSE library vulnerable to it. So did I.
>>>> 
>>>> WDYT?
>>>> 
>>>> regards
>>>> 
>>>> antonio
>>>> 
>>>> [0] https://research.google.com/pubs/pub45790.html
>>>> [1] https://tools.ietf.org/html/rfc7518
>>>> _______________________________________________
>>>> jose mailing list
>>>> jose@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/jose
>>> 
>> 
>
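The defence the thread asks the spec to name is full public-key validation of the `epk` header member before any ECDH computation. The following is an added example, not code from this thread, from RFC 7518 or from any JOSE library: it parses a JWE `epk` JWK for P-256, checks the coordinate lengths, checks that the point satisfies the curve equation, and only then runs the ECDH step that yields Z (the shared x-coordinate). The curve parameters are the published FIPS 186-4 values for P-256; the sample keys (`VALID_EPK`, `OFF_CURVE_EPK`) are constructed here, and the point arithmetic is plain affine, non-constant-time Python written to show where the check belongs, not for production use.

```python
import base64
import secrets

# Domain parameters of NIST P-256 (secp256r1), FIPS 186-4.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
P256_G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
          0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
COORD_LEN = 32  # bytes per JWK "x"/"y" coordinate for P-256 (RFC 7518 6.2.1.2)


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url; reject standard-base64 characters outright."""
    if any(c in s for c in "=+/"):
        raise ValueError("not base64url")
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def is_on_p256(x: int, y: int) -> bool:
    """Full point validation: coordinates in [0, p) and y^2 == x^3 + ax + b (mod p).
    P-256 has cofactor 1, so every affine point on the curve lies in the prime-order
    group; the point at infinity has no affine form and is therefore never accepted."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def validate_epk(epk: dict) -> bool:
    """True only if the JWE 'epk' JWK is a well-formed, on-curve P-256 public key."""
    if epk.get("kty") != "EC" or epk.get("crv") != "P-256":
        return False
    try:
        xb, yb = b64url_decode(epk["x"]), b64url_decode(epk["y"])
    except (KeyError, TypeError, ValueError):
        return False
    if len(xb) != COORD_LEN or len(yb) != COORD_LEN:
        return False
    return is_on_p256(int.from_bytes(xb, "big"), int.from_bytes(yb, "big"))


def _add(P, Q):
    """Affine point addition on P-256 (None is the point at infinity)."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if (y1 + y2) % P256_P == 0:
            return None
        lam = (3 * x1 * x1 + P256_A) * pow(2 * y1, -1, P256_P) % P256_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P256_P) % P256_P
    x3 = (lam * lam - x1 - x2) % P256_P
    return (x3, (lam * (x1 - x3) - y1) % P256_P)


def _mul(k: int, P):
    """Double-and-add scalar multiplication (illustrative, not constant-time)."""
    R = None
    while k:
        if k & 1:
            R = _add(R, P)
        P = _add(P, P)
        k >>= 1
    return R


def make_epk(point) -> dict:
    """Serialize an affine point as the JWK form used in the JWE 'epk' header."""
    x, y = point
    return {"kty": "EC", "crv": "P-256",
            "x": b64url_encode(x.to_bytes(COORD_LEN, "big")),
            "y": b64url_encode(y.to_bytes(COORD_LEN, "big"))}


def generate_keypair():
    """Private scalar in [1, n-1] and its public point; the sender does this per message."""
    d = secrets.randbelow(P256_N - 1) + 1
    return d, _mul(d, P256_G)


def ecdh_z(private_scalar: int, epk: dict) -> bytes:
    """Recipient side of ECDH-ES: validate the peer's epk, then derive Z (RFC 7518 4.6.2).
    Rejecting an off-curve point here is what blocks the invalid-curve attack."""
    if not validate_epk(epk):
        raise ValueError("epk rejected: not a valid P-256 public key")
    Q = (int.from_bytes(b64url_decode(epk["x"]), "big"),
         int.from_bytes(b64url_decode(epk["y"]), "big"))
    S = _mul(private_scalar, Q)
    if S is None:
        raise ValueError("shared point at infinity")
    return S[0].to_bytes(COORD_LEN, "big")


# Constructed samples: the generator as a valid epk, and the same x with y+1 (off-curve).
VALID_EPK = make_epk(P256_G)
OFF_CURVE_EPK = make_epk((P256_G[0], (P256_G[1] + 1) % P256_P))
```

In a real JWE decrypt path, `validate_epk` runs on the parsed protected header before the library touches the static private key, for every ECDH-ES variant (`ECDH-ES`, `ECDH-ES+A128KW`, and so on), and the same check applies to P-384 and P-521 with their own parameters and coordinate lengths.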