Re: [jose] Use of ECDH-ES in JWE

Antonio Sanso <asanso@adobe.com> Mon, 13 February 2017 10:57 UTC

From: Antonio Sanso <asanso@adobe.com>
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
Date: Mon, 13 Feb 2017 10:57:50 +0000
Message-ID: <24F1FEB8-5416-431A-AB7B-AC5C4B1D6CD1@adobe.com>
References: <7465DFB4-1F4E-4C8C-9BF9-6534EEC0AB1D@adobe.com> <9f370d1c-8258-7fbe-fd46-f8a7c4786900@connect2id.com>
In-Reply-To: <9f370d1c-8258-7fbe-fd46-f8a7c4786900@connect2id.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/NH330YoYPQNgm8lzHuGR1lVAyQY>
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Use of ECDH-ES in JWE
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>

hi Vladimir,

thanks a lot for taking the time and verifying.
I really think it should be mentioned somewhere.
The problem is that elliptic curves are over the head of many people/developers, and there should be at least some reference in the JOSE spec about defending against this attack.
That said, I have so far reviewed 3 implementations and all 3 were somehow vulnerable. And counting…

regards

antonio

On Feb 13, 2017, at 7:41 AM, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:

> Hi Antonio,
> 
> Thank you for making us aware of this.
> 
> I just checked the ECDH-ES section in JWA, and the curve check
> apparently hasn't been mentioned:
> 
> https://tools.ietf.org/html/rfc7518#section-4.6
> 
> It's not in the security considerations either:
> 
> https://tools.ietf.org/html/rfc7518#section-8
> 
> 
> Vladimir
> 
> On 09/02/17 12:39, Antonio Sanso wrote:
>> hi all,
>> 
>> this mail is highly inspired from a research done by Quan Nguyen [0].
>> 
>> As he discovered and mentioned in his talk, there is a high chance that the JOSE libraries implementing ECDH-ES in JWE are vulnerable to the invalid curve attack.
>> Now I read the JWA spec and I did not find any mention that the ephemeral public key contained in the message should be validated to be on the curve.
>> Did I miss this advice in the spec, or is it just missing? If it is not clear enough: the outcome of the attack will be that the attacker completely recovers the static private key of the receiver.
>> Quan already found a pretty well known JOSE library vulnerable to it. So did I.
>> 
>> WDYT?
>> 
>> regards
>> 
>> antonio
>> 
>> [0] https://research.google.com/pubs/pub45790.html
>> [1] https://tools.ietf.org/html/rfc7518
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
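The check the thread says RFC 7518 never spells out, as an added example (not code from the thread, from any of the libraries mentioned, or from the JOSE spec): a recipient that receives a JWE with `alg` `ECDH-ES` must validate the `epk` header before feeding it into the key agreement. The code below parses the protected header, rejects an `epk` whose coordinates are out of range or do not satisfy the P-256 curve equation, and also contains a naive affine double-and-add to show why the check is needed: the addition and doubling formulas never use the curve constant `b`, so an unchecked implementation multiplies an off-curve point without complaint, which is exactly what the invalid curve attack exploits. The P-256 parameters are the standard FIPS 186-4 / RFC 7518 values; the JWE headers are constructed for the example, and `validate_epk`, `make_header` and `scalar_mult` are names chosen here, not a library API.

```python
"""
Validation of the ECDH-ES 'epk' header in a JWE protected header.
Added example, not code from any JOSE library.  P-256 domain parameters are
the standard ones; the headers built by make_header() are constructed input.
"""
import base64
import json

# NIST P-256 (secp256r1): y^2 = x^3 + a*x + b over GF(p), cofactor 1
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def is_on_p256(x: int, y: int) -> bool:
    """Public-key validation for an affine P-256 point: coordinates in range
    and the curve equation satisfied.  P-256 has cofactor 1, so a point on the
    curve is automatically in the prime-order subgroup."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def validate_epk(protected_header_b64: str) -> tuple:
    """Parse a JWE protected header and return the (x, y) of its 'epk',
    raising ValueError unless the key is a valid point on P-256."""
    hdr = json.loads(_b64url_decode(protected_header_b64))
    if hdr.get("alg") != "ECDH-ES":
        raise ValueError("unexpected alg")
    epk = hdr.get("epk")
    if not isinstance(epk, dict) or epk.get("kty") != "EC" or epk.get("crv") != "P-256":
        raise ValueError("epk must be an EC key on P-256")
    xb, yb = _b64url_decode(epk["x"]), _b64url_decode(epk["y"])
    if len(xb) != 32 or len(yb) != 32:
        raise ValueError("epk coordinates must be exactly 32 bytes for P-256")
    x, y = int.from_bytes(xb, "big"), int.from_bytes(yb, "big")
    if not is_on_p256(x, y):
        raise ValueError("epk is not on P-256 (possible invalid curve attack)")
    return x, y


def _ec_add(P, Q):
    """Affine point addition/doubling.  Note that b never appears: the
    formulas work just as well on a point from the curve y^2 = x^3 + a*x + b'."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P256_P == 0:
        return None  # P + (-P) = point at infinity
    if P == Q:
        lam = (3 * x1 * x1 + P256_A) * pow(2 * y1, -1, P256_P) % P256_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P256_P) % P256_P
    x3 = (lam * lam - x1 - x2) % P256_P
    y3 = (lam * (x1 - x3) - y1) % P256_P
    return (x3, y3)


def scalar_mult(d: int, point):
    """Double-and-add, the way an unchecked ECDH implementation would compute
    d * epk.  It returns a result for off-curve input, which is the problem."""
    R = None
    while d:
        if d & 1:
            R = _ec_add(R, point)
        point = _ec_add(point, point)
        d >>= 1
    return R


def make_header(x: int, y: int) -> str:
    """Build a constructed ECDH-ES protected header carrying the given epk."""
    hdr = {"alg": "ECDH-ES", "enc": "A128GCM",
           "epk": {"kty": "EC", "crv": "P-256",
                   "x": _b64url_encode(x.to_bytes(32, "big")),
                   "y": _b64url_encode(y.to_bytes(32, "big"))}}
    return _b64url_encode(json.dumps(hdr, separators=(",", ":")).encode())


if __name__ == "__main__":
    off_curve_y = (P256_GY + 1) % P256_P  # same x as the generator, y + 1
    print("valid epk:", validate_epk(make_header(P256_GX, P256_GY)) == (P256_GX, P256_GY))
    try:
        validate_epk(make_header(P256_GX, off_curve_y))
    except ValueError as e:
        print("rejected:", e)
    # An implementation without the check still "succeeds" on the bad point
    print("unchecked multiply gives a result:", scalar_mult(12345, (P256_GX, off_curve_y)) is not None)
```

The validation has to run before the ECDH computation, not after: the leak happens during the scalar multiplication itself, because the off-curve point lives on a curve with a different `b` where the attacker has chosen it to have small order, so the shared secret the victim derives reveals the static private key modulo that order. Libraries that hand the raw `epk` coordinates to a native ECDH routine should check whether that routine validates the peer key itself; many historically did not.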