Re: [jose] Use of ECDH-ES in JWE

Vladimir Dzhuvinov <vladimir@connect2id.com> Mon, 13 February 2017 06:42 UTC

To: jose@ietf.org
References: <7465DFB4-1F4E-4C8C-9BF9-6534EEC0AB1D@adobe.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
Message-ID: <9f370d1c-8258-7fbe-fd46-f8a7c4786900@connect2id.com>
Date: Mon, 13 Feb 2017 08:41:48 +0200
In-Reply-To: <7465DFB4-1F4E-4C8C-9BF9-6534EEC0AB1D@adobe.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/hB8vYaAUTHUNbSCe8btG869ZY5Y>
Subject: Re: [jose] Use of ECDH-ES in JWE
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>

Hi Antonio,

Thank you for making us aware of this.

I just checked the ECDH-ES section in JWA, and the curve check
apparently hasn't been mentioned:

https://tools.ietf.org/html/rfc7518#section-4.6

It's not in the security considerations either:

https://tools.ietf.org/html/rfc7518#section-8


Vladimir

On 09/02/17 12:39, Antonio Sanso wrote:
> hi all,
>
> this mail is highly inspired by research done by Quan Nguyen [0].
>
> As he discovered and mentioned in his talk, there is a high chance that the JOSE libraries implementing ECDH-ES in JWE are vulnerable to the invalid curve attack.
> Now I read the JWA spec and I did not find any mention that the ephemeral public key contained in the message should be validated in order to be on the curve.
> Did I miss this advice in the spec or is it just missing? If it is not clear enough, the outcome of the attack will be that the attacker completely recovers the private static key of the receiver.
> Quan already found a pretty well known JOSE library vulnerable to it. So did I.
>
> WDYT?
>
> regards
>
> antonio
>
> [0] https://research.google.com/pubs/pub45790.html
> [1] https://tools.ietf.org/html/rfc7518
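The check the thread says is missing from RFC 7518, written out as an added example (not code from this thread or from any JOSE library): before a JWE recipient feeds the `epk` header into ECDH-ES, it verifies that the received coordinates are well-formed and actually lie on P-256, so an off-curve point is rejected instead of being multiplied by the static private key. The function names `validate_p256_epk`, `is_valid_p256_epk` and `make_epk` are hypothetical, and the sample points are constructed from the P-256 base point.

```python
import base64

# NIST P-256 (secp256r1) domain parameters: y^2 = x^3 + a*x + b (mod p), cofactor 1.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
# Base point G, used below only as a constructed sample of a point that IS on the curve.
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def validate_p256_epk(epk: dict):
    """Return (x, y) if the JWE 'epk' header is a well-formed point on P-256, else raise ValueError.
    Hypothetical helper, not any JOSE library's API. P-256 has cofactor 1, so a point that
    satisfies the curve equation is already in the prime-order group; no extra subgroup check."""
    if epk.get("kty") != "EC" or epk.get("crv") != "P-256":
        raise ValueError("epk must be an EC key on P-256")
    try:
        xb, yb = _b64url_decode(epk["x"]), _b64url_decode(epk["y"])
    except (KeyError, TypeError, ValueError) as e:  # binascii.Error is a ValueError subclass
        raise ValueError("epk coordinates missing or not base64url") from e
    if len(xb) != 32 or len(yb) != 32:  # RFC 7518 6.2.1.2: full coordinate size, no truncation
        raise ValueError("epk coordinates must be exactly 32 bytes for P-256")
    x, y = int.from_bytes(xb, "big"), int.from_bytes(yb, "big")
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        raise ValueError("epk coordinate not reduced modulo p")
    if (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P != 0:
        raise ValueError("epk is not on P-256; refuse to run ECDH with it")
    return x, y

def is_valid_p256_epk(epk: dict) -> bool:
    """Accept/reject wrapper for callers that do not want exceptions."""
    try:
        validate_p256_epk(epk)
        return True
    except ValueError:
        return False

def make_epk(x: int, y: int) -> dict:
    """Build a P-256 'epk' JWK from integer coordinates (only for constructing samples)."""
    enc = lambda v: base64.urlsafe_b64encode(v.to_bytes(32, "big")).rstrip(b"=").decode()
    return {"kty": "EC", "crv": "P-256", "x": enc(x), "y": enc(y)}

if __name__ == "__main__":
    print(is_valid_p256_epk(make_epk(P256_GX, P256_GY)))      # True: G is on the curve
    print(is_valid_p256_epk(make_epk(P256_GX, P256_GY + 1)))  # False: tampered y, off the curve
```

The same range and curve-equation checks apply to P-384 and P-521 with their own parameters and coordinate lengths; a library that accepts any `crv` it supports needs one parameter set per curve.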