Re: [jose] Use of ECDH-ES in JWE
Vladimir Dzhuvinov <vladimir@connect2id.com> Mon, 13 February 2017 06:42 UTC
To: jose@ietf.org
References: <7465DFB4-1F4E-4C8C-9BF9-6534EEC0AB1D@adobe.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
Message-ID: <9f370d1c-8258-7fbe-fd46-f8a7c4786900@connect2id.com>
Date: Mon, 13 Feb 2017 08:41:48 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/hB8vYaAUTHUNbSCe8btG869ZY5Y>
Subject: Re: [jose] Use of ECDH-ES in JWE
Hi Antonio,

Thank you for making us aware of this. I just checked the ECDH-ES section in JWA, and the curve check apparently hasn't been mentioned:

https://tools.ietf.org/html/rfc7518#section-4.6

It's not in the security considerations either:

https://tools.ietf.org/html/rfc7518#section-8

Vladimir

On 09/02/17 12:39, Antonio Sanso wrote:
> hi all,
>
> this mail is highly inspired by research done by Quan Nguyen [0].
>
> As he discovered and mentions in his talk, there is a high chance the JOSE libraries implementing ECDH-ES in JWE are vulnerable to the invalid curve attack.
> Now I read the JWA spec and I did not find any mention that the ephemeral public key contained in the message should be validated in order to be on the curve.
> Did I miss this advice in the spec, or is it just missing? If it is not clear enough, the outcome of the attack will be that the attacker completely recovers the private static key of the receiver.
> Quan already found a pretty well known JOSE library vulnerable to it. So did I.
>
> WDYT?
>
> regards
>
> antonio
>
> [0] https://research.google.com/pubs/pub45790.html
> [1] https://tools.ietf.org/html/rfc7518
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
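The check the thread says JWA leaves unstated, as an added example that is not code from either poster or from any JOSE library: validate that the "epk" header's (x, y) actually lies on P-256 before it is used in ECDH-ES. The function name and the sample JWKs (the P-256 base point, and a tampered copy one unit off the curve) are constructed for this illustration.

```python
# Added example, not from the thread: validate the JWE "epk" header (a P-256
# JWK) before it enters the ECDH-ES computation, so an off-curve point is
# rejected instead of being multiplied by the receiver's static private key.
import base64

# NIST P-256 domain parameters: y^2 = x^3 + a*x + b (mod p), cofactor 1
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def _b64url_decode(s):
    """Decode unpadded base64url (RFC 7515 section 2); raises on bad input."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def epk_is_valid_p256_point(epk):
    """Hypothetical helper: True only if epk is a P-256 JWK on the curve.

    P-256 has cofactor 1, so an on-curve check with reduced coordinates is
    enough to exclude invalid-curve points; the point at infinity has no
    x/y encoding in a JWK and so is rejected by construction.
    """
    if not isinstance(epk, dict) or epk.get("kty") != "EC" or epk.get("crv") != "P-256":
        return False
    try:
        xb, yb = _b64url_decode(epk["x"]), _b64url_decode(epk["y"])
    except (KeyError, TypeError, ValueError):
        return False
    if len(xb) != 32 or len(yb) != 32:  # RFC 7518 6.2.1.2: fixed-width coordinates
        return False
    x, y = int.from_bytes(xb, "big"), int.from_bytes(yb, "big")
    if x >= P256_P or y >= P256_P:      # coordinates must be reduced mod p
        return False
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def make_epk(x, y):
    """Constructed sample input: encode integer coordinates as a P-256 JWK."""
    def enc(n):
        return base64.urlsafe_b64encode(n.to_bytes(32, "big")).rstrip(b"=").decode()
    return {"kty": "EC", "crv": "P-256", "x": enc(x), "y": enc(y)}


# Constructed inputs: the P-256 base point (valid) and a tampered copy (off-curve)
GOOD_EPK = make_epk(P256_GX, P256_GY)
BAD_EPK = make_epk(P256_GX, (P256_GY + 1) % P256_P)

if __name__ == "__main__":
    print(epk_is_valid_p256_point(GOOD_EPK), epk_is_valid_p256_point(BAD_EPK))
```

In a real implementation the same validation must run for every curve the library accepts (P-384, P-521), and a failed check should abort the decryption before any scalar multiplication with the static key.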