Re: [jose] Use of ECDH-ES in JWE

John Bradley <ve7jtb@ve7jtb.com> Mon, 13 February 2017 15:34 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <24F1FEB8-5416-431A-AB7B-AC5C4B1D6CD1@adobe.com>
Date: Mon, 13 Feb 2017 12:34:28 -0300
Message-Id: <9DD23B00-17B0-4364-A9E5-FD4AA21F3648@ve7jtb.com>
References: <7465DFB4-1F4E-4C8C-9BF9-6534EEC0AB1D@adobe.com> <9f370d1c-8258-7fbe-fd46-f8a7c4786900@connect2id.com> <24F1FEB8-5416-431A-AB7B-AC5C4B1D6CD1@adobe.com>
To: Antonio Sanso <asanso@adobe.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/kHbH3i0SC8C3sed0W5u_sJn_wMk>
Cc: "jose@ietf.org" <jose@ietf.org>, Vladimir Dzhuvinov <vladimir@connect2id.com>
Subject: Re: [jose] Use of ECDH-ES in JWE

An erratum is possible.   There is no way to update the original RFC.

The problem tends to be that most developers miss the errata when reading specs if they ever look at the specs at all.

We probably also need a more direct way to communicate this to library developers.

In the OIDF we are talking about developing a certification for JOSE/JWT libraries like we have for overall server implementations.

John B.


> On Feb 13, 2017, at 7:57 AM, Antonio Sanso <asanso@adobe.com> wrote:
> 
> hi Vladimir,
> 
> thanks a lot for taking the time and verifying.
> I really think it should be mentioned somewhere.
> The problem is that elliptic curves are over the head of many people/developers, and there should be at least 
> some reference in the JOSE spec about defending against this attack.
> That said, I have so far reviewed 3 implementations and all 3 were somehow vulnerable. And counting…
> 
> regards
> 
> antonio
> 
> On Feb 13, 2017, at 7:41 AM, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
> 
>> Hi Antonio,
>> 
>> Thank you for making us aware of this.
>> 
>> I just checked the ECDH-ES section in JWA, and the curve check
>> apparently hasn't been mentioned:
>> 
>> https://tools.ietf.org/html/rfc7518#section-4.6
>> 
>> It's not in the security considerations either:
>> 
>> https://tools.ietf.org/html/rfc7518#section-8
>> 
>> 
>> Vladimir
>> 
>> On 09/02/17 12:39, Antonio Sanso wrote:
>>> hi all,
>>> 
>>> this mail is highly inspired from a research done by Quan Nguyen [0].
>>> 
>>> As he discovered and mentioned in his talk, there is a high chance that JOSE libraries implementing ECDH-ES in JWE are vulnerable to the invalid curve attack.
>>> Now I read the JWA spec and I did not find any mention that the ephemeral public key contained in the message should be validated to ensure it is on the curve.
>>> Did I miss this advice in the spec, or is it just missing? If it is not clear enough, the outcome of the attack is that the attacker completely recovers the static private key of the receiver.
>>> Quan already found a pretty well known JOSE library vulnerable to it. So did I.
>>> 
>>> WDYT?
>>> 
>>> regards
>>> 
>>> antonio
>>> 
>>> [0] https://research.google.com/pubs/pub45790.html
>>> [1] https://tools.ietf.org/html/rfc7518
>>> _______________________________________________
>>> jose mailing list
>>> jose@ietf.org
>>> https://www.ietf.org/mailman/listinfo/jose
>> 
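As an added example (not code from this thread, from RFC 7518 or from any JOSE library) of the check Antonio and Vladimir are discussing, the Python below implements P-256 point arithmetic, the curve-membership test an ECDH-ES recipient must apply to the "epk" header before computing Z, and a minimal demonstration of why it matters: the addition formulas never use the curve constant b, so an attacker-chosen point (x0, 0) that has order 2 on a different curve makes an unchecked receiver leak the parity of its static private key. The full attack in Quan Nguyen's research repeats this with points of several small orders; this example stops at one bit. All function names, the constructed probe x0 = 5 and the test keys are assumptions, and it needs Python 3.8+ for pow(x, -1, p).

```python
import base64

# NIST P-256 domain parameters ("crv": "P-256" in RFC 7518 section 6.2.1.1).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
INF = None  # point at infinity

def point_add(p1, p2):
    # Affine short-Weierstrass addition. Neither formula uses B, so a point that
    # is not on P-256 is processed on whatever curve y^2 = x^3 + A*x + b' it does
    # lie on. That is exactly what the invalid-curve attack exploits.
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:  # p1 == -p2, including doubling a point with y == 0
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, pt):
    # Plain double-and-add: k * pt.
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def is_on_curve(pt):
    # The check RFC 7518 section 4.6 does not spell out: reject the point at
    # infinity, out-of-range coordinates and any (x, y) with y^2 != x^3 + A*x + B.
    if pt is INF:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0

def _b64url_to_int(s, length=32):
    raw = base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    if len(raw) != length:  # RFC 7518 section 6.2.1.2: full-length, zero-padded octets
        raise ValueError("coordinate is not %d octets" % length)
    return int.from_bytes(raw, "big")

def _int_to_b64url(v, length=32):
    return base64.urlsafe_b64encode(v.to_bytes(length, "big")).rstrip(b"=").decode()

def point_to_epk(pt):
    # Encode an affine point as an "epk" JWK; used here only to build inputs.
    return {"kty": "EC", "crv": "P-256",
            "x": _int_to_b64url(pt[0]), "y": _int_to_b64url(pt[1])}

def validate_epk(epk):
    # Parse the "epk" header and refuse anything that is not a point on P-256.
    if epk.get("kty") != "EC" or epk.get("crv") != "P-256":
        raise ValueError("epk is not a P-256 EC key")
    pt = (_b64url_to_int(epk["x"]), _b64url_to_int(epk["y"]))
    if not is_on_curve(pt):
        raise ValueError("epk is not on P-256 (invalid-curve point)")
    return pt

def ecdh_z_unchecked(d, epk):
    # Vulnerable pattern: decode and multiply, with no curve membership check.
    return scalar_mult(d, (_b64url_to_int(epk["x"]), _b64url_to_int(epk["y"])))

def ecdh_z_checked(d, epk):
    # Hardened pattern: validate first, and never feed INF to the KDF.
    z = scalar_mult(d, validate_epk(epk))
    if z is INF:
        raise ValueError("shared point is the point at infinity")
    return z

def order2_probe_epk(x0=5):
    # Attacker-chosen probe (x0 = 5 is a constructed value). (x0, 0) has order 2
    # on y^2 = x^3 + A*x + b' with b' = -(x0^3 + A*x0) mod P, so d*(x0, 0) is INF
    # for even d and (x0, 0) for odd d. (x0 = 2 would make that curve singular.)
    return point_to_epk((x0 % P, 0))

def leak_low_bit(d, x0=5):
    # One probe against an unvalidated receiver reveals the parity of d. A real
    # attacker observes this through a decryption oracle (does the JWE decrypt
    # under the key derived from x0?) and repeats with other small-order points.
    z = ecdh_z_unchecked(d, order2_probe_epk(x0))
    return 0 if z is INF else 1
```

Put the membership check in the JWK decoding path so every consumer of the key gets it, and treat whatever a crypto backend does on key import as something to verify with an off-curve test vector rather than assume.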