[jose] Use of ECDH-ES in JWE

Antonio Sanso <asanso@adobe.com> Thu, 09 February 2017 10:39 UTC

From: Antonio Sanso <asanso@adobe.com>
To: "jose@ietf.org" <jose@ietf.org>
Thread-Topic: Use of ECDH-ES in JWE
Thread-Index: AQHSgsDPoQk+ME/+VEGhScUUvt0P5g==
Date: Thu, 9 Feb 2017 10:39:37 +0000
Message-ID: <7465DFB4-1F4E-4C8C-9BF9-6534EEC0AB1D@adobe.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/oGme8BaRErp8qN3PK1gMEBnq2t4>
Subject: [jose] Use of ECDH-ES in JWE
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
X-List-Received-Date: Thu, 09 Feb 2017 10:39:40 -0000

hi all,

this mail is highly inspired by research done by Quan Nguyen [0].

As he discovered and mentions in his talk, there is a high chance that JOSE libraries implementing ECDH-ES in JWE are vulnerable to the invalid curve attack.
Now I read the JWA spec [1] and I did not find any mention that the ephemeral public key contained in the message should be validated in order to be on the curve.
Did I miss this advice in the spec, or is it just missing? If it is not clear enough, the outcome of the attack will be that the attacker completely recovers the static private key of the receiver.
Quan already found a pretty well-known JOSE library vulnerable to it. So did I.

WDYT?

regards

antonio

[0] https://research.google.com/pubs/pub45790.html
[1] https://tools.ietf.org/html/rfc7518
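The check the message asks about, and why it matters, as an added example that is not part of Antonio's mail and is not the code of any JOSE library. It is stdlib-only Python: the first half decodes the JWE "epk" header parameter (a JWK) for P-256 and rejects any point that does not satisfy the curve equation; the second half shows on a tiny constructed curve (p = 97, not a JOSE curve) what a receiver that skips that check gives away. The P-256 constants are the standard NIST values; the toy curve, the attacker's search for a small-order point and the private scalar used to demonstrate the leak are constructed for this illustration. Note that textbook point addition never uses the curve coefficient b, which is exactly why an off-curve "epk" is multiplied without complaint.

```python
import base64

# NIST P-256 domain parameters (the "P-256" crv of RFC 7518) and its standard base point.
P256 = dict(p=0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff, a=-3,
            b=0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b, size=32)
P256_G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
          0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def is_on_curve(curve, point):
    """True iff point is finite, has 0 <= x, y < p and satisfies y^2 = x^3 + a*x + b (mod p)."""
    if point is None:
        return False
    x, y, p = point[0], point[1], curve["p"]
    if not (0 <= x < p and 0 <= y < p):
        return False
    return (y * y - (x * x * x + curve["a"] * x + curve["b"])) % p == 0

def point_add(curve, P, Q):
    """Textbook affine addition. It uses p and a but never b, so an off-curve point is
    silently multiplied on whatever curve y^2 = x^3 + a*x + b' it does lie on."""
    p = curve["p"]
    if P is None or Q is None:
        return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + curve["a"]) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def scalar_mult(curve, k, P):
    """Double-and-add k*P: the receiver's ECDH step when P is the unvalidated epk."""
    R = None
    while k:
        if k & 1:
            R = point_add(curve, R, P)
        P = point_add(curve, P, P)
        k >>= 1
    return R

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def point_to_epk(curve, point, crv="P-256"):
    """Encode an affine point as the JWK carried in the JWE 'epk' header parameter."""
    enc = lambda v: base64.urlsafe_b64encode(v.to_bytes(curve["size"], "big")).rstrip(b"=").decode()
    return {"kty": "EC", "crv": crv, "x": enc(point[0]), "y": enc(point[1])}

def decode_epk(epk, curve=P256, crv="P-256"):
    """Receiver-side checks on 'epk' before ECDH: kty/crv match the static key, coordinates
    are exactly the curve's size and in [0, p), and the point satisfies the curve equation."""
    if epk.get("kty") != "EC" or epk.get("crv") != crv:
        raise ValueError("epk kty/crv does not match the receiver's static key")
    xb, yb = _b64url_decode(epk["x"]), _b64url_decode(epk["y"])
    if len(xb) != curve["size"] or len(yb) != curve["size"]:
        raise ValueError("epk coordinate length does not match the curve")
    point = (int.from_bytes(xb, "big"), int.from_bytes(yb, "big"))
    if not is_on_curve(curve, point):
        raise ValueError("epk is not on the curve: reject (invalid curve attack)")
    return point

# Toy curve (constructed, not a JOSE curve) small enough to brute-force point orders.
TOY = dict(p=97, a=2, b=3, size=1)

def point_order(curve, P, limit):
    """Smallest k <= limit with k*P = O, else None."""
    R, k = P, 1
    while R is not None:
        R, k = point_add(curve, R, P), k + 1
        if k > limit:
            return None
    return k

def find_invalid_curve_point(curve, max_order):
    """A point of small order 3..max_order on some other curve y^2 = x^3 + a*x + b' (b' != b):
    exactly what an attacker puts in 'epk'. Returns ((x, y), order) or None."""
    p, a = curve["p"], curve["a"]
    for x in range(p):
        for y in range(p):
            b_prime = (y * y - x * x * x - a * x) % p
            if b_prime == curve["b"] or (4 * a ** 3 + 27 * b_prime ** 2) % p == 0:
                continue  # skip the real curve and singular curves
            order = point_order(dict(curve, b=b_prime), (x, y), max_order)
            if order is not None and order >= 3:
                return (x, y), order
    return None

def leak_residue(curve, d, bogus, order):
    """The receiver derives d*bogus as the ECDH secret without checking bogus; the attacker,
    who can test candidate secrets, tries k*bogus for k < order and learns d mod order."""
    shared = scalar_mult(curve, d, bogus)
    for k in range(order):
        if scalar_mult(curve, k, bogus) == shared:
            return k
    return None
```

decode_epk is what a receiver should call on the "epk" member of the parsed JWE protected header before feeding the point into the key agreement. For the NIST curves named in RFC 7518 (cofactor 1) the range check plus the curve equation is sufficient; a curve with a cofactor would additionally need a subgroup check. In the toy part, the attacker repeats leak_residue with bogus points of different small orders and combines the residues with the CRT until the product of the orders exceeds the group order, which is how the full static private key is recovered.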