From: Antonio Sanso <asanso@adobe.com>
To: "jose@ietf.org" <jose@ietf.org>
Date: Thu, 9 Feb 2017 10:39:37 +0000
Message-ID: <7465DFB4-1F4E-4C8C-9BF9-6534EEC0AB1D@adobe.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/oGme8BaRErp8qN3PK1gMEBnq2t4>
Subject: [jose] Use of ECDH-ES in JWE
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>

hi all,

this mail is highly inspired by research done by Quan Nguyen [0].

As he discovered and mentions in his talk, there is a high chance that the JOSE libraries implementing ECDH-ES in JWE are vulnerable to the invalid curve attack.
Now I read the JWA spec and I did not find any mention that the ephemeral public key contained in the message should be validated to be on the curve.
Did I miss this advice in the spec or is it just missing? If it is not clear enough, the outcome of the attack is that the attacker completely recovers the static private key of the receiver.
Quan already found a pretty well known JOSE library vulnerable to it. So did I.

WDYT?

regards

antonio

[0] https://research.google.com/pubs/pub45790.html
[1] https://tools.ietf.org/html/rfc7518
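An added example (not from the original mail, nor from any JOSE library) of the check the mail says the spec does not call for: before an ECDH-ES recipient uses the `epk` from a JWE protected header, verify that it is a well-formed point on the named curve. The P-256 parameters are the standard ones; the JWE header and the off-curve point are constructed here, and the function names are my own.

```python
import base64
import json

# P-256 (secp256r1) domain parameters, the curve behind JWA "crv": "P-256".
P256 = {
    "p": 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF,
    "a": 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC,
    "b": 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
    "Gx": 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
    "Gy": 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5,
    "len": 32,  # RFC 7518: coordinates are fixed-length big-endian octet strings
}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_uint(n: int, length: int) -> str:
    return base64.urlsafe_b64encode(n.to_bytes(length, "big")).rstrip(b"=").decode()

def epk_is_valid(epk: dict) -> bool:
    """True only if epk is a P-256 JWK whose (x, y) satisfies the curve equation.
    P-256 has cofactor 1, so range + on-curve checks leave no small subgroup."""
    if epk.get("kty") != "EC" or epk.get("crv") != "P-256":
        return False
    try:
        xb, yb = b64url_decode(epk["x"]), b64url_decode(epk["y"])
    except (KeyError, TypeError, ValueError):
        return False
    if len(xb) != P256["len"] or len(yb) != P256["len"]:
        return False
    x, y = int.from_bytes(xb, "big"), int.from_bytes(yb, "big")
    p = P256["p"]
    if not (0 <= x < p and 0 <= y < p):
        return False
    # y^2 == x^3 + a*x + b (mod p); an off-curve point fails here and is rejected
    return (y * y - (x * x * x + P256["a"] * x + P256["b"])) % p == 0

def make_epk(x: int, y: int) -> dict:
    # Constructed helper to build a JWK from raw coordinates (for the demo/test).
    return {"kty": "EC", "crv": "P-256", "x": b64url_uint(x, 32), "y": b64url_uint(y, 32)}

def make_protected(epk: dict) -> str:
    hdr = {"alg": "ECDH-ES", "enc": "A128GCM", "epk": epk}
    return base64.urlsafe_b64encode(json.dumps(hdr).encode()).rstrip(b"=").decode()

def header_epk_ok(protected_b64: str) -> bool:
    """Recipient-side gate: parse the protected header and validate its epk."""
    hdr = json.loads(b64url_decode(protected_b64))
    return hdr.get("alg") == "ECDH-ES" and epk_is_valid(hdr.get("epk", {}))
```

The generator G passes; the same x with y+1 (an off-curve point) and any coordinate at or above p are rejected before any scalar multiplication with the static private key happens.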

