Re: [jose] Use of ECDH-ES in JWE

Antonio Sanso <> Fri, 24 February 2017 12:40 UTC

From: Antonio Sanso <>
To: Jim Schaad <>
Date: Fri, 24 Feb 2017 12:40:23 +0000
Cc: John Bradley <>, Brian Campbell <>, "" <>, Vladimir Dzhuvinov <>
Subject: Re: [jose] Use of ECDH-ES in JWE

Thanks a lot guys for the suggestions. I will take a stab at it and submit an errata…



On Feb 22, 2017, at 4:32 AM, Jim Schaad wrote:

I would welcome an errata even for the people that might miss it from reading the documents.  If nothing else, it gives us some hints about what things need to be dealt with in the (presumably) next revisions of the documents.


From: jose [] On Behalf Of Brian Campbell
Sent: Tuesday, February 21, 2017 12:23 PM
To: John Bradley
Cc: Antonio Sanso; jose list; Vladimir Dzhuvinov
Subject: Re: [jose] Use of ECDH-ES in JWE

This seems similar in nature to some of the security consideration advice in JWE and JWA that an average implementer (like myself) would very likely not be aware of unless some attention is called to it.
The point about people missing the errata is totally legit. But in the absence of some other way to convey it, perhaps it'd be better to have it written down as errata than not at all? Maybe Antonio would be the one to submit an errata for RFC 7518?

Certification for JOSE/JWT libraries sounds interesting. Having an errata for this would serve as a reminder for at least one negative test that should be done in that, if/when it comes to pass.

On Mon, Feb 13, 2017 at 8:34 AM, John Bradley wrote:
An errata is possible. There is no way to update the original RFC.

The problem tends to be that most developers miss the errata when reading specs if they ever look at the specs at all.

We probably also need a more direct way to communicate this to library developers as well.

In the OIDF we are talking about developing a certification for JOSE/JWT libraries like we have for overall server implementations.

John B.

> On Feb 13, 2017, at 7:57 AM, Antonio Sanso wrote:
> hi Vladimir,
> thanks a lot for taking the time and verifying.
> I really think it should be mentioned somewhere.
> The problem is that Elliptic Curves are over the heads of many people/developers, and there should be at least
> some reference in the JOSE spec about defending against this attack.
> That said, I have so far reviewed 3 implementations and all 3 were somehow vulnerable. And counting….
> regards
> antonio
> On Feb 13, 2017, at 7:41 AM, Vladimir Dzhuvinov wrote:
>> Hi Antonio,
>> Thank you for making us aware of this.
>> I just checked the ECDH-ES section in JWA, and the curve check
>> apparently hasn't been mentioned:
>> It's not in the security considerations either:
>> Vladimir
>> On 09/02/17 12:39, Antonio Sanso wrote:
>>> hi all,
>>> this mail is highly inspired by research done by Quan Nguyen [0].
>>> As he discovered and mentioned in his talk, there is a high chance that JOSE libraries implementing ECDH-ES in JWE are vulnerable to the invalid curve attack.
>>> Now I read the JWA spec and I did not find any mention that the ephemeral public key contained in the message should be validated to be on the curve.
>>> Did I miss this advice in the spec or is it just missing? If it is not clear enough, the outcome of the attack will be that the attacker completely recovers the static private key of the receiver.
>>> Quan already found a pretty well known JOSE library vulnerable to it. So did I.
>>> WDYT?
>>> regards
>>> antonio
>>> [0]
>>> [1]
>>> _______________________________________________
>>> jose mailing list

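The check the thread says JWA never spells out, as an added example that is not code from any of the libraries or people discussed above: before a receiver runs ECDH-ES, the `epk` JWK from the JWE header is decoded and verified to be an affine point on the receiver's own curve. The P-256 parameters and base point are the published NIST values; the helper names and the sample points are my own.

```python
import base64

# NIST P-256 domain parameters (published values, embedded here).
P256 = {
    "p": 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff,
    "a": 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc,
    "b": 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
    "size": 32,  # coordinate length in bytes
}
CURVES = {"P-256": P256}


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def validate_epk(epk, expected_crv):
    """Return (x, y) if 'epk' is a valid point on expected_crv, else raise ValueError.
    P-256 has prime order, so an on-curve point that is not the identity has full
    order; no separate small-subgroup check is needed for this curve."""
    if epk.get("kty") != "EC" or epk.get("crv") != expected_crv:
        raise ValueError("epk must be an EC key on the receiver's curve")
    curve = CURVES[expected_crv]
    xb, yb = _b64url_decode(epk["x"]), _b64url_decode(epk["y"])
    if len(xb) != curve["size"] or len(yb) != curve["size"]:
        raise ValueError("coordinate length does not match curve size")
    x, y = int.from_bytes(xb, "big"), int.from_bytes(yb, "big")
    p = curve["p"]
    if not (0 <= x < p and 0 <= y < p):
        raise ValueError("coordinate outside the field")
    # The core invalid-curve defence: y^2 == x^3 + a*x + b (mod p).
    if (y * y - (x * x * x + curve["a"] * x + curve["b"])) % p != 0:
        raise ValueError("point is not on the curve")
    return x, y


def epk_from_point(x, y, crv="P-256"):
    """Build a JWK 'epk' header value from integer coordinates (test helper)."""
    size = CURVES[crv]["size"]
    return {"kty": "EC", "crv": crv,
            "x": _b64url_encode(x.to_bytes(size, "big")),
            "y": _b64url_encode(y.to_bytes(size, "big"))}


# Constructed samples: the P-256 base point G, and the same x with y off by one.
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def epk_is_acceptable(epk, crv="P-256"):
    try:
        validate_epk(epk, crv)
        return True
    except ValueError:
        return False
```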