[Openid-specs-ab] [jose] Use of ECDH-ES in JWE

John Bradley ve7jtb at ve7jtb.com
Mon Feb 13 15:34:28 UTC 2017


An errata is possible. There is no way to update the original RFC.

The problem tends to be that most developers miss the errata when reading specs, if they ever look at the specs at all.

We probably also need a more direct way to communicate this to library developers as well.

In the OIDF we are talking about developing a certification for JOSE/JWT libraries like we have for overall server implementations.

John B.


> On Feb 13, 2017, at 7:57 AM, Antonio Sanso <asanso at adobe.com> wrote:
> 
> hi Vladimir,
> 
> thanks a lot for taking the time and verifying.
> I really think it should be mentioned somewhere.
> The problem is that Elliptic Curves are over the head of many people/developers and there should be at least
> some reference in the JOSE spec about defending against this attack.
> That said, I have so far reviewed 3 implementations and all 3 were somehow vulnerable. And counting…
> 
> regards
> 
> antonio
> 
> On Feb 13, 2017, at 7:41 AM, Vladimir Dzhuvinov <vladimir at connect2id.com> wrote:
> 
>> Hi Antonio,
>> 
>> Thank you for making us aware of this.
>> 
>> I just checked the ECDH-ES section in JWA, and the curve check
>> apparently hasn't been mentioned:
>> 
>> https://tools.ietf.org/html/rfc7518#section-4.6
>> 
>> It's not in the security considerations either:
>> 
>> https://tools.ietf.org/html/rfc7518#section-8
>> 
>> 
>> Vladimir
>> 
>> On 09/02/17 12:39, Antonio Sanso wrote:
>>> hi all,
>>> 
>>> this mail is highly inspired by research done by Quan Nguyen [0].
>>> 
>>> As he discovered and mentions in his talk, there is a high chance that the JOSE libraries implementing ECDH-ES in JWE are vulnerable to an invalid curve attack.
>>> Now I read the JWA spec and I did not find any mention that the ephemeral public key contained in the message should be validated in order to be on the curve.
>>> Did I miss this advice in the spec or is it just missing? If it is not clear enough, the outcome of the attack will be that the attacker completely recovers the private static key of the receiver.
>>> Quan already found a pretty well known JOSE library vulnerable to it. So did I.
>>> 
>>> WDYT?
>>> 
>>> regards
>>> 
>>> antonio
>>> 
>>> [0] https://research.google.com/pubs/pub45790.html
>>> [1] https://tools.ietf.org/html/rfc7518
>>> _______________________________________________
>>> jose mailing list
>>> jose at ietf.org
>>> https://www.ietf.org/mailman/listinfo/jose
>> 
>> 
> 

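The curve check discussed in this thread, as an added example that is not part of the original e-mails or of any JOSE library: before ECDH-ES key agreement, the receiver verifies that the `epk` from the JWE header satisfies the curve equation. It covers P-256 only; the function names and the sample keys (built from the P-256 base point) are constructed for illustration.

```python
import base64

# NIST P-256 domain parameters: y^2 = x^3 + A*x + B over GF(P)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
# Base point of P-256, used below only to build constructed sample keys
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5

def b64url_to_int(value):
    """Decode an unpadded base64url JWK coordinate into an integer."""
    raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    if len(raw) != 32:
        raise ValueError("P-256 coordinates must be exactly 32 octets")
    return int.from_bytes(raw, "big")

def int_to_b64url(n):
    """Encode an integer as a 32-octet unpadded base64url string."""
    return base64.urlsafe_b64encode(n.to_bytes(32, "big")).rstrip(b"=").decode()

def epk_is_valid_p256(epk, expected_crv="P-256"):
    """Return True only if the JWE 'epk' header is a point on P-256.

    The curve is fixed by the receiver's own static key, never taken on
    trust from the sender. P-256 has cofactor 1 and affine coordinates
    cannot encode the point at infinity, so range + equation checks suffice.
    """
    if epk.get("kty") != "EC" or epk.get("crv") != expected_crv:
        return False
    try:
        x, y = b64url_to_int(epk["x"]), b64url_to_int(epk["y"])
    except (KeyError, TypeError, ValueError):
        return False
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0

# Constructed sample headers: a valid point and the same x with a shifted y
GOOD_EPK = {"kty": "EC", "crv": "P-256",
            "x": int_to_b64url(GX), "y": int_to_b64url(GY)}
BAD_EPK = dict(GOOD_EPK, y=int_to_b64url(GY + 1))

if __name__ == "__main__":
    print("valid epk accepted:", epk_is_valid_p256(GOOD_EPK))
    print("off-curve epk accepted:", epk_is_valid_p256(BAD_EPK))
```

A receiver would reject the JWE when this returns False, before the private key is ever used in the key agreement.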