eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ.

OKOawDo13gRp2ojaHV7LFpZcgV7T6DVZKTyKOMTYUmKoTCVJRgckCL9kiMT03JGe

ipsEdY3mx_etLbbWSrFr05kLzcSr4qKAq7YN7e9jwQRb23nfa6c9d-StnImGyFDb

Sv04uVuxIp5Zms1gNxKKK2Da14B8S4rzVRltdYwam_lDp5XnZAYpQdb76FdIKLaV

mqgfwX7XWRxv2322i-vDxRfqNzo_tETKzpVLzfiwQyeyPGLBIO56YJ7eObdv0je8

1860ppamavo35UgoRdbYaBcoh9QcfylQr66oc6vFWXRcZ_ZT2LawVCWTIy3brGPi

6UklfCpIMfIjf7iGdXKHzg.

48V1_ALb6US04U3b.

5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFShS8iB7j6ji

SdiwkIr3ajwQzaBtQD_A.

XFBoMYUZodetZdvTiFvSkQ

RSA-OAEP

A256GCM

1. directly as the Content Encryption Key (CEK) for the "enc" algorithm, in the Direct Key Agreement mode, or

2. as a symmetric key used to wrap the CEK with the A128KW , A192KW , or A256KW algorithms, in the Key Agreement with Key Wrapping mode.

ECDH-ES

AES-GCM

AES-CBC

HMAC

Decryption/Signature verification’ input is always under attacker’s control

As we will see thorough this post this simple observation will be enough to fully recover the receiver’s private key. But first we need to dig a bit into elliptic curve bits and pieces.



An elliptic curve is the set of solutions defined by an equation of the form

y^2 = x^3 + ax + b

y^2 = x^3 + 4x + 20

q . The same curve will then look like below over Finite Field of size 191:





y^2 = x^3 + 4x + 20 over Finite Field of size 191

The Attack

b

y^2 = ax^3 + ax + b

P

O(2447)



At the end of the day the issue here is that the specification and consequently all the libraries I checked missed to validate that the received public key (contained in the JWE Protected Header) is on the curve. You can see the Vulnerable Libraries section below to check how the various libraries fixed the issue. And finally Chinese Remainder Theorem for the win!At the end of the day the issue here is that the specification and consequently all the libraries I checked missed to validate that the received public key (contained in theis on the curve. You can see thebelow to check how the various libraries fixed the issue.

Demo Time

Explanation

https://github.com/asanso/jwe-receiver contains the code of the vulnerable server .

. https://github.com/asanso/jwe-sender contains the code of the attacker.

Vulnerable Libraries



node-jose v0.9.3 include the fixes necessary, which was published few weeks ago. Here the Gist of the original proof of concept. *

jose2go's fix landed in version 1.3.

Nimbus JOSE+JWT pushed out a fixed artifact to Maven central as v4.34.2 . Here the Gist of the original proof of concept. **

jose4j now comes with a fix for this problem since v 0.5.5 . Here the Gist of the original proof of concept. **

Here the Gist of the original proof of concept. go-jose (this is the original library found vulnerable by Quan Nguyen) Some of the libraries were implemented in a programming language that already protects against this attack checking that the result of the scalar multiplication is on the curve:



* Latest version of Node.js is immune to this attack. It was still possible to be vulnerable when using browsers without web crypto support.



** Affected was the default Java SUN JCA provider that comes with Java prior to version 1.8.0_51. Later Java versions and the BouncyCastle JCA provider are not affected.

Here you can find a list of libraries that were vulnerable to this particular attack so far:

Improving the JWE standard

I reported this issue to the JOSE working group via a mail to the appropriate mailing list . We all seem to agree that an errata where the problem is listed is at least welcomed.This post is a direct attempt to raise awareness about this specific problem.

Acknowledgement

Equations of this type are called. An elliptic curve would look like:In order to apply the theory of elliptic curves to cryptography we need to look at elliptic curves whose points have coordinates in a finite field FFor JWE the elliptic curves in scope are the one defined in Suite B and ( only recently DJB 's curve.Between those, the curve that so far has reached the higher amount of usage is the famous P-256 (defined in Suite B).Time to open Sage . Let's define P-256:The order of the curve is a really huge number hence there isn't much an attacker can do with this curve (if the software implements ECDH correctly) in order to guess the private key used in the agreement. This brings us to the next section:The attack described here is really the classical Invalid Curve Attack . The attack is as simple as powerful and takes advantage from the mere fact that Weierstrass's formula for scalar multiplication does not take in consideration the coefficientof the curve equation:The original's P-256 equation isAs we mention above the order of this curve is really big. So we need now to find a more convenient curve for the attacker. Easy peasy with Sage:As you can see from the image above we just found a nicer curve (from the attacker point of view) that has an order with many small factors. Then we found a pointon the curve that has a really small order (2447 in this example).Now we can build malicious JWEs (see thebelow) and extract the value of the secret key modulo 2447 with complexityA crucial part for the attack to succeed is to have the victim to repeat his own contribution to the resulting shared key. In other words this means that the victim should have his private key to be the same for each key agreement. Conveniently enough this is how the Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) works. Indeed ES stands for Ephemeral-Static were Static is the contribution of the victim!At this stage we can repeat these operations (find a new curve, craft malicious JWEs, recover the secret key modulo the small order) many many times and collecting information about the secret key modulo many many small orders.Again you can find details of the attack in the original paper In order to show how the attack would work in practice I set up a live demo in Heroku. In https://obscure-everglades-31759.herokuapp.com/ is up and running one Node.js server app that will act as a victim in this case. The assumption is this: in order to communicate with this web application you need to encrypt a token using the Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) . The static public key from the server needed for the key agreement is in https://obscure-everglades-31759.herokuapp.com/ecdh-es-public.json An application that want to POST data to this server needs first to do a key agreement using the server's public key above and then encrypt the payload using the derived shared key using the JWE format. Once the JWE is in place this can be posted to https://obscure-everglades-31759.herokuapp.com/secret . The web app will respond with aif all went well (namely if it can decrypt the payload content) and with aif for some reason the received token is missing or invalid. This will act as an oracle for any potential attacker in the way shown in the previoussection.I set up an attacker application in https://afternoon-fortress-81941.herokuapp.com/ You can visit it and click the '' button and observe how the attacker is able to recover the secret key from the server piece by piece. Note that this is only a demo application so the recovered secret key is really small in order to reduce the waiting time. In practice the secret key will be significantly larger (hence it will take a bit more to recover the key).In case you experience problem with the live demo, or simply if want to see the code under the hood, you can find the demo code in Github:The author would like to thanks the maintainers of go-jose Nimbus JOSE+JWT and jose4j for the responsiveness on fixing the issue. Francesco Mari for helping out with the development of the demo application. Tommaso Teofili and Simone Tripodi for troubleshooting. Finally as mentioned above I would like to thank Quan Nguyen from Google , indeed this research could not be possible without his initial incipit.