A number of JSON libraries using the JSON Web Encryption specification (JWE) to create, sign and encrypt access tokens have been patched against an attack that allows for the recovery of a private key.
Researcher Antonio Sanso of Adobe said the go-jose, node-jose, jose2go, Nimbus JOSE+WT and jose4 libraries were vulnerable to the known Invalid Curve Attack if the libraries implement JWE for encryption with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES).
Sanso wrote in a technical description of the attack published this week that an attacker, or sender, could extract a receiver’s private key.
“Assuming the library is vulnerable the actually exploit is actually pretty easy,” Sanso told Threatpost, adding that he did not believe there were a large number of vulnerable implementations.
Regardless, the libraries identified by Sanso have all taken steps to address the vulnerability.
Sanso said he also reported the issue to the JavaScript Object Signing and Encryption (JOSE) working group with the hope that the group would publish an errata noting the issue is present in the specification.
“The main problem is that the JWE specification doesn’t warn at all about this classical attack on elliptic curve (invalid curve attack),” Sanso said. “This led everyone implementing this part of the spec to [make these] trivial mistakes.”
Building on original research done by Google’s Quan Nguyen, Sanso describes that his attack requires the victim repeat his private key over and over, which is part of the ECDH-ES standard.
“The attacker will be able to learn the secret key piece by piece (with different modulo) and use the vulnerable party as an oracle,” Sanso said. “And then will use the Chinese Remainder Theorem to finally recompose the secret key.”
Sanso said in his technical description that the libraries he checked that were built on the specification failed to validate the public key received in a message; Sanso shared a demo of his attack.
JSON Web Encryption is part of the JOSE specifications, and it defines the process by which a JSON Web Token (JWT) is encrypted. These tokens are used in popular protocols such as OAUTH 2.0 to represent an access token in API authorization. It’s also used in OpenID to represent an identity to a web application. Also part of the JOSE specifications are the JSON Web Signature (JWS) which describes how JSON Web Tokens are to be signed, the JSON Web Algorithm (JWA) which is a list of algorithms to be used when digitally signing or encrypting messages, and the JSON Web Key, which describes how crypto keys are to be represented.
Sanso said it’s likely these vulnerabilities were present since the initial implementations of JWE, and added that it’s likely these issues have not been publicly exploited.
