Multi-level defence against invalid curve attacks

Posted on 2017-04-15

Reliable defences work on multiple levels. The latest release of the Nimbus JOSE+JWT library adds an extra protection against invalid curve attacks by preventing the construction and parsing of public EC JSON Web Keys whose public coordinates do not lie on the specified curve. With that the number of checks is increased to three:

  • First level: Preventing parsing and construction of EC JWK instances whose public point is not on the specified curve.

  • Second level: A curve check is performed prior to ECDH-ES decryption or ECDSA signature validation.

  • Third level: Curve check performed by the underlying JCA provider, where available (the default SUN provider since Java 1.8.0_51, BouncyCastle).

The invalid curve attack targets ECDH-ES encryption, with the aim of recovering the private EC key.
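To make the first-level check concrete, here is an added Python example (not code from the Nimbus JOSE+JWT library) that parses an EC public JWK and refuses it when the decoded (x, y) point does not satisfy the P-256 curve equation, or when the coordinates are not the full field size. The curve constants are the published P-256 domain parameters; the sample keys (the generator point and an off-curve neighbour of it) are constructed for illustration, and the function names are the example's own.

```python
import base64
import json

# NIST P-256 (secp256r1) domain parameters for y^2 = x^3 + a*x + b over GF(p),
# as published in FIPS 186-4 / SEC 2. "P-256" is the JWK "crv" name for this curve.
P256 = {
    "p": 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF,
    "a": 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC,
    "b": 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
    "coord_len": 32,  # RFC 7518 6.2.1.2: x and y are the full field size, in octets
}
# Generator point of P-256, used here only to build a known-good sample key.
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

CURVES = {"P-256": P256}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def is_on_curve(curve: dict, x: int, y: int) -> bool:
    """True iff (x, y) is an affine point on the curve (the point at infinity is excluded)."""
    p = curve["p"]
    if not (0 <= x < p and 0 <= y < p):
        return False
    return (y * y - (x * x * x + curve["a"] * x + curve["b"])) % p == 0


def parse_ec_public_jwk(jwk_json: str) -> tuple:
    """Parse an EC public JWK, raising ValueError unless (x, y) lies on the named curve.

    This is the first-level check: a key that fails here is never constructed,
    so it can never reach ECDH-ES decryption or ECDSA verification.
    """
    jwk = json.loads(jwk_json)
    if jwk.get("kty") != "EC":
        raise ValueError("not an EC JWK")
    crv = jwk.get("crv")
    curve = CURVES.get(crv)
    if curve is None:
        raise ValueError("unsupported curve: %r" % crv)
    xb, yb = b64url_decode(jwk["x"]), b64url_decode(jwk["y"])
    if len(xb) != curve["coord_len"] or len(yb) != curve["coord_len"]:
        raise ValueError("coordinate length does not match the field size of %s" % crv)
    x, y = int.from_bytes(xb, "big"), int.from_bytes(yb, "big")
    if not is_on_curve(curve, x, y):
        raise ValueError("public point is not on curve %s" % crv)
    return crv, x, y


def accepts_ec_jwk(jwk_json: str) -> bool:
    """Convenience wrapper: True if the JWK passes the curve check, False otherwise."""
    try:
        parse_ec_public_jwk(jwk_json)
        return True
    except (ValueError, KeyError):
        return False


def make_ec_jwk(crv: str, x: int, y: int) -> str:
    """Serialise coordinates as an EC JWK (sample construction only, not a key generator)."""
    n = CURVES[crv]["coord_len"]
    return json.dumps({"kty": "EC", "crv": crv,
                       "x": b64url_encode(x.to_bytes(n, "big")),
                       "y": b64url_encode(y.to_bytes(n, "big"))})


# Constructed samples: the generator point is on the curve; shifting y by one is not.
VALID_JWK = make_ec_jwk("P-256", P256_GX, P256_GY)
INVALID_JWK = make_ec_jwk("P-256", P256_GX, P256_GY + 1)

if __name__ == "__main__":
    print("valid key accepted:", accepts_ec_jwk(VALID_JWK))        # True
    print("off-curve key accepted:", accepts_ec_jwk(INVALID_JWK))  # False
```

The equation test alone is enough for the NIST prime curves because their cofactor is 1, so every point on the curve is in the prime-order group; for a curve with a cofactor greater than 1 a subgroup membership check would also be needed. The length check matters too: a coordinate that is shorter or longer than the field size is a malformed key rather than a valid point that happens to need padding.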


Release notes

version 4.36 (2017-04-13)

  • Adds a check at ECKey construction time to ensure the public ‘x’ and ‘y’ coordinates are on the specified curve (iss #217).
  • Adds a check at ECDSAVerifier construction time to ensure the public key is on the specified curve (iss #217).
  • Adds a new ECDSAProvider.supportedECDSAAlgorithm() method that returns the name of the supported ECDSA algorithm (ES256, ES384 or ES512).

Connect2id server 6.6.1 maintenance release

Posted on 2017-04-12

This is a small maintenance release of the Connect2id server.

Summary:

  1. Fixes client_secret provisioning for client_secret_jwt authentication with HS384 and HS512 at the token endpoint, to ensure the client secret is of sufficient length for the HMAC algorithm.

  2. Upgrades several dependencies under the hood - the OAuth 2.0 / OpenID Connect SDK, Nimbus JOSE+JWT, the JDBC connector for MySQL databases and Log4j.
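As an added illustration of the check the first item refers to (example code, not the Connect2id server's own), the following Python enforces the RFC 7518 rule that an HMAC key must be at least as long as the hash output, both when a client_secret is provisioned and when a client_secret_jwt assertion is signed or verified. The secret and claims are constructed samples, and the function names are the example's own.

```python
import base64
import hmac
import json
import secrets

# RFC 7518 section 3.2: the HMAC key MUST be at least as long as the hash output.
# alg -> (hashlib digest name, minimum key length in octets)
HMAC_ALGS = {"HS256": ("sha256", 32), "HS384": ("sha384", 48), "HS512": ("sha512", 64)}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def min_secret_octets(alg: str) -> int:
    return HMAC_ALGS[alg][1]


def secret_is_sufficient(alg: str, client_secret: str) -> bool:
    """The HMAC key is the UTF-8 octets of the client_secret, so measure those."""
    return len(client_secret.encode("utf-8")) >= min_secret_octets(alg)


def provision_client_secret(alg: str) -> str:
    """Generate a client_secret long enough for the given HS* algorithm."""
    # Hex-encoding min_len random bytes yields 2*min_len ASCII characters,
    # so the resulting key is never shorter than the minimum.
    return secrets.token_hex(min_secret_octets(alg))


def sign_hs(alg: str, client_secret: str, claims: dict) -> str:
    """Produce a compact JWS; refuses a secret that is too short for the algorithm."""
    if not secret_is_sufficient(alg, client_secret):
        raise ValueError("client_secret too short for %s: need >= %d octets"
                         % (alg, min_secret_octets(alg)))
    hash_name = HMAC_ALGS[alg][0]
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = ("%s.%s" % (header, payload)).encode("ascii")
    sig = hmac.new(client_secret.encode("utf-8"), signing_input, hash_name).digest()
    return "%s.%s.%s" % (header, payload, b64url_encode(sig))


def verify_hs(token: str, client_secret: str, expected_alg: str) -> dict:
    """Verify a compact JWS; the algorithm comes from the caller, not from the token header."""
    if not secret_is_sufficient(expected_alg, client_secret):
        raise ValueError("client_secret too short for %s" % expected_alg)
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != expected_alg:
        raise ValueError("unexpected alg %r" % header.get("alg"))
    hash_name = HMAC_ALGS[expected_alg][0]
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
    expected = hmac.new(client_secret.encode("utf-8"), signing_input, hash_name).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def signature_valid(token: str, client_secret: str, expected_alg: str) -> bool:
    try:
        verify_hs(token, client_secret, expected_alg)
        return True
    except ValueError:
        return False


# Constructed samples: a 32-octet secret is enough for HS256 but not for HS384/HS512.
SHORT_SECRET = "s" * 32
SAMPLE_CLAIMS = {"iss": "client-123", "sub": "client-123",
                 "aud": "https://op.example.com/token", "jti": "sample-1"}

if __name__ == "__main__":
    for alg in HMAC_ALGS:
        print(alg, "32-octet secret sufficient:", secret_is_sufficient(alg, SHORT_SECRET))
    token = sign_hs("HS256", SHORT_SECRET, SAMPLE_CLAIMS)
    print("HS256 verifies:", signature_valid(token, SHORT_SECRET, "HS256"))
```

Provisioning is the right place to fix this: a secret that is too short cannot be lengthened later without re-issuing it to the client, and a verifier that accepts short keys silently weakens HS384 and HS512 to the entropy of the secret actually supplied.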

Download

To download a ZIP package of Connect2id server 6.6.1:

https://connect2id.com/assets/products/server/download/6.6.1/Connect2id-server.zip

(SHA-256: a8360793842a68aa3758682bf16b69a7bf1aac9f6ffb309b609a7518e922d549)

As WAR package only:

https://connect2id.com/assets/products/server/download/6.6.1/c2id.war

(SHA-256: 7dd33494e40a889cbcd4427117af1d08d4b28539a4402b916c62dff1b1fca739)

Questions?

Get in touch with Connect2id support to receive assistance.


Release notes

6.6.1 (2017-04-12)

Configuration

  • No changes

Web API

  • No changes

Bug fixes

  • Fixes client_secret provisioning for client_secret_jwt authentication with HS384 and HS512 at the token endpoint to ensure the client secret is of sufficient length for the HMAC algorithm (issue #272).

Dependencies

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:5.24.2

  • Upgrades to com.nimbusds:nimbus-jose-jwt:4.35

  • Upgrades to mysql:mysql-connector-java:5.1.41

  • Upgrades to Log4j 2.8.2

Nimbus JOSE+JWT 4.35 deprecates use of SHA-1 and RSA encryption with PKCS1v1.5 padding

Posted on 2017-04-10

Deprecates use of SHA-1

CWI and Google’s announcement of a practical technique for producing SHA-1 collisions served as a wake-up call to the industry to finally commit to phasing out the 22-year-old hash algorithm and moving to the newer and more secure SHA-2 and SHA-3.

Today’s 4.35 release of the Nimbus JOSE+JWT library encourages developers to do just that:

  • Use of the x5t certificate SHA-1 thumbprint parameter in JWS and JWE headers is now deprecated; use x5t#S256 (SHA-256) instead.

  • Use of the x5t certificate SHA-1 thumbprint parameter in JWK objects is also marked as deprecated; use x5t#S256 instead.

  • The RSA-OAEP JWE algorithm, which uses SHA-1 as the hash function, is deprecated; use RSA-OAEP-256 instead.

Deprecates use of RSA encryption with PKCS#1v1.5 padding

RSA encryption with PKCS#1v1.5 padding was another long-time candidate for phasing out, due to its vulnerability to timing attacks. Its RSA1_5 JWE algorithm identifier is now marked as deprecated. Developers should consider using RSA-OAEP-256 or the ECDH-ES family of JWE algorithms instead.


Release notes

version 4.35 (2017-04-09)

  • Adds support for JWK x5t#S256 header parameter (iss #205).
  • Deprecates use of the RSA1_5 JWE algorithm as a security measure to encourage use of RSA-OAEP-256 (iss #215).
  • Deprecates use of the JWK x5t header parameter as part of a security measure to move away from SHA-1 and encourage use of SHA-256 (iss #214).
  • Deprecates use of the JWS and JWE x5t header parameter as part of a security measure to move away from SHA-1 and encourage use of SHA-256 (iss #214).
  • Deprecates use of the RSA-OAEP JWE algorithm as part of a security measure to move away from SHA-1 and encourage use of SHA-256 (iss #214).
  • Upgrades the JSON Smart dependency to support the version range 1.3.1 to 2.3.
  • Refines exception messages of DefaultJOSEProcessor and DefaultJWTProcessor.