Multi-level defence against invalid curve attacks

Reliable defences work on multiple levels. The latest release of the Nimbus JOSE + JWT library adds extra protection against invalid curve attacks by refusing to construct or parse public EC JSON Web Keys (JWKs) whose public coordinates do not lie on the specified curve. This brings the number of checks to three:

  • First level: Parsing and construction of EC JWK instances whose point is not on the specified curve is rejected.

  • Second level: A curve check is performed prior to ECDH-ES decryption or ECDSA signature validation.

  • Third level: A curve check is performed by the underlying JCA provider, where available (the default SUN provider after v 1.8.0_51, BouncyCastle).

The invalid curve attack targets ECDH-ES encryption, with the aim of recovering the private EC key.
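The first-level check above amounts to validating, at JWK parse time, that the decoded `x` and `y` coordinates satisfy the curve equation y^2 = x^3 + ax + b (mod p) of the curve named in `crv`. The following is an added, self-contained illustration of that check in Python; it is not code from the Nimbus JOSE + JWT library. The curve table is restricted to P-256 (whose domain parameters are the published secp256r1 constants), and the sample JWKs are constructed here: the valid one carries the P-256 generator point, the invalid one has its `y` coordinate changed by one, which is exactly the kind of off-curve point the library now rejects before any key agreement or signature check can run.

```python
import base64
import json

# Published P-256 (secp256r1) domain parameters; a = p - 3.
P256 = {
    "p": 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff,
    "a": 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc,
    "b": 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
    "coord_len": 32,  # RFC 7518 requires x and y to be exactly this many bytes
}
CURVES = {"P-256": P256}

# Generator point of P-256, used here only as a known-good sample coordinate pair.
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def _b64url_decode(s):
    """Decode base64url without padding, as used in JWKs."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(n, length):
    """Encode an integer as a fixed-length big-endian base64url string."""
    return base64.urlsafe_b64encode(n.to_bytes(length, "big")).rstrip(b"=").decode()


def is_on_curve(crv, x, y):
    """Return True iff (x, y) satisfies the short Weierstrass equation of crv."""
    c = CURVES[crv]
    p = c["p"]
    if not (0 <= x < p and 0 <= y < p):
        return False
    return (y * y - (x * x * x + c["a"] * x + c["b"])) % p == 0


def parse_ec_jwk(jwk_json):
    """Parse a public EC JWK, rejecting it if the point is not on the named curve.

    Returns (crv, x, y) as integers on success; raises ValueError otherwise.
    """
    jwk = json.loads(jwk_json)
    if jwk.get("kty") != "EC":
        raise ValueError("not an EC JWK")
    crv = jwk.get("crv")
    if crv not in CURVES:
        raise ValueError("unsupported curve %r" % (crv,))
    coords = []
    for name in ("x", "y"):
        raw = _b64url_decode(jwk[name])
        if len(raw) != CURVES[crv]["coord_len"]:
            raise ValueError("coordinate %s has wrong length" % name)
        coords.append(int.from_bytes(raw, "big"))
    x, y = coords
    if not is_on_curve(crv, x, y):
        raise ValueError("public point is not on curve %s" % crv)
    return crv, x, y


# Constructed sample keys: one on the curve, one with y off by one.
VALID_JWK = json.dumps({"kty": "EC", "crv": "P-256",
                        "x": _b64url_encode(GX, 32), "y": _b64url_encode(GY, 32)})
INVALID_JWK = json.dumps({"kty": "EC", "crv": "P-256",
                          "x": _b64url_encode(GX, 32), "y": _b64url_encode(GY + 1, 32)})


def jwk_is_accepted(jwk_json):
    """Convenience wrapper: True if the JWK parses, False if the curve check rejects it."""
    try:
        parse_ec_jwk(jwk_json)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("valid JWK accepted:", jwk_is_accepted(VALID_JWK))
    print("tampered JWK accepted:", jwk_is_accepted(INVALID_JWK))
```

The point of doing this at parse time is that a key which never becomes an object cannot reach ECDH-ES or ECDSA code paths at all, which is why it counts as a separate layer from the checks performed just before decryption or signature verification.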


Release notes

version 4.36 (2017-04-13)

  • Adds a check at ECKey construction time to ensure the public 'x' and 'y' coordinates are on the specified curve (iss #217).
  • Adds a check at ECDSAVerifier construction time to ensure the public key is on the specified curve (iss #217).
  • Adds a new ECDSAProvider.supportedECDSAAlgorithm() method that returns the name of the supported ECDSA algorithm (ES256, ES384 or ES512).