- From: Christopher Allen <ChristopherA@blockstream.com>
- Date: Tue, 14 Mar 2017 17:29:41 +0000
- To: Credentials CG <public-credentials@w3.org>
Received on Tuesday, 14 March 2017 17:30:26 UTC
If you are using go-jose <https://github.com/square/go-jose>, node-jose <https://github.com/cisco/node-jose>, jose2go <https://github.com/dvsekhvalnov/jose2go>, Nimbus JOSE+JWT <https://bitbucket.org/connect2id/nimbus-jose-jwt/wiki/Home> or jose4 <https://bitbucket.org/b_c/jose4j/wiki/Home> with ECDH-ES <https://tools.ietf.org/html/rfc7518>, please update to the latest version.

RFC 7516 aka JSON Web Encryption (JWE) <https://tools.ietf.org/html/rfc7516> Invalid Curve Attack <http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.107.3920&rep=rep1&type=pdf>. This can allow an attacker to recover the secret key of a party using JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) <https://tools.ietf.org/html/rfc7518>, where the sender could extract receiver’s private key.

http://blogs.adobe.com/security/2017/03/critical-vulnerability-uncovered-in-json-encryption.html

-- Christopher Allen