dcsimg

Researcher Warns About JSON Web Encryption Flaw

By HTMLGoodies Staff

According to Antonio Sanso, a senior software engineer at Adobe Research Switzerland, software libraries implementing the JSON Web Encryption (JWE), or RFC 7516, specification are vulnerable to invalid curve attacks. Web applications using some JWE protocols could allow attackers to retrieve private encryption keys. Affected libraries include go-jose, node-jose, jose2go, Nimbus JOSE+JWT, or jose4 with ECDH-ES.

"At the end of the day the issue here is that the specification and consequently all the libraries I checked missed validating that the received public key (contained in the JWE Protected Header) is on the curve," Sanso wrote.

View article



Make a Comment

Loading Comments...

  • Web Development Newsletter Signup

    Invalid email
    You have successfuly registered to our newsletter.

    By submitting your information, you agree that htmlgoodies.com may send you HTMLGOODIES offers via email, phone and text message, as well as email offers about other products and services that HTMLGOODIES believes may be of interest to you. HTMLGOODIES will process your information in accordance with the Quinstreet Privacy Policy.

  •  
  •  
  •  
Thanks for your registration, follow us on our social networks to keep up-to-date