Thursday, March 28, 2024

Researcher Warns About JSON Web Encryption Flaw

According to Antonio Sanso, a senior software engineer at Adobe Research Switzerland, software libraries implementing the JSON Web Encryption (JWE), or RFC 7516, specification are vulnerable to invalid curve attacks. Web applications using some JWE protocols could allow attackers to retrieve private encryption keys. Affected libraries include go-jose, node-jose, jose2go, Nimbus JOSE+JWT, or jose4 with ECDH-ES.

“At the end of the day the issue here is that the specification and consequently all the libraries I checked missed validating that the received public key (contained in the JWE Protected Header) is on the curve,” Sanso wrote.

View article

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends & analysis

Popular Articles

Featured