Allele Security Alert
Invalid Curve Attack
OpenPGP.js versions before 4.3.0
OpenPGP.js version 4.3.0
Proof of concept
The implementation of the Elliptic Curve Diffie-Hellman (ECDH) key exchange algorithm does not verify that the communication partner’s public key is valid (i.e. that the point lies on the elliptic curve). This causes the application to implicitly calculate the resulting secret key not based on the specified elliptic curve but rather an altered curve. By carefully choosing multiple altered curves (and therefore the resulting public key), and observing whether decryption fails, an attacker can extract the victim’s private key.
This attack requires the attacker to be able to provide multiple manipulated messages and to observe whether decryption fails.
Wolfgang Ettlinger (SEC Consult Vulnerability Lab)
Multiple Vulnerabilities in OpenPGP.js
Mailvelope Extensions Security Audit
Mailvelope Extensions Security Audit [PDF]
Release v4.3.0 – Security Release · openpgpjs/openpgpjs
Validate ECC public keys
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: September 4, 2019