ASA-2019-00530 – OpenPGP.js: Invalid Curve Attack

Posted on by Allele Security Intelligence in Alerts

Allele Security Alert

ASA-2019-00530

Identifier(s)

ASA-2019-00530, CVE-2019-9155

Title

Invalid Curve Attack

Vendor(s)

ProtonMail

Product(s)

OpenPGP.js

Affected version(s)

OpenPGP.js versions before 4.3.0

Fixed version(s)

OpenPGP.js version 4.3.0

Proof of concept

Yes

Description

The implementation of the Elliptic Curve Diffie-Hellman (ECDH) key exchange algorithm does not verify that the communication partner’s public key is valid (i.e. that the point lies on the elliptic curve). This causes the application to implicitly calculate the resulting secret key not based on the specified elliptic curve but rather an altered curve. By carefully choosing multiple altered curves (and therefore the resulting public key), and observing whether decryption fails, an attacker can extract the victim’s private key.

This attack requires the attacker to be able to provide multiple manipulated messages and to observe whether decryption fails.

Technical details

Unknown

Credits

Wolfgang Ettlinger (SEC Consult Vulnerability Lab)

Reference(s)

Multiple Vulnerabilities in OpenPGP.js
https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-openpgp-js/

Mailvelope Extensions Security Audit
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvelope_Extensions/Mailvelope_Extensions_pdf.html

Mailvelope Extensions Security Audit [PDF]
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvelope_Extensions/Mailvelope_Extensions_pdf.pdf?__blob=publicationFile

Release v4.3.0 – Security Release · openpgpjs/openpgpjs
https://github.com/openpgpjs/openpgpjs/releases/tag/v4.3.0

SEC_Consult_BSI_Mailvelope-invalid_curve_attack.txt
https://sec-consult.com/wp-content/uploads/2019/08/SEC_Consult_BSI_Mailvelope-invalid_curve_attack.txt

Validate ECC public keys
https://github.com/openpgpjs/openpgpjs/pull/816/commits/cb3f6447084672610f0132cc8f0a2dddcbf2c501

CVE-2019-9155
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9155

CVE-2019-9155
https://nvd.nist.gov/vuln/detail/CVE-2019-9155

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: September 4, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.