ASA-2019-00530 – OpenPGP.js: Invalid Curve Attack

The implementation of the Elliptic Curve Diffie-Hellman (ECDH) key exchange algorithm does not verify that the communication partner’s public key is valid (i.e. that the point lies on the elliptic curve). This causes the application to implicitly calculate the resulting secret key not based on the specified elliptic curve but rather an altered curve. By carefully choosing multiple altered curves (and therefore the resulting public key), and observing whether decryption fails, an attacker can extract the victim’s private key. This attack requires the attacker to be able to provide multiple manipulated messages and to observe whether decryption fails.