Hi.
Recently I found a vulnerability in ecdh/index.js, line 164 (commit 2aca0e3): the deriveSharedSecret function only checks whether the format of the public key object is legal, but does not check whether its content is legal. This leads to an invalid curve attack: an attacker can send an invalid point which is not on the curve as the public key, and then he can get the derived shared secret. This is a classic attack method on ECDH; more details can be seen at https://crypto.stackexchange.com/questions/3820/why-do-public-keys-need-to-be-validated.
For example, if the attacker sets the public key point to (0, 0), then the derived shared secret will always be 0:
```javascript
// Change Bob's public key to an invalid point which is not on the curve, e.g. (0, 0).
// Q.x and Q.y are the field elements of the point; their .x member is the underlying
// BigInteger (assumed from the access pattern used by this library).
bobKeys.publicKey.Q.x.x = BigInteger.ZERO;
bobKeys.publicKey.Q.y.x = BigInteger.ZERO;
// Alice generates the shared secret from the tampered key; no on-curve check is performed:
var aliceSharedSecret = aliceKeys.privateKey.deriveSharedSecret(bobKeys.publicKey);
// the shared secret will always be 00000000000000000000000000000000
console.log('shared secret:', aliceSharedSecret.toString('hex'));
```
Since I see there are also some other projects that depend on this implementation, I think it might be necessary to check and fix this vulnerability.
You can also contact me if you have any other questions. Best wishes.
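As an added example (not the project's own code), this is the public-key validation that deriveSharedSecret should run before touching a peer's point, so an off-curve point such as (0, 0) is rejected instead of producing a secret. The secp256k1 parameters and the safeDeriveSharedSecret wrapper are assumptions of this example, not taken from the library.

```javascript
// Added example, not code from the reported library.
// Curve parameters assumed: secp256k1, y^2 = x^3 + 7 over F_p. Substitute the
// curve the library actually uses; the check itself is the same for any short
// Weierstrass curve.
const P = (1n << 256n) - (1n << 32n) - 977n;
const A = 0n;
const B = 7n;
// Generator point, used below only as a known-good key.
const G = {
  x: 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798n,
  y: 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8n,
};

const mod = (v) => ((v % P) + P) % P;

// Returns a reason string if the point must be rejected, or null if it is acceptable.
// Running this before any scalar multiplication is what defeats the invalid curve
// attack: a point that is not on the curve never reaches the multiplication.
function validatePublicKey(Q) {
  if (Q === null || typeof Q !== 'object') return 'not a point / point at infinity';
  if (typeof Q.x !== 'bigint' || typeof Q.y !== 'bigint') return 'coordinates are not integers';
  // Coordinates must be field elements: 0 <= x, y < p.
  if (Q.x < 0n || Q.x >= P || Q.y < 0n || Q.y >= P) return 'coordinate out of field range';
  // The point must satisfy the curve equation y^2 = x^3 + a*x + b (mod p).
  const lhs = mod(Q.y * Q.y);
  const rhs = mod(Q.x * Q.x * Q.x + A * Q.x + B);
  if (lhs !== rhs) return 'point is not on the curve';
  // secp256k1 has cofactor 1, so every on-curve point already has prime order n.
  // On a curve with cofactor > 1, additionally require n*Q to be the point at infinity.
  return null;
}

// Guarded wrapper (assumed name): refuse to derive anything from an invalid peer key.
// `derive` stands in for the library's own deriveSharedSecret.
function safeDeriveSharedSecret(derive, peerPublicKey) {
  const reason = validatePublicKey(peerPublicKey);
  if (reason !== null) throw new Error(`invalid ECDH public key: ${reason}`);
  return derive(peerPublicKey);
}
```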