
Does anyone here use JSON Encryption?
If you are using go-jose, node-jose, jose2go, Nimbus JOSE+JWT or jose4 with ECDH-ES please update to the latest version. RFC 7516 aka JSON Web Encryption (JWE) Invalid Curve Attack. This can allow an attacker to recover the secret key of a party using JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES), where the sender could extract receiver’s private key.
Bonus: The attack was explained at 31c3 in the talk by Dan Bernstein and Tanja Lange :-)
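The standard defence against an invalid curve attack is for the receiver to reject any ephemeral public key (the `epk` header parameter of the JWE) that is not a point on the agreed curve before it goes into ECDH. A sketch of that check for P-256, as an added example that is not code from any of the libraries named above; the function names and the two sample JWKs are constructed for illustration:

```python
import base64

# NIST P-256 domain parameters: y^2 = x^3 + A*x + B over GF(P)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5

def b64url_to_int(s):
    """Decode an unpadded base64url JWK coordinate to an integer."""
    return int.from_bytes(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "big")

def int_to_b64url(n):
    """Encode an integer as a 32-byte unpadded base64url JWK coordinate."""
    return base64.urlsafe_b64encode(n.to_bytes(32, "big")).rstrip(b"=").decode()

def validate_epk(epk):
    """Return (x, y) if epk is a well-formed P-256 point, else raise ValueError."""
    if epk.get("kty") != "EC" or epk.get("crv") != "P-256":
        raise ValueError("unexpected key type or curve")
    try:
        x, y = b64url_to_int(epk["x"]), b64url_to_int(epk["y"])
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError("malformed coordinates") from exc
    if not (0 <= x < P and 0 <= y < P):
        raise ValueError("coordinate out of range")
    # The check whose absence enables the attack: the point must satisfy
    # the curve equation. P-256 has cofactor 1, so on-curve is sufficient.
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        raise ValueError("point is not on P-256")
    return x, y

def epk_ok(epk):
    """Boolean wrapper: True only if the key passes validate_epk."""
    try:
        validate_epk(epk)
        return True
    except ValueError:
        return False

# Constructed sample inputs: the curve's base point, and the same x with y + 1.
GOOD_EPK = {"kty": "EC", "crv": "P-256", "x": int_to_b64url(GX), "y": int_to_b64url(GY)}
BAD_EPK = dict(GOOD_EPK, y=int_to_b64url(GY + 1))

if __name__ == "__main__":
    print("good epk accepted:", epk_ok(GOOD_EPK))
    print("off-curve epk accepted:", epk_ok(BAD_EPK))
```

The check has to run on every received `epk`, before the static private key is used in the key agreement.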