Commit441b742

authored and

committed

ec: validate that a point before deriving keys

This update checks to make sure that the public key passed in toECDH is a point that actually exists on the curve. This isimportant to prevent a twist attack that can be used to revealthe private key of a party in an ECDH operation over a number ofoccurances.For more details on the attack see this blog post:https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.mdCVE:CVE-2020-28498

1 parente71b2d9 commit441b742Copy full SHA for 441b742

File tree

+17

-0

lines changed

+17

-0

lines changed

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -100,6 +100,9 @@ KeyPair.prototype._importPublic = function _importPublic(key, enc) {`
`100`	`100`
`101`	`101`	`// ECDH`
`102`	`102`	`KeyPair.prototype.derive=functionderive(pub){`
	`103`	`+if(!pub.validate()){`
	`104`	`+assert(pub.validate(),'public point not validated');`
	`105`	`+}`
`103`	`106`	`returnpub.mul(this.priv).getX();`
`104`	`107`	`};`
`105`	`108`

Lines changed: 14 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -27,3 +27,17 @@ describe('ECDH', function() {`
`27`	`27`	`test('ed25519');`
`28`	`28`	`test('secp256k1');`
`29`	`29`	`});`
	`30`	`+`
	`31`	`+describe('ECDH twist attack',()=>{`
	`32`	`+it('should be able to prevent a twist attack for secp256k1',()=>{`
	`33`	`+varbobEcdh=newelliptic.ec('secp256k1');`
	`34`	`+varmalloryEcdh=newelliptic.ec('secp256k1');`
	`35`	`+varbob=bobEcdh.genKeyPair();`
	`36`	`+// This is a bad point that shouldn't be able to be passed to derive.`
	`37`	`+// If a bad point can be passed it's possible to perform a twist attack.`
	`38`	`+varmallory=malloryEcdh.keyFromPublic({x:14,y:16});`
	`39`	`+assert.throws(function(){`
	`40`	`+bob.derive(mallory.getPublic());`
	`41`	`+});`
	`42`	`+});`
	`43`	`+});`

Comments

(0)