
Commit 441b742

kdenhartogindutny
authored andcommitted
ec: validate that a point before deriving keys
This update checks to make sure that the public key passed in to ECDH is a point that actually exists on the curve. This is important to prevent a twist attack that can be used to reveal the private key of a party in an ECDH operation over a number of occurrences. For more details on the attack see this blog post: https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md CVE: CVE-2020-28498
1 parent e71b2d9 commit 441b742


2 files changed

+17
-0
lines changed


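--- a/lib/elliptic/ec/key.js
+++ b/lib/elliptic/ec/key.js
@@ -100,6 +100,9 @@ KeyPair.prototype._importPublic = function _importPublic(key, enc) {
 
 // ECDH
 KeyPair.prototype.derive = function derive(pub) {
+if(!pub.validate()) {
+assert(pub.validate(), 'public point not validated');
+}
 return pub.mul(this.priv).getX();
 };
 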
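Review bot: `pub.validate()` is evaluated twice in the added guard, once in the `if` and again inside `assert`, and the outer `if` adds nothing because `assert` already only fires when validation fails; the three added lines can collapse to `assert(pub.validate(), 'public point not validated');`. Both `validate()` and the `assert` binding are defined outside this hunk, so I am assuming `assert` is the module-level helper used elsewhere in key.js and that `validate()` returns true only for points satisfying the curve equation. On that assumption the guard covers the off-curve case described in the commit message, but an on-curve check by itself does not reject small-order points on curves whose cofactor is greater than one, and I would state that scope in a comment above the guard, e.g. `// Reject points not on the curve before scalar multiplication (CVE-2020-28498); this does not cover small-subgroup points on cofactor > 1 curves.`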

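--- a/test/ecdh-test.js
+++ b/test/ecdh-test.js
@@ -27,3 +27,17 @@ describe('ECDH', function() {
 test('ed25519');
 test('secp256k1');
 });
+
+describe('ECDH twist attack', () => {
+it('should be able to prevent a twist attack for secp256k1', () => {
+var bobEcdh = new elliptic.ec('secp256k1');
+var malloryEcdh = new elliptic.ec('secp256k1');
+var bob = bobEcdh.genKeyPair();
+// This is a bad point that shouldn't be able to be passed to derive.
+// If a bad point can be passed it's possible to perform a twist attack.
+var mallory = malloryEcdh.keyFromPublic({ x: 14, y: 16 });
+assert.throws(function () {
+bob.derive(mallory.getPublic());
+});
+});
+});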
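Review bot: `assert.throws` in the new test accepts any exception, so it would still pass if `derive` threw for an unrelated reason (for example from `mul` or `getX` on the malformed point) rather than from the new validation; pin the expected failure by passing the message pattern, `assert.throws(function () { bob.derive(mallory.getPublic()); }, /public point not validated/);`. A companion assertion that a genuine key pair still derives would show the guard does not reject valid points, e.g. `assert.doesNotThrow(function () { bob.derive(bobEcdh.genKeyPair().getPublic()); });`. `malloryEcdh` is a second instance of the same curve and could be dropped in favour of `bobEcdh.keyFromPublic(...)`. The top of ecdh-test.js is outside the hunk, so I am assuming `assert` and `elliptic` are already required there.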
