SJCL Improper Verification of Cryptographic Signature Vulnerability Allowing Invalid Curve Attack

Vulnerability

A vulnerability exists in all versions of the Stanford JavaScript Crypto Library (SJCL) package that support elliptic curve cryptography (ECC), specifically versions 1.0.0 through 1.0.8. The issue arises from improper validation of points on the curve in the `sjcl.ecc.basicKey.publicKey()` function: a supplied public key point is accepted without being checked against the curve equation. This flaw allows an attacker to recover a victim's Elliptic Curve Diffie-Hellman (ECDH) private key by sending crafted off-curve public keys and analyzing the ECDH output. The `dhJavaEc()` function exacerbates the issue by returning the raw x-coordinate of the scalar multiplication result without any hashing, effectively creating a plaintext oracle that does not require decryption feedback.

Impact

Exploitation of this vulnerability allows for the recovery of ECDH private keys, which could lead to unauthorized decryption of data or impersonation in cryptographic protocols that rely on ECDH key exchange.

Reproduction

The vulnerability can be reproduced by creating a public key object with an off-curve point using the `sjcl.ecc.elGamal.publicKey()` constructor. This point can be crafted to lie on a different virtual curve, bypassing the library's validation checks. Once the public key object is created, the `dhJavaEc()` function can be called to retrieve the raw x-coordinate, which serves as an oracle for private key recovery.

Remediation

Users are advised to update to SJCL version 1.0.9, in which this vulnerability has been fixed.
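The missing check described above is the on-curve test for a peer-supplied public key. The following is an added example written for this advisory, not code from SJCL or from the fix in 1.0.9: it validates an uncompressed P-256 point (the `0x04 || X || Y` encoding is assumed) against the curve equation before it would be used in ECDH, and rejects a constructed off-curve point.

```javascript
// Added example (not SJCL code): reject off-curve public keys before ECDH.
// Curve: NIST P-256, y^2 = x^3 + a*x + b (mod p), a = p - 3, cofactor 1.
const P256 = {
  p: 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffffn,
  a: 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffcn,
  b: 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604bn,
  gx: 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296n,
  gy: 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5n,
  byteLen: 32,
};

function mod(x, m) { const r = x % m; return r < 0n ? r + m : r; }

// Coordinates must be canonical field elements and satisfy the curve equation.
// A point that fails lies on some other "virtual" curve, which is exactly what
// the invalid curve attack relies on; with cofactor 1 no subgroup check is needed.
function isOnCurve(curve, x, y) {
  if (typeof x !== 'bigint' || typeof y !== 'bigint') return false;
  if (x < 0n || x >= curve.p || y < 0n || y >= curve.p) return false;
  const lhs = mod(y * y, curve.p);
  const rhs = mod(x * x * x + curve.a * x + curve.b, curve.p);
  return lhs === rhs;
}

// Parse an uncompressed SEC1 point (hex string: 04 || X || Y) and validate it.
// Returns {x, y} on success, or null for malformed or off-curve input.
function parsePublicKey(curve, hex) {
  const expected = 2 + 4 * curve.byteLen; // "04" + 2 hex chars per byte of X and Y
  if (typeof hex !== 'string' || hex.length !== expected) return null;
  if (!/^04[0-9a-fA-F]+$/.test(hex)) return null;
  const x = BigInt('0x' + hex.slice(2, 2 + 2 * curve.byteLen));
  const y = BigInt('0x' + hex.slice(2 + 2 * curve.byteLen));
  return isOnCurve(curve, x, y) ? { x, y } : null;
}

// Encode (x, y) as an uncompressed hex point; used to build constructed test inputs.
function encodePoint(curve, x, y) {
  const w = 2 * curve.byteLen;
  return '04' + x.toString(16).padStart(w, '0') + y.toString(16).padStart(w, '0');
}

// Constructed inputs: the generator (valid) and the generator with y+1 (off-curve).
const validKeyHex = encodePoint(P256, P256.gx, P256.gy);
const offCurveKeyHex = encodePoint(P256, P256.gx, P256.gy + 1n);
console.log(parsePublicKey(P256, validKeyHex) !== null, parsePublicKey(P256, offCurveKeyHex));
```

Only a point that passes `parsePublicKey` should reach scalar multiplication; for curves with cofactor greater than 1, an additional order check on the point would be required.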

Added: Mar 17, 2026, 6:18 AM
Updated: Mar 17, 2026, 6:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 4.0
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.