Hi Ilari

Let me clarify what change I am thinking about making. In Section 3.4 of
https://datatracker.ietf.org/doc/html/draft-ietf-cose-hpke-01 the text is about
the two-level structure of COSE HPKE. I am suggesting to change the text in that
section to

"
3.4.  Info Structure

HPKE algorithms take an info parameter that can be used to influence the
generation of keys (e.g., to fold in identity information) and an aad
parameter that provides additional authenticated data to the AEAD algorithm
in use.

The use of the aad and the info structures for these two functions is optional.
In the absence of an application profile standard specifying otherwise, a
COSE-HPKE-compliant implementation MUST leave the info and the
aad parameters empty.
"

At the layer below, where COSE_Encrypt is used, there is still the
enc_structure of Section 5.3 of RFC 8152 being used.

For the one-layer structure, which isn't covered in draft-ietf-cose-hpke-01,
new text is needed. There I think we should just re-use the same
enc_structure of RFC 8152 to keep the code uniform.

Ciao
Hannes

-----Original Message-----
From: COSE <[email protected]> On Behalf Of Ilari Liusvaara
Sent: Sunday, July 10, 2022 3:06 PM
To: cose <[email protected]>
Subject: Re: [COSE] COSE-HPKE COSE_KDF_Context

On Sun, Jul 10, 2022 at 10:48:53AM +0000, Hannes Tschofenig wrote:
> Unless someone else in the group objects, I will change the text in
> Section 3.4 ("Info Structure") to say that the aad and the info
> structures for SealBase() and OpenBase() functions are empty unless
> specified by an application-specific profile of the COSE-HPKE
> specification.

There is a problem with leaving aad empty: It treats AEAD-capable HPKE as an
AE algorithm, causing limitations:

- There is no protected bucket.
- Nothing seems to prevent re-interpreting recipients as messages.


What I think should be done is using canonical Enc_structure as aad input,
like for any AEAD in RFC 8152(bis-struct). That approach would solve both of
the above limitations.

Now, it does have an external_aad field, which needs to be empty unless the
application specifies otherwise.


Checking my code, this is exactly what it does (modulo the external aad on
recipient always being empty).



-Ilari

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
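
The Enc_structure of RFC 8152 Section 5.3 that the thread proposes as the HPKE aad input, as an added example (not code from either participant or from the draft). The function names and the sample protected header are constructed for illustration; the resulting bytes are what would be passed as aad to the HPKE seal/open call, which is not performed here.

```python
# Added example: Enc_structure (RFC 8152, Section 5.3) serialized with a
# minimal shortest-form CBOR encoder, standard library only.
import struct

def _head(major: int, n: int) -> bytes:
    """CBOR initial byte for a major type plus shortest-form length."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, fmt, limit in ((24, ">B", 1 << 8), (25, ">H", 1 << 16), (26, ">I", 1 << 32)):
        if n < limit:
            return bytes([(major << 5) | ai]) + struct.pack(fmt, n)
    return bytes([(major << 5) | 27]) + struct.pack(">Q", n)

def bstr(b: bytes) -> bytes:
    return _head(2, len(b)) + b

def tstr(s: str) -> bytes:
    e = s.encode("utf-8")
    return _head(3, len(e)) + e

# Context strings defined for Enc_structure in RFC 8152.
CONTEXTS = {"Encrypt", "Encrypt0", "Enc_Recipient", "Mac_Recipient", "Rec_Recipient"}

def enc_structure(context: str, protected: bytes, external_aad: bytes = b"") -> bytes:
    """Return CBOR [context, protected, external_aad] for use as AEAD aad.

    protected    -- serialized protected header map, or b"" if there is none
    external_aad -- empty unless the application specifies otherwise
    """
    if context not in CONTEXTS:
        raise ValueError(f"unknown Enc_structure context: {context!r}")
    return _head(4, 3) + tstr(context) + bstr(protected) + bstr(external_aad)

# Constructed sample: a one-entry protected header map {1: 1}, pre-serialized.
PROTECTED = bytes.fromhex("a10101")

if __name__ == "__main__":
    msg_aad = enc_structure("Encrypt0", PROTECTED)
    rcpt_aad = enc_structure("Enc_Recipient", PROTECTED)
    print("message aad  :", msg_aad.hex())
    print("recipient aad:", rcpt_aad.hex())
    # Same headers, different layer: the aad differs, so a ciphertext sealed
    # as a recipient fails authentication when opened as a message.
    print("aad differs  :", msg_aad != rcpt_aad)
```

With an empty aad, both layers would authenticate the same (empty) input; with Enc_structure the context string and the protected bucket are both bound into the AEAD tag.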