On Thu, Oct 20, 2022 at 09:33:13AM -0700, [email protected] wrote:
> 
> A New Internet-Draft is available from the on-line Internet-Drafts 
> directories.
> This draft is a work item of the CBOR Object Signing and Encryption WG of the 
> IETF.
> 
>         Title           : CBOR Object Signing and Encryption (COSE): AES-CTR and AES-CBC
>         Authors         : Russ Housley
>                           Hannes Tschofenig
>         Filename        : draft-ietf-cose-aes-ctr-and-cbc-00.txt

Some quick comments after a quick read:


Like with AE modes (RFC 9052 section 5.4), there needs to be a check, both
when encrypting and decrypting, that the protected headers are an empty byte
string and the external additional data is an empty byte string (because
there is no way to validate such data). However, I do not see the
requirement anywhere.


With CBC mode, the data must be authenticated before trying to decrypt,
or there is an attack (CTR mode does not suffer from this). However, I
do not find any text about the order of authentication and CBC decryption
(and presumably CTR decryption too, for consistency).



-Ilari
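
The two checks raised in this message, sketched as an added example (not part of the original mail and not text or code from the draft): reject non-empty protected headers or external additional data on both sides, and run the cipher only after the ciphertext has been authenticated. The outer HMAC-SHA-256 tag, the function names and the recording stand-in cipher are all assumptions made for illustration.

```python
import hashlib
import hmac

class RejectedMessage(ValueError):
    """Raised before any decryption is attempted."""

def check_inputs(protected: bytes, external_aad: bytes) -> None:
    # AES-CTR and AES-CBC authenticate nothing, so a non-empty protected
    # header or external AAD would be accepted without ever being validated.
    if protected != b"":
        raise RejectedMessage("protected header must be a zero-length byte string")
    if external_aad != b"":
        raise RejectedMessage("external additional data must be empty")

def _tag(mac_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # Assumption: HMAC-SHA-256 over the fixed-length IV followed by the ciphertext.
    if len(iv) != 16:
        raise RejectedMessage("IV must be 16 bytes")
    return hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()

def seal(protected, external_aad, iv, plaintext, mac_key, encrypt):
    """Sender side: same input check, then encrypt, then authenticate."""
    check_inputs(protected, external_aad)
    ciphertext = encrypt(iv, plaintext)
    return ciphertext, _tag(mac_key, iv, ciphertext)

def open_(protected, external_aad, iv, ciphertext, tag, mac_key, decrypt):
    """Receiver side: the cipher is only invoked after the tag verifies."""
    check_inputs(protected, external_aad)
    if not hmac.compare_digest(_tag(mac_key, iv, ciphertext), tag):
        raise RejectedMessage("authentication failed, ciphertext not decrypted")
    return decrypt(iv, ciphertext)

def demo():
    """Constructed run; the 'cipher' is a recording stand-in, not AES."""
    calls = []
    def cipher(iv, data):            # hypothetical placeholder for AES-CBC/CTR
        calls.append(len(data))
        return bytes(b ^ 0x5A for b in data)
    key, iv = b"k" * 32, bytes(16)
    ct, tag = seal(b"", b"", iv, b"constructed sample", key, cipher)
    outcomes = [open_(b"", b"", iv, ct, tag, key, cipher)]
    for args in ((b"", b"", iv, ct[:-1] + b"\x00", tag),   # tampered ciphertext
                 (b"\xa1\x01\x20", b"", iv, ct, tag),      # non-empty protected
                 (b"", b"aad", iv, ct, tag)):              # external AAD supplied
        try:
            outcomes.append(open_(*args, key, cipher))
        except RejectedMessage as exc:
            outcomes.append(str(exc))
    return outcomes, len(calls)
```

In `demo()` the stand-in cipher is called twice (once to seal, once for the valid message); the three rejected messages never reach it.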
