Ilari:

> On Thu, Oct 20, 2022 at 09:33:13AM -0700, [email protected] wrote:
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories.
>> This draft is a work item of the CBOR Object Signing and Encryption WG of
>> the IETF.
>>
>> Title    : CBOR Object Signing and Encryption (COSE): AES-CTR
>>            and AES-CBC
>> Authors  : Russ Housley
>>            Hannes Tschofenig
>> Filename : draft-ietf-cose-aes-ctr-and-cbc-00.txt
>
> Some quick comments after a quick read:
>
>
> Like with AE modes (RFC 9052 section 5.4.), there needs to be a check, both
> when encrypting and decrypting, that the protected headers are an empty byte
> string, and the external additional data is an empty byte string (because
> there is no way to validate such data). However, I do not see the requirement
> anywhere.

Yes, this needs to be added.

> With CBC mode, the data must be authenticated before trying to decrypt,
> or there is an attack (CTR mode does not suffer from this). However, I
> do not find any text about the order of authentication and CBC decryption
> (and presumably CTR decryption too, for consistency).

I think you are calling for an additional sentence in the security
considerations. Which attack are you thinking about? Reference?

Russ

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
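
The two checks raised in this thread, sketched as an added example (not code from the draft or from either participant): reject non-empty protected headers and external additional data, and verify integrity before the decryption routine is ever called. The algorithm labels, the HMAC-SHA256 outer integrity layer and the `decrypt` hook are assumptions of this example.

```python
import hashlib
import hmac

# Labels for this example only; they are not registered COSE identifiers.
NON_AE_ALGS = {"AES-CTR", "AES-CBC"}


class CoseCheckError(ValueError):
    """Raised when a message must be rejected before any decryption."""


def check_no_unauthenticated_input(alg, protected, external_aad):
    """Run on both encrypt and decrypt: these modes cannot validate extra data."""
    if alg not in NON_AE_ALGS:
        raise CoseCheckError("not an AES-CTR/AES-CBC algorithm")
    if protected != b"":
        raise CoseCheckError("protected headers must be an empty byte string")
    if external_aad != b"":
        raise CoseCheckError("external additional data must be an empty byte string")


def compute_tag(mac_key, iv, ciphertext):
    """Assumed outer integrity layer: HMAC-SHA256 over iv || ciphertext."""
    return hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()


def verify_then_decrypt(alg, protected, external_aad, iv, ciphertext,
                        tag, mac_key, decrypt):
    """Authenticate first; call decrypt(iv, ciphertext) only if the tag verifies.

    `decrypt` is a caller-supplied AES-CTR/AES-CBC routine (hypothetical hook),
    so no padding or plaintext-dependent behaviour is reachable with a bad tag.
    """
    check_no_unauthenticated_input(alg, protected, external_aad)
    expected = compute_tag(mac_key, iv, ciphertext)
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise CoseCheckError("authentication failed; ciphertext not decrypted")
    return decrypt(iv, ciphertext)
```
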
