Introducing AES-CTR and/or AES-CBC into COSE tokens that already support AES-GCM will open the GCM implementations to new security issues, namely potential padding oracle vulnerabilities.
At minimum, the Security Considerations section of draft-ietf-cose-aes-ctr-and-cbc-01 needs to call this risk out: Applications that encrypt or decrypt with AES-GCM *MUST NOT* support AES-GCM or AES-CTR with the same cryptographic materials, due to the existence of cross-protocol issues.

One way to safeguard users from potential misuse is to use a separate "type" for keys used with unauthenticated encryption modes, similar to how COSE distinguishes MACs from Signatures.

Additionally, I'd like to recommend sharing this draft with the CFRG mailing list to ensure it has the appropriate level of oversight from the IETF's cryptography experts.

________________________________
From: COSE <[email protected]> on behalf of Russ Housley <[email protected]>
Sent: Tuesday, October 25, 2022 9:40:08 AM
To: [email protected]
Subject: [EXTERNAL] [COSE] COSE Support for AES-CTR and AES-CBC

After draft-ietf-cose-aes-ctr-and-cbc-00 was posted, we got a few very good comments from Ilari. Those were addressed in -01.

I am unaware of any open issues, so I think this document is ready for WG Last Call.

Russ

On Oct 11, 2022, at 12:42 PM, Mike Jones <[email protected]> wrote:

Support was expressed for adoption of this draft by multiple parties and no opposition was expressed. The draft is hereby adopted. Authors, please submit a -00 working group draft based on the current individual draft.

-- Mike (for the COSE chairs)

From: Mike Jones
Sent: Thursday, September 22, 2022 10:20 AM
To: [email protected]
Cc: [email protected]
Subject: Call for adoption of CBOR Object Signing and Encryption (COSE): AES-CTR and AES-CBC

This note starts a two-week call for adoption of https://datatracker.ietf.org/doc/html/draft-housley-cose-aes-ctr-and-cbc-00 – ending on Thursday, October 6th. Please reply either expressing support for adoption or stating your objections.

Thank you,
-- Mike (COSE co-chair)
_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
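
Added example, not part of the thread or of the draft: one way an implementation could enforce the separate key "type" suggested in the first message, so that key material registered for AES-GCM is refused for AES-CTR or AES-CBC and the reverse. The type labels, `KeyRegistry`, and `KeyUseError` are hypothetical names, not COSE registry values or any library's API.

```python
import hashlib

# Hypothetical key-type labels; these are not values from any COSE registry.
AEAD = "symmetric-aead"
UNAUTHENTICATED = "symmetric-unauthenticated"

# COSE content-encryption algorithm names, grouped by whether they authenticate.
ALG_CLASS = {
    "A128GCM": AEAD, "A192GCM": AEAD, "A256GCM": AEAD,
    "A128CTR": UNAUTHENTICATED, "A192CTR": UNAUTHENTICATED,
    "A256CTR": UNAUTHENTICATED, "A128CBC": UNAUTHENTICATED,
    "A192CBC": UNAUTHENTICATED, "A256CBC": UNAUTHENTICATED,
}


class KeyUseError(Exception):
    """Raised when a key would be used outside the type it was registered for."""


class KeyRegistry:
    def __init__(self):
        self._type_by_kid = {}          # key identifier -> key type
        self._type_by_fingerprint = {}  # SHA-256(key bytes) -> key type

    def register(self, kid, key_bytes, key_type):
        if key_type not in (AEAD, UNAUTHENTICATED):
            raise KeyUseError(f"unknown key type {key_type!r}")
        fp = hashlib.sha256(key_bytes).digest()
        seen = self._type_by_fingerprint.get(fp)
        # The same key material under a second kid must keep the same type.
        if seen is not None and seen != key_type:
            raise KeyUseError(f"key material already registered as {seen}")
        # A kid may be re-registered, but never rebound to the other type.
        if self._type_by_kid.get(kid, key_type) != key_type:
            raise KeyUseError(f"kid {kid!r} already bound to another type")
        self._type_by_fingerprint[fp] = key_type
        self._type_by_kid[kid] = key_type

    def authorize(self, kid, alg):
        """Return the key type if alg may be used with kid; raise otherwise."""
        key_type = self._type_by_kid.get(kid)
        if key_type is None:
            raise KeyUseError(f"unknown kid {kid!r}")
        if ALG_CLASS.get(alg) != key_type:
            raise KeyUseError(f"{alg} is not permitted for a {key_type} key")
        return key_type
```

Calling `authorize()` before every encrypt or decrypt operation makes the check apply to the algorithm named in an incoming message, which is the value a sender controls.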
