To me the dangers about counter mode are well-known and well-documented. Issues with AEAD are less-well known to me. Maybe it’s just me, but...
It seems that draft-ietf-cose-aes-ctr-and-cbc should say add something like this: It is strongly suggest that COSE libraries that accept AAD as input should return an error if a non-AEAD content encryption algorithm is selected. This is to make sure the caller doesn’t inadvertently assume AAD is protected when it is not. COSE is complicated, particularly encryption, and it seems pretty easy to misunderstand how AEAD and AAD fit together. This seems like the most important security consideration for draft-ietf-cose-aes-ctr-and-cbc, perhaps deserving a sub section of its own so it stands out. Next, it seems like RFC 9052 should have a strong warning about the limits of AEAD. Something like this: While AEAD does provide integrity protection in a form, it does not provide true authenticity of the data in the same way signing does. It is not a substitute for signing in any way. Similarly AAD added to COSE_Encryption is not actually authenticated. With all the emphasis on AEAD these days one might come to the conclusion that it is so valuable that it does provide authenticity, so it seems worth pointing this out. Probably should be a whole paragraph explaining attacks and limitations of AEAD. Would appreciate confirmation from others on this list about this limitation of AEAD. If I am right about this, it seems kind of worth Errata for RFC 9052. LL > On Jan 17, 2023, at 2:39 PM, Mike Jones > <[email protected]> wrote: > > Dear all, > > This message starts the Working Group Last Call of > draft-ietf-cose-aes-ctr-and-cbc > –https://datatracker.ietf.org/doc/html/draft-ietf-cose-aes-ctr-and-cbc > <https://datatracker.ietf.org/doc/html/draft-ietf-cose-aes-ctr-and-cbc> . > > The working group last call will run for two weeks, ending on Tuesday, > January 31, 2023. > > Please review and send any comments or feedback to the working group. Even > if your feedback is "this is ready", please let us know. > > Thank you, > -- Mike and Ivaylo, > COSE Chairs > > _______________________________________________ > COSE mailing list > [email protected] <mailto:[email protected]> > https://www.ietf.org/mailman/listinfo/cose > <https://www.ietf.org/mailman/listinfo/cose>
_______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
