Laurence:

Obviously it is too late to add anything to RFC 9052.

I propose the following for draft-ietf-cose-aes-ctr-and-cbc:

X.  Implementation Considerations

   COSE libraries that support either AES-CTR or AES-CBC and accept
   Additional Authenticated Data (AAD) as input should return an error
   if one of these non-AEAD content encryption algorithms is selected.
   This would ensure that a caller does not expect the AAD to be
   protected when the cryptographic algorithm is unable to do so.

Russ

> On Jan 18, 2023, at 1:36 PM, Laurence Lundblade <[email protected]> wrote:
>
> To me the dangers about counter mode are well-known and well-documented.
> Issues with AEAD are less well known to me. Maybe it’s just me, but...
>
> It seems that draft-ietf-cose-aes-ctr-and-cbc should add something like
> this:
>
>    It is strongly suggested that COSE libraries that accept AAD as input
>    should return an error if a non-AEAD content encryption algorithm is
>    selected. This is to make sure the caller doesn’t inadvertently assume
>    AAD is protected when it is not.
>
> COSE is complicated, particularly encryption, and it seems pretty easy to
> misunderstand how AEAD and AAD fit together. This seems like the most
> important security consideration for draft-ietf-cose-aes-ctr-and-cbc, perhaps
> deserving a subsection of its own so it stands out.
>
> Next, it seems like RFC 9052 should have a strong warning about the limits of
> AEAD. Something like this:
>
>    While AEAD does provide integrity protection in a form, it does not
>    provide true authenticity of the data in the same way signing does. It
>    is not a substitute for signing in any way.
>
>    Similarly AAD added to COSE_Encryption is not actually authenticated.
>
> With all the emphasis on AEAD these days one might come to the conclusion
> that it is so valuable that it does provide authenticity, so it seems worth
> pointing this out. Probably should be a whole paragraph explaining attacks
> and limitations of AEAD.
>
> Would appreciate confirmation from others on this list about this limitation
> of AEAD. If I am right about this, it seems kind of worth Errata for RFC 9052.
>
> LL
>
>> On Jan 17, 2023, at 2:39 PM, Mike Jones <[email protected]> wrote:
>>
>> Dear all,
>>
>> This message starts the Working Group Last Call of
>> draft-ietf-cose-aes-ctr-and-cbc –
>> https://datatracker.ietf.org/doc/html/draft-ietf-cose-aes-ctr-and-cbc .
>>
>> The working group last call will run for two weeks, ending on Tuesday,
>> January 31, 2023.
>>
>> Please review and send any comments or feedback to the working group. Even
>> if your feedback is "this is ready", please let us know.
>>
>> Thank you,
>> -- Mike and Ivaylo,
>> COSE Chairs
>>
>> _______________________________________________
>> COSE mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/cose
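Added example, not part of the original thread and not taken from any COSE library: a sketch of the check proposed above, next to a decrypt routine that silently ignores AAD. The function names, the exception class and the sample values are assumptions made for illustration, and the keystream is a SHA-256 stand-in for AES-CTR so the block runs offline.

```python
import hashlib

# Non-AEAD algorithm names defined by draft-ietf-cose-aes-ctr-and-cbc.
NON_AEAD_ALGS = frozenset(
    {"A128CTR", "A192CTR", "A256CTR", "A128CBC", "A192CBC", "A256CBC"})


class AADNotProtectedError(ValueError):
    """AAD was supplied with an algorithm that cannot authenticate it."""


def stream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Stand-in for AES-CTR (SHA-256 used as a counter keystream, NOT AES):
    # it models confidentiality without integrity, nothing more.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + iv + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)


def naive_decrypt(alg, key, iv, ciphertext, external_aad=b""):
    # Hazard: external_aad is accepted but never enters the computation,
    # so the call succeeds whatever AAD the caller passes.
    if alg not in NON_AEAD_ALGS:
        raise ValueError(f"unsupported algorithm: {alg}")
    return stream_xor(key, iv, ciphertext)


def guarded_decrypt(alg, key, iv, ciphertext, external_aad=b""):
    # Proposed behaviour: refuse AAD when the algorithm cannot protect it.
    if alg in NON_AEAD_ALGS and external_aad:
        raise AADNotProtectedError(f"{alg} is not AEAD; AAD would be unprotected")
    return naive_decrypt(alg, key, iv, ciphertext)


def demo():
    key, iv = b"k" * 16, b"n" * 16  # constructed sample values
    ct = stream_xor(key, iv, b"transfer 10 EUR")
    # The caller believes the message is bound to a context; it is not.
    accepted = naive_decrypt("A128CTR", key, iv, ct, b"context=refund")
    try:
        guarded_decrypt("A128CTR", key, iv, ct, b"context=refund")
        rejected = False
    except AADNotProtectedError:
        rejected = True
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```

The same guard belongs on the encrypt path, so that a sender cannot believe the AAD is bound to the ciphertext either.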
