On Wed, Jan 18, 2023 at 01:53:10PM -0500, Russ Housley wrote:
> Laurence:
>
> Obviously it is too late to add anything to RFC 9052.
>
> I propose the following for draft-ietf-cose-aes-ctr-and-cbc:
>
> X.  Implementation Considerations
>
> COSE libraries that support either AES-CTR or AES-CBC and accept
> Additional Authenticated Data (AAD) as input should return an error
> if one of these non-AEAD content encryption algorithms is selected.
> This would ensure that a caller does not expect the AAD to be
> protected when the cryptographic algorithm is unable to do so.

RFC 9052 already requires that if using an AE algorithm:

- Attempt to encrypt or decrypt with non-empty external aad MUST fail.
- Attempt to encrypt with any protected header parameters MUST fail.
- Attempt to decrypt message with any protected header parameters MUST fail.

It seems to me that AES-CTR and AES-CBC are analogous to these, but
with even more serious limitations, so all these limitations should
be inherited.

-Ilari
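
Added example, not part of the original message and not code from any COSE library: a lenient decrypt that silently ignores external AAD and protected headers, next to a strict one that fails as the thread proposes. The function names are hypothetical, the SHA-256 keystream is a stand-in for AES-CTR so that only the standard library is needed, and the key, IV and message are constructed.

```python
import hashlib

# Algorithm names used as plain strings; only the non-AEAD group matters here.
NON_AEAD = {"A128CTR", "A192CTR", "A256CTR", "A128CBC", "A192CBC", "A256CBC"}

class CoseInputError(ValueError):
    """Inputs that the selected algorithm cannot authenticate."""

def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Stand-in for AES-CTR (assumption of this example): a SHA-256 keystream.
    # Like CTR, it gives confidentiality only and authenticates nothing.
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hashlib.sha256(key + iv + block.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[block:block + 32], pad))
    return bytes(out)

def lenient_decrypt(alg, key, iv, ciphertext, protected=b"", external_aad=b""):
    # Behaviour the thread warns about: the AAD and the protected header
    # bucket are accepted but never enter the computation.
    return keystream_xor(key, iv, ciphertext)

def strict_decrypt(alg, key, iv, ciphertext, protected=b"", external_aad=b""):
    # Behaviour proposed in the thread: fail rather than ignore the inputs.
    if alg not in NON_AEAD:
        raise CoseInputError("this example covers AES-CTR/AES-CBC names only")
    if external_aad:
        raise CoseInputError(f"{alg} cannot protect external AAD")
    if protected:
        raise CoseInputError(f"{alg} cannot protect header parameters")
    return keystream_xor(key, iv, ciphertext)

def demo():
    # Constructed key, IV and message; not taken from a real COSE object.
    key, iv = bytes(16), bytes(range(16))
    ct = keystream_xor(key, iv, b"transfer 10 to alice")
    # The caller believes the AAD binds the message to one context.
    a = lenient_decrypt("A128CTR", key, iv, ct, external_aad=b"account=1")
    b = lenient_decrypt("A128CTR", key, iv, ct, external_aad=b"account=2")
    try:
        strict_decrypt("A128CTR", key, iv, ct, external_aad=b"account=1")
        strict = "accepted"
    except CoseInputError as exc:
        strict = str(exc)
    return a, b, strict
```

With the lenient function both AAD values yield the same plaintext, so a mismatch in context goes unnoticed; the strict function reports the problem to the caller before any output is produced.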
