On Mon, Mar 13, 2023 at 12:08:24PM +0100, Hannes Tschofenig wrote: > Hi Laurence,
> It is fine if not everything was already envisioned at the time the > initial COSE RFC was published. There is a lot of other work ongoing > that probably wasn't envisioned either, for example the PQC algorithms > or the privacy mechanisms that are currently being discussed. Funnily enough, RFC 8152/9052 does envision using AEAD at layer1+, but none of the defined content key distribution methods make use of that capability. This is not the only case where COSE envisions something, but does not use it. E.g., four-layer structures. COSE-HPKE does not fit into any of the previous content key distribution methods. So looks like the COSE-HPKE demonstrators were the first implementations to actually use AEAD at layer1, and thus the first implementations to use Enc_Recipient. > With the COSE mechanisms today, ignoring HPKE for a moment, a developer > has to provide the following information for an ephemeral-static > Diffie-Hellman content key distribution using AES-GCM as content > encryption algorithm: > > * Enc_structure for the content encryption layer utilizing AES-GCM, > which includes the external AAD. > > * Info structure for the key derivation function used at the recipient > layer to generate the KEK, which is then used to encrypt the CEK via AES-KW. > > > With HPKE we still have to provide the info structure (which goes into > SealBase). Since we are not using AES-KW but an AEAD cipher via HPKE we > need to provide an additional AAD. We can put the Enc_structure there > with a different context string, as you suggest, but leave the > external_aad as nil. This would give HPKE the same "interface" as the > ephemeral-static DH content key distribution algorithm. RFC 9052 already specifies what context string to use in that case: "Enc_Recipient". And you probably mean empty external_aad, not nil, since external_aad is always a bstr. And the interface is not quite the same: Key Agreement with Key Wrap has one slot for external AAD, Two-layer HPKE has two. I think the layer1 one should be left empty by default, even if application uses the layer0 external AAD. -Ilari _______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
