On Mon, Jun 05, 2023 at 05:07:30PM +0000, lgl island-resort.com wrote:
> 
> > On Jun 4, 2023, at 12:12 AM, AJITOMI Daisuke <[email protected]> wrote:
> > 
> > Hi Laurence, Ilari,
> > 
> > > My proposal is to fully replace the Enc_structure with
> > > COSE_KDF_Context in COSE-HPKE. I am not proposing double
> > > protection.
> > 
> > ...
> > 
> > Given that there's no need to use it, it's not required by the core
> > spec, and there's the issue, as Ilari has repeatedly pointed out,
> > of not being able to input a meaningful value into
> > SuppPubInfo.keyDataLength,
> 
> For multiple recipient COSE-HPKE, it IS possible to put a
> meaningful value in for both COSE_KDF_Context.AlgorithmID and
> COSE_KDF_Context.SuppPubInfo.keyDataLength.

From what I understand, AlgorithmID and keyDataLength are for the
algorithm the key is derived for (and there is an unused special case
for IV derivation if required).

However, for HPKE, the algorithm the key is derived for is the AEAD.
HPKE already internally adds the algorithm ID and key data length into
the KDF context.

This is analogous to ECDH+KW algorithms. When using those algorithms,
then AlgorithmID is the ECDH+KW alg value, and keyDataLength is
whatever the KW part needs. Since there is no nalg, this leaves the
ultimate bulk cipher unprotected.


> Single recipient COSE-HPKE is kind of a degenerate case for this.
> It doesn’t need these values because it is all handled internally,
> so we can just put none/0.

There is no value for none. And good that there isn't, because that
is a major footgun in JOSE.

And this case is analogous to using ECDH without any KW: The derived
key is for the bulk cipher and that is what gets recorded in the
COSE_KDF_Context. HPKE already records the same information internally.


> Ironically, it is the COSE standard COSE_Recipient alg -29 in RFC 9053
> that has the problem mixing in the content encryption algorithm
> because AES Key Wrap is not an AEAD and in the way.

Actually all COSE standard ECDH algorithms have this problem in the
multi-recipient setting. And only algs -25, -26, -27 and -28 have an
actual single-recipient setting that does not have this issue.

Hence, to cover all the bases, one would need both nalg and AEAD KW
algorithms (which would use "Enc_Recipient").




-Ilari

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
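
An added illustration of the point discussed in the message above (not part of the original email and not code from the COSE drafts): it builds the COSE_KDF_Context for direct ECDH (alg -25) and for ECDH with key wrap (alg -29), then derives keys with HKDF-SHA-256 to show that only the direct case binds the bulk cipher. Assumptions: the shared secret `Z` is a constructed value, PartyU/PartyV info is empty, and in the key-wrap case AlgorithmID carries the A128KW identifier (-3).

```python
import hashlib, hmac

def _head(major, n):          # CBOR initial byte(s); values < 256 suffice here
    return bytes([major << 5 | n]) if n < 24 else bytes([major << 5 | 24, n])

def cbor(x):                  # minimal encoder: int, bstr, nil, array, map
    if x is None: return b"\xf6"
    if isinstance(x, int): return _head(0, x) if x >= 0 else _head(1, -1 - x)
    if isinstance(x, bytes): return _head(2, len(x)) + x
    if isinstance(x, list): return _head(4, len(x)) + b"".join(map(cbor, x))
    if isinstance(x, dict):
        return _head(5, len(x)) + b"".join(cbor(k) + cbor(v) for k, v in x.items())
    raise TypeError(type(x))

def hkdf_sha256(ikm, info, length):
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()   # extract, default salt
    okm, t, i = b"", b"", 1
    while len(okm) < length:                                     # expand
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        okm, i = okm + t, i + 1
    return okm[:length]

def kdf_context(alg_id, key_bits, recipient_alg):
    # COSE_KDF_Context = [AlgorithmID, PartyUInfo, PartyVInfo, SuppPubInfo]
    party = [None, None, None]
    protected = cbor({1: recipient_alg})      # recipient protected header {alg}
    return cbor([alg_id, party, party, [key_bits, protected]])

A128GCM, AES_CCM_16_64_128, A128KW = 1, 10, -3
ECDH_ES_HKDF_256, ECDH_ES_A128KW = -25, -29
Z = bytes(range(32))                          # constructed ECDH shared secret

def derive_direct(z, content_alg):
    # alg -25: the derived key is the CEK, so AlgorithmID names the bulk cipher
    return hkdf_sha256(z, kdf_context(content_alg, 128, ECDH_ES_HKDF_256), 16)

def derive_kek(z, content_alg):
    # alg -29: the derived key is the KEK for A128KW; content_alg is never used
    return hkdf_sha256(z, kdf_context(A128KW, 128, ECDH_ES_A128KW), 16)

if __name__ == "__main__":
    for name, alg in (("A128GCM", A128GCM), ("AES-CCM-16-64-128", AES_CCM_16_64_128)):
        print(name, "direct:", derive_direct(Z, alg).hex(), "kek:", derive_kek(Z, alg).hex())
```
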
