On Thu, Oct 12, 2023 at 02:23:11PM +0000, Aritra Banerjee (Nokia) wrote:
> Hello all,
> 
> The revised version of the draft draft-ra-cose-hybrid-encrypt-01 -
> Hybrid key exchange in JOSE and COSE 
> (ietf.org)<https://datatracker.ietf.org/doc/draft-ra-cose-hybrid-encrypt/>
> addresses the comments from the COSE WG.
> 
> Further feedback and suggestions are welcome.
> 
> A new version of Internet-Draft draft-ra-cose-hybrid-encrypt-01.txt has been
> successfully submitted by Tirumaleswar Reddy and posted to the
> IETF repository.
> 
> Name:     draft-ra-cose-hybrid-encrypt
> Revision: 01
> Title:    Hybrid key exchange in JOSE and COSE
> Date:     2023-10-06
> Group:    Individual Submission
> Pages:    30
> URL:      https://www.ietf.org/archive/id/draft-ra-cose-hybrid-encrypt-01.txt
> Status:   https://datatracker.ietf.org/doc/draft-ra-cose-hybrid-encrypt/
> HTML:     https://www.ietf.org/archive/id/draft-ra-cose-hybrid-encrypt-01.html
> HTMLized: https://datatracker.ietf.org/doc/html/draft-ra-cose-hybrid-encrypt
> Diff:     
> https://author-tools.ietf.org/iddiff?url2=draft-ra-cose-hybrid-encrypt-01

The KDF looks like it is intended to be NIST SP 800-56C KDF, but it
misuses the salt parameter (the key to KMAC).

The salt cannot be fixed. NIST SP 800-56C requires that the application
can give explicit salt to use (which goes raw into KMAC key) or if the
application does not provide salt, then the default salt is used.
Additionally, the default salt has an off-by-one problem: It is one
byte too big.

The key format should be <alg><ct1><ss1><ct2><ss2>. There is no need
for lengths: Those are either implied by <alg> or if those are variable,
it is _not_ _sufficient_ to just include lengths, there must be an inner
hash.


And the algorithm choices seem pretty bad:

1) KMAC128 should not be used with any variant of Kyber, the capacity
does not match. Use KMAC256 instead.

2) Don't use HKDF-256 with Kyber. Especially not in COSE!

3) Don't use AES128KW. This is post-quantum. Use AES256KW instead.




-Ilari

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
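
An added example, not code from the thread or from the draft: a sketch of the SP 800-56C one-step KDF showing how the salt enters as the MAC key, with the default salt used only when the caller supplies none, and a `<alg><ct1><ss1><ct2><ss2>` input whose field lengths are fixed by the algorithm. It uses the HMAC-SHA-512 option of SP 800-56C instead of KMAC because the Python standard library has no KMAC; the algorithm id `EXAMPLE-HYBRID`, the `SIZES` table and all sample values are constructed placeholders.

```python
import hashlib
import hmac
from typing import Optional

HASH = hashlib.sha512
H_OUTPUT_BYTES = HASH().digest_size
# SP 800-56C default salt for the HMAC option: all zeros, one hash input block long.
DEFAULT_SALT = bytes(HASH().block_size)

# Constructed placeholder: algorithm id -> fixed (ct1, ss1, ct2, ss2) byte lengths.
SIZES = {b"EXAMPLE-HYBRID": (32, 32, 1088, 32)}


def one_step_kdf(z: bytes, length: int, fixed_info: bytes,
                 salt: Optional[bytes] = None) -> bytes:
    """K(i) = HMAC(salt, counter || Z || FixedInfo), counter = 32-bit big-endian."""
    if length <= 0:
        raise ValueError("length must be positive")
    # The salt goes in raw as the MAC key; the default is used only when none is given.
    key = DEFAULT_SALT if salt is None else salt
    reps = -(-length // H_OUTPUT_BYTES)  # ceiling division
    out = b""
    for counter in range(1, reps + 1):
        block = counter.to_bytes(4, "big") + z + fixed_info
        out += hmac.new(key, block, HASH).digest()
    return out[:length]


def hybrid_z(alg: bytes, ct1: bytes, ss1: bytes, ct2: bytes, ss2: bytes) -> bytes:
    """Build <alg><ct1><ss1><ct2><ss2>, rejecting any field whose length alg does not fix."""
    fields = (ct1, ss1, ct2, ss2)
    if alg not in SIZES or tuple(map(len, fields)) != SIZES[alg]:
        raise ValueError("unknown alg or field length not implied by alg")
    return alg + b"".join(fields)


def demo() -> dict:
    # Constructed sample values, not real key-exchange output.
    z = hybrid_z(b"EXAMPLE-HYBRID", b"\x01" * 32, b"\x02" * 32, b"\x03" * 1088, b"\x04" * 32)
    info = b"constructed context"
    return {
        "default": one_step_kdf(z, 32, info),
        "explicit": one_step_kdf(z, 32, info, salt=b"application salt"),
        "one_byte_too_long": one_step_kdf(z, 32, info, salt=bytes(len(DEFAULT_SALT) + 1)),
    }
```

In `demo()`, the all-zero salt that is one byte longer than the default yields a different key, because HMAC hashes any key longer than one block before use.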
