I want to be explicit about this — the Context Info Structure can prevent the AES attack presented at IETF 118. This gives credibility to the Context Info Structure. HPKE (not COSE-HPKE) by itself also prevents this attack. So it's good to see that work has been done that anticipated attacks like this.
But there are issues with multi-recipient COSE:

1) Even though alg ID -29 (section 6.4 of 9053) uses the Context Info Structure, it is vulnerable because key wrap is in the hierarchy and it doesn't do AEAD, and the Context Info Structure is not really put to use. This is kind of a (big?) hole and oversight in RFC 9053.

2) In the current COSE-HPKE draft, the Context Info Structure is optional. So the current draft is clearly not sufficient. (It's also not particularly clear on how protected headers are actually protected.)

We need to do something thorough about both of these. There's been some back and forth between me and Ilari about 2) COSE-HPKE, but I suspect many of you haven't tracked it.

Last, I don't think we have to use the Context Info Structure in COSE-HPKE, but I do think we need to provide an equivalent, because I think it has earned some credibility because it anticipated this attack.

What to do about 1) seems tougher. Seems like at least errata security considerations should be issued warning about this.

LL

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
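For readers who have not looked at what the Context Info Structure actually binds, the following is an added, stand-alone example (it is not code from the post above, from Laurence, or from any IETF document or implementation). It serializes the COSE_KDF_Context of RFC 9053 section 5.2 with a minimal CBOR encoder and feeds it to HKDF-SHA-256 as the `info` input, the way the ECDH + key-wrap algorithms such as -29 derive their key-encryption key. The point it shows is that the derived KEK changes whenever the algorithm ID, the key length or the recipient's protected header changes, even from the same ECDH shared secret. The shared secret is a constructed placeholder (real ECDH is out of scope), `derive_kek` and `kdf_context` are names chosen here, PartyU/PartyV info is left nil, and the IETF 118 attack itself is not reproduced.

```python
"""Added example: RFC 9053 s5.2 COSE_KDF_Context + HKDF-SHA-256 (RFC 5869).
Standard library only; not code from the COSE list post or any RFC."""
import hashlib
import hmac


def _head(major, n):
    """CBOR initial byte(s): major type in the top 3 bits, argument n."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
    raise ValueError("argument too large")


def cbor(v):
    """Minimal CBOR encoder for the types COSE_KDF_Context uses
    (nil, int, bstr, tstr, array, map). Dict order is kept as given."""
    if v is None:
        return b"\xf6"
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        enc = v.encode()
        return _head(3, len(enc)) + enc
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor(x) for x in v)
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor(k) + cbor(x) for k, x in v.items())
    raise TypeError(type(v))


def kdf_context(alg_id, key_bits, protected_hdr,
                party_u=(None, None, None), party_v=(None, None, None),
                other=None):
    """Serialize COSE_KDF_Context as laid out in RFC 9053 s5.2:
    [AlgorithmID, PartyUInfo, PartyVInfo, SuppPubInfo].
    protected_hdr is the recipient's protected header map; an empty map
    is carried as a zero-length bstr, a non-empty one as its serialization."""
    supp_pub = [key_bits, cbor(protected_hdr) if protected_hdr else b""]
    if other is not None:
        supp_pub.append(other)
    return cbor([alg_id, list(party_u), list(party_v), supp_pub])


def hkdf_sha256(ikm, salt, info, length):
    """HKDF extract-then-expand with HMAC-SHA-256 (RFC 5869)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_kek(shared_secret, alg_id, key_bits, protected_hdr, salt=b""):
    """Derive the key-wrap KEK from an ECDH shared secret, RFC 9053 style:
    the context structure is the HKDF info, so changing the algorithm,
    key length or protected header yields an unrelated key."""
    info = kdf_context(alg_id, key_bits, protected_hdr)
    return hkdf_sha256(shared_secret, salt, info, key_bits // 8)


# Constructed stand-in for an ECDH shared secret (assumption: a real one
# comes from the recipient's ephemeral-static ECDH, which is not done here).
SHARED_SECRET = hashlib.sha256(b"constructed ECDH shared secret").digest()

if __name__ == "__main__":
    kek_a128 = derive_kek(SHARED_SECRET, -29, 128, {1: -29})  # ECDH-ES + A128KW
    kek_a256 = derive_kek(SHARED_SECRET, -31, 256, {1: -31})  # ECDH-ES + A256KW
    kek_hdr = derive_kek(SHARED_SECRET, -29, 128, {1: -29, 4: b"r1"})  # extra protected param
    print("context for -29:", kdf_context(-29, 128, {1: -29}).hex())
    print("A128KW KEK     :", kek_a128.hex())
    print("A256KW KEK     :", kek_a256.hex())
    print("A128KW KEK+hdr :", kek_hdr.hex())
    print("three distinct keys from one secret:",
          len({kek_a128, kek_a256[:16], kek_hdr}) == 3)
```

The binding shown here lives entirely in the derivation step. In the -29 family the KEK then goes into AES key wrap, which is the part the post is concerned about: the wrap is not an AEAD and does not itself authenticate any of the context, so whatever protection the Context Info Structure gives has to come from this KDF input being used and checked consistently by both sides.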
