On Nov 15, 2023, at 1:19 PM, Ilari Liusvaara <[email protected]> wrote:
> On Wed, Nov 15, 2023 at 08:35:34PM +0000, lgl island-resort.com wrote:
> > I want to be explicit about this — The Context Info Structure can prevent the AES attack presented at IETF 118. This gives credibility to Context Info Structure. HPKE (not COSE-HPKE) by itself also prevents this attack. So it’s good to see that work has been done that anticipated attacks like this.
>
> This is not about context information structure, it is about direct versus indirect recipients.

The reason I say Context Info Structure (definition pasted below) anticipated this is because of the AlgorithmID data item (and keyDataLength). If I understand correctly, it exactly is the solution proposed. If the COSE-HPKE draft made Context Info mandatory, we’d be done, though there may be a better solution.

I’m bringing up Context Info Structure here, because it anticipated this problem and deserved to be taken seriously. Maybe we don’t use it exactly, but we probably should provide most of what it provides for all COSE encryption or disclose the particular encryption mode as vulnerable.

LL

COSE_KDF_Context = [
    AlgorithmID : int / tstr,
    PartyUInfo : [ PartyInfo ],
    PartyVInfo : [ PartyInfo ],
    SuppPubInfo : [
        keyDataLength : uint,
        protected : empty_or_serialized_map,
        ? other : bstr
    ],
    ? SuppPrivInfo : bstr
]
_______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
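The binding the thread is arguing about, as an added example that is not part of the mailing-list exchange: the COSE_KDF_Context from RFC 9053 is CBOR-encoded and fed to the KDF as its info input, so the derived content-encryption key changes whenever AlgorithmID or keyDataLength changes. This uses only the Python standard library with a minimal CBOR encoder written here; HKDF-SHA-256 stands in for the KDF of the suite, and the shared secret and the unused PartyInfo fields are constructed sample values.

```python
import hashlib
import hmac

def _cbor_head(major: int, n: int) -> bytes:
    # CBOR initial byte plus argument; 32-bit arguments are enough here
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")
    return bytes([(major << 5) | 26]) + n.to_bytes(4, "big")

def cbor(v) -> bytes:
    # Minimal encoder for the types COSE_KDF_Context needs: int, bstr, tstr, array, nil
    if v is None:
        return b"\xf6"
    if isinstance(v, int):
        return _cbor_head(0, v) if v >= 0 else _cbor_head(1, -1 - v)
    if isinstance(v, bytes):
        return _cbor_head(2, len(v)) + v
    if isinstance(v, str):
        e = v.encode()
        return _cbor_head(3, len(e)) + e
    if isinstance(v, list):
        return _cbor_head(4, len(v)) + b"".join(cbor(x) for x in v)
    raise TypeError(type(v))

def kdf_context(alg_id: int, key_bits: int, protected: bytes = b"") -> bytes:
    # COSE_KDF_Context = [AlgorithmID, PartyUInfo, PartyVInfo, SuppPubInfo]
    # PartyInfo = [identity, nonce, other]; all nil when unused (sample choice)
    party = [None, None, None]
    return cbor([alg_id, party, party, [key_bits, protected]])

def hkdf_sha256(ikm: bytes, info: bytes, length: int, salt: bytes = b"") -> bytes:
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        okm += t
        i += 1
    return okm[:length]

def derive_cek(shared_secret: bytes, alg_id: int, key_bits: int) -> bytes:
    # Same secret, different AlgorithmID or keyDataLength -> different key
    return hkdf_sha256(shared_secret, kdf_context(alg_id, key_bits), key_bits // 8)

SECRET = bytes(range(32))  # constructed sample shared secret, not a real one
A128GCM, A256GCM = 1, 3    # COSE algorithm identifiers from RFC 9053
```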
