On Sun, Mar 17, 2024 at 11:46:29PM +0000, lgl island-resort.com wrote:
> Not just the lamps attack but best known security practice.
>
> Internally, HPKE locks down all the algorithm IDs - best known
> security practice - even though it only allows AEAD algorithms.
>
> I dunno if I'd call COSE_KDF_Context best practice, but it covers the
> next algorithm ID too.

There is a subtle pitfall here: that only applies to Direct Key Agreement.
It does not apply to Key Agreement with Key Wrap. If using KAwKW, the next
algorithm ID in COSE_KDF_Context is the key wrapping algorithm, not what
the wrapped key gets used for.

Worse, most key wrap algorithms are AE, not AEAD (it is a bit subtle that
AEAD key wraps are even supported in COSE), so using protected headers to
bind the next algorithm will not work.

> Knowing what we know now, I think we would be kind of negligent to
> not protect the bulk encryption alg in any new encryption standard.

That turns out not to work well with some algorithms. It is especially
problematic with Key Encryption/Key Transport type algorithms.

-Ilari

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
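The difference Ilari describes is visible in the bytes of COSE_KDF_Context itself. The following is an added illustration, not code from either message or from any COSE implementation: it serializes COSE_KDF_Context (RFC 9053 section 5.2) with a minimal CBOR encoder and runs it through HKDF-SHA-256 (RFC 9053 section 5.1, stdlib hmac) for the two modes. For Direct Key Agreement the AlgorithmID field is the content encryption algorithm, so swapping A128GCM for AES-CCM-16-64-128 yields a different CEK. For Key Agreement with Key Wrap the AlgorithmID field is the key wrap algorithm (A128KW), so the context, and therefore the KEK, is identical no matter what the wrapped CEK is later used for. Assumptions: empty PartyU/PartyV info, the recipient-layer protected header as the SuppPubInfo `protected` field, and a constructed shared secret in place of a real ECDH output.

```python
"""
COSE_KDF_Context and HKDF-SHA-256 as used by COSE ECDH-ES key agreement,
shown for Direct Key Agreement versus Key Agreement with Key Wrap.
Stdlib only; the CBOR encoder covers just the types the context needs.
"""
import hashlib
import hmac

# Algorithm identifiers from the IANA COSE Algorithms registry (RFC 9053).
A128GCM = 1
AES_CCM_16_64_128 = 10
A128KW = -3
ECDH_ES_HKDF_256 = -25
ECDH_ES_A128KW = -29
HEADER_ALG = 1  # label of the common "alg" header parameter

# Constructed stand-in for an ECDH shared secret (not a real key).
SHARED_SECRET = bytes.fromhex("4c6d6f1a5e2b9c0d3f7a8e1b2c4d5e6f" * 2)


def _cbor_head(major: int, n: int) -> bytes:
    """Initial byte plus argument for an unsigned argument n."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < (1 << (8 * size)):
            return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
    raise ValueError("argument too large")


def cbor(value) -> bytes:
    """Encode int, bytes, None, list and int-keyed dict: enough for COSE_KDF_Context."""
    if value is None:
        return b"\xf6"
    if isinstance(value, int):
        return _cbor_head(0, value) if value >= 0 else _cbor_head(1, -1 - value)
    if isinstance(value, bytes):
        return _cbor_head(2, len(value)) + value
    if isinstance(value, list):
        return _cbor_head(4, len(value)) + b"".join(cbor(v) for v in value)
    if isinstance(value, dict):
        return _cbor_head(5, len(value)) + b"".join(cbor(k) + cbor(v) for k, v in value.items())
    raise TypeError(f"unsupported type {type(value).__name__}")


def kdf_context(algorithm_id: int, key_bits: int, protected: dict) -> bytes:
    """Serialize COSE_KDF_Context with empty PartyU/PartyV info (assumption)."""
    party_info = [None, None, None]  # identity, nonce, other all absent
    protected_bstr = cbor(protected) if protected else b""  # empty map -> zero-length bstr
    return cbor([algorithm_id, party_info, party_info, [key_bits, protected_bstr]])


def hkdf_sha256(ikm: bytes, info: bytes, length: int, salt: bytes = b"") -> bytes:
    """HKDF (RFC 5869); COSE treats an absent salt as zero-length, i.e. HashLen zeros."""
    if not salt:
        salt = bytes(hashlib.sha256().digest_size)
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def direct_context(content_alg: int, key_bits: int = 128) -> bytes:
    """Direct Key Agreement: AlgorithmID is the content encryption algorithm."""
    return kdf_context(content_alg, key_bits, {HEADER_ALG: ECDH_ES_HKDF_256})


def kawkw_context() -> bytes:
    """Key Agreement with Key Wrap: AlgorithmID is the key wrap algorithm.
    The content encryption algorithm does not appear anywhere in this structure."""
    return kdf_context(A128KW, 128, {HEADER_ALG: ECDH_ES_A128KW})


def direct_cek(content_alg: int, shared_secret: bytes = SHARED_SECRET) -> bytes:
    return hkdf_sha256(shared_secret, direct_context(content_alg), 16)


def kawkw_kek(shared_secret: bytes = SHARED_SECRET) -> bytes:
    return hkdf_sha256(shared_secret, kawkw_context(), 16)


def content_alg_is_bound() -> dict:
    """Does changing the content encryption algorithm change the derived key?"""
    return {
        "direct": direct_cek(A128GCM) != direct_cek(AES_CCM_16_64_128),
        # Same KEK whatever the wrapped CEK is used for; nothing here to vary.
        "kawkw": kawkw_kek() != kawkw_kek(),
    }


if __name__ == "__main__":
    print("direct A128GCM context :", direct_context(A128GCM).hex())
    print("direct CCM context     :", direct_context(AES_CCM_16_64_128).hex())
    print("KAwKW context          :", kawkw_context().hex())
    print("content alg bound?     :", content_alg_is_bound())
```

In the KAwKW case the only place the content encryption algorithm lives is the content layer's protected header, and AES-KW authenticates no associated data, so that header is not covered by the wrap either; that is the gap Ilari points to.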
