On Tue, Mar 19, 2024 at 09:13:36PM +0900, AJITOMI Daisuke wrote:
> Thanks, Ilari.
> 
> My question was not correct. When we restrict the algorithms at layer0 for
> "HPKE key encryption" to AEAD algorithms, specifically A{128,192,256}GCM
> and ChaCha20Poly1305, are there any reasons why we need next_alg?

No need for next_alg in that case. 

Looking at the algorithm list, I see 8 AES-CCM algorithms. Those are also
section 5.3 (AEAD) algorithms. Not needing next_alg applies to any section
5.3 algorithm.


I think that for layer0, one should require any encryption to be capable
of AAD, and any symmetric encryption to be AEAD. Otherwise attackers
can cause some weird stuff to happen (which might or might not be
exploitable).

For other layers, the requirement is for any symmetric encryption to be
AE or AEAD.


The reason for not outright requiring AEAD on layer0 is that HPKE would
fail such a requirement, because it is not symmetric, but can still appear
on layer0.




-Ilari

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
