On Sat, Mar 23, 2024 at 08:35:32AM +0900, AJITOMI Daisuke wrote:
>
> Ilari, I interpreted what you said as meaning that there is no algorithm
> for encrypting (wrapping) the layer0 keys at layer1, including COSE-HPKE,
> that can prevent the lamps attack. Am I mistaken?
> If I was mistaken, could you tell me how the next_alg can specifically
> protect against the lamps attack to the algorithms that take a key?

My point was that no _existing_ algorithm does so. And some of the existing
algorithms cannot even be modified to do so.

Having insecure algorithms is a major problem. CMS is in the same situation.
And because CMS allows unauthenticated content encryption, the solution they
picked (add KDF step before content encryption) is the only possible one.

> > Could you tell me specific attack methods or threats?
>
> This is the question I posted previously, and I found a threat myself. I
> thought there might be a slight possibility for a lamps attack to succeed
> if the victim can accept both A128CBC and A128GCM as content encryption
> algorithms at Layer0 and uses the same CEK for both algorithms. However,
> the next_alg is only bound to the key wrapping the CEK and cannot affect
> the CEK itself. Therefore, it doesn't seem like a meaningful measure since
> it can't limit the reuse of the CEK.

_If_ the key management algorithm is aad-capable, adding next_alg to aad is an
easy way to make decryption fail if attacker alters algorithms.

However, the problem is that COSE explicitly allows aad-incapable key
management algorithms (e.g., Key Transport or the whole section 5.4 stuff).
And often there aren't even hacks around that.

-Ilari

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
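The aad binding Ilari describes, as an added example that is not code from this thread or from any COSE implementation: a layer-1 AES-GCM key wrap commits to the layer-0 algorithm (next_alg) through its AAD, so a recipient whose layer-0 header was altered in transit cannot unwrap the CEK at all. The names (Message, WrapCEK, UnwrapCEK, nextAlgAAD), the simplified AAD encoding standing in for the CBOR Enc_structure of RFC 9052, and the sample keys in the usage are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)

// COSE algorithm identifiers from the IANA COSE Algorithms registry.
const (
	AlgA128GCM = 1
	AlgA256GCM = 3
)

// Message is a simplified two-layer COSE_Encrypt: layer-0 algorithm plus wrapped CEK.
type Message struct {
	Layer0Alg  int    // the "next_alg" that layer 1 commits to
	WrapNonce  []byte // 96-bit AES-GCM nonce, fresh for every wrap
	WrappedCEK []byte // AES-GCM ciphertext || tag of the CEK
}

// nextAlgAAD stands in for the RFC 9052 Enc_structure (assumption: a context
// label plus the big-endian layer-0 algorithm id, not the real CBOR encoding).
func nextAlgAAD(nextAlg int) []byte {
	var id [4]byte
	binary.BigEndian.PutUint32(id[:], uint32(nextAlg))
	return append([]byte("Enc_Recipient/next_alg="), id[:]...)
}

func keyWrapAEAD(kek []byte) cipher.AEAD {
	block, err := aes.NewCipher(kek)
	if err != nil {
		panic(err) // a KEK of the wrong length is a caller bug
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for a standard AES block
	return aead
}

// WrapCEK encrypts the CEK under the KEK with AES-GCM, binding nextAlg
// through the AAD. nonce must be 12 bytes and never repeat with this KEK.
func WrapCEK(kek, cek, nonce []byte, nextAlg int) Message {
	ct := keyWrapAEAD(kek).Seal(nil, nonce, cek, nextAlgAAD(nextAlg))
	return Message{Layer0Alg: nextAlg, WrapNonce: nonce, WrappedCEK: ct}
}

// UnwrapCEK rebuilds the AAD from the layer-0 algorithm the recipient sees; an
// altered header fails tag verification, so the CEK is never released under it.
func UnwrapCEK(kek []byte, m Message) ([]byte, error) {
	return keyWrapAEAD(kek).Open(nil, m.WrapNonce, m.WrappedCEK, nextAlgAAD(m.Layer0Alg))
}
```

Note that this only protects the wrap layer: as Daisuke points out, it does nothing about a CEK that the recipient is willing to reuse across algorithms once it has been released.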
