On Mar 23, 2024, at 10:13 AM, Ilari Liusvaara <[email protected]> wrote:

_If_ the key management algorithm is aad-capable, adding next_alg to aad is
an easy way to make decryption fail if attacker alters algorithms.

For COSE -25 and for COSE-HPKE, key management is aad-capable. With a little
extra work I think content_encryption_algorithm (formerly next_alg) can work
for COSE -29.

I’m starting to think about a new draft to define the -29 replacement. Probably 
not a large document. It would not use COSE_KDF_Context. It would use a new 
Enc_structure with content_encryption_algorithm.

It could define a -25 replacement too, one without COSE_KDF_Context.

However, the problem is that COSE explicitly allows aad-incapable key
management algorithms (e.g., Key Transport or the whole section 5.4
stuff). And often there aren't even hacks around that.

You are talking about 6.1.1 and 6.2 from 9053 used with the non-AEADs in 5.4, 
right?  The others in section 6 of 9053 have a KDF, so they are OK (except for 
-29 which gets tripped up by key wrap).

I suppose errata might be issued with additional security considerations.

LL
_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
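The mechanism the thread is arguing about, as an added toy model that is not part of the thread and not COSE or RFC 9053 code: the content-encryption algorithm label is fed into the AAD of an AAD-capable key-management step, so an attacker who rewrites that header makes the CEK unwrap fail before the CEK is ever used under the substituted algorithm. An AAD-incapable wrap (the key wrap / key transport case) is modelled alongside it for contrast. Everything here is a stand-in and an assumption: the "AEAD" is a stdlib HMAC-based encrypt-then-MAC, JSON with sorted keys stands in for deterministic CBOR, the Enc_structure shape and the algorithm labels `content-alg-A` / `content-alg-B` are constructed for the example, and the content layer is deliberately an AE algorithm with no AAD so that the header cannot be bound there.

```python
"""Toy model: binding content_encryption_algorithm into the AAD of an
AAD-capable key-management step (added example, not COSE wire format)."""
import hashlib
import hmac
import json
import secrets

TAG_LEN = 16

# Constructed algorithm labels; stand-ins, not real COSE alg values.
CONTENT_ALG_A = "content-alg-A"
CONTENT_ALG_B = "content-alg-B"


def _subkey(key: bytes, label: bytes) -> bytes:
    """Domain-separated 32-byte subkey (toy KDF)."""
    return hashlib.sha256(label + key).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy stream cipher."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def _tag(mac_key: bytes, aad: bytes, ct: bytes) -> bytes:
    """Tag over length-prefixed AAD and ciphertext, so AAD is bound to ct."""
    msg = len(aad).to_bytes(4, "big") + aad + ct
    return hmac.new(mac_key, msg, hashlib.sha256).digest()[:TAG_LEN]


def aead_seal(key: bytes, nonce: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for an AEAD (toy, stdlib only)."""
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return ct + _tag(_subkey(key, b"mac"), aad, ct)


def aead_open(key: bytes, nonce: bytes, sealed: bytes, aad: bytes) -> bytes:
    """Verify the tag over (aad, ct) before releasing any plaintext."""
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(_subkey(key, b"mac"), aad, ct)):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def enc_structure(context: str, protected: dict) -> bytes:
    """Stand-in for an Enc_structure carrying content_encryption_algorithm.
    JSON with sorted keys stands in for deterministic CBOR (assumption)."""
    return json.dumps([context, protected], sort_keys=True,
                      separators=(",", ":")).encode()


def encrypt_message(kek: bytes, plaintext: bytes, content_alg: str,
                    aad_capable: bool) -> dict:
    """Sender: wrap a fresh CEK, then encrypt the content under it.
    aad_capable=True models an AEAD/HPKE-style wrap that accepts AAD;
    False models a wrap with no AAD input (key wrap / key transport)."""
    cek = secrets.token_bytes(32)
    protected = {"content_encryption_algorithm": content_alg}
    r_nonce = secrets.token_bytes(12)
    wrap_aad = enc_structure("Enc_Recipient", protected) if aad_capable else b""
    wrapped = aead_seal(kek, r_nonce, cek, wrap_aad)
    c_nonce = secrets.token_bytes(12)
    # Content layer: an AE algorithm with no AAD, so the header cannot be
    # bound here; the content key is domain-separated by the alg label.
    ct = aead_seal(_subkey(cek, content_alg.encode()), c_nonce, plaintext, b"")
    return {"protected": protected,
            "recipient": {"nonce": r_nonce, "wrapped": wrapped},
            "nonce": c_nonce, "ciphertext": ct}


def decrypt_message(kek: bytes, msg: dict, aad_capable: bool) -> tuple:
    """Recipient. Returns ("unwrap_failed", None) if key management rejects,
    ("content_failed", None) if the content AE rejects after the CEK was
    already released under the header's algorithm, or ("ok", plaintext)."""
    protected = msg["protected"]
    wrap_aad = enc_structure("Enc_Recipient", protected) if aad_capable else b""
    try:
        cek = aead_open(kek, msg["recipient"]["nonce"],
                        msg["recipient"]["wrapped"], wrap_aad)
    except ValueError:
        return ("unwrap_failed", None)
    alg = protected["content_encryption_algorithm"]  # attacker-chosen if unbound
    try:
        pt = aead_open(_subkey(cek, alg.encode()), msg["nonce"],
                       msg["ciphertext"], b"")
    except ValueError:
        return ("content_failed", None)
    return ("ok", pt)


def substitute_alg(msg: dict, new_alg: str) -> dict:
    """Attacker: rewrite only the algorithm header."""
    tampered = dict(msg)
    tampered["protected"] = dict(msg["protected"],
                                 content_encryption_algorithm=new_alg)
    return tampered


def demo() -> dict:
    """Honest and substituted-header decryption, with and without AAD binding."""
    kek = secrets.token_bytes(32)
    results = {}
    for capable in (True, False):
        msg = encrypt_message(kek, b"hello", CONTENT_ALG_A, capable)
        results[("honest", capable)] = decrypt_message(kek, msg, capable)
        results[("substituted", capable)] = decrypt_message(
            kek, substitute_alg(msg, CONTENT_ALG_B), capable)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

With the AAD-capable wrap the substituted message dies at `unwrap_failed`; with the AAD-incapable wrap the CEK is released and handed to whatever algorithm the attacker wrote into the header, and only that algorithm's own checks (here, a key domain-separated by label) stand between the attacker and a successful decryption. That is the gap Ilari describes for key transport and the section 5.4 algorithms, and the reason the -29 replacement discussed above needs something other than the key-wrap step itself to carry the binding.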