On Tue, Jun 18, 2024 at 10:58:35AM +0000, Tschofenig, Hannes wrote:
> Hi Ilari,
> 
> -----Original Message-----
> From: [email protected] <[email protected]> 
> Sent: Monday, June 17, 2024 7:49 PM
> To: cose <[email protected]>
> Subject: [COSE] Re: Context Information Structure and COSE-HPKE
> 
> 
> [Hannes] HPKE allows the inclusion of context-specific information via
> the info parameter, and therefore application layer identities, such
> as party U and party V. By default, HPKE does not know about these
> identifiers since it is a building block. In COSE HPKE we also need to
> make it possible to pass this information into the building block.
> With the current design we make it impossible to incorporate this
> information. 

There are problems with using the HPKE info parameter.

Even without explicit context information, the application could use
external aad (it should be independent per layer for exactly that sort
of stuff) to pass the identities. Mismatch causes decryption failure.

Including identities in protected headers would be possible, but is way
too easy to get wrong.


> For any application protocol, either:
> 
> 1) Guarantees of HPKE are sufficient.
> 2) The application itself must take action for safety.
> 
> There is nothing COSE-HPKE can do about that.
> 
> [Hannes] I disagree with you.

The reason why this is the case is that the receiver must either
reconstruct or check the message context (with reconstruction being
preferred because it is much safer). Both require application support.
Just blindly trusting the context the message claims is obviously
insecure.

 
> The problems with this have been brought up before:
> 
> - The definition of SuppPubInfo.keyDataLength is self-contradictory if
>   used with HPKE.
> - Using identities safely requires explicit application support.
> - HPKE restrictions on using info (length and combining info and aad).
> - HPKE info is much slower than HPKE aad to process.
> 
> [Hannes] I understand that there is a desire to make things faster but
> I fear we are degrading security. 

Using aad works just as well in causing decryption failure on mismatch
(in fact, even slightly better).

And it is not just speed; it is also the other restrictions on info, like
the 64(!)-byte length limit.

-Ilari
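The contrast above (identities bound through the KDF info versus through the AEAD aad, both failing decryption on mismatch) as an added example that is not part of the thread and not an HPKE implementation: it models HPKE's shape with HKDF-SHA256 and a toy HMAC-based encrypt-then-MAC AEAD, and the shared secret and party identities are constructed values.

```python
# Added example, not from the thread: a stand-in for HPKE's structure
# (KDF over shared secret + info -> AEAD key; AEAD with aad). The shared
# secret is a constructed byte string, HKDF-SHA256 follows RFC 5869, and the
# AEAD is a toy HMAC encrypt-then-MAC. Toy only; it shows the binding effect.
import hmac, hashlib

def hkdf(ikm: bytes, info: bytes, length: int = 64) -> bytes:
    """HKDF-SHA256 with empty salt; `info` is mixed in during expand."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block = b"", b""
    for i in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out += block
    return out[:length]

def _keystream(key: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, b"ks" + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]

def _tag(mac_key: bytes, aad: bytes, ct: bytes) -> bytes:
    return hmac.new(mac_key, len(aad).to_bytes(4, "big") + aad + ct, hashlib.sha256).digest()

def seal(shared_secret: bytes, info: bytes, aad: bytes, pt: bytes) -> bytes:
    """Derive enc/mac keys from (secret, info); one-shot use of each key."""
    k = hkdf(shared_secret, info)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(k[:32], len(pt))))
    return ct + _tag(k[32:], aad, ct)

def open_(shared_secret: bytes, info: bytes, aad: bytes, sealed: bytes):
    """Return plaintext, or None when the tag does not verify."""
    k = hkdf(shared_secret, info)
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, _tag(k[32:], aad, ct)):
        return None  # wrong info (different key) or wrong aad: both land here
    return bytes(a ^ b for a, b in zip(ct, _keystream(k[:32], len(ct))))

SECRET = b"constructed-shared-secret"        # stands in for HPKE's KEM output
IDS = b"PartyU=alice;PartyV=bob"             # constructed party identities
WRONG = b"PartyU=mallory;PartyV=bob"

def bind_via_info(pt: bytes = b"hello") -> tuple:
    """Identities in KDF info: a receiver with wrong identities derives a wrong key."""
    sealed = seal(SECRET, IDS, b"", pt)
    return open_(SECRET, IDS, b"", sealed), open_(SECRET, WRONG, b"", sealed)

def bind_via_aad(pt: bytes = b"hello") -> tuple:
    """Identities in AEAD aad: same key, but the tag check fails on mismatch."""
    sealed = seal(SECRET, b"", IDS, pt)
    return open_(SECRET, b"", IDS, sealed), open_(SECRET, b"", WRONG, sealed)
```

Both functions return the plaintext for the matching receiver and None for the mismatched one; the aad path reaches the failure without re-running the KDF, which is the cost difference the message refers to.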

_______________________________________________
COSE mailing list -- [email protected]
To unsubscribe send an email to [email protected]
