Thanks Lawrence,
For what it's worth, based on discussions in the JOSE WG meeting on Monday, the
next draft will not include the ECDH algorithm registration -52 that you're
referring to (or any other ECDH registrations).
I obviously fully support dealing with cross-mode attacks in COSE. But the
Fully-Specified Algorithms draft looks like it's not going to be a place to do this.
Best wishes,
-- Mike
From: lgl island-resort.com <[email protected]>
Sent: Thursday, July 25, 2024 12:14 PM
To: cose <[email protected]>
Subject: [COSE] fully specified algorithm and cross-mode attack
This draft was handled in the JOSE WG, but makes a change to COSE:
https://www.ietf.org/archive/id/draft-ietf-jose-fully-specified-algorithms-03.html.
It defines alg ID -52 that would kind of replace -29. Fully-specified seems
the way of the future here in the halls of the IETF.
After looking at Ken's nice diagram, it seems to me that most of the content
key distribution methods for encryption defined in RFC 9053 section 6
<https://www.rfc-editor.org/rfc/rfc9053.html#name-content-key-distribution-me>
are subject to the cross-mode attack (the one presented in LAMPS in Prague).
Both the Recipient_structure fix I proposed and the KDF fix that Hannes proposed
are applicable to content key distribution methods and will require a new
algorithm ID.
It seems like we should do one set of new algorithm IDs that addresses both.
For example, -52 would be fully specified and would have a fix for the
cross-mode attack.
This is a lot of work. We probably should continue to focus on COSE-HPKE first,
but keep the rest in mind as coming next.
LL