Hi, I think informing users of RFC 9053 about the AEAD-downgrade attack (AKA Lamps attack, cross mode attack) is important. It seems the right thing to do, particularly because of the weight given to informing of similar things in security considerations.
I looked at the IETF security vulnerability process <https://www.ietf.org/process/rfcs/vulnerabilities/>. Errata are one of the options. It seems reasonable here because we are not altering the meaning of RFC 9053. Also, the attack was unknown at the time. Errata seem faster and more efficient than publishing an updating RFC. Note that RFC 9053 is safe if you don't use a non-AEAD cipher.

Here's the proposed text. Comments?

The following paragraph should be added to the beginning of section 4:

   While this document defines no IDs for non-AEAD ciphers, they are permitted in COSE. When considering support for a non-AEAD cipher, the security considerations in [RFC9459] should be thoroughly reviewed. Additionally, consideration should be given to the AEAD downgrade attack described in [AEAD-Downgrade] which is applicable to COSE and can be avoided by never performing decryption with a non-AEAD cipher.

   [AEAD-Downgrade] Falko Strenzke and Johannes Roth, "Legacy Encryption Downgrade Attacks against LibrePGP and CMS", Cryptology ePrint Archive, 2024, <https://eprint.iacr.org/2024/1110>.

   [RFC9459] Housley, R. and H. Tschofenig, "CBOR Object Signing and Encryption (COSE): AES-CTR and AES-CBC", RFC 9459, DOI 10.17487/RFC9459, September 2023, <https://www.rfc-editor.org/rfc/rfc9459>.

Thx, LL
_______________________________________________ COSE mailing list -- [email protected] To unsubscribe send an email to [email protected]
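The downgrade the proposed erratum warns about, shown as an added example that is not part of the original post and is not code from the COSE working group or the cited paper. It models a COSE_Encrypt0-style message with plain Python dicts instead of CBOR, uses a simplified stand-in for the Enc_structure AAD, and refers to algorithms by name (A128GCM, A128CTR from RFC 9459) rather than by their numeric COSE IDs; the key, nonce and plaintext are constructed values. An attacker with no key re-labels an AES-GCM message as AES-CTR, points the CTR counter at GCM's first data counter block (IV || 0x00000002 for a 96-bit IV, so the two modes share a keystream), strips the tag and flips ciphertext bits. A decryptor that honours the non-AEAD algorithm returns attacker-modified plaintext with no error; one that refuses non-AEAD algorithms, as the erratum advises, rejects it. Requires the `cryptography` package.

```python
"""AEAD downgrade against a toy COSE_Encrypt0 (added example, not from the post)."""
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

AEAD_ALGS = {"A128GCM"}        # COSE AEAD algorithm (RFC 9053)
NON_AEAD_ALGS = {"A128CTR"}    # non-AEAD algorithm from RFC 9459: no integrity


def enc_structure(protected: bytes) -> bytes:
    # Simplified stand-in for the COSE Enc_structure (context string,
    # protected header bytes, empty external_aad). Assumption for this demo.
    return b"Encrypt0" + protected


def encrypt_gcm(key: bytes, nonce: bytes, plaintext: bytes) -> dict:
    """Sender: AES-128-GCM with the protected header bound as AAD."""
    protected = b"alg=A128GCM"
    ct_and_tag = AESGCM(key).encrypt(nonce, plaintext, enc_structure(protected))
    return {"protected": protected, "iv": nonce, "ciphertext": ct_and_tag}


def downgrade(msg: dict, flip_at: int, xor_byte: int) -> dict:
    """Attacker (no key): re-label as AES-CTR, reuse the GCM keystream,
    drop the 16-byte tag and flip bits in the ciphertext."""
    ct = bytearray(msg["ciphertext"][:-16])
    ct[flip_at] ^= xor_byte
    # GCM with a 96-bit IV encrypts data starting at counter block IV||0x00000002
    ctr_block = msg["iv"] + b"\x00\x00\x00\x02"
    return {"protected": b"alg=A128CTR", "iv": ctr_block, "ciphertext": bytes(ct)}


def alg_of(msg: dict) -> str:
    return msg["protected"].split(b"=")[1].decode()


def decrypt_naive(key: bytes, msg: dict) -> bytes:
    """Recipient that honours whatever algorithm the header names."""
    alg = alg_of(msg)
    if alg == "A128GCM":
        return AESGCM(key).decrypt(msg["iv"], msg["ciphertext"], enc_structure(msg["protected"]))
    if alg == "A128CTR":
        # CTR verifies nothing: the rewritten header and flipped bits go unnoticed
        d = Cipher(algorithms.AES(key), modes.CTR(msg["iv"])).decryptor()
        return d.update(msg["ciphertext"]) + d.finalize()
    raise ValueError(f"unsupported algorithm {alg}")


def decrypt_hardened(key: bytes, msg: dict) -> bytes:
    """Recipient following the erratum: never decrypt with a non-AEAD cipher."""
    alg = alg_of(msg)
    if alg not in AEAD_ALGS:
        raise ValueError(f"refusing non-AEAD algorithm {alg}")
    return decrypt_naive(key, msg)


def run_demo() -> dict:
    key = bytes(range(16))            # constructed key, fixed for reproducibility
    nonce = b"\x01" * 12              # constructed 96-bit GCM nonce
    plaintext = b"pay 100 to alice"
    genuine = encrypt_gcm(key, nonce, plaintext)
    # flip '1' (0x31) into '9' (0x39) at offset 4
    forged = downgrade(genuine, flip_at=4, xor_byte=0x31 ^ 0x39)

    results = {"naive_genuine": decrypt_naive(key, genuine),
               "naive_forged": decrypt_naive(key, forged)}
    try:
        decrypt_hardened(key, forged)
        results["hardened_forged"] = "accepted"
    except ValueError:
        results["hardened_forged"] = "rejected"

    # The same bit flip without the downgrade is caught by the GCM tag
    tampered = dict(genuine)
    ct = bytearray(genuine["ciphertext"])
    ct[4] ^= 0x31 ^ 0x39
    tampered["ciphertext"] = bytes(ct)
    try:
        decrypt_naive(key, tampered)
        results["gcm_tampered"] = "accepted"
    except InvalidTag:
        results["gcm_tampered"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

The naive recipient returns b"pay 900 to alice" for the forged message because AES-CTR performs no integrity check, so neither the rewritten algorithm header nor the bit flip is detected; the hardened recipient never reaches the cipher. A real COSE implementation would apply the same rule at the point where it dispatches on the protected alg header.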
