On Wed, Jun 18, 2025 at 02:27:46PM -0700, Sophie Schmieg wrote:
> With the draft as written, I'm not certain if there isn't a cross-protocol
> attack present when the same public key can be used both in direct mode and
> in key encryption mode, as the info field of HPKE is not used. Basically, I
> think with the draft as written I can take a direct mode encrypted message
> and reframe it as a key encryption mode message, now using the direct
> message as encryption key.

Trying to decrypt messages in the wrong direct/key-encryption mode will inevitably cause the HPKE AAD to mismatch (causing decryption failure with very high probability). Direct mode HPKE AAD always starts with 0x83 "hEncrypt0", while key encryption mode HPKE AAD always starts with 0x84 "iRecipient".

However, there is one potential confusion, between key encrypted and key encrypted / key wrapped modes (the latter makes little sense). The simplest way to prevent this would be to add a layer number to the recipient context.

> Given that HPKE (and COSE counterpart) are not authenticated in the
> first place, I'm not certain whether this actually is exploitable,

I did come up with a potential exploit for this that could work with a badly enough done application (and there are plenty of very badly done applications).

The KE / KE-KW confusion seems virtually impossible to exploit, since key wraps presumably change the key, and key wraps use yet another different AAD.

-Ilari
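The following is an added illustration, not code from the thread or from the COSE-HPKE draft. It uses a minimal CBOR encoder to build the two AAD values Ilari describes, shows that direct mode yields the leading bytes 0x83 "hEncrypt0" (3-element array, 8-byte text string) while key encryption mode yields 0x84 "iRecipient" (4-element array, 9-byte text string), and then runs a toy encrypt-then-MAC stand-in for the HPKE AEAD to show that a ciphertext sealed under the direct-mode AAD fails authentication when a receiver rebuilds the AAD for key encryption mode. The thread gives only the array lengths and context strings, so the serialized protected header, the external AAD, and the fourth element of the recipient-mode array are constructed placeholders, and the toy AEAD is not the real HPKE cipher suite.

```python
import hashlib
import hmac

# Minimal CBOR encoder covering what a COSE Enc_structure-style array needs:
# unsigned ints, byte strings, text strings, and arrays (RFC 8949 head encoding).
def _cbor_head(major: int, length: int) -> bytes:
    if length < 24:
        return bytes([(major << 5) | length])
    if length < 0x100:
        return bytes([(major << 5) | 24, length])
    if length < 0x10000:
        return bytes([(major << 5) | 25]) + length.to_bytes(2, "big")
    raise ValueError("length not supported by this minimal encoder")

def cbor_encode(value) -> bytes:
    if isinstance(value, bool) or not isinstance(value, (int, bytes, str, list)):
        raise TypeError("unsupported CBOR value in this minimal encoder")
    if isinstance(value, int):
        if value < 0:
            raise ValueError("negative ints not supported here")
        return _cbor_head(0, value)
    if isinstance(value, bytes):
        return _cbor_head(2, len(value)) + value
    if isinstance(value, str):
        data = value.encode("utf-8")
        return _cbor_head(3, len(data)) + data
    return _cbor_head(4, len(value)) + b"".join(cbor_encode(v) for v in value)

def direct_mode_aad(protected: bytes, external_aad: bytes) -> bytes:
    # Direct mode: 3-element array with context "Encrypt0" -> bytes 0x83 0x68 "Encrypt0".
    return cbor_encode(["Encrypt0", protected, external_aad])

def key_encryption_mode_aad(protected: bytes, external_aad: bytes, extra: bytes) -> bytes:
    # Key encryption mode: 4-element array with context "Recipient" -> 0x84 0x69 "Recipient".
    # The thread does not say what the fourth element is; `extra` is a constructed placeholder.
    return cbor_encode(["Recipient", protected, external_aad, extra])

# Toy AEAD stand-in (NOT HPKE's real AEAD): SHA-256 counter keystream + HMAC over (aad, ct).
# Its only job here is to bind the AAD to the tag the way any AEAD does.
def _keystream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def _tag(key: bytes, aad: bytes, ct: bytes) -> bytes:
    # Length-prefix the AAD so (aad, ct) boundaries are unambiguous.
    return hmac.new(key, len(aad).to_bytes(4, "big") + aad + ct, "sha256").digest()[:16]

def toy_seal(key: bytes, aad: bytes, plaintext: bytes) -> bytes:
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + _tag(key, aad, ct)

def toy_open(key: bytes, aad: bytes, sealed: bytes):
    ct, tag = sealed[:-16], sealed[-16:]
    if not hmac.compare_digest(tag, _tag(key, aad, ct)):
        return None  # AAD or ciphertext does not match what was sealed
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))

def reframing_rejected() -> bool:
    """Seal under the direct-mode AAD, then check that the same bytes, when a
    receiver treats them as a key-encryption-mode message (same HPKE shared
    secret, different AAD), fail authentication, while the correct mode opens."""
    key = hashlib.sha256(b"constructed HPKE shared secret").digest()
    protected = b"\xa1\x01\x00"   # constructed placeholder: serialized header map {1: 0}
    external_aad = b""
    direct_aad = direct_mode_aad(protected, external_aad)
    sealed = toy_seal(key, direct_aad, b"constructed plaintext")
    ke_aad = key_encryption_mode_aad(protected, external_aad, b"")
    wrong_mode = toy_open(key, ke_aad, sealed)
    right_mode = toy_open(key, direct_aad, sealed)
    return wrong_mode is None and right_mode == b"constructed plaintext"

if __name__ == "__main__":
    print(direct_mode_aad(b"\xa1\x01\x00", b"")[:10].hex())        # 83 68 "Encrypt0"
    print(key_encryption_mode_aad(b"\xa1\x01\x00", b"", b"")[:11].hex())  # 84 69 "Recipient"
    print("reframed message rejected:", reframing_rejected())
```

The first byte alone already separates the two modes (array of 3 versus array of 4), and the context string separates them again, so any AEAD that authenticates its AAD rejects the reframed message regardless of the remaining array elements. The same construction shows why Ilari's proposed layer number in the recipient context would separate the KE and KE-KW cases: it is one more element that the AAD, and hence the tag, would commit to.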
