Ilari, What I meant by "the underlying polymorphic algorithm families" is the fact that AES-KW (not the COSE code points) can operate with many combinations of KEK lengths and CEK lengths. Implementations of these (for example in Python cryptography [2]) do not restrict combinations of lengths.
The COSE algorithm code points are meant for three specific input KEK lengths, which are described in Table 13 of RFC 9053, but there isn't an actual normative statement to enforce this. So is this the responsibility for an implementation of COSE to enforce based on the non-normative algorithm descriptions? I understand that this is picking nits, but have run into this a couple of times inadvertently when testing. It seems like a stronger normative statement about this kind of constraint is meaningful for an implementer. Brian S. [2] https://github.com/pyca/cryptography/blob/main/src/cryptography/hazmat/primitives/keywrap.py#L39 > -----Original Message----- > From: [email protected] <[email protected]> > Sent: Friday, November 21, 2025 2:38 PM > To: cose <[email protected]> > Subject: [COSE] Re: [EXT] Re: RFC 9053 checks on symmetric key length > > APL external email warning: Verify sender [email protected] > before clicking links or attachments > > On Fri, Nov 21, 2025 at 04:19:06PM +0000, Sipos, Brian J. wrote: > > Ilari, > > Yes, the issue that I ran into this discrepancy is the fact that the > > underlying (polymorphic) algorithm families (i.e. general AES-KW) do > > accept input keys of any length (provided they are valid for AES), and > > the crypto-function implementation I am using also will accept input > > keys of whatever you provide. But the COSE algorithm code point -5 > > described as "AES Key Wrap w/ 256-bit key" strongly implies that the > > input key is 256-bit as well, and the COSE library I'm using does not > > enforce this because... it just isn't explicitly defined anywhere AFAIK. > > AES-KW does not seem polymorphic, all the A*KW algorithms take fixed- > length key: 32 bytes for -5, 24 bytes for -4 and 16 bytes for -3. > > However, AES-KW can encrypt any multiple of 8 bytes, so ciphertext length > can vary. > > Checking the alg registry, seems like every algorithm taking symmetric key > either takes key of fixed 16/24/32 bytes (anything based on AES or > Chacha20), or key of (practically) any length (anything based on HMAC). > > > > > -Ilari > > _______________________________________________ > COSE mailing list -- [email protected] > To unsubscribe send an email to [email protected]
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ COSE mailing list -- [email protected] To unsubscribe send an email to [email protected]
