#8: Direct mode for key agreement needs security analysis
Comment (by [email protected]): Personal Opinion - I have no problems with using the key that is the output of a key agreement directly as the content encryption key. The rules here are going to be the standard ones such as you must make sure that the same key is not going to be generated each time and thus there is a requirement for a random value to be included from the senders side. However there is not going to be a significant difference between the case of using this output to wrap a key vs using this output to wrap a body. I have no issues with this mode of encryption from a cryptography standpoint. I think that a more significant question deals with the processing. Allowing this generates a new path for dealing with processing of messages which potentially complicates the analysis of the code. The requirement exists for doing the key wrap state in the event of multiple recipients and potentially should be a requirement for even the single recipient case. -- -------------------------+------------------------------------------------- Reporter: | Owner: draft-ietf-jose-json-web- [email protected] | [email protected] Type: defect | Status: new Priority: major | Milestone: Component: json-web- | Version: encryption | Resolution: Severity: Active WG | Document | Keywords: | -------------------------+------------------------------------------------- Ticket URL: <http://tools.ietf.org/wg/jose/trac/ticket/8#comment:1> jose <http://tools.ietf.org/jose/> _______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
