Concat KDF in draft-ietf-jose-json-web-algorithms-12 can now conform to how NIST SP 800-56A defines it. Yay!
The (last?) issue with Concat KDF is whether or not the recipient needs to verify that PartyVInfo is actually about them. As currently specified, the recipient of a JOSE message can (and will) mechanically copy the “apu” and “apv” values into the Concat KDF calculation. The recipient will not bother looking “inside” these values, because the spec doesn’t require it. In contrast, the recipient will look “inside” the AlgorithmID value as it is used to select the encryption algorithm. I suspect Concat KDF only achieves the security it is designed to deliver when the recipient does verify PartyVInfo so I doubt Concat KDF is secure as specified. -- James Manger
jose mailing list: https://www.ietf.org/mailman/listinfo/jose
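As an added illustration (not code from the mailing-list thread or from any JOSE implementation), the following Python implements the Concat KDF as JWA specifies it for ECDH-ES direct key agreement (SHA-256 single-step KDF from NIST SP 800-56A, with OtherInfo = AlgorithmID || PartyUInfo || PartyVInfo || SuppPubInfo, the first three fields length-prefixed and AlgorithmID being the "enc" value) and contrasts a recipient that mechanically copies "apu"/"apv" from the header with one that refuses to derive a key unless PartyVInfo names it. The shared secret Z, the party names and the header values are constructed samples; `derive_checked` and `accepts` are hypothetical helpers showing the check the post says the draft does not require.

```python
import base64
import hashlib
import math
import struct

# Constructed sample: stands in for the ECDH shared secret Z (not a real test vector).
SAMPLE_Z = bytes(range(32))

# Key length (bits) the JWA content-encryption algorithms expect; used as keydatalen.
KEY_BITS = {"A128GCM": 128, "A256GCM": 256}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def len_prefixed(data: bytes) -> bytes:
    """Datalen || Data with a 32-bit big-endian length, as the OtherInfo fields are encoded."""
    return struct.pack(">I", len(data)) + data


def build_other_info(alg_id: str, party_u: bytes, party_v: bytes, keydatalen_bits: int) -> bytes:
    """OtherInfo = AlgorithmID || PartyUInfo || PartyVInfo || SuppPubInfo (keydatalen as 32-bit BE)."""
    return (len_prefixed(alg_id.encode("ascii"))
            + len_prefixed(party_u)
            + len_prefixed(party_v)
            + struct.pack(">I", keydatalen_bits))


def concat_kdf(z: bytes, other_info: bytes, keydatalen_bits: int) -> bytes:
    """NIST SP 800-56A single-step KDF with SHA-256:
    K = H(1 || Z || OtherInfo) || H(2 || Z || OtherInfo) || ... truncated to keydatalen bits."""
    reps = math.ceil(keydatalen_bits / 256)
    blocks = (hashlib.sha256(struct.pack(">I", i) + z + other_info).digest()
              for i in range(1, reps + 1))
    return b"".join(blocks)[: keydatalen_bits // 8]


def sender_header(enc: str, party_u: bytes, party_v: bytes) -> dict:
    """Constructed JWE protected header as ECDH-ES carries apu/apv (base64url, no padding)."""
    return {"alg": "ECDH-ES", "enc": enc,
            "apu": b64url_encode(party_u), "apv": b64url_encode(party_v)}


def derive_unchecked(z: bytes, header: dict) -> bytes:
    """The behaviour the post describes: apu and apv copied straight into the KDF input."""
    bits = KEY_BITS[header["enc"]]
    info = build_other_info(header["enc"],
                            b64url_decode(header["apu"]),
                            b64url_decode(header["apv"]), bits)
    return concat_kdf(z, info, bits)


def derive_checked(z: bytes, header: dict, my_identity: bytes) -> bytes:
    """Hypothetical recipient that insists PartyVInfo identifies it before deriving."""
    if b64url_decode(header["apv"]) != my_identity:
        raise ValueError("apv does not identify this recipient")
    return derive_unchecked(z, header)


def accepts(z: bytes, header: dict, my_identity: bytes) -> bool:
    """True if the checking recipient would derive a key for this header."""
    try:
        derive_checked(z, header, my_identity)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    hdr = sender_header("A128GCM", b"Alice", b"Bob")
    print("unchecked recipient key:", derive_unchecked(SAMPLE_Z, hdr).hex())
    print("Bob accepts:", accepts(SAMPLE_Z, hdr, b"Bob"))
    print("Carol accepts:", accepts(SAMPLE_Z, hdr, b"Carol"))
```

Both recipients compute the same key when the header is honest; the difference is only that the checking recipient ties the derived key to an identity it actually holds, rather than to whatever apv the sender chose to put in the header.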
