On Mon, Oct 30, 2023 at 8:20 AM Ilari Liusvaara <[email protected]> wrote:
> On Mon, Oct 30, 2023 at 07:55:09AM -0600, Brian Campbell wrote:
> > On Tue, Oct 24, 2023 at 4:46 AM Ilari Liusvaara <[email protected]> wrote:
> > >
> > > And another is why Direct Encryption REALLY SHOULD NOT be used.
> >
> > Can you say more about why? This is one I don't recall having seen
> > much discussion/criticism about.
>
> Basically, none of the algorithms is suitable for that. Either the
> algorithm has nonces that are too small, or is not meant for bulk
> encryption.
>
> For an algorithm to be suitable for direct encryption, one would need an
> algorithm meant for bulk encryption that is either MRAE or has
> large nonces. There are none currently.

Are the AES_CBC_HMAC_SHA2 Algorithms <https://datatracker.ietf.org/doc/html/rfc7518#section-5.2> in JWE unsafe with Direct Encryption? I guess that asking the question does suggest that more guidance would be useful. But I've generally assumed that it was okay. JWA does kinda mention nonce/IV reuse and limiting the number of invocations in its AES GCM Security Considerations <https://datatracker.ietf.org/doc/html/rfc7518#section-8.4>, but that's only about GCM.

> The problem does not extend to modes with KDF, because the KDF makes
> things behave like there was a large nonce.
>
> -Ilari
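As an added illustration of the "nonces that are too small" point in the exchange above (not code from the thread, from RFC 7518, or from any JOSE library), the Python below computes the birthday bound on random-IV collision when one static "dir" key encrypts many messages, for the 96-bit IV of the JWE AES-GCM algorithms and the 128-bit IV of AES_CBC_HMAC_SHA2. The per-message uniformly random IV and the 2^-32 acceptable-collision threshold are assumptions.

```python
"""Random-IV collision bound under JWE direct ("dir") encryption.

Assumptions (not from the thread): each message draws its IV uniformly at
random, and an acceptable collision probability is 2^-32 (the figure NIST
SP 800-38D applies to random 96-bit GCM IVs).  The bound used is the
union bound p <= n(n-1) / 2^(b+1), which slightly over-estimates the true
collision probability, so the message limits it yields are conservative.
"""
from fractions import Fraction
from math import isqrt

# IV widths, in bits, of the JWE content-encryption families in the thread.
NONCE_BITS = {
    "A128GCM/A192GCM/A256GCM": 96,
    "A128CBC-HS256/A192CBC-HS384/A256CBC-HS512": 128,
}


def collision_bound(n_messages: int, nonce_bits: int) -> Fraction:
    """Upper bound on Pr[some IV repeats] after n_messages messages under
    one key, with nonce_bits-bit IVs drawn uniformly at random."""
    if n_messages < 2:
        return Fraction(0)
    pairs = n_messages * (n_messages - 1) // 2   # pairs that could collide
    return Fraction(pairs, 2 ** nonce_bits)      # each pair collides w.p. 2^-b


def max_messages(nonce_bits: int, max_prob: Fraction) -> int:
    """Largest n with collision_bound(n, nonce_bits) <= max_prob, i.e. the
    number of messages one 'dir' key may protect before the bound is hit.
    Solves n(n-1)/2 <= max_prob * 2^b exactly in integer arithmetic."""
    budget = max_prob * 2 ** nonce_bits          # colliding pairs allowed
    n = isqrt(int(2 * budget)) + 1               # start just above the root
    while collision_bound(n, nonce_bits) > max_prob:
        n -= 1                                   # at most a step or two
    return n


def report(max_prob: Fraction = Fraction(1, 2 ** 32)) -> dict:
    """Per algorithm family: messages allowed under a single 'dir' key
    before the collision bound exceeds max_prob."""
    return {name: max_messages(bits, max_prob)
            for name, bits in NONCE_BITS.items()}


if __name__ == "__main__":
    for name, limit in report().items():
        print(f"{name}: about 2^{limit.bit_length() - 1} messages per key")
```

With a 96-bit IV the 2^-32 threshold is reached after roughly 2^32 messages under one key, while a 128-bit IV gives on the order of 2^48; the KDF-based modes Ilari mentions avoid the question by deriving a fresh key per message.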
