Hello,

There was an excellent presentation from Falko and Russ in LAMPS that
impacts JOSE and COSE content encryption schemes.

https://datatracker.ietf.org/meeting/118/session/lamps

See the slides for attack against AEAD, and KDF for content encryption.

In particular, we may need to consider adding some binding between the key
and the algorithm, even when using the fully specified algorithms, such as
the recently suggested HPKE suites.

The issue is not whether or not the algorithm is fully specified; it is
whether or not the algorithm is mixed by some KDF to prevent cross-mode
attacks on the AEAD.

Some of my language may not be perfect here; I'm still in the LAMPS session
where the work was presented.

OS
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
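
An added illustration of the key/algorithm binding discussed in the message above (not part of the original e-mail or the LAMPS slides): the content-encryption key is derived with HKDF-SHA256 (RFC 5869), with the JOSE "enc" identifier mixed into the info input, so one shared key yields unrelated keys per AEAD mode. The `derive_cek` name, the label string and the info layout are assumptions made for this example.

```python
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes

# Key lengths in bytes for JOSE "enc" values (RFC 7518, section 5.1).
KEY_LEN = {"A128GCM": 16, "A256GCM": 32,
           "A128CBC-HS256": 32, "A256CBC-HS512": 64}


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step; an empty salt means HASH_LEN zero bytes."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_cek(shared_key: bytes, enc: str) -> bytes:
    """Derive a content-encryption key bound to the algorithm `enc`.

    Hypothetical construction: the info string carries a fixed label,
    the length-prefixed algorithm identifier and the output length, so
    a key derived for one mode cannot be reused under another.
    """
    if enc not in KEY_LEN:
        raise ValueError(f"unsupported enc value: {enc!r}")
    n = KEY_LEN[enc]
    name = enc.encode("ascii")
    info = (b"cek-binding-example" + bytes([len(name)]) + name
            + n.to_bytes(2, "big"))
    return hkdf_expand(hkdf_extract(b"", shared_key), info, n)


if __name__ == "__main__":
    shared = bytes(range(32))  # constructed sample key, not a real secret
    for enc in KEY_LEN:
        print(enc, derive_cek(shared, enc).hex())
```

Without the identifier in `info`, the A256GCM and A128CBC-HS256 keys would be the same 32 bytes, which is the situation the binding is meant to rule out.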