Hello,

There was an excellent presentation from Falko and Russ in LAMPS that impacts the JOSE and COSE content encryption schemes.

https://datatracker.ietf.org/meeting/118/session/lamps

See the slides for the attack against AEAD and KDF for content encryption. In particular, we may need to consider adding some binding between the key and the algorithm, even when using the fully specified algorithms, such as the recently suggested HPKE suites. The issue is not whether or not the algorithm is fully specified; it is whether or not the algorithm is mixed in by some KDF to prevent cross-mode attacks on the AEAD.

Some of my language may not be perfect here; I'm still in the LAMPS session where the work was presented.

OS
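An added example, not from the post or any IETF draft, of the mitigation the message points at: the content-encryption key is derived through HKDF (RFC 5869, standard library only) with the AEAD identifier mixed into the `info`, so a key derived for one AEAD cannot be reused under another. The identifier table, the `cek-binding-v1` label and the length-prefixed encoding are assumptions for this illustration, not registered JOSE or COSE values.

```python
import hashlib
import hmac

# Constructed table for this example: AEAD identifier -> key length in bytes.
AEAD_KEY_LEN = {"A128GCM": 16, "A256GCM": 32, "ChaCha20-Poly1305": 32}


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA-256. HMAC zero-pads an empty salt."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(prk, T(i-1) || info || i), i = 1, 2, ..."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_content_key(shared_secret: bytes, aead_alg: str, context: bytes = b"") -> bytes:
    """Bind the AEAD identifier into the KDF so each algorithm gets its own key.

    Fields are length-prefixed so that, e.g., alg "A1" with context "28GCM..."
    cannot produce the same info string as alg "A128GCM" (an encoding ambiguity
    a binding scheme must avoid).
    """
    if aead_alg not in AEAD_KEY_LEN:
        raise ValueError(f"unknown AEAD identifier: {aead_alg!r}")
    alg_bytes = aead_alg.encode("ascii")
    info = (b"cek-binding-v1"  # constructed domain-separation label, not a registered value
            + len(alg_bytes).to_bytes(4, "big") + alg_bytes
            + len(context).to_bytes(4, "big") + context)
    prk = hkdf_extract(b"", shared_secret)
    return hkdf_expand(prk, info, AEAD_KEY_LEN[aead_alg])


if __name__ == "__main__":
    secret = bytes(range(32))  # constructed stand-in for an ECDH/HPKE shared secret
    for alg in AEAD_KEY_LEN:
        print(alg, derive_content_key(secret, alg).hex())
```

Because the recipient re-derives the key from the algorithm named in the protected header, swapping that header to a different AEAD yields a different key and the AEAD tag check fails, rather than the same key being exercised under two modes.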
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
