On Wed, Nov 08, 2023 at 04:48:57PM +0100, Orie Steele wrote: > > There was an excellent presentation from Falko and Russ in Lamps, that > impacts jose and cose content encryption schemes. > > https://datatracker.ietf.org/meeting/118/session/lamps > > See the slides for attack against aead, and kdf for content encryption. > > In particular we may need to consider adding some binding between the key > and the algorithm, even when using the fully specified algorithms, such as > the recently suggested hpke suites. > > The issue is not whether or not the algorithm is fully specified, it is > whether or not the algorithm is mixed by some kdf to prevent cross mode > attacks on the aead.
COSE/JOSE do have modes where the key is output by KDF. These modes do mix in the algorithm identifier. And when using symmetric keys, the key should specify alg[1]. The issue is with modes that wrap keys. Fixing this is complicated by: 1) There can be multiple parallel key wraps, and all output keys must match. 2) Key wraps usually do not admit associated data. One possible solution would be to have header parameter that causes key to be run through KDF before use at the same layer, only allowed for AEAD ciphers with other recipient type. Bonus points for also handling IVs. [1] I noticed that pretty quick when trying to work with COSE/JOSE implementation, the symmetric keys turn into mess as there is no subtyping. -Ilari _______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
