On Wed, Jan 24, 2024 at 08:09:41AM -0600, Orie Steele wrote:
> I will open a new PR that just uses the hkdf, and add some details so it is
> easier to compare approaches.
>
> I feel like the hkdf approach does not work when you communicate the key
> using key wrapping, and it is not generated from ECDH, but better examples
> will hopefully make this clearer.
There are two different attacks:

1) JOSE-HPKE crossmode attack.
2) CTR/CBC oracle attack (LAMPS slide deck).

Adding an extra KDF step does absolutely nothing to stop 1), because the problem is in the HPKE aad construction for Key Encryption.

And JWE without JOSE-HPKE is not vulnerable to 2). However, JOSE-HPKE allows ignoring enc, which may allow that attack.

Adding a KDF step really seems useful only with Direct Encryption (due to the GCM nonce-too-short problem). And the KDF step should work fine with everything but Direct Key Agreement. However, it is unnecessary in that case, as DKA already binds the algorithm.

(For comparison with COSE-HPKE, use of enc_structure blocks the crossmode attack, but COSE is vulnerable to the CTR/CBC oracle attack. Fixing the latter would require adding a KDF step between the input key and encryption.)

-Ilari

_______________________________________________
jose mailing list
https://www.ietf.org/mailman/listinfo/jose
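The message above argues that a KDF step between the input key and the content encryption is what binds the derived key to the algorithm it is used with, which is the property Direct Key Agreement already gets from the Concat KDF in RFC 7518. The block below is an added illustration of that idea and is not code from the JOSE-HPKE draft, the referenced PR, or either author: it implements RFC 5869 HKDF from the standard library and derives a content-encryption key whose HKDF info field carries the JWE `alg` and `enc` values, so the same input key yields unrelated keys under different algorithms. The `derive_cek` info layout (a constructed label plus length-prefixed `alg` and `enc` strings) is an assumption of this example, not any specification's construction.

```python
import hashlib
import hmac


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """RFC 5869 HKDF: HMAC-based extract-then-expand."""
    hash_len = hashlib.new(hash_name).digest_size
    if not salt:
        # RFC 5869 section 2.2: an absent salt is a string of HashLen zeros.
        salt = b"\x00" * hash_len
    if length > 255 * hash_len:
        raise ValueError("requested output too long for HKDF-Expand")
    prk = hmac.new(salt, ikm, hash_name).digest()          # HKDF-Extract
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:                               # HKDF-Expand
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def _length_prefixed(value: str) -> bytes:
    """Two-byte big-endian length prefix so ("A", "BC") and ("AB", "C") cannot collide."""
    raw = value.encode("utf-8")
    return len(raw).to_bytes(2, "big") + raw


def derive_cek(input_key: bytes, alg: str, enc: str, length: int = 32) -> bytes:
    """Derive a content-encryption key bound to the JWE 'alg' and 'enc' values.

    Hypothetical construction for this example: the algorithm identifiers go into
    the HKDF info, so a key derived for one (alg, enc) pair is unrelated to the key
    for any other pair, even when the input key material is identical.
    """
    info = b"example-jwe-cek-binding" + _length_prefixed(alg) + _length_prefixed(enc)
    return hkdf(input_key, salt=b"", info=info, length=length)


def keys_differ(input_key: bytes, pair_a: tuple, pair_b: tuple) -> bool:
    """True when two (alg, enc) pairs derive different keys from the same input key."""
    return derive_cek(input_key, *pair_a) != derive_cek(input_key, *pair_b)


if __name__ == "__main__":
    # Constructed input key; in practice this would be the wrapped or agreed key.
    shared = bytes(range(32))
    print("A256GCM     :", derive_cek(shared, "dir", "A256GCM").hex())
    print("A128CBC-HS256:", derive_cek(shared, "dir", "A128CBC-HS256", length=32).hex())
    print("differ:", keys_differ(shared, ("dir", "A256GCM"), ("dir", "A128CBC-HS256")))
```

Because the `enc` value is an input to the derivation, a ciphertext produced under one content-encryption algorithm cannot be reinterpreted under another with the same key; the recipient that honours the header derives a different key and fails authentication. This is exactly the property the message says a KDF step buys, and also why it adds nothing against a flaw in how the HPKE aad is constructed, since that binding happens in a different layer.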
