On Sun, Jan 28, 2024 at 11:55:20AM -0600, Orie Steele wrote:
> 3. The AAD for HPKE Seal and Open MUST be the same as the AAD used
> with AEAD for content encryption ("protected" + "." + "aad" or just
> "protected" in case there is no "jwe aad").
Take a compact HPKE JWE for a 32-byte payload and make a flattened
JWE with the following:
- Protected is the protected header of the original JWE.
- Unprotected contains enc: A256GCM, and ek with the encrypted key of
the original JWE.
- Encrypted key contains the ciphertext of the original JWE.
- Initialization Vector, Ciphertext and Authentication Tag contain
something.
Now try to decrypt that. The result is trying to decrypt the given
IV/ciphertext/tag using the original payload as the key...
Or if the sender has put enc in the unprotected bucket (which is allowed), do
the reverse of the previous. Now the resulting JWE decrypts to the CEK...
I find the second one rather disturbing...
-Ilari
_______________________________________________
jose mailing list
https://www.ietf.org/mailman/listinfo/jose