On Sun, Jan 28, 2024 at 06:03:48PM -0600, Orie Steele wrote:
> Has this issue been addressed in JWE prior to HPKE?

Actually, there is an existing problem with AES-GCM Key Wrapping. For
recipients using A???GCMKW, it is possible to construct a JWE that
successfully decrypts to the CEK. Might be worth defining new versions
of those with that issue fixed. But then, GCMKW is a bit of a footgun
anyway.

> It seems like simply saying, when an hpke alg value is in a protected
> header, there must not be an enc value in the protected header, solves this.

Nope. Protected alg + unprotected enc is legal but very weird, and still
suffers from the second problem (decrypt ot .

The proper way to solve this is to use fixed aad that can not collide
with top-level aad.

> You will know which serialization you are using with HPKE JWE because the
> protected headers are always used as AAD to seal and open, so any attempt
> to switch from one to the other ( by switching alg and enc ) will break and
> those operations.

You don't, because aad does not depend on serialization!

> I think it's best for us to avoid creating new serializations if possible.

Yes.

> This means compact is single recipient, and JSON is multiple recipient or
> single recipient.

There is also flattened, which is single recipient (supporting things
like JWE aad and unprotected headers, which compact does not).

> Even if we removed the "only alg or enc, never both criteria", I am not
> sure it would be a problem.

Many attack papers have involved very much nontrivial stuff. E.g., the
recent SSH attack paper.


-Ilari

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
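Added example, not part of the thread above and not code from the JOSE working group or any draft: it computes the Additional Authenticated Data that RFC 7516 (section 5.1, step 14) feeds to the content-encryption AEAD, namely ASCII(BASE64URL(UTF8(protected header))), extended with "." || BASE64URL(aad) only when a JWE AAD member is present. Deriving that value from a compact and from a JSON-serialized JWE built over the same protected header shows Ilari's point that the AAD does not depend on the serialization. The `could_collide_with_top_level_aad` check is my own illustration of the "fixed aad that can not collide with top-level aad" idea: since the top-level AAD is always base64url text plus at most one ".", a fixed label containing any byte outside that alphabet cannot equal it. The header values and the all-zero ciphertext segments are constructed placeholders.

```python
import base64
import json
from typing import Optional


def b64url(data: bytes) -> str:
    """BASE64URL without padding, as used throughout JOSE (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwe_aad(protected: dict, aad: Optional[bytes] = None) -> bytes:
    """AAD for the content-encryption AEAD (RFC 7516 section 5.1, step 14).

    Without a JWE AAD: ASCII(BASE64URL(UTF8(protected header))).
    With a JWE AAD (JSON serialization only): ASCII(encoded || '.' || BASE64URL(aad)).
    """
    encoded = b64url(json.dumps(protected, separators=(",", ":")).encode("utf-8"))
    if aad is None:
        return encoded.encode("ascii")
    return (encoded + "." + b64url(aad)).encode("ascii")


def aad_from_compact(compact: str) -> bytes:
    """Compact serialization: the AAD is the first dot-separated segment (encoded protected header)."""
    encoded_protected = compact.split(".", 4)[0]
    return encoded_protected.encode("ascii")


def aad_from_json(jwe: dict) -> bytes:
    """JSON serialization (general or flattened): same encoded protected header,
    followed by '.' || BASE64URL(aad) only if the optional "aad" member is present."""
    value = jwe["protected"]
    if "aad" in jwe:
        value += "." + jwe["aad"]
    return value.encode("ascii")


def build_both_serializations(protected: dict) -> tuple:
    """Construct a compact and a flattened-JSON JWE over the same protected header.
    Ciphertext-bearing segments are constructed all-zero placeholders, not real AEAD output."""
    encoded = b64url(json.dumps(protected, separators=(",", ":")).encode("utf-8"))
    placeholder = b64url(b"\x00" * 16)
    compact = ".".join([encoded, placeholder, placeholder, placeholder, placeholder])
    json_form = {
        "protected": encoded,
        "encrypted_key": placeholder,
        "iv": placeholder,
        "ciphertext": placeholder,
        "tag": placeholder,
    }
    return compact, json_form


# Every byte the top-level JWE AAD can contain: base64url alphabet plus the '.' separator.
JOSE_AAD_ALPHABET = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_."
)


def could_collide_with_top_level_aad(fixed_aad: bytes) -> bool:
    """Conservative check: True if every byte of fixed_aad lies in the alphabet the
    top-level JWE AAD is drawn from, so a collision cannot be ruled out by inspection.
    A single byte outside that alphabet (e.g. 0x00) guarantees the two can never be equal."""
    return all(b in JOSE_AAD_ALPHABET for b in fixed_aad)


if __name__ == "__main__":
    # Constructed header using registered JWA identifiers; any header shows the same property.
    hdr = {"alg": "ECDH-ES+A256KW", "enc": "A256GCM"}
    compact, json_form = build_both_serializations(hdr)
    print("compact AAD == JSON AAD:", aad_from_compact(compact) == aad_from_json(json_form))
    print("label with NUL byte can collide:", could_collide_with_top_level_aad(b"hpke-jwe\x00label"))
```

Switching a message between compact and JSON form leaves `aad_from_*` identical, so the AEAD tag cannot distinguish the two; only an explicit JWE "aad" member (JSON only) changes the value, and it does so by appending to the same protected-header prefix rather than replacing it.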
