On Wed, Feb 28, 2024 at 07:55:24AM -0600, Orie Steele wrote:
> For HPKE, we can simplify things and protect against the attack by:
<snip stuff that does not work>
> What do you think?
What you are proposing does not work.
1) HPKE already mixes in enc, there is no reason to do it again, that
just breaks some HPKE libraries for no good reason.
IE and KE are so massively different that aligning the two is not
a good reason.
2) Mixing anything between levels will lead to severe implementation
problems.
The best way to break existing implementations is to throw an
unexpected curveball. And this is one.
3) ?OSE-HPKE can do nothing with the oracle attack.
a) In JOSE, no action is needed, JWE already blocks the attack.
b) In COSE, it needs separate document to fix.
The "fix" you gave just does not work.
4) Crossmode attack is easy to solve.
a) In JOSE-HPKE, HPKE AAD needs to be fixed by KE to some value that
can not happen in IE.
b) In COSE, it is already solved by Enc_structure context field.
Doing that with JOSE-HPKE will also solve the more severe cross-layer
mixing issue.
The simplest HPKE AAD stuff that actually works is:
* JOSE/IE: HPKE AAD constructed as in JWE section 5.1. step 14.
* JOSE/KE: HPKE AAD is fixed string "Key Encryption".
* COSE: HPKE AAD is CDE of Enc_Structure, just like for symmetric AEAD.
External_aad only applies to layer 0.
Just ignore the oracle (AES-CTR/AES-CBC) attack for this. Fixing that
(in COSE) is separate issue.
-Ilari
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
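An added example, not from the mail above or from any JOSE/COSE-HPKE draft: a sketch of the three HPKE AAD constructions Ilari lists (JWE section 5.1 step 14 for JOSE integrated encryption, the fixed "Key Encryption" string for JOSE key encryption, and the CBOR deterministic encoding of Enc_structure for COSE), plus the check behind his cross-mode argument, namely that the KE string can never equal an IE AAD because an IE AAD contains only base64url characters and '.'. The JWE header values, the protected-header bytes and the minimal CBOR encoder are constructed here for illustration; the COSE context strings are the ones defined in RFC 9052 section 5.3.

```python
"""Illustration of HPKE AAD domain separation between JOSE IE, JOSE KE and COSE.

Added example; the functions, header values and byte strings below are
constructed for this sketch and are not taken from the mail or any draft.
"""
import base64
import json
from typing import Optional

# Characters that can appear in a JWE AAD: base64url alphabet plus the '.' separator.
B64URL_ALPHABET = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)


def b64url(data: bytes) -> str:
    """Unpadded base64url as JOSE uses it (RFC 7515 appendix C)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jose_ie_aad(protected_header: dict, jwe_aad: Optional[bytes] = None) -> bytes:
    """JOSE integrated encryption: RFC 7516 section 5.1 step 14.

    AAD = ASCII(BASE64URL(UTF8(JWE Protected Header))), and when the JWE
    carries its own AAD, '.' || BASE64URL(JWE AAD) is appended.
    """
    encoded = b64url(json.dumps(protected_header, separators=(",", ":")).encode("utf-8"))
    if jwe_aad is not None:
        encoded += "." + b64url(jwe_aad)
    return encoded.encode("ascii")


# Fixed AAD for JOSE key encryption, as proposed in the mail.
JOSE_KE_AAD = b"Key Encryption"


def could_be_ie_aad(aad: bytes) -> bool:
    """True if every byte could occur in an IE AAD (base64url chars or '.').

    Any other byte, such as the space in "Key Encryption", guarantees the
    KE AAD never collides with an IE AAD, which is the cross-mode fix.
    """
    return all(b in B64URL_ALPHABET or b == 0x2E for b in aad)


def _cbor_head(major_type: int, length: int) -> bytes:
    """Shortest-form CBOR head (RFC 8949 section 4.2.1), lengths below 2**32."""
    if length < 24:
        return bytes([(major_type << 5) | length])
    if length < 0x100:
        return bytes([(major_type << 5) | 24, length])
    if length < 0x10000:
        return bytes([(major_type << 5) | 25]) + length.to_bytes(2, "big")
    return bytes([(major_type << 5) | 26]) + length.to_bytes(4, "big")


def cbor_tstr(s: str) -> bytes:
    data = s.encode("utf-8")
    return _cbor_head(3, len(data)) + data


def cbor_bstr(b: bytes) -> bytes:
    return _cbor_head(2, len(b)) + b


def cbor_array(items) -> bytes:
    return _cbor_head(4, len(items)) + b"".join(items)


# Context strings for Enc_structure, RFC 9052 section 5.3.
COSE_CONTEXTS = ("Encrypt", "Encrypt0", "Enc_Recipient", "Mac_Recipient", "Rec_Recipient")


def cose_enc_structure(context: str, protected: bytes, external_aad: bytes = b"") -> bytes:
    """CDE of Enc_structure = [context, protected, external_aad].

    The context string separates the layers, so the same HPKE key material
    authenticates different AAD at layer 0 and in a recipient structure.
    external_aad is only meaningful at layer 0; recipient layers pass b"".
    """
    if context not in COSE_CONTEXTS:
        raise ValueError(f"unknown Enc_structure context {context!r}")
    return cbor_array([cbor_tstr(context), cbor_bstr(protected), cbor_bstr(external_aad)])


if __name__ == "__main__":
    hdr = {"alg": "dir", "enc": "A128GCM"}  # constructed header, RFC 7518 names
    print("IE AAD :", jose_ie_aad(hdr, b"abc"))
    print("KE AAD :", JOSE_KE_AAD, "collides with IE?", could_be_ie_aad(JOSE_KE_AAD))
    print("COSE   :", cose_enc_structure("Encrypt", bytes.fromhex("a10101")).hex())
```

Run as a script it prints the three AAD values; the interesting line is that the KE string is rejected by could_be_ie_aad while every IE AAD is accepted, so the two modes cannot be confused by swapping ciphertexts. The CBOR encoder only covers the three types Enc_structure needs and lengths below 2**32.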