On Wed, Feb 28, 2024 at 02:08:50PM -0600, Orie Steele wrote:
> * JOSE/KE: HPKE AAD is fixed string "Key Encryption".
>
> ^ This seems less good than using the protected header,
> which already includes the "alg" for which you are encrypting the key,
> which implies and specifies more precisely that you are indeed doing key
> encryption.
> It also keeps JOSE IE and JOSE KE relying on similar AAD structures.
- that might be unsafe.
- that is a breaking change (by introducing layer-mixing).
- "enc" is not necessarily protected, because it does not need to be.
> I also think it's a mistake to invent a new and confusing mode "called JOSE
> IE", when it's really just "direct encryption" for HPKE.
>
> ```
> { alg: dir, enc: HPKE...A128GCM }
> ```
That has very specific meaning in JWE. And it is definitely not of the
correct kind.
JWE requirements imply that if { alg: dir, enc: HPKE...A128GCM } is
legal, then { alg: ECDH-ES, enc: HPKE...A128GCM } is also legal. But
the latter tries to derive the HPKE key from Direct Key Agreement, which is
absurd. Contradiction. Therefore { alg: dir, enc: HPKE...A128GCM } cannot
be legal. Q.E.D.
> * COSE: HPKE AAD is CDE of Enc_Structure, just like for symmetric AEAD.
>
> ^ I do not understand how this proposal secures both the recipient
> protected header, and the top level protected header, while addressing the
> oracle attack.
It does not. Because the only way to address the oracle attack without
breaking changes is via a totally different kind of mechanism.
> Since HPKE is new, we don't have to forward the vulnerable 2 layer behavior
> for the case where all algorithms in a 2 layer are HPKE algs.
>
> We cannot fix the oracle attack in a "mixed alg" 2 layer cose structure,
> because it would require breaking changes.
Just fixing it for HPKE would already require breaking changes (by
introducing layer-mixing).
-Ilari
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
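The thread above compares three AAD constructions for an HPKE layer: a fixed string ("Key Encryption"), the JWE-style AAD derived from the protected header, and the CBOR-encoded COSE Enc_structure. The following is an added example, not code from either poster or from the JOSE/COSE drafts; it only builds the AAD bytes each construction would bind (no HPKE is performed), using the Enc_structure layout from RFC 9052 section 5.3 and the JWE AAD rule from RFC 7516 section 5.1. The header values, the minimal deterministic CBOR encoder and the `demo()` function are constructed for this example; the point it shows is which header parameters each AAD does and does not bind, including the case where "enc" sits in the unprotected header.

```python
import base64
import json

# --- Minimal deterministic CBOR encoder (RFC 8949 section 4.2 core rules) ---
# Constructed for this example; covers only what COSE headers and
# Enc_structure need: non-negative/negative ints, bstr, tstr, arrays, maps.

def _head(major, n):
    """Encode a CBOR major type with argument n in the shortest form."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, width in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * width):
            return bytes([(major << 5) | ai]) + n.to_bytes(width, "big")
    raise ValueError("integer too large for this encoder")

def cbor(v):
    """Deterministically encode ints, bytes, str, list and dict."""
    if isinstance(v, bool):
        raise TypeError("booleans are not needed for this example")
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode("utf-8")
        return _head(3, len(b)) + b
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor(x) for x in v)
    if isinstance(v, dict):
        # Map keys sorted bytewise by their encoded form (RFC 8949 section 4.2.1).
        items = sorted((cbor(k), cbor(val)) for k, val in v.items())
        return _head(5, len(items)) + b"".join(k + val for k, val in items)
    raise TypeError(f"unsupported type {type(v).__name__}")

# --- The three AAD constructions discussed in the thread ---

JOSE_KE_FIXED_AAD = b"Key Encryption"  # fixed-string AAD quoted in the thread

def cose_protected_bstr(params):
    """COSE wraps the protected header map in a bstr; an empty map is
    serialised as a zero-length bstr (RFC 9052 section 3)."""
    return b"" if not params else cbor(params)

def cose_enc_structure_aad(context, protected, external_aad=b""):
    """AAD for a COSE AEAD layer: Enc_structure = [context, protected, external_aad].
    context is "Encrypt", "Encrypt0" or "Enc_Recipient" (RFC 9052 section 5.3)."""
    return cbor([context, cose_protected_bstr(protected), external_aad])

def jwe_protected_aad(protected):
    """JWE AAD = ASCII(BASE64URL(UTF8(JWE Protected Header))) (RFC 7516 section 5.1)."""
    raw = json.dumps(protected, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def demo():
    """Show what each AAD binds, using constructed sample headers."""
    # COSE: label 1 is "alg"; values 1 and 3 are A128GCM and A256GCM (RFC 9053).
    cose_a128 = cose_enc_structure_aad("Enc_Recipient", {1: 1})
    cose_a256 = cose_enc_structure_aad("Enc_Recipient", {1: 3})

    # JOSE: put "alg" in the protected header; "enc" lives in the
    # unprotected header, so it never reaches the AAD.
    protected = {"alg": "ECDH-ES"}
    unprotected_enc_1 = {"enc": "A128GCM"}   # not part of the AAD
    unprotected_enc_2 = {"enc": "A256GCM"}   # not part of the AAD
    jose_aad_1 = jwe_protected_aad(protected)
    jose_aad_2 = jwe_protected_aad(protected)

    return {
        # Fixed string: identical for every message, binds no header at all.
        "fixed_is_constant": JOSE_KE_FIXED_AAD == b"Key Encryption",
        # COSE Enc_structure: changing the protected alg changes the AAD.
        "cose_alg_bound": cose_a128 != cose_a256,
        # JWE-style AAD: "alg" in the protected header is bound ...
        "jose_alg_bound": jose_aad_1 != jwe_protected_aad({"alg": "dir"}),
        # ... but an unprotected "enc" is not, so the two cases share one AAD.
        "jose_unprotected_enc_unbound": (unprotected_enc_1 != unprotected_enc_2
                                         and jose_aad_1 == jose_aad_2),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints four booleans, all True. The COSE branch uses the `Enc_Recipient` context because that is the layer where a recipient-level HPKE algorithm would sit; the top-level `Encrypt` context produces a different AAD for the same protected map, which is exactly why the two layers have to be considered separately.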