On Wed, 12 Jun 2024 at 13:14, Ilari Liusvaara <[email protected]> wrote:
> On Tue, Jun 11, 2024 at 10:19:29AM -0500, Orie Steele wrote:
> > Sounds like the current best option for HPKE single shot direct encryption
> > in JOSE would be:
> >
> > { alg: HPKE-....-A128GCM, enc: dir }
> >
> > Which would require updating JWE, and this part of the IANA registry:
> >
> > https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms
>
> When working on figuring out how to patch the encryption and decryption
> procedures for this mode, I noticed that if the direct encryption
> operation step produces headers, the resulting JWE can not be serialized
> with compact encoding. RFC7516 prohibits the bulk encryption step from
> producing headers (only allowing it to produce JWE Ciphertext and
> Authentication Tag outputs).
>
> This arises because the produced headers must be unprotected (due to a
> hard cyclic dependency), and compact serialization does not allow
> unprotected headers. The RFC7516 prohibition on headers means all
> bulk encryption algorithms can work in compact serialization.
>
The cyclic dependency can be prevented by invoking the SetupBaseS to get
the HPKE context and HPKE enc. The HPKE context is then used to invoke the
Seal function with "aad" and "pt" as parameters. The "ek" parameter can be
within the JWE protected header.
-Tiru
>
> So for compact encoding of the resulting JWE to be possible, the direct
> encryption operation can only output JWE Encrypted Key, Initialization
> Vector, Ciphertext and Authentication Tag fields. However, RFC7516 does
> have single-recipient JWEs that can not be serialized with compact
> serialization (e.g., anything that uses JWE AAD).
>
> -Ilari
>
> _______________________________________________
> jose mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>
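The ordering suggested in the reply above (SetupBaseS first, then Seal with the protected header as "aad"), as an added example that is not part of the original thread or of any JOSE draft. It assumes the RFC 9180 base-mode suite DHKEM(X25519, HKDF-SHA256) / HKDF-SHA256 / AES-128-GCM, the Python `cryptography` package, a placeholder "alg" value, and empty JWE Encrypted Key and IV fields.

```python
import base64, hashlib, hmac, json
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

KEM_SUITE = b"KEM" + bytes.fromhex("0020")            # DHKEM(X25519, HKDF-SHA256)
HPKE_SUITE = b"HPKE" + bytes.fromhex("002000010001")  # ... + HKDF-SHA256 + AES-128-GCM

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def raw(pk): return pk.public_bytes(Encoding.Raw, PublicFormat.Raw)

def lextract(suite, salt, label, ikm):   # RFC 9180 LabeledExtract
    return hmac.new(salt or bytes(32), b"HPKE-v1" + suite + label + ikm, hashlib.sha256).digest()

def lexpand(suite, prk, label, info, n):  # RFC 9180 LabeledExpand
    # n <= 32 for every output used here, so one HKDF-Expand block suffices.
    msg = n.to_bytes(2, "big") + b"HPKE-v1" + suite + label + info + b"\x01"
    return hmac.new(prk, msg, hashlib.sha256).digest()[:n]

def key_schedule(dh, enc, pk_r, info=b""):
    """Base mode (0x00, no PSK): DH output -> (AEAD key, base nonce)."""
    eae = lextract(KEM_SUITE, b"", b"eae_prk", dh)
    shared = lexpand(KEM_SUITE, eae, b"shared_secret", enc + pk_r, 32)
    ctx = (b"\x00" + lextract(HPKE_SUITE, b"", b"psk_id_hash", b"")
           + lextract(HPKE_SUITE, b"", b"info_hash", info))
    secret = lextract(HPKE_SUITE, shared, b"secret", b"")
    return (lexpand(HPKE_SUITE, secret, b"key", ctx, 16),
            lexpand(HPKE_SUITE, secret, b"base_nonce", ctx, 12))

def setup_base_s(pk_r):
    """Returns enc (ephemeral public key) and the sender context (key, nonce)."""
    sk_e = X25519PrivateKey.generate()
    enc = raw(sk_e.public_key())
    return enc, key_schedule(sk_e.exchange(pk_r), enc, raw(pk_r))

def encrypt_compact(pk_r, plaintext):
    # Step 1: enc is known before sealing, so it can sit in the protected header.
    enc, (key, nonce) = setup_base_s(pk_r)
    header = {"alg": "HPKE-PLACEHOLDER", "enc": "dir", "ek": b64u(enc)}  # alg is a placeholder
    protected = b64u(json.dumps(header, separators=(",", ":")).encode())
    # Step 2: Seal(aad, pt). Sequence number 0, so the nonce is the base nonce;
    # the context is used for exactly one message (single shot).
    sealed = AESGCM(key).encrypt(nonce, plaintext, protected.encode())
    # Assumption: the 16-byte GCM tag goes in the JWE Authentication Tag field.
    return ".".join([protected, "", "", b64u(sealed[:-16]), b64u(sealed[-16:])])
```

Because "ek" is covered by the AAD, the recipient's Open fails if either the header or the encapsulated key is altered, and no unprotected header is needed.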