Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

COSE_KDF_Context is mandatory depending on protected headers #53

Open
OR13 opened this issue Feb 23, 2024 · 5 comments
Open

COSE_KDF_Context is mandatory depending on protected headers #53

OR13 opened this issue Feb 23, 2024 · 5 comments

Comments

@OR13
Copy link
Contributor

OR13 commented Feb 23, 2024

It needs to be computed consistently by both sender and receiver.
If related protected header parameters are present, it must be computed and used.

If no relevant protected header parameters are present, it SHOULD NOT be used.
@dajiaji
Copy link
Contributor

dajiaji commented Feb 25, 2024

Previously, I posted the following message to the COSE mailing list:

https://mailarchive.ietf.org/arch/msg/cose/XjOlXbTvMRqxhdXhovv5K3fYNnw/

In my understanding, it was a mistake in the first place for RFC9053 to define the COSE_KDF_Context structure. There was no need to use the PartyU and PartyV structures in the "Extract-and-Expand" key derivation function.

I believe that in COSE-HPKE, the use of COSE_KDF_Context should be explicitly prohibited to eliminate redundant context binding processes.

I think it will be easier to discuss based on a specific proposal, so I will create a pull request to update the descriptions related to COSE_KDF_Context. I would be happy if you could review it.

@dajiaji dajiaji mentioned this issue Feb 25, 2024
Closed
@laurencelundblade
Copy link
Contributor

I think Enc_structure with context "COSE_Recipient" can be an alternative to mandatory use of COSE_KDF_Context. One of the two MUST be mandatory so that the protected headers in the COSE_Recipient are protected.

I don't agree with
https://mailarchive.ietf.org/arch/msg/cose/XjOlXbTvMRqxhdXhovv5K3fYNnw/

COSE_KDF_Context clearly provides protection against the lamps attack for COSE_Recipient with algorithm -25.

@OR13
Copy link
Contributor Author

OR13 commented Mar 3, 2024

Yes, for -25, the AEAD Algorithm ID is mixed into the kdf via COSE_KDF_Context.

For -29, the key wrapping algorithm (A128KW) is mixed into the kdf via COSE_KDF_Context.

The key wrapping algorithm wraps a key that can be used for A128GCM or A128CBC... thats the problem

@selfissued
Copy link

selfissued commented Mar 3, 2024 via email

@laurencelundblade
Copy link
Contributor

I think binding of the level 0 algorithm ID in with the COSE_Recipient is more than just defending against the lamps attack. It is current security practice:

  • HPKE internally does it. HPKE thoroughly binds all algorithm IDs
  • COSE_KDF_Context does it
  • It anticipated and defeated the lamps attack and may anticipate and defeat others we don’t know of yet.

Binding the alg ID is a more universal and sound practice than excluding non-AEAD modes.

COSE-HPKE should come out of the gate secure, complete and without implementors having to make complicated security decisions like those to do with COSE_KDF_Context. It should address the lamps attack and use current security practice.

There are also use cases for non AEAD algorithms.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@dajiaji @selfissued @laurencelundblade @OR13