Re: [jose] [COSE] HPKE PartyU / PartyV

Orie Steele <orie@transmute.industries> Wed, 28 February 2024 20:09 UTC

References: <CAN8C-_LUMe09=WbkwT-RckhR8+LYCQMw8XWnwmDLE5riYjd7pg@mail.gmail.com> <Zd749IrwWC2hI6yX@LK-Perkele-VII2.locald> <CAN8C-_J+mMABCa2HPWv5zJ=u1HSb+saq_mn5kB0Wq5upWUyM9Q@mail.gmail.com> <Zd-NRA2kH4fc_d-X@LK-Perkele-VII2.locald>
In-Reply-To: <Zd-NRA2kH4fc_d-X@LK-Perkele-VII2.locald>
From: Orie Steele <orie@transmute.industries>
Date: Wed, 28 Feb 2024 14:08:50 -0600
Message-ID: <CAN8C-_+tG9845bn986Anr89ObNpUCzOAuiEJMPh4KGK3ixB+uQ@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: JOSE WG <jose@ietf.org>, cose <cose@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/i1vHriJf1LNNWojtlAz7PIQ75UQ>
Subject: Re: [jose] [COSE] HPKE PartyU / PartyV

* JOSE/KE: HPKE AAD is fixed string "Key Encryption".

^ This seems less good than using the protected header,
which already includes the "alg" for which you are encrypting the key,
which implies and specifies more precisely that you are indeed doing key
encryption.
It also keeps JOSE IE and JOSE KE relying on similar AAD structures.

I also think it's a mistake to invent a new and confusing mode called "JOSE
IE", when it's really just "direct encryption" for HPKE.

```json
{ "alg": "dir", "enc": "HPKE...A128GCM" }
```

* COSE: HPKE AAD is CDE of Enc_Structure, just like for symmetric AEAD.

^ I do not understand how this proposal secures both the recipient
protected header, and the top level protected header, while addressing the
oracle attack.

Since HPKE is new, we don't have to forward the vulnerable 2 layer behavior
for the case where all algorithms in a 2 layer are HPKE algs.

We cannot fix the oracle attack in a "mixed alg" 2 layer cose structure,
because it would require breaking changes.

I do agree that solving the oracle attack for the general case (-29 / -30
based tag 96 messages), should be done as a separate COSE WG document.

I do not agree that COSE HPKE should be published with the possibility of
targeting the (brand new) HPKE algorithms registered and succeeding in the
oracle attack.

OS



On Wed, Feb 28, 2024 at 1:45 PM Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Wed, Feb 28, 2024 at 07:55:24AM -0600, Orie Steele wrote:
>
> > For HPKE, we can simplify things and protect against the attack by:
>
> <snip stuff that does not work>
>
> > What do you think?
>
> What you are proposing does not work.
>
>
> 1) HPKE already mixes in enc, there is no reason to do it again, that
>    just breaks some HPKE libraries for no good reason.
>
>    IE and KE are so massively different that aligning the two is not
>    a good reason.
>
>
> 2) Mixing anything between levels will lead to severe implementation
>    problems.
>
>    The best way to break existing implementations is to throw an
>    unexpected curveball. And this is one.
>
>
> 3) ?OSE-HPKE can do nothing with the oracle attack.
>    a) In JOSE, no action is needed, JWE already blocks the attack.
>    b) In COSE, it needs a separate document to fix.
>
>    The "fix" you gave just does not work.
>
>
> 4) Crossmode attack is easy to solve.
>    a) In JOSE-HPKE, HPKE AAD needs to be fixed by KE to some value that
>       can not happen in IE.
>    b) In COSE, it is already solved by Enc_structure context field.
>
>    Doing that with JOSE-HPKE will also solve the more severe cross-layer
>    mixing issue.
>
>
> The simplest HPKE AAD stuff that actually works is:
>
> * JOSE/IE: HPKE AAD constructed as in JWE section 5.1. step 14.
> * JOSE/KE: HPKE AAD is fixed string "Key Encryption".
> * COSE: HPKE AAD is CDE of Enc_Structure, just like for symmetric AEAD.
>   External_aad only applies to layer 0.
>
> Just ignore the oracle (AES-CTR/AES-CBC) attack for this. Fixing that
> (in COSE) is a separate issue.
>
>
>
>
> -Ilari
>
> _______________________________________________
> COSE mailing list
> COSE@ietf.org
> https://www.ietf.org/mailman/listinfo/cose
>


-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>
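Added example, not code from this thread, from either poster, or from the JOSE/COSE HPKE drafts: a stdlib-only Python sketch of the exact byte strings each AAD construction debated above (Ilari's three-bullet list and Orie's protected-header alternative for JOSE/KE) would hand to HPKE Seal()/Open(). It covers JOSE/IE per RFC 7516 section 5.1 step 14, JOSE/KE as a fixed string versus as the encoded protected header, and the CDE-encoded COSE Enc_structure with its context field. The CBOR encoder is a minimal one written here, not a library; the "HPKE-PLACEHOLDER" alg name and the -65537 COSE algorithm id are constructed placeholders, not registered identifiers. HPKE itself is not implemented.

```python
"""Added example: AAD byte strings for the JOSE/COSE HPKE constructions under
discussion. Stdlib only; HPKE is not implemented here."""
import base64
import json
from typing import Optional


# --- minimal deterministic CBOR encoder (RFC 8949 s4.2.1), enough for Enc_structure
def _head(major: int, n: int) -> bytes:
    """Shortest-form initial bytes for a major type and unsigned argument n."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < (1 << (8 * size)):
            return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
    raise ValueError("argument too large")


def cbor(v) -> bytes:
    if isinstance(v, bool):
        raise TypeError("bool is not needed for Enc_structure")
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        u = v.encode("utf-8")
        return _head(3, len(u)) + u
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor(x) for x in v)
    if isinstance(v, dict):
        # deterministic encoding: entries in bytewise order of their encoded keys
        items = sorted((cbor(k), cbor(val)) for k, val in v.items())
        return _head(5, len(items)) + b"".join(k + val for k, val in items)
    raise TypeError(f"unsupported type {type(v).__name__}")


# --- JOSE
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwe_aad(protected_header: dict, jwe_aad_param: Optional[bytes] = None) -> bytes:
    """RFC 7516 s5.1 step 14: ASCII(BASE64URL(UTF8(protected)) ['.' BASE64URL(aad)]).
    This is the JOSE/IE construction both sides of the thread accept."""
    hdr_json = json.dumps(protected_header, separators=(",", ":")).encode("utf-8")
    s = b64url(hdr_json)
    if jwe_aad_param is not None:
        s += "." + b64url(jwe_aad_param)
    return s.encode("ascii")


KE_FIXED_AAD = b"Key Encryption"  # JOSE/KE as Ilari proposes: a constant


def ke_aad_from_protected_header(protected_header: dict) -> bytes:
    """JOSE/KE as Orie prefers: the step-14 construction over the header that
    names the key-encryption 'alg'."""
    return jwe_aad(protected_header)


_STEP14_ALPHABET = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.")


def representable_as_ie_aad(aad: bytes) -> bool:
    """Necessary condition for a byte string to be a step-14 (IE) AAD: base64url
    characters plus at most one '.'. Anything else can never collide with IE,
    which is why a fixed string containing a space separates the modes (Ilari's 4a)."""
    return aad.count(b".") <= 1 and all(b in _STEP14_ALPHABET for b in aad)


# --- COSE
def cose_aad(context: str, protected_header: dict, external_aad: bytes = b"") -> bytes:
    """RFC 9052 s5.3 Enc_structure = [context, protected bstr, external_aad bstr],
    deterministically encoded. Ilari's COSE proposal: HPKE AAD is exactly this,
    as for a symmetric AEAD. An empty protected map is a zero-length bstr."""
    protected = cbor(protected_header) if protected_header else b""
    return cbor([context, protected, external_aad])


ALG_HPKE_PLACEHOLDER = "HPKE-PLACEHOLDER"  # constructed; not a registered JOSE alg
COSE_ALG_PLACEHOLDER = -65537              # constructed; COSE private-use range


def demo() -> dict:
    """Each construction on constructed sample headers; values are pairwise distinct."""
    return {
        "jose_ie": jwe_aad({"alg": "dir", "enc": ALG_HPKE_PLACEHOLDER}),
        "jose_ke_fixed": KE_FIXED_AAD,
        "jose_ke_header": ke_aad_from_protected_header(
            {"alg": ALG_HPKE_PLACEHOLDER, "enc": "A128GCM"}),
        "cose_layer0": cose_aad("Encrypt", {1: COSE_ALG_PLACEHOLDER}, b"app data"),
        # per the thread, external_aad applies only at layer 0
        "cose_recipient": cose_aad("Enc_Recipient", {1: COSE_ALG_PLACEHOLDER}),
    }


if __name__ == "__main__":
    for name, aad in demo().items():
        print(f"{name:15} {aad.hex()}  ie-representable={representable_as_ie_aad(aad)}")
```

Running it prints the hex of each AAD; the COSE values differ in their leading context string ("Encrypt" versus "Enc_Recipient"), which is the field Ilari points to as already solving cross-mode confusion in COSE, while the two JOSE/KE candidates differ in kind: the fixed string can never be a step-14 output, whereas the header-based one is a step-14 output and relies on the "alg" value alone to separate KE from IE.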