I think from reading https://tools.ietf.org/html/draft-ietf-cose-msg-14#section-12.4.1 that ECDH-ES is supposed to authenticate the sender, i.e. that successfully decrypting an ECDH-ES message also authenticates it. For example, Table 19 lists a label for a sender's static key for use with ECDH-ES, which would be meaningless if ECDH-ES was supposed to be anonymous.
Given that, I don't see how the sender's static key is included in the key derivation. I would have expected something like the input keying material to HKDF to be ECDH(sender-static, receiver-static) ++ ECDH(sender-ephemeral, receiver-static). That would give one-way forward secrecy and would authenticate the message w.r.t the sender's static key (*) There are many words, so it's very possible that I missed something, so I also looked at https://github.com/cose-wg/cose-implementations/blob/master/csharp/COSE/EncryptMessage.cs#L1529 and I only see a single ECDH operation in there. Is it that I misunderstood the aim and that ECDH-ES is sender-anonymous? If not, how does the sender show possession of their static key? (* Modulo key-compromise impersonation.) Cheers AGL -- Adam Langley [email protected] https://www.imperialviolet.org _______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
