On Sun, Jun 22, 2025 at 12:45:11PM -0700, Laurence Lundblade wrote:
>
> > On Jun 21, 2025, at 11:07 AM, Ilari Liusvaara <[email protected]>
> > wrote:
>
> > Next_layer_alg also does not detect replacing bulk encryption with
> > key wrap, but getting a valid key wrap seems very hard. Reusing other
> > key wraps does not work, because that needs KEK, which would
> > compromise the message anyway.
>
> To clarify, if an attacker replaced AES-128-GCM with A128KW,
> next_layer_alg would cause it to be detected.

It is technically possible to use A128GCM (or any section 5.3 (AEAD)
algorithm) for key wrap. In practice, it is probably totally unsupported.
And the layer is not going to decrypt anyway (even if HPKE layer would).

Things would get more screwy if someone used section 5.4 (AE) algorithm
as bulk encryption. However, the only supported AE algorithm is AES-KW,
which nobody is going to use as bulk encryption because it is very slow.

> If a protocol designer created a three layer COSE encryption (e.g.,
> HPKE-key-wrap-AES), next_layer_alg would secure the ID of the key
> wrap, but not the AES. This is more a problem with the three layer
> design than next_layer_alg, so no problem here either.

I have no idea why anyone would use HPKE-key-wrap-AES, except that some
overly general implementation might end up actually supporting decrypting
such messages.

The only known use for three-layer structure is having direct key
agreement on layer 2.

The list of recommended patterns for encryption is:

- HPKE
- AEAD+DKA
- AEAD+HPKE
- AEAD+KW
- AEAD+KW+DKA
- AEAD+KAwKW
- AEAD+KT

The first two are single-recipient, the remaining 5 are multi-recipient
and can be mixed and matched.

HPKE has properties that do not fit into any previous mode, thus it is
its own mode (such mode needs to satisfy certain assumptions, which HPKE
does).

> So, you’ve thought through the next_layer_alg design some and haven’t
> found a problem with it, right? This makes me feel more confident.

At least I have not found anything that would seem worrying.

-Ilari

_______________________________________________
COSE mailing list -- [email protected]
To unsubscribe send an email to [email protected]
