On Mon, Sep 08, 2025 at 08:40:59AM +0000, Tschofenig, Hannes wrote:
> Hi all,
> you might recall that there was an attack against CMS where an
> attacker manipulates the content-encryption algorithm identifier and
> performs an AEAD-to-CBC downgrade attack. Russ worked on the
> mitigation for CMS and it can be found in RFC 9709.
>
> Russ, Ken and I presented a generic mitigation to this attack
> applicable to COSE. It is based on RFC 9709. Here is the draft:
> https://www.ietf.org/archive/id/draft-tschofenig-cose-cek-hkdf-sha256-02.txt
Some quick comments on the draft:

- The encoding of alg does not seem to be specified. I presume canonical CBOR encoding?

- Section 5 says alg is "COSE_Key algorithm identifier", which seems off. I presume alg should be the algorithm of this layer?

- This mechanism does not seem to work with Direct Key with KDF or Direct Key Agreement (what's the key length?). The attack will not work with those (sub)modes anyway (as the inherent KDF will bind alg), so the simplest solution would be to just disallow it (a diagram in section 3 does present those cases, though).

-Ilari
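To make the mechanism under discussion concrete, here is an added example (not code from the draft, RFC 9709, or either poster) showing why binding the layer's algorithm identifier into the content-encryption key defeats an alg-swap: the key actually used for decryption is HKDF-SHA256(wrapped CEK, info = encoded alg, L = key length of alg), so a recipient whose alg header has been altered derives a different key than the sender used. The CBOR integer encoding of alg, the empty salt, and the use of the layer's key length as L are assumptions made here for illustration, since the reply notes the draft does not pin these down; the COSE identifiers A128GCM = 1 and A256GCM = 3 are registered values, while the CBC identifier is a constructed placeholder. The HKDF implementation is checked against RFC 5869 test case 1.

```python
import hmac
import hashlib

# Registered COSE AEAD identifiers and their key lengths in bytes.
# ALG_CBC_PLACEHOLDER is a constructed value standing in for whatever
# non-AEAD CBC identifier an attacker would substitute; it is not a
# registered COSE algorithm.
ALG_A128GCM = 1
ALG_A256GCM = 3
ALG_CBC_PLACEHOLDER = -65000
KEY_LENGTH = {ALG_A128GCM: 16, ALG_A256GCM: 32, ALG_CBC_PLACEHOLDER: 32}


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with SHA-256; an empty salt becomes HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * hashlib.sha256().digest_size
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with SHA-256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def cbor_int(n: int) -> bytes:
    """Deterministic (shortest-form) CBOR encoding of an integer, major type 0 or 1."""
    major, value = (0x00, n) if n >= 0 else (0x20, -1 - n)
    if value < 24:
        return bytes([major | value])
    for prefix, size in ((0x18, 1), (0x19, 2), (0x1A, 4), (0x1B, 8)):
        if value < (1 << (8 * size)):
            return bytes([major | prefix]) + value.to_bytes(size, "big")
    raise ValueError("integer too large for CBOR major type 0/1")


def derive_cek(wrapped_cek: bytes, alg: int) -> bytes:
    """Assumed construction: CEK' = HKDF-SHA256(IKM=CEK, salt=empty, info=CBOR(alg), L=keylen(alg)).

    Binding alg into info means a recipient processing a tampered alg header
    derives a key unrelated to the one the sender encrypted with.
    """
    return hkdf_sha256(wrapped_cek, b"", cbor_int(alg), KEY_LENGTH[alg])


def keys_match_after_alg_swap(wrapped_cek: bytes, sender_alg: int, attacker_alg: int) -> bool:
    """True only if swapping alg leaves the derived key unchanged (i.e. the binding failed)."""
    return derive_cek(wrapped_cek, sender_alg) == derive_cek(wrapped_cek, attacker_alg)


def rfc5869_test_case_1_ok() -> bool:
    """Self-check of the HKDF code against RFC 5869, Appendix A, test case 1."""
    ikm = bytes([0x0B] * 22)
    salt = bytes(range(0x00, 0x0D))
    info = bytes(range(0xF0, 0xFA))
    expected = bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
    )
    return hkdf_sha256(ikm, salt, info, 42) == expected


if __name__ == "__main__":
    # Constructed 32-byte CEK standing in for the key recovered from the recipient layer.
    cek = bytes(range(32))
    print("HKDF self-check:", rfc5869_test_case_1_ok())
    print("alg A256GCM encodes as", cbor_int(ALG_A256GCM).hex(),
          "; placeholder CBC alg encodes as", cbor_int(ALG_CBC_PLACEHOLDER).hex())
    print("same key after AEAD->CBC alg swap:",
          keys_match_after_alg_swap(cek, ALG_A256GCM, ALG_CBC_PLACEHOLDER))
```

Two of Ilari's points show up directly in this sketch: `cbor_int` is the encoding choice the draft would need to fix (a different serialization of alg yields a different key, so sender and recipient must agree on it), and `KEY_LENGTH[alg]` is the L parameter that has no obvious value in the Direct Key Agreement case, where the key is produced by the agreement KDF rather than unwrapped.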
