The following errata report has been submitted for RFC8037,
"CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON Object 
Signing and Encryption (JOSE)".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata/eid5329

--------------------------------------
Type: Technical
Reported by: Neil Madden <[email protected]>

Section: 4

Original Text
-------------
The JSON Web Algorithm (JWA) ECDH-ES KDF construction does not mix
keys into the final shared secret.  In key exchange, such mixing
could be a bad mistake; whereas here either the receiver public key
has to be chosen maliciously or the sender has to be malicious in
order to cause problems.  In either case, all security evaporates.

Corrected Text
--------------
The JSON Web Algorithm (JWA) ECDH-ES KDF construction does not mix
keys into the final shared secret unless they are included in the 
"apu" or "apv" claims. It is recommended to include the public keys 
of both parties in the key derivation. 

Notes
-----
There are two technical errors here. 

Firstly, the JWA ECDH-ES KDF does allow for mixing keys into the final shared 
secret via the "apu" and "apv" claims. RFC 7518 (JWA) normatively references 
NIST SP.800-56A, which explicitly recommends doing this.

Secondly, it is not clear what the security issue is here, as there are known 
security issues in some cases from *not* mixing in public keys and other 
identifiers, as described in SP.800-56Ar3 Appendix B, and in the Security 
Considerations of RFC 7748 (another normative reference), which states:

"Thus using a public key as an identifier and knowledge of a shared secret
as proof of ownership (without including the public keys in the key
derivation) might lead to subtle vulnerabilities."

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC8037 (draft-ietf-jose-cfrg-curves-06)
--------------------------------------
Title               : CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures 
in JSON Object Signing and Encryption (JOSE)
Publication Date    : January 2017
Author(s)           : I. Liusvaara
Category            : PROPOSED STANDARD
Source              : Javascript Object Signing and Encryption
Area                : Security
Stream              : IETF
Verifying Party     : IESG

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
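
Added example, not part of the erratum or of RFC 8037: a standard-library Python implementation of the Concat KDF as RFC 7518 Section 4.6.2 uses it, showing that the derived key depends on the parties' public keys only when they are placed in "apu" and "apv". The Z value and key bytes are constructed samples, derive() and demo() are hypothetical helper names, and putting the sender's ephemeral key in "apu" and the recipient's key in "apv" is an assumption based on the recommendation in the Corrected Text.

```python
import hashlib
import struct


def _len_prefixed(data: bytes) -> bytes:
    # Datalen || Data, where Datalen is a 32-bit big-endian byte count
    return struct.pack(">I", len(data)) + data


def concat_kdf(z: bytes, alg: str, apu: bytes, apv: bytes, key_bits: int) -> bytes:
    """Concat KDF with SHA-256; OtherInfo laid out as in RFC 7518 Section 4.6.2."""
    other_info = (
        _len_prefixed(alg.encode("ascii"))  # AlgorithmID
        + _len_prefixed(apu)                # PartyUInfo  <- decoded "apu"
        + _len_prefixed(apv)                # PartyVInfo  <- decoded "apv"
        + struct.pack(">I", key_bits)       # SuppPubInfo = keydatalen in bits
    )
    out = b""
    counter = 1
    while len(out) * 8 < key_bits:
        # Each round hashes: 32-bit counter || Z || OtherInfo
        out += hashlib.sha256(struct.pack(">I", counter) + z + other_info).digest()
        counter += 1
    return out[: key_bits // 8]


def derive(z: bytes, sender_pub: bytes, recipient_pub: bytes, bind_keys: bool) -> bytes:
    # Assumption: apu = sender ephemeral public key, apv = recipient public key.
    apu = sender_pub if bind_keys else b""
    apv = recipient_pub if bind_keys else b""
    return concat_kdf(z, "A128GCM", apu, apv, 128)


# Constructed sample values, not real key material.
Z = bytes(range(32))   # the same raw ECDH output in both runs
EPK_A = b"\x11" * 32   # one claimed sender public key
EPK_B = b"\x22" * 32   # a different claimed sender public key
RCPT = b"\x33" * 32    # recipient public key


def demo() -> dict:
    # Same Z, different public keys: compare the keys with and without binding.
    return {
        "same_key_without_apu_apv": derive(Z, EPK_A, RCPT, False) == derive(Z, EPK_B, RCPT, False),
        "same_key_with_apu_apv": derive(Z, EPK_A, RCPT, True) == derive(Z, EPK_B, RCPT, True),
    }


if __name__ == "__main__":
    print(demo())
```
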
