On Tue, Jun 24, 2025 at 05:40:30PM +0000, Nate Jones (Windows Security) wrote:
> Hi COSE WG,
> 
> I am reading through the COSE RFCs and there is an inconsistency I want to 
> dig into.
> 
> RFC 9053 6.1.2 states:
> > Either the "salt" parameter for HKDF (Table 9) or the "PartyU nonce" 
> > parameter for the context structure (Table 10)
> > MUST be present (both can be present if desired). The value in the 
> > "salt"/"nonce" parameter can be generated
> > either randomly or deterministically. The requirement is that it be a 
> > unique value for the shared secret in question.
> 
> However, example "hmac-sha-256-08.json" from the Github-Examples repo 
> provides an example of "direct+HKDF-SHA-256" without
> providing either a PartyU nonce or a salt: 
> https://github.com/cose-wg/Examples/blob/master/hkdf-hmac-sha-examples/hmac-sha-256-08.json
> 
> Along the lines of the Github example, RFC 9053 5.1 discusses that a salt or 
> PartyU nonce may not be required in certain cases:
> > When using a good random shared secret of the correct length, the extract 
> > step can be skipped.
> ...
> > The extract step cannot be skipped if the secret is not uniformly random
> 
> So I'm curious:
> * Is Section 6.1.2 incorrect and it is OK to use "direct+HKDF-SHA-256" 
> without a salt/PartyU nonce as long as your input secret is "uniformly 
> random" as described in section 5.1?
> * Or is section 6.1.2 correct and you "MUST" always have a salt or PartyU 
> nonce, and hmac-sha-256-08.json is non-compliant with the COSE RFC?
> 
> Or am I missing a different nuance here?

Note that section 5.1 discusses KDF in general, and 6.1.2 gives more
specific requirements on Direct Key with KDF. And yes, the example looks
to be incorrect.

I think section 6.1.2 is incorrect, but in a different way:

It does not consider that the extract step might be skipped, which causes
the salt to be ignored. In that case the PartyU nonce is REQUIRED. And it
lists algorithms based on AES, which always skip extract and thus always
require the PartyU nonce.




-Ilari

_______________________________________________
COSE mailing list -- [email protected]
To unsubscribe send an email to [email protected]
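
The point made in the reply above, as an added example that is not part of the original thread: a minimal HKDF (RFC 5869) with HMAC-SHA-256 showing that when the extract step is skipped the salt never enters the derivation, so only the PartyU nonce can make the derived key unique. The `derive_key` helper, its `skip_extract` flag, the byte-string context layout (a stand-in, not the CBOR COSE_KDF_Context encoding) and the sample secret are assumptions constructed for illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 section 2.2: an absent salt is treated as HashLen zero bytes.
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 section 2.3: T(i) = HMAC(PRK, T(i-1) | info | i)
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_key(secret, salt=b"", party_u_nonce=b"", skip_extract=False, length=32):
    # Assumption: simplified stand-in context, NOT the CBOR COSE_KDF_Context.
    info = b"constructed-context|" + bytes([len(party_u_nonce)]) + party_u_nonce
    # With extract skipped, the secret is used directly as the PRK and the
    # salt argument is never read.
    prk = secret if skip_extract else hkdf_extract(salt, secret)
    return hkdf_expand(prk, info, length)


def uniqueness_report(secret: bytes) -> dict:
    """Per mode: does changing only the salt / only the nonce change the key?"""
    report = {}
    for skip in (False, True):
        base = derive_key(secret, skip_extract=skip)
        salted = derive_key(secret, salt=b"salt-1", skip_extract=skip)
        nonced = derive_key(secret, party_u_nonce=b"nonce-1", skip_extract=skip)
        report[skip] = {"salt_changes_key": salted != base,
                        "nonce_changes_key": nonced != base}
    return report


# Constructed 32-byte shared secret, for illustration only.
SECRET = bytes(range(32))

if __name__ == "__main__":
    for skip, result in uniqueness_report(SECRET).items():
        print("extract skipped  " if skip else "extract performed", result)
```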
