> On 10 Jun 2024, at 22:30, Orie Steele <[email protected]> wrote:
> 
> 
> Brian wrote:
> 
> > The "dir" Key Management algorithm for JWE is defined in JWA as Direct 
> > Encryption with a Shared Symmetric Key, which is not what's happening with 
> > that HPKE Direct Encryption mode.
> 
> > This section defines the specifics of directly performing symmetric
> > key encryption without performing a key wrapping step.  In this case,
> > the shared symmetric key is used directly as the Content Encryption
> > Key (CEK) value for the "enc" algorithm.
> 
> https://www.rfc-editor.org/rfc/rfc7518.html#section-4.5
> 
> It is true that when 7518 was written, "alg : dir" only had one meaning, for 
> example:
> 
> https://datatracker.ietf.org/doc/html/rfc7520#section-5.6
> 
> In the case of "HPKE Direct Encryption", consider the single shot APIs:
> 
> https://datatracker.ietf.org/doc/html/rfc9180#name-single-shot-apis
> 
> Instead of seeing:
> 
> {
>      "alg": "dir",
>      "kid": "77c7e2b8-6e13-45cf-8672-617b5b45243a",
>      "enc": "A128GCM"
> }
> 
> You would see:
> 
> {
>      "alg": "dir",
>      "kid": "77c7e2b8-6e13-45cf-8672-617b5b45243a",
>      "enc": "HPKE-Base-P256-SHA256-A128GCM"
> }
> 

This is a total nonstarter. “Dir” with any “enc” value currently provides 
symmetric *authenticated encryption*. You cannot just change this to suddenly 
provide public key unauthenticated encryption. That is an enormous change in 
security properties that will absolutely lead to vulnerabilities. 

— Neil
_______________________________________________
jose mailing list -- [email protected]
To unsubscribe send an email to [email protected]
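
An added example, not part of the thread or of any JOSE library: a recipient-side header check that keeps "alg": "dir" bound to the RFC 7518 section 4.5 meaning quoted above, so the two headers discussed in the thread are told apart before any decryption. The function names and the sample key are assumptions constructed for illustration; the "kid" and "enc" strings are the ones from the thread.

```python
import base64
import json

# "enc" values registered by RFC 7518 section 5.1, with the CEK size in bytes.
# With "alg": "dir" the shared symmetric key is used as the CEK directly.
RFC7518_ENC_KEY_BYTES = {
    "A128CBC-HS256": 32, "A192CBC-HS384": 48, "A256CBC-HS512": 64,
    "A128GCM": 16, "A192GCM": 24, "A256GCM": 32,
}

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def encode_header(header):
    return b64url_encode(json.dumps(header).encode())

def check_dir_header(protected_b64, jwk):
    """Return (ok, reason) for a JWE protected header, before decryption."""
    header = json.loads(b64url_decode(protected_b64))
    if header.get("alg") != "dir":
        return False, "alg is not dir"
    enc = header.get("enc")
    if enc not in RFC7518_ENC_KEY_BYTES:
        return False, "enc %r is not a symmetric AEAD from RFC 7518" % enc
    if header.get("kid") != jwk.get("kid"):
        return False, "kid does not match the configured key"
    if jwk.get("kty") != "oct":
        return False, "dir requires a shared symmetric (oct) key"
    if len(b64url_decode(jwk.get("k", ""))) != RFC7518_ENC_KEY_BYTES[enc]:
        return False, "key length does not match enc"
    return True, "ok"

KID = "77c7e2b8-6e13-45cf-8672-617b5b45243a"  # kid from the thread
# Constructed 128-bit key, for illustration only.
SHARED_KEY = {"kty": "oct", "kid": KID, "k": b64url_encode(bytes(range(16)))}

# The two protected headers shown in the thread.
CLASSIC = encode_header({"alg": "dir", "kid": KID, "enc": "A128GCM"})
PROPOSED = encode_header({"alg": "dir", "kid": KID,
                          "enc": "HPKE-Base-P256-SHA256-A128GCM"})

if __name__ == "__main__":
    for name, hdr in (("classic", CLASSIC), ("proposed", PROPOSED)):
        print(name, check_dir_header(hdr, SHARED_KEY))
```
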
