RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

RFC 8037, "CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON Object Signing and Encryption (JOSE)", January 2017

Source of RFC: jose (sec)

Errata ID: 5329
Status: Reported
Type: Technical
Publication Format(s) : TEXT

Reported By: Neil Madden
Date Reported: 2018-04-17

Section 4 says:

The JSON Web Algorithm (JWA) ECDH-ES KDF construction does not mix
keys into the final shared secret.  In key exchange, such mixing
could be a bad mistake; whereas here either the receiver public key
has to be chosen maliciously or the sender has to be malicious in
order to cause problems.  In either case, all security evaporates.

It should say:

The JSON Web Algorithm (JWA) ECDH-ES KDF construction does not mix
keys into the final shared secret unless they are included in the 
"apu" or "apv" claims. It is recommended to include the public keys 
of both parties in the key derivation. 

Notes:

There are two technical errors here.

Firstly, the JWA ECDH-ES KDF does allow for mixing keys into the final shared secret via the "apu" and "apv" claims. RFC 7518 (JWA) normatively references NIST SP.800-56A, which explicitly recommends doing this.

Secondly, it is not clear what the security issue is here, as there are known security issues in some cases from *not* mixing in public keys and other identifiers, as described in SP.800-56Ar3 Appendix B, and in the Security Considerations of RFC 7748 (another normative reference), which states:

"Thus
using a public key as an identifier and knowledge of a shared secret
as proof of ownership (without including the public keys in the key
derivation) might lead to subtle vulnerabilities."

Report New Errata



Advanced Search