RFC 8037, "CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON Object Signing and Encryption (JOSE)", January 2017Source of RFC: jose (sec)
Errata ID: 5329
Publication Format(s) : TEXT
Reported By: Neil Madden
Date Reported: 2018-04-17
Section 4 says:
The JSON Web Algorithm (JWA) ECDH-ES KDF construction does not mix keys into the final shared secret. In key exchange, such mixing could be a bad mistake; whereas here either the receiver public key has to be chosen maliciously or the sender has to be malicious in order to cause problems. In either case, all security evaporates.
It should say:
The JSON Web Algorithm (JWA) ECDH-ES KDF construction does not mix keys into the final shared secret unless they are included in the "apu" or "apv" claims. It is recommended to include the public keys of both parties in the key derivation.
There are two technical errors here.
Firstly, the JWA ECDH-ES KDF does allow for mixing keys into the final shared secret via the "apu" and "apv" claims. RFC 7518 (JWA) normatively references NIST SP.800-56A, which explicitly recommends doing this.
Secondly, it is not clear what the security issue is here, as there are known security issues in some cases from *not* mixing in public keys and other identifiers, as described in SP.800-56Ar3 Appendix B, and in the Security Considerations of RFC 7748 (another normative reference), which states:
using a public key as an identifier and knowledge of a shared secret
as proof of ownership (without including the public keys in the key
derivation) might lead to subtle vulnerabilities."