RFC Errata



RFC 9053, "CBOR Object Signing and Encryption (COSE): Initial Algorithms", August 2022

Source of RFC: cose (sec)

Errata ID: 8061
Status: Reported
Type: Technical
Publication Format(s) : TEXT

Reported By: Laurence Lundblade
Date Reported: 2024-08-01

Section 4 says:

(This is an addition to the beginning of section 4)

It should say:

While this document defines no IDs for non-AEAD ciphers, they are
permitted in COSE. When considering support for a non-AEAD cipher,
the security considerations in [RFC9459] should be thoroughly reviewed.
Additionally, consideration should be given to the AEAD downgrade
attack described in [AEAD-Downgrade], which is applicable to COSE
and can be avoided by never performing decryption with a non-AEAD
cipher.

[AEAD-Downgrade] Falko Strenzke and Johannes Roth,
    "Legacy Encryption Downgrade Attacks against LibrePGP and CMS",
    Cryptology ePrint Archive, 2024, <https://eprint.iacr.org/2024/1110>.

[RFC9459] Housley, R. and H. Tschofenig,
    "CBOR Object Signing and Encryption (COSE): AES-CTR and AES-CBC",
    RFC 9459, DOI 10.17487/RFC9459, September 2023,
    <https://www.rfc-editor.org/rfc/rfc9459>.

Notes:

This is basically a vulnerability disclosure. The AEAD downgrade
attack was not known at the time of publication. RFC 9459 was
not published. This does not change the meaning of RFC 9053,
just warns about some use of it.

Given the weight we usually put on security considerations (for
example, those in RFC9459), it seems disclosing this is something
that should be done.
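
One way a COSE receiver could enforce "never performing decryption with a non-AEAD cipher" at the point where it selects the content-encryption algorithm. This is an added example, not text from the erratum or code from any COSE library: the function names, the already-decoded header maps and the sample key are assumptions, and the both-buckets and key-alg checks go beyond what the erratum states. The algorithm IDs are those registered by RFC 9053 and RFC 9459.

```python
# Added example: refuse non-AEAD COSE algorithms before any decryption happens.
ALG = 1      # header parameter label for "alg" (RFC 9052)
KEY_ALG = 3  # COSE_Key common parameter label for "alg" (RFC 9052)

# AEAD content-encryption algorithm IDs registered by RFC 9053.
AEAD_ALGS = {
    1: "A128GCM", 2: "A192GCM", 3: "A256GCM", 24: "ChaCha20/Poly1305",
    10: "AES-CCM-16-64-128", 11: "AES-CCM-16-64-256",
    12: "AES-CCM-64-64-128", 13: "AES-CCM-64-64-256",
    30: "AES-CCM-16-128-128", 31: "AES-CCM-16-128-256",
    32: "AES-CCM-64-128-128", 33: "AES-CCM-64-128-256",
}
# Non-AEAD algorithm IDs registered by RFC 9459; listed only to name them in errors.
NON_AEAD_ALGS = {
    -65534: "A128CTR", -65533: "A192CTR", -65532: "A256CTR",
    -65531: "A128CBC", -65530: "A192CBC", -65529: "A256CBC",
}

class DecryptRefused(Exception):
    """Raised before the key is ever applied to the ciphertext."""

def select_decrypt_alg(protected, unprotected, key):
    """Return the AEAD alg ID to decrypt with, or raise DecryptRefused."""
    if ALG in protected and ALG in unprotected:
        raise DecryptRefused("alg appears in both header buckets")
    alg = protected.get(ALG, unprotected.get(ALG))
    if type(alg) is not int:  # also rejects a missing alg and bool look-alikes
        raise DecryptRefused("alg is missing or not an integer ID")
    if alg in NON_AEAD_ALGS:
        raise DecryptRefused(f"non-AEAD cipher {NON_AEAD_ALGS[alg]} refused")
    if alg not in AEAD_ALGS:
        raise DecryptRefused(f"alg {alg} is not on the AEAD allowlist")
    # Policy assumption of this example: a key that names an alg is used only with it.
    if key.get(KEY_ALG, alg) != alg:
        raise DecryptRefused("message alg does not match the key's alg")
    return alg

def refusal_reason(protected, unprotected, key):
    """Return the refusal message, or None when decryption may proceed."""
    try:
        select_decrypt_alg(protected, unprotected, key)
    except DecryptRefused as exc:
        return str(exc)
    return None

# Constructed sample: symmetric COSE_Key (kty=4) bound to A256GCM, dummy key bytes.
SAMPLE_KEY = {1: 4, KEY_ALG: 3, -1: bytes(32)}
```

The gate runs before the key is used, so a message relabelled with an RFC 9459 algorithm ID is rejected without producing any decryption output.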
