Using 'detached' session information as part of encryption key derivation to solve 'lazy verifier' problem #347
Comments
|
In my opinion, the only way to achieve this with a regular JWE compact form is by using a detached protected header. Note that Example (Unprotected Header / JARM): {
// Could be negotiated or static
"alg": "ECDH-ES",
// Could be negotiated or static
"enc": "A256GCM",
// Could be a web origin, e.g., https://rp.com
"apu": "MTIzNDU2Nzg5MGFiY2RlZmdo",
// Could be a web origin, e.g., https://rp.com
"apv": "YWJjZGVmZ2gxMjM0NTY3ODkw",
// Verifier decryption key identifier
"kid": "P8p0virRlh6fAkh5-YSeHt4EIv-hFGneYk14d8DF51w",
// Ephemeral decryption key produced by the wallet
"epk": {
"kty": "EC",
"crv": "P-256",
"x": "laKMaRZltDtdJV0fmSivSI2dhGyOJilIZcXjdsheEfM",
"y": "jwiLJu_o4PlxGg0RS3zjjT7g3mNcydj5Vc0n5Neby0Y"
}
}For the JWE compact form, all these headers are part of the AAD. If we want to detach any AAD value, the entire protected header must be detached. This creates challenges:
Alternatively, we could explore JWE JSON serialization where only the |
|
Thanks Oliver. I'd tend to agree that calculating the protected header at the verifier is going to be hard/problematic. I think this is the advantage of using JOSE HPKE - that can potentially update the JWE RFC. We only need a very small addition really - a sentence saying that when using compact serialisation a JWE AAD (which is distinct from AAD) can be communicated out of band. As far as I can see the rest of the steps should all work. (The AAD is defined to be The language e.g. around step 14 of https://datatracker.ietf.org/doc/html/rfc7516#section-5.1 makes this probably technically a bit of a grey area: 
Technically I think we could perhaps use that same approach with ECDH-ES too, but I think getting existing libraries updated to support that is potentially troublesome. (If I missed some other nuance please let me know!) |
|
Related issue: ietf-wg-jose/draft-ietf-jose-hpke-encrypt#13 |
Sakurann
added
the
ISO_VirtualMeeting
Sakurann
removed
the
ISO_VirtualMeeting
|
[editor hat on] Already agreed in openid/oid4vc-haip#131 (comment) that not doing detached in Final 1.0, so this is 1.1. However, we need to make sure in PR #380 that how the spec is written does not preclude this detached in the future before going to 1.0, then will change the milestone to 1.1 |
The current encryption methods supported in OID4VP require that any information that is used as part of the key derivation is included in the JWE header (e.g.
apuandapv). This is basically how the JWE specs and libraries currently work and it's not really possible to not send this information and be compliant with the current JWE RFCs.It seems it be advantageous to not send some of this information in the JWE and to instead have the verifier provide it from it's view of the world - in particular if information like the web origin, keys, etc, where included in the key derivation and not transmitted, then the verifier would hopefully fail to decrypt a response that has been injected into the wrong session.
Given we have seen a long history of OAuth clients not implementing security checks like session binding correctly, a mechanism where a response from a different session simply fails to decrypt is highly advantageous from an "overall security of an ecosystem" point of view.
The text was updated successfully, but these errors were encountered: