
All JWEs are encrypted using authenticated encryption with associated data (AEAD) algorithms. Is there any reason why you would not want to include the IV and Encrypted Content Encryption Key (CEK) in the Additional Authenticated Data (AAD)? Would it in some way make the JWE vulnerable?

Edit: I have continued researching this and found the following in RFC 5116 Section 2.1:

The nonce is authenticated internally to the algorithm, and it is not necessary to include it in the AD input. The nonce MAY be included in P or A if it is convenient to the application.

And

The secret key K MUST NOT be included in any of the other inputs (N, P, and A). (This restriction does not mean that the values of those inputs must be checked to ensure that they do not include substrings that match the key; instead, it means that the key must not be explicitly copied into those inputs.)

So my only remaining question is: considering the encrypted content key is equivalent to a random value, is it okay to also include that in the AAD? Again, entirely for convenience. Or would this cause a possible leak of information?


1 Answer


There is no need to integrity protect the IV or the Encrypted Content Encryption Key (CEK). Modification to either would cause the decryption to fail, whether they were included in the AAD or not. However, to avoid timing oracle attacks, implementations must proceed through the entire decryption process, including decrypting the CEK, verifying the MAC (for AES-CBC + HMAC-SHA2 algorithms) and content decryption.

OK, so there is no need to integrity protect either the IV or the CEK by including them in the AAD, but is there any harm in including them there? As you have pointed out in your question, RFC 5116 indicates that it is fine to include the IV in the AAD, but a CEK MUST NOT be included in other algorithm inputs, including the AAD. But the Encrypted CEK, assuming the encryption algorithm is secure, is computationally indistinguishable from random data, so it should be OK to include that in the AAD.

frasertweedale
  • I am not talking about all authenticated encryption (AE) ciphers, only those with associated data (AEAD). So if I have some AEAD cipher, E(plainText, key, iv, aad) -> (cipherText, tag), would the security of my cryptosystem decrease if aad = F(key) + iv, where F() is some permutation of the key? In the case of JWEs it would be the key management algorithm. Obviously these things are considered known values as they are transmitted as part of the JWE. But does an adversary gain any advantage by also having an authentication tag with them included in the aad? – k0mrade_kangaroo Apr 08 '15 at 17:31
  • I don't think so - I have updated the answer to clarify. But I am not a cryptographer, so don't take my suggestion as gospel. – frasertweedale Apr 08 '15 at 22:55
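As an added example (not code from the question, the answer, or any JOSE library), the scheme discussed above in Go with only the standard library: a random CEK is wrapped under a key-encryption key with AES-GCM (the way A256GCMKW does), the content is encrypted with AES-GCM, and the AAD is either the protected header alone or the header followed by the IV and the encrypted CEK, which is the choice the question asks about. The names (JWEParts, Encrypt, Decrypt, aad), the 32-byte keys and the wrap-with-GCM key management are assumptions of this example; the decrypt path also keeps going after a failed unwrap, as the answer recommends, so a tampered encrypted CEK, IV or tag is rejected after the same work and with the same error.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// JWEParts holds what a (simplified) JWE transmits; EncCEK = wrap nonce || wrapped CEK || tag.
type JWEParts struct {
	Header, EncCEK, IV, Ciphertext []byte
}
func random(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
func newGCM(key []byte) cipher.AEAD { // keys are 32 bytes throughout this example
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}
// aad is the question's choice: protected header only, or header || IV || EncCEK.
func aad(p JWEParts, extended bool) []byte {
	if !extended {
		return p.Header
	}
	return append(append(append([]byte{}, p.Header...), p.IV...), p.EncCEK...)
}
// Encrypt: random CEK wrapped under kek with AES-GCM (as A256GCMKW does); content AEAD-encrypted under the CEK.
func Encrypt(kek, header, plaintext []byte, extended bool) JWEParts {
	cek, kw := random(32), newGCM(kek)
	wn := random(kw.NonceSize())
	p := JWEParts{Header: header, EncCEK: kw.Seal(wn, wn, cek, nil), IV: random(12)}
	p.Ciphertext = newGCM(cek).Seal(nil, p.IV, plaintext, aad(p, extended))
	return p
}
// Decrypt never exits early on a failed unwrap, so every tampered part costs the same work to reject.
func Decrypt(kek []byte, p JWEParts, extended bool) ([]byte, error) {
	kw, n := newGCM(kek), 12 // standard GCM nonce size, used for both wrap and content
	if len(p.EncCEK) < n {
		return nil, errors.New("malformed EncCEK")
	}
	cek, err := kw.Open(nil, p.EncCEK[:n], p.EncCEK[n:], nil)
	if err != nil {
		cek = random(32) // stand-in CEK: the content Open below then fails exactly like a bad tag
	}
	return newGCM(cek).Open(nil, p.IV, p.Ciphertext, aad(p, extended))
}
```

Flipping a bit of the IV or of EncCEK makes Decrypt fail for both AAD choices, which is the answer's point that neither needs the AAD for integrity; decrypting with the other AAD rule fails too, so sender and receiver must agree on what the AAD covers.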