AEAD: Is it secure to decrypt the content encryption key before verifying the MAC?

Question

The JSON Web Encryption (JWE) standard defines a number of encryption modes with the same basic form:

1. First, the a unique content encryption key (CEK) is generated and used to encrypt the payload with associated data in an AEAD mode (e.g. AES-CBC with HMAC or AES-GCM). If a separate block cipher and MAC are used then the individual keys for each are concatenated to form the CEK.
2. Then, the CEK is encrypted with the public key of the recipient (e.g. using RSA with PKCS#1 v1.5 padding) and the result is prepended to the ciphertext.

My question is: while the underlying symmetric cipher provides authenticated encryption, the recipient must decrypt the CEK before they can verify the MAC on the underlying AEAD construction. Does RSA with appropriate padding when used just for key wrapping already provide authenticated encryption?

Answer 1

No, RSA encryption does not provide authenticity, regardless of the padding. This is for the simple reason that anybody can encrypt with the public key. This is irrespective of the asymmetric algorithm used. You need to sign the data to obtain authenticity.

What AEAD does do is to protect e.g. against padding oracle attacks. These can be performed on CBC mode encryption, which could also cost you confidentiality (leaving you with nothing).

In that case however the RSA implementation must also be protected against padding oracle attacks. That basically means that OAEP (or possibly RSA-KEM) should be used instead of PKCS#1 v1.5 compatible padding. Otherwise the PKCS#1 v1.5 unpadding must be performed in such a way that padding oracle attacks are impossible.

---

With regards to this specific protocol it seems that signatures are handled by a separate document: JSON Web Signature (JWS). Section 11.4 is called "11.4. Adaptive Chosen-Ciphertext Attacks" and explains the attack on PKCS#1 described above.