decentralized-identity / didcomm-messaging

https://identity.foundation/didcomm-messaging/spec/
Apache License 2.0

Unclear use of `tag` in key derivation and wrapping algorithm #457

Open jakubkoci opened 3 days ago

jakubkoci commented 3 days ago

I don't understand how to use a tag in the key derivation/wrapping algorithm as described in sections:

There is a mention

"As per this requirement, the JWE building must first encrypt the payload, then use the resulting tag as part of the key derivation process when wrapping the cek."

But I don't see any information on how that tag should be used in derivation of kek or wrapping of cek with kek. Am I missing something?

carez commented 2 days ago

In case it helps, my (very own) interpretation is as depicted in this diagram:

[Diagram: ECDH-1PU_tag]

Existing implementations

You can also have a look at existing implementations. I am familiar with these two in python:

Authlib

https://github.com/lepture/authlib/blob/1cba9804e8684f92b34b0f2b80dbb5c93795ce9c/authlib/jose/drafts/_jwe_algorithms.py#L137C9-L137C36

Askar

https://github.com/Indicio-tech/didcomm-messaging-python/blob/a0f6b88d39b90552d1a639334b71cb44ce07634e/didcomm_messaging/crypto/backend/askar.py#L266

jakubkoci commented 2 days ago

Thanks @carez

I found that DIDComm spec mentions 2.3 Key Derivation for ECDH-1PU Key Agreement for ECDH-1PU and that actually mentions tag exactly as your diagram depicts.

But there is no mention of tag in the spec for ECDH-ES; I found 4.6 Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES).

So, maybe it's just an incorrect copy-paste of the sentence from ECDH-1PU to ECDH-ES.

I also found a mention of the tag in the Authenticated encryption part of Understanding JSON Web Encryption (JWE).
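To make the two derivations the thread compares concrete, here is an added example (not code from the thread, the DIDComm spec, Authlib or Askar): the Concat KDF from RFC 7518 section 4.6.2, once as ECDH-ES uses it (SuppPubInfo is only keydatalen, no tag anywhere) and once as ECDH-1PU in Key Agreement with Key Wrapping mode uses it, where the content-encryption tag is appended to SuppPubInfo as a length-prefixed `cctag` field and Z is `Ze || Zs`, following draft-madden-jose-ecdh-1pu. The ECDH-ES check uses the published RFC 7518 Appendix C vector; the ECDH-1PU inputs (`DEMO_ZE`, `DEMO_ZS`, `DEMO_TAG`) are constructed stand-ins, not real ECDH outputs, and the final AES Key Wrap of the CEK with the derived KEK is left out.

```python
# Added example: Concat KDF (RFC 7518 §4.6.2) for ECDH-ES and for ECDH-1PU
# key-wrapping mode, where the AEAD tag of the already-encrypted payload is
# folded into the KEK derivation as "cctag" (draft-madden-jose-ecdh-1pu).
import hashlib
import struct


def _len_prefixed(data: bytes) -> bytes:
    """Datalen || Data encoding: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def concat_kdf_sha256(z: bytes, keydatalen_bits: int, algorithm_id: bytes,
                      party_u_info: bytes, party_v_info: bytes,
                      supp_pub_info: bytes) -> bytes:
    """Single-step Concat KDF with SHA-256, as profiled by JWE.

    Hash input per round is counter || Z || OtherInfo, with
    OtherInfo = AlgorithmID || PartyUInfo || PartyVInfo || SuppPubInfo;
    the first three are length-prefixed, SuppPubInfo arrives pre-encoded.
    """
    other_info = (_len_prefixed(algorithm_id) + _len_prefixed(party_u_info)
                  + _len_prefixed(party_v_info) + supp_pub_info)
    reps = (keydatalen_bits + 255) // 256  # number of SHA-256 rounds needed
    derived = b"".join(
        hashlib.sha256(struct.pack(">I", counter) + z + other_info).digest()
        for counter in range(1, reps + 1)
    )
    return derived[: keydatalen_bits // 8]


def ecdh_es_derive(z: bytes, alg_or_enc: str, apu: bytes, apv: bytes,
                   keydatalen_bits: int) -> bytes:
    """ECDH-ES: SuppPubInfo is only keydatalen; no authentication tag is used."""
    supp_pub_info = struct.pack(">I", keydatalen_bits)
    return concat_kdf_sha256(z, keydatalen_bits, alg_or_enc.encode(),
                             apu, apv, supp_pub_info)


def ecdh_1pu_supp_pub_info(keydatalen_bits: int, tag: bytes) -> bytes:
    """ECDH-1PU key-wrapping mode: keydatalen || cctag, cctag = Datalen || tag."""
    return struct.pack(">I", keydatalen_bits) + _len_prefixed(tag)


def ecdh_1pu_derive_kek(ze: bytes, zs: bytes, alg: str, apu: bytes, apv: bytes,
                        tag: bytes, keydatalen_bits: int = 256) -> bytes:
    """KEK derivation for e.g. ECDH-1PU+A256KW.

    Z = Ze || Zs (ephemeral-static secret then static-static secret);
    AlgorithmID is the "alg" value in key-wrapping mode; the AEAD tag of the
    payload encryption enters only through SuppPubInfo. The resulting KEK is
    what AES Key Wrap would then apply to the CEK (not shown here).
    """
    supp_pub_info = ecdh_1pu_supp_pub_info(keydatalen_bits, tag)
    return concat_kdf_sha256(ze + zs, keydatalen_bits, alg.encode(),
                             apu, apv, supp_pub_info)


# RFC 7518 Appendix C: ECDH-ES direct mode with enc "A128GCM", apu "Alice",
# apv "Bob", 128-bit key. Published shared secret and expected derived key.
RFC7518_APPENDIX_C_Z = bytes([158, 86, 217, 29, 129, 113, 53, 211, 114, 131,
                              66, 131, 191, 132, 38, 156, 251, 49, 110, 163,
                              218, 128, 106, 72, 246, 218, 167, 121, 140, 254,
                              144, 196])
RFC7518_APPENDIX_C_KEY = bytes([86, 170, 141, 234, 248, 35, 109, 32, 92, 34,
                                40, 205, 113, 167, 16, 26])


def rfc7518_vector_matches() -> bool:
    """True when our ECDH-ES derivation reproduces the RFC 7518 Appendix C key."""
    return ecdh_es_derive(RFC7518_APPENDIX_C_Z, "A128GCM", b"Alice", b"Bob",
                          128) == RFC7518_APPENDIX_C_KEY


# Constructed stand-ins for the ECDH-1PU demo (not real ECDH outputs).
DEMO_ZE = bytes(range(32))
DEMO_ZS = bytes(range(32, 64))
DEMO_TAG = bytes.fromhex("00112233445566778899aabbccddeeff")  # 16-byte AEAD tag


def demo_tag_binds_kek() -> tuple:
    """Return (kek, kek_with_tampered_tag): flipping one tag bit changes the KEK."""
    kek = ecdh_1pu_derive_kek(DEMO_ZE, DEMO_ZS, "ECDH-1PU+A256KW",
                              b"Alice", b"Bob", DEMO_TAG)
    tampered_tag = bytes([DEMO_TAG[0] ^ 0x01]) + DEMO_TAG[1:]
    kek_tampered = ecdh_1pu_derive_kek(DEMO_ZE, DEMO_ZS, "ECDH-1PU+A256KW",
                                       b"Alice", b"Bob", tampered_tag)
    return kek, kek_tampered


if __name__ == "__main__":
    print("RFC 7518 Appendix C vector ok:", rfc7518_vector_matches())
    kek, kek_tampered = demo_tag_binds_kek()
    print("ECDH-1PU KEK:          ", kek.hex())
    print("KEK with tampered tag: ", kek_tampered.hex())
```

Because the KEK depends on the tag, a recipient must unwrap the CEK only after recomputing the KEK from the tag it actually received; any modification of the ciphertext or tag then yields a different KEK, the unwrap fails its integrity check, and the message is rejected before decryption is attempted. This is the binding between payload encryption and key wrapping that the quoted spec sentence refers to, and the same SuppPubInfo construction is what the Authlib and Askar implementations linked above compute.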