Envelope AEAD Malleability

Affected Versions: All Tink versions
Affected Key Types: All Envelope AEAD key types


Envelope encryption uses a third-party provider (such as GCP or AWS) to encrypt a data encryption key (DEK).

It is possible to modify certain parts of the encrypted DEK without detection when using KmsEnvelopeAead with AwsKmsAead or GcpKmsAead as the remote provider. This is due to the inclusion of unauthenticated metadata (for instance version numbers). Modifications to this unauthenticated data are not detected by the provider.

Note that this violates indistinguishability under adaptive chosen-ciphertext attack (IND-CCA-2) for this interface, although the ciphertext can still decrypt to the correct DEK. When using this interface, don't presume that each DEK corresponds to only a single encrypted DEK.
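The consequence for code that identifies, deduplicates, or denylists keys by the bytes of the encrypted DEK, shown as an added example that is not Tink's code. The `toy_kms_*` functions and the `version || nonce || ct || tag` layout are constructed stand-ins for a remote provider and are not the AWS or GCP ciphertext format; the keystream is a toy for illustration only.

```python
import hashlib, hmac, os

KEK = os.urandom(32)      # constructed stand-in for the key held by the remote KMS
FP_KEY = os.urandom(32)   # local key used only to fingerprint unwrapped DEKs

def _stream(key, nonce, n):
    # Toy keystream (HMAC-SHA256 in counter mode), for illustration only.
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def toy_kms_wrap(dek, version=1):
    # Constructed format: version(1) || nonce(16) || ct || tag(32).
    # The tag covers nonce and ct but NOT the version byte (unauthenticated metadata).
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(dek, _stream(KEK, nonce, len(dek))))
    tag = hmac.new(KEK, b"mac" + nonce + ct, hashlib.sha256).digest()
    return bytes([version]) + nonce + ct + tag

def toy_kms_unwrap(blob):
    nonce, ct, tag = blob[1:17], blob[17:-32], blob[-32:]
    expected = hmac.new(KEK, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(KEK, nonce, len(ct))))

def id_from_ciphertext(blob):
    # Fragile: assumes each DEK has exactly one encrypted form.
    return hashlib.sha256(blob).hexdigest()

def id_from_dek(blob):
    # Robust: identify the DEK after unwrapping, with a keyed fingerprint.
    return hmac.new(FP_KEY, toy_kms_unwrap(blob), hashlib.sha256).hexdigest()

def demo():
    original = toy_kms_wrap(os.urandom(32))
    variant = bytes([original[0] ^ 1]) + original[1:]   # only the metadata byte differs
    return original, variant

if __name__ == "__main__":
    a, b = demo()
    print("same DEK:", toy_kms_unwrap(a) == toy_kms_unwrap(b))
    print("ciphertext ids match:", id_from_ciphertext(a) == id_from_ciphertext(b))
    print("DEK fingerprints match:", id_from_dek(a) == id_from_dek(b))
```

Any lookup table, cache key, or revocation list built on `id_from_ciphertext` treats the two blobs as different keys; one built on `id_from_dek` does not.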