Envelope AEAD Malleability
- Affected Versions: All Tink versions
- Affected Key Types: All Envelope AEAD key types
Description
Envelope encryption uses a third-party provider (such as GCP or AWS) to encrypt a data encryption key (DEK). It is possible to modify certain parts of the encrypted DEK without detection when using KmsEnvelopeAead with AwsKmsAead or GcpKmsAead as the remote provider. This is due to the inclusion of unauthenticated metadata (for instance version numbers). Modifications to this unauthenticated data are not detected by the provider.
Note that this violates the adaptive chosen-ciphertext attack property (IND-CCA-2) for this interface, although the ciphertext can still decrypt to the correct DEK. When using this interface, don't presume that each DEK corresponds to only a single encrypted DEK.
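What that last sentence means for code that indexes, deduplicates or revokes by encrypted-DEK bytes, shown as an added example that is not part of the original page or of Tink. The provider is a mock built from the standard library with a constructed blob layout (one unauthenticated metadata byte), and `mock_kms_wrap`, `mock_kms_unwrap` and `dek_id` are hypothetical names; deriving the identifier from the decrypted DEK is an assumption about one way to avoid relying on the encrypted form.

```python
import hashlib
import hmac
import os

# Mock remote provider (constructed for illustration, not a real KMS format):
# blob = 1 metadata byte || 16-byte nonce || 32-byte encrypted DEK || 32-byte tag.
# The tag covers nonce and ciphertext only, so the metadata byte is
# unauthenticated, modelling the situation the page describes.
KEK = hashlib.sha256(b"constructed key-encryption key").digest()


def _stream(nonce: bytes) -> bytes:
    return hmac.new(KEK, b"enc" + nonce, hashlib.sha256).digest()


def mock_kms_wrap(dek: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(dek, _stream(nonce)))
    tag = hmac.new(KEK, b"mac" + nonce + ct, hashlib.sha256).digest()
    return b"\x01" + nonce + ct + tag


def mock_kms_unwrap(blob: bytes) -> bytes:
    nonce, ct, tag = blob[1:17], blob[17:49], blob[49:81]
    expected = hmac.new(KEK, b"mac" + nonce + ct, hashlib.sha256).digest()
    if len(blob) != 81 or not hmac.compare_digest(tag, expected):
        raise ValueError("invalid encrypted DEK")
    return bytes(a ^ b for a, b in zip(ct, _stream(nonce)))


def dek_id(dek: bytes) -> str:
    """Identifier derived from the DEK itself, not from its encrypted form."""
    return hmac.new(dek, b"dek-id", hashlib.sha256).hexdigest()


def demo() -> dict:
    dek = os.urandom(32)
    original = mock_kms_wrap(dek)
    variant = b"\x02" + original[1:]          # only the metadata byte differs
    by_blob = {original, variant}             # index keyed on encrypted-DEK bytes
    by_dek = {dek_id(mock_kms_unwrap(b)) for b in (original, variant)}
    return {
        "same_dek": mock_kms_unwrap(original) == mock_kms_unwrap(variant) == dek,
        "entries_keyed_on_blob": len(by_blob),
        "entries_keyed_on_dek": len(by_dek),
    }


if __name__ == "__main__":
    print(demo())
```

An index keyed on the encrypted DEK sees two distinct entries for what is one DEK, while the index keyed on `dek_id` sees one.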
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-11-14 UTC.