- Affected Versions: All Tink versions
- Affected Key Types: All Envelope AEAD key types
Description
Envelope encryption uses a third-party provider (such as GCP or AWS) to encrypt a data encryption key (DEK). It is possible to modify certain parts of the encrypted DEK without detection when using KmsEnvelopeAead with AwsKmsAead or GcpKmsAead as the remote provider. This is due to the inclusion of unauthenticated metadata (for instance version numbers). Modifications to this unauthenticated data are not detected by the provider.
Note that this violates the adaptive chosen-ciphertext attack property (IND-CCA-2) for this interface, although the ciphertext can still decrypt to the correct DEK. When using this interface, don't presume that each DEK corresponds to only a single encrypted DEK.
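
What this means for code that tracks DEKs, as an added example (not Tink code, and not the AWS or GCP blob format): `toy_wrap`/`toy_unwrap` are a constructed stand-in for a provider whose blob carries one unauthenticated version byte, and the two identifier helpers are hypothetical. An identifier derived from the encrypted DEK bytes misses a second encoding of the same DEK, while one derived from the unwrapped DEK does not.

```python
import hashlib, hmac, os

KMS_KEY = os.urandom(32)  # stand-in for the key held by the remote provider

def _prf(label: bytes, data: bytes) -> bytes:
    return hmac.new(KMS_KEY, label + data, hashlib.sha256).digest()

def toy_wrap(dek: bytes, version: int = 1) -> bytes:
    """Constructed blob: version byte || nonce || masked DEK || MAC.
    As in the issue described above, the MAC does not cover the version byte."""
    if len(dek) > 32:
        raise ValueError("toy model handles DEKs up to 32 bytes")
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(dek, _prf(b"enc", nonce)))
    return bytes([version]) + nonce + body + _prf(b"mac", nonce + body)

def toy_unwrap(blob: bytes) -> bytes:
    nonce, body, tag = blob[1:17], blob[17:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(b"mac", nonce + body)):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(body, _prf(b"enc", nonce)))

def id_from_blob(blob: bytes) -> str:
    """Fragile: assumes one encrypted DEK per DEK."""
    return hashlib.sha256(blob).hexdigest()

def id_from_dek(dek: bytes, index_key: bytes) -> str:
    """Robust: keyed fingerprint of the unwrapped DEK itself."""
    return hmac.new(index_key, dek, hashlib.sha256).hexdigest()

def demo():
    dek, index_key = os.urandom(32), os.urandom(32)
    blob = toy_wrap(dek)
    other = bytes([blob[0] ^ 1]) + blob[1:]  # same DEK, different metadata byte
    retired_blobs = {id_from_blob(blob)}
    retired_deks = {id_from_dek(dek, index_key)}
    return (
        toy_unwrap(other) == dek,                                   # still unwraps
        id_from_blob(other) in retired_blobs,                       # blob check misses
        id_from_dek(toy_unwrap(other), index_key) in retired_deks,  # DEK check hits
    )

if __name__ == "__main__":
    print(demo())
```

Caches, deduplication tables and retirement lists for DEKs should therefore be keyed on a fingerprint of the DEK, never on the encrypted DEK bytes.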