AEAD, Subtle API

Affected Versions: Tink C++ 1.0 - 1.3.x
Affected Key Types: Subtle API, AES-CTR-HMAC and EncryptThenAuthenticate.

Description

Before Version 1.4.0, AES-CTR-HMAC-AEAD keys and the EncryptThenAuthenticate subtle implementation may be vulnerable to chosen-ciphertext attacks. An attacker can generate ciphertexts that bypass the HMAC verification if and only if all of the following conditions are true:

Tink C++ is used on systems where size_t is a 32-bit integer. This is usually the case on 32-bit machines.
The attacker can specify long (>= 2^29 bytes or ~536MB) associated data.

This issue was reported by Quan Nguyen of Snap security team.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2023-07-11 UTC.