- Affected Versions
  - Tink C++ 1.0 - 1.3.x
- Affected Key Types
  - Subtle API, AES-CTR-HMAC and EncryptThenAuthenticate.
Description
Before Version 1.4.0, AES-CTR-HMAC-AEAD keys and the EncryptThenAuthenticate subtle implementation may be vulnerable to chosen-ciphertext attacks. An attacker can generate ciphertexts that bypass the HMAC verification if and only if all of the following conditions are true:
- Tink C++ is used on systems where `size_t` is a 32-bit integer. This is usually the case on 32-bit machines.
- The attacker can specify long (>= 2^29 bytes or ~536MB) associated data.
This issue was reported by Quan Nguyen of the Snap security team.
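The two conditions meet at 2^29 × 8 = 2^32: a bit count of that much associated data no longer fits in a 32-bit `size_t`. The C++ below is an added example, not Tink's code; it assumes the associated-data length is authenticated as a bit count in an 8-byte big-endian field, and `BitLength32`, `BitLength64`, `EncodeBigEndian64` and `AadLengthAllowed` are hypothetical names.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>

// Threshold from the advisory: 2^29 bytes of associated data (AAD).
constexpr uint64_t kAadLimitBytes = uint64_t{1} << 29;

// Bit length as 32-bit size_t arithmetic yields it: wraps modulo 2^32.
uint32_t BitLength32(uint64_t aad_bytes) {
  return static_cast<uint32_t>(static_cast<uint32_t>(aad_bytes) * 8u);
}

// Bit length widened to 64 bits before multiplying: no wrap.
uint64_t BitLength64(uint64_t aad_bytes) { return aad_bytes * 8u; }

// Assumed layout for this example: 8-byte big-endian length field.
std::string EncodeBigEndian64(uint64_t v) {
  std::string out(8, '\0');
  for (int i = 7; i >= 0; --i) {
    out[i] = static_cast<char>(v & 0xff);
    v >>= 8;
  }
  return out;
}

// Input guard for a build that cannot yet move to 1.4.0: refuse AAD that
// meets the second condition when size_t is 32 bits wide.
bool AadLengthAllowed(uint64_t aad_bytes,
                      std::size_t size_t_bytes = sizeof(std::size_t)) {
  return size_t_bytes > 4 || aad_bytes < kAadLimitBytes;
}

int main() {
  const uint64_t big = kAadLimitBytes + 5;  // constructed sample length
  std::cout << "size_t is " << sizeof(std::size_t) * 8 << " bits\n"
            << "32-bit field: " << BitLength32(big) << "\n"
            << "64-bit field: " << BitLength64(big) << "\n"
            << "allowed on this build: " << AadLengthAllowed(big) << "\n";
  return 0;
}
```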