AEAD, Subtle API

Affected Versions
Tink C++ 1.0 - 1.3.x
Affected Key Types
Subtle API, AES-CTR-HMAC and EncryptThenAuthenticate.

Description

Before Version 1.4.0, AES-CTR-HMAC-AEAD keys and the EncryptThenAuthenticate subtle implementation may be vulnerable to chosen-ciphertext attacks. An attacker can generate ciphertexts that bypass the HMAC verification if and only if all of the following conditions are true:

  • Tink C++ is used on systems where size_t is a 32-bit integer. This is usually the case on 32-bit machines.
  • The attacker can specify long (>= 2^29 bytes or ~536MB) associated data.

This issue was reported by Quan Nguyen of Snap security team.