There is a risk of an IV collision when using the awskms or aesgcm provider, both of which generate a random IV for every encryption.
As per NIST SP 800-38D section 8.3, it is unsafe to encrypt more than 2^32 plaintexts under the same key when using a random IV, because beyond that point the probability that two encryptions share an IV is no longer negligible.
This limit could easily be reached given the use case of database column encryption (one encryption per value written, under a key that is rarely rotated); worse still, the ciphertexts are persisted and stored together, so an attacker who obtains the database holds every ciphertext needed to find a collision.
An IV collision under AES-GCM means the two encryptions share a CTR keystream: an attacker with access to the ciphertexts can recover the XOR of the two colliding plaintexts, and therefore each plaintext once the other is known or guessable (column values are often low-entropy or partly predictable). IV reuse in GCM can also leak the GHASH authentication subkey, allowing the attacker to forge ciphertexts that authenticate under the affected key.
It is not possible to fix the aesgcm provider without a breaking change. It should be documented that users must not encrypt more than 2^32 values under any one key, and should rotate keys well before approaching that bound.
It is possible to fix the awskms package without introducing a breaking change by switching to a counter-based IV (the deterministic construction of NIST SP 800-38D section 8.2.1). A counter-based IV is only safe if the counter never repeats for a given key, so it must be persisted across restarts and, where several processes encrypt under the same key, partitioned between them.
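As an added example (not code from the project or from the original report), the following Go program demonstrates both halves of the issue: RecoverUnderIVReuse shows what an attacker gains from a single IV collision under AES-GCM, and CounterIV is a counter-based IV generator of the kind suggested above for awskms. The names RecoverUnderIVReuse, CounterIV, NewCounterIV and RandomCounterIV, the all-zero demo key and the sample column values are assumptions constructed for this demonstration; only Go's crypto/cipher standard library is used, and nothing here is the provider's own interface.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"sync"
)

// ErrIVExhausted is returned once a CounterIV can no longer produce a unique IV.
var ErrIVExhausted = errors.New("IV counter exhausted; rotate the key")

// xorBytes returns a XOR b, truncated to the shorter operand.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// RecoverUnderIVReuse shows the cost of an IV collision. GCM encrypts in CTR
// mode, so two ciphertexts made under the same key and IV share a keystream;
// XORing them cancels it and leaves p1 XOR p2, and an attacker who knows one
// plaintext reads the other without the key. The IV reuse here is deliberate.
func RecoverUnderIVReuse(key, iv, known, secret []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	c1 := gcm.Seal(nil, iv, known, nil) // same IV twice: the collision under discussion
	c2 := gcm.Seal(nil, iv, secret, nil)
	// Drop the 16-byte tags; only the CTR-encrypted bodies share keystream.
	body1, body2 := c1[:len(known)], c2[:len(secret)]
	return xorBytes(xorBytes(body1, body2), known), nil
}

// CounterIV is the deterministic construction of SP 800-38D section 8.2.1:
// a 32-bit fixed field naming the encrypting context followed by a 64-bit
// invocation counter. Uniqueness no longer rests on luck but on never
// repeating a counter value, enforced here with a mutex and a refusal to wrap.
type CounterIV struct {
	mu      sync.Mutex
	fixed   [4]byte
	counter uint64
}

// NewCounterIV starts the counter at start, e.g. a value persisted alongside
// the ciphertexts so a restart cannot replay IVs; use 0 for a fresh context.
func NewCounterIV(fixed [4]byte, start uint64) *CounterIV {
	return &CounterIV{fixed: fixed, counter: start}
}

// RandomCounterIV draws the fixed field at random so independent processes
// sharing a key are unlikely to collide; a deployment that can coordinate
// should assign distinct fixed fields explicitly instead.
func RandomCounterIV() (*CounterIV, error) {
	var fixed [4]byte
	if _, err := rand.Read(fixed[:]); err != nil {
		return nil, err
	}
	return NewCounterIV(fixed, 0), nil
}

// Next returns a fresh 12-byte IV, or ErrIVExhausted when every counter
// value has been used; the caller must then rotate the key.
func (c *CounterIV) Next() ([]byte, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.counter == ^uint64(0) {
		return nil, ErrIVExhausted
	}
	iv := make([]byte, 12)
	copy(iv[:4], c.fixed[:])
	binary.BigEndian.PutUint64(iv[4:], c.counter)
	c.counter++
	return iv, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key (all zeros)
	iv := make([]byte, 12)  // any IV becomes fatal once it is used twice
	got, err := RecoverUnderIVReuse(key, iv, []byte("ssn=000-00-0000"), []byte("ssn=123-45-6789"))
	fmt.Printf("recovered without the key: %q (err=%v)\n", got, err)
}
```

Running the program prints the second column value recovered without the key. The counter IV keeps the 32-bit fixed field plus 64-bit counter layout; the fixed field is what keeps two processes encrypting under the same key apart, so it has to be distinct per process (or per data key), and the counter has to survive restarts, otherwise the generator replays IVs and recreates exactly the collision it was meant to prevent.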