tink-crypto / tink

Tink is a multi-language, cross-platform, open source library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.
https://developers.google.com/tink
Apache License 2.0

Key commitment attack mitigation #648

Closed kyle-leonhard closed 4 months ago

kyle-leonhard commented 1 year ago

Hey Tink developers! In 2020, the AWS encryption SDK introduced (announcement) "key commitment" to mitigate attacks against authenticated encryption schemes using symmetric keys (e.g. AES-GCM). There are now a handful of published papers showing practical attacks (paper). In short, an attacker can craft 2 keys such that the ciphertext authenticates with both keys.

Has Tink implemented or plans to implement any fixes to address this?

My understanding of AWS's scheme: AWS uses HKDF to derive an encryption key and a commit key from a generated data key. Additionally, an EC key pair is generated. Both the commit key and the EC public key are included in the format's header. The derived encryption key is used to authenticate the format's header and encrypt the data. Finally, both the header and the encrypted body are signed with the EC private key. The signature is appended as a footer.

As part of decryption, the commit key is derived and compared against the one included in the header.
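A minimal version of the commitment check described in this post, as an added example that is neither Tink's nor the AWS Encryption SDK's code: HKDF (RFC 5869, built from the standard library) derives an encryption key and a commit key from the data key, the commit key goes into the header, and the decrypting side recomputes it from the candidate key and compares it before doing anything with the body. The EC signature footer is omitted; the `DERIVEKEY`/`COMMITKEY` labels, the 32-byte lengths and the use of a random message ID as HKDF salt are assumptions, not the SDK's actual constants.

```python
import hashlib
import hmac
import os

# Added example, not Tink or AWS Encryption SDK code. Labels, lengths and the
# message-ID-as-salt choice are illustrative assumptions.


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Extract followed by HKDF-Expand (RFC 5869) with HMAC-SHA-256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(data_key: bytes, message_id: bytes) -> tuple:
    """Derive (encryption key, commit key) from one data key.

    Distinct 'info' labels bind each output to its purpose: the commit key is
    published in the header, the encryption key never leaves the caller.
    """
    enc_key = hkdf(data_key, message_id, b"DERIVEKEY", 32)
    commit_key = hkdf(data_key, message_id, b"COMMITKEY", 32)
    return enc_key, commit_key


def build_header(data_key: bytes) -> dict:
    """Encryption side: fresh message ID plus the commit key for this data key."""
    message_id = os.urandom(32)
    _, commit_key = derive_keys(data_key, message_id)
    return {"message_id": message_id, "commit_key": commit_key}


def check_commitment(header: dict, candidate_key: bytes) -> bool:
    """Decryption side: recompute the commit key from the candidate key and
    compare it in constant time with the header value. A mismatch means this
    is not the key the message was committed to, so decryption must stop
    here, before any AEAD tag check on the body is attempted."""
    _, expected = derive_keys(candidate_key, header["message_id"])
    return hmac.compare_digest(expected, header["commit_key"])
```

Because the commit key is a one-way function of the data key, a header built under one key fails `check_commitment` under any other key, which is exactly the property a plain AES-GCM tag does not give.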

kste commented 4 months ago

Hi! To close this out: We currently don't plan to modify our existing implementation of schemes like AES-GCM to be key/context committing. Adding a key/context committing version of e.g. AES-GCM would be an option; however, as there is no standard for this, we are concerned about interoperability issues here. If you require a key committing scheme, then we would recommend using AES-CTR-HMAC right now.