GHSA-g5vf-v6wf-7w2r

Suggest an improvement
Source
https://github.com/advisories/GHSA-g5vf-v6wf-7w2r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/10/GHSA-g5vf-v6wf-7w2r/GHSA-g5vf-v6wf-7w2r.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-g5vf-v6wf-7w2r
Aliases
Published
2020-10-16T00:51:24Z
Modified
2023-11-08T04:04:19.465376Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Ciphertext Malleability Issue in Tink Java
Details

Impact

Tink's Java version before 1.5 under some circumstances allowed attackers to change the key ID part of the ciphertext, resulting in the attacker creating a second ciphertext that will decrypt to the same plaintext. This can be a problem in particular in the case of encrypting with a deterministic AEAD with a single key, and relying on the fact that there is only a single valid ciphertext per plaintext.

No loss of confidentiality or loss of plaintext integrity occurs due to this problem, only ciphertext integrity is compromised.

Patches

The issue was fixed in this pull request.

Workarounds

The only workaround is to backport the fixing pull request.

Details

Tink uses the first five bytes of a ciphertext for a version byte and a four byte key ID. Since each key has a well defined prefix, this extends non-malleability properties (but technically not indistinguishability). However, in the Java version this prefix lookup used a hash map indexed by unicode strings instead of the byte array, which means that invalid Unicode characters would be replaced by U+FFFD by the Java API's default behavior. This means several different values for the five bytes would result in the same hash table key, which allows an attacker to exchange one invalid byte sequence for another, creating a mutated ciphertext that still decrypts (to the same plaintext).

Acknowledgements

We'd like to thank Peter Esbensen for finding this issue and raising it internally.

For more information

If you have any questions or comments about this advisory: * Open an issue in Tink

References

Affected packages

Maven / com.google.crypto.tink:tink

Package

Name
com.google.crypto.tink:tink
View open source insights on deps.dev
Purl
pkg:maven/com.google.crypto.tink/tink

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.5.0

Affected versions

1.*

1.0.0
1.1.0
1.1.1
1.2.0-rc2
1.2.0-rc3
1.2.0-rc4
1.2.0
1.2.1
1.2.2
1.3.0-rc1
1.3.0-rc2
1.3.0-rc3
1.3.0-rc4
1.3.0
1.4.0-rc1
1.4.0-rc2
1.4.0