Skip to content

Ciphertext Malleability Issue in Tink Java

Low severity GitHub Reviewed Published Oct 15, 2020 in tink-crypto/tink • Updated Jan 9, 2023

Package

maven com.google.crypto.tink:tink (Maven)

Affected versions

< 1.5.0

Patched versions

1.5.0

Description

Impact

Tink's Java version before 1.5 under some circumstances allowed attackers to change the key ID part of the ciphertext, resulting in the attacker creating a second ciphertext that will decrypt to the same plaintext. This can be a problem in particular in the case of encrypting with a deterministic AEAD with a single key, and relying on the fact that there is only a single valid ciphertext per plaintext.

No loss of confidentiality or loss of plaintext integrity occurs due to this problem, only ciphertext integrity is compromised.

Patches

The issue was fixed in this pull request.

Workarounds

The only workaround is to backport the fixing pull request.

Details

Tink uses the first five bytes of a ciphertext for a version byte and a four byte key ID. Since each key has a well defined prefix, this extends non-malleability properties (but technically not indistinguishability). However, in the Java version this prefix lookup used a hash map indexed by unicode strings instead of the byte array, which means that invalid Unicode characters would be replaced by U+FFFD by the Java API's default behavior. This means several different values for the five bytes would result in the same hash table key, which allows an attacker to exchange one invalid byte sequence for another, creating a mutated ciphertext that still decrypts (to the same plaintext).

Acknowledgements

We'd like to thank Peter Esbensen for finding this issue and raising it internally.

For more information

If you have any questions or comments about this advisory:

  • Open an issue in Tink

References

@thaidn thaidn published to tink-crypto/tink Oct 15, 2020
Reviewed Oct 16, 2020
Published to the GitHub Advisory Database Oct 16, 2020
Last updated Jan 9, 2023

Severity

Low

EPSS score

0.056%
(25th percentile)

CVE ID

CVE-2020-8929

GHSA ID

GHSA-g5vf-v6wf-7w2r

Source code

No known source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.