Streaming AEAD overflow
Stay organized with collections
Save and categorize content based on your preferences.
- Affected Versions
- Tink version 1.0 - 1.3.x on Java
- Tink version 1.0 - 1.3.x on Android
- Tink version 1.0 - 1.3.x on Golang
- Affected Key Types
- AES-GCM-HKDF
Description
Streaming AEAD implementations encrypt the plaintext in
segments. Tink uses a 4-byte segment counter. When encrypting a stream
consisting of more than 232 segments, the segment counter might
overflow and lead to leakage of key material or plaintext.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-11-14 UTC.
[null,null,["Last updated 2024-11-14 UTC."],[[["\u003cp\u003eTink versions 1.0 to 1.3.x on Java, Android, and Golang are impacted by a security vulnerability.\u003c/p\u003e\n"],["\u003cp\u003eThe vulnerability affects the AES-GCM-HKDF key type when used with Streaming AEAD.\u003c/p\u003e\n"],["\u003cp\u003eEncrypting large data streams (over 2^32^ segments) with the vulnerable versions can lead to key material or plaintext leakage due to a segment counter overflow.\u003c/p\u003e\n"]]],["Tink versions 1.0-1.3.x on Java, Android, and Golang are affected, specifically with AES-GCM-HKDF key types. The issue arises in Streaming AEAD implementations where data is encrypted in segments. When a stream exceeds 2^32 segments, the 4-byte segment counter overflows. This overflow can potentially cause the leakage of key material or plaintext.\n"],null,["# Streaming AEAD overflow\n\nAffected Versions\n: Tink version 1.0 - 1.3.x on Java\n: Tink version 1.0 - 1.3.x on Android\n: Tink version 1.0 - 1.3.x on Golang\n\nAffected Key Types\n: AES-GCM-HKDF\n\nDescription\n-----------\n\n[Streaming AEAD](/tink/streaming-aead) implementations encrypt the plaintext in\nsegments. Tink uses a 4-byte segment counter. When encrypting a stream\nconsisting of more than 2^32^ segments, the segment counter might\noverflow and lead to leakage of key material or plaintext."]]
