Skip to content

Incorrect sort order for encryption context keys in AES-GCM keyrings #428

@bdonlan

Description

@bdonlan

The encryption context serialization code incorrectly sorts context keys using a locale-dependent comparator:

.sort(([aKey], [bKey]) => aKey.localeCompare(bKey))

While unsorted context keys are generally tolerated in the ESDK header itself, when using the AES-GCM keyring this is used to canonicalize the encryption context before entering it into the AAD for the AES-GCM keyring. As such, when certain unicode characters (eg Cryllic characters) are used in encryption context keys, the sort order can disagree both with other ESDK languages, and even within the JS ESDK (depending on locale selection). @seebees has more specific examples of keys that can cause this failure mode.

The correct sort order is a binary comparison of the UTF-8 encodings of the encryption context keys (this is what the C ESDK does, at least).

Security implications: Even with the locale sort (which may not be a total ordering), the AAD encoding is unambiguous (keys and values are unambiguously delineated) and therefore it's hard to see a way it could lead to incorrectly accepting ciphertexts that shouldn't. As such I would consider this to be purely a compatibility issue unless proven otherwise.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions