Uploaded image for project: 'Libmongocrypt'
  1. Libmongocrypt
  2. MONGOCRYPT-537

Switch QE to CBC for user data

    XMLWordPrintableJSON

Details

    • Icon: Task Task
    • Resolution: Fixed
    • Icon: Major - P3 Major - P3
    • 1.8.0, 1.8.0-alpha0
    • None
    • None
    • None
    • Not Needed

    Description

      Change from CTR cipher mode to CBC cipher mode for encrypting the user data. In final cipher in use will be AES-256-CBC with AEAD provided by HMAC-SHA-256. This is not the same as the FLE 1 algorithm which took half of SHA-512 for AEAD.

      This impacts kFLE2EqualityIndexedValueV2 and kFLE2RangeIndexedValueV2. Also, a new unindexed encrypted value type will be needed that uses CBC.

      In the server code, only the QE code that calls _mongocrypt_fle2aead_do_encryption is affected by this change.

      Attachments

        Activity

          People

            sara.golemon@mongodb.com Sara Golemon
            mark.benvenuto@mongodb.com Mark Benvenuto
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: