Core Server / SERVER-74052

Switch QE to CBC for user data

Details

    • Task
    • Resolution: Fixed
    • Major - P3
    • 7.0.0-rc0
    • None
    • None
    • None
    • Server Security
    • Fully Compatible
    • Security 2023-02-20, Security 2023-03-06

    Description

      Change from CTR cipher mode to CBC cipher mode for encrypting the user data. The final cipher in use will be AES-256-CBC with AEAD provided by HMAC-SHA-256. This is not the same as the FLE 1 algorithm, which took half of SHA-512 for AEAD.

      This impacts kFLE2EqualityIndexedValueV2 and kFLE2RangeIndexedValueV2. Also, a new unindexed encrypted value type will be needed that uses CBC.

      In the server code, only the QE code that calls encryptDataWithAssociatedData is affected by this change.
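
An added example (not MongoDB's code and not taken from the ticket) of the construction the description names: AES-256-CBC with an HMAC-SHA-256 tag that is verified before any CBC decryption, written with Node.js's built-in crypto module. The byte layout, the separate 32-byte encryption and MAC keys, the length-prefixed MAC input and all function names are assumptions, since the server's actual format is not given on this page.

```javascript
const nodeCrypto = require('node:crypto');

// Assumed layout (not from the ticket): IV(16) || ciphertext || tag(32).
// MAC input: uint64be(len(aad)) || aad || IV || ciphertext; the length prefix
// keeps the boundary between AAD and IV unambiguous for variable-length AAD.
function macInput(aad, body) {
  const len = Buffer.alloc(8);
  len.writeBigUInt64BE(BigInt(aad.length));
  return Buffer.concat([len, aad, body]);
}

// Full 32-byte HMAC-SHA-256 tag, as named in the ticket for the new format.
function tag(macKey, aad, body) {
  return nodeCrypto.createHmac('sha256', macKey).update(macInput(aad, body)).digest();
}

// Contrast: "half of SHA-512" as the ticket describes FLE 1. Also 32 bytes,
// but a different function, so the two tags are not interchangeable.
function truncatedSha512Tag(macKey, aad, body) {
  return nodeCrypto.createHmac('sha512', macKey).update(macInput(aad, body)).digest().subarray(0, 32);
}

function seal(encKey, macKey, aad, plaintext) {
  const iv = nodeCrypto.randomBytes(16); // fresh random IV per message
  const c = nodeCrypto.createCipheriv('aes-256-cbc', encKey, iv); // PKCS#7 padding by default
  const body = Buffer.concat([iv, c.update(plaintext), c.final()]);
  return Buffer.concat([body, tag(macKey, aad, body)]);
}

function open(encKey, macKey, aad, msg) {
  // Need IV + at least one block + tag, and a whole number of blocks.
  if (msg.length < 64 || msg.length % 16 !== 0) throw new Error('malformed ciphertext');
  const body = msg.subarray(0, msg.length - 32);
  // Verify first, in constant time, so CBC padding is never examined on forged input.
  if (!nodeCrypto.timingSafeEqual(msg.subarray(msg.length - 32), tag(macKey, aad, body))) {
    throw new Error('authentication failed');
  }
  const d = nodeCrypto.createDecipheriv('aes-256-cbc', encKey, body.subarray(0, 16));
  return Buffer.concat([d.update(body.subarray(16)), d.final()]);
}
```

Unlike CTR, CBC output is padded to a whole number of blocks, so stored values grow to the next 16-byte boundary plus the IV and tag.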


          People

            erwin.pe@mongodb.com Erwin Pe
            mark.benvenuto@mongodb.com Mark Benvenuto