- Type: Improvement
- Resolution: Unresolved
- Priority: Major - P3
- Affects Version/s: None
- Component/s: Queryable Encryption
- Server Security
- Security 2024-07-08, Security 2024-07-22, Security 2024-08-05, Security 2024-08-19, Security 2024-09-02, Security 2024-09-16, Security 2024-09-30, Security 2024-10-14, Security 2024-10-28, Security 2024-11-11, Security 2024-11-25, Security 2024-12-09, Security 2024-12-23, Security 2025-01-20, RnD Security 2025-03-03, Security 2025-03-17, Security 2025-03-31, Server Security 2025-04-14, Server Security 2025-04-28, Server Security 2025-05-09, Server Security 2025-05-23, Server Security 2025-06-06, Server Security 2025-06-20, Server Security 2025-07-04, Server Security 2025-07-20, Server Security 2025-08-01, Server Security 2025-08-15, Server Security 2025-08-29, Server Security 2025-09-12, Server Security 2025-09-26, Server Security 2025-10-10, Server Security 2025-10-24, Server Security 2025-11-07
Scope
Add encryption parameters to QE payloads intended for the server. contentionFactor is already present in payloads. Add: min, max, trimFactor, sparsity, precision to the range payloads:
- FLE2InsertUpdatePayloadV2
- FLE2FindRangePayloadV2.
Reject incoming QE payloads created with values differing from the server's encryptedFields.
Background & Motivation
If a QE payload is generated with parameters that do not match the server, the server may quietly accept the values. This may result in incorrect query responses.
Here is a runnable example. Relevant snippet:
```python
from pymongo.encryption import Algorithm, QueryType

# db, client_encryption, key_id and encrypted_fields are set up in the full example.

# Create the collection with contention_factor=1
coll = db.create_collection("coll", encryptedFields=encrypted_fields)

# Insert with contention_factor=2
payload = client_encryption.encrypt(
    "foo", Algorithm.INDEXED, key_id, contention_factor=2
)
coll.insert_one({"encrypted": payload})  # No error!

# Find with contention_factor=1
find_payload = client_encryption.encrypt(
    "foo",
    Algorithm.INDEXED,
    key_id,
    query_type=QueryType.EQUALITY,
    contention_factor=1,
)
doc = coll.find_one({"encrypted": find_payload})
print(f"Got document: {doc}")  # Sometimes 'None'!
```
See Safeguard mismatched encryption parameters for a further description.
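
The comparison described under Scope, written as an added example (not MongoDB server or driver code): it looks up the parameters pinned in encryptedFields for a field and reports every supplied value that differs, including the contention mismatch from the snippet above. The `payload_params` dict and its key names are assumptions standing in for the decoded payload fields, the sample schema is constructed, and server-side defaults for omitted parameters are not modeled.

```python
# Added example: payload_params and its key names are hypothetical stand-ins
# for the parameters a QE payload would carry.
RANGE_PARAMS = ("min", "max", "trimFactor", "sparsity", "precision")


def configured_params(encrypted_fields, path, query_type):
    """Return the parameters encryptedFields pins for (path, query_type)."""
    for field in encrypted_fields.get("fields", []):
        if field.get("path") != path:
            continue
        queries = field.get("queries", [])
        if isinstance(queries, dict):  # "queries" may be one document or a list
            queries = [queries]
        for query in queries:
            if query.get("queryType") == query_type:
                names = ("contention",)
                if query_type == "range":
                    names += RANGE_PARAMS
                return {n: query[n] for n in names if n in query}
    raise LookupError(f"{path!r} is not configured for {query_type!r} queries")


def mismatches(encrypted_fields, path, query_type, payload_params):
    """List (name, configured, supplied) for every parameter that differs."""
    expected = configured_params(encrypted_fields, path, query_type)
    return [
        (name, value, payload_params.get(name))  # supplied is None if missing
        for name, value in expected.items()
        if payload_params.get(name) != value
    ]


# Constructed sample schema; the ticket does not show its encrypted_fields.
SAMPLE_FIELDS = {
    "fields": [
        {"path": "encrypted", "bsonType": "string",
         "queries": [{"queryType": "equality", "contention": 1}]},
        {"path": "age", "bsonType": "int",
         "queries": {"queryType": "range", "contention": 1, "min": 0,
                     "max": 200, "trimFactor": 1, "sparsity": 2}},
    ]
}

if __name__ == "__main__":
    # The insert from the ticket: contention 2 against a schema that says 1.
    print(mismatches(SAMPLE_FIELDS, "encrypted", "equality", {"contention": 2}))
```

A non-empty result is the condition under which the payload would be rejected; run before `client_encryption.encrypt`, the same check catches the mismatch on the client side.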
- has to be done after: SERVER-91889 Add parameter placeholders in QE payloads (Closed)
- related to: DRIVERS-3255 Get explicit encryption parameters from schema (Backlog)