Libmongocrypt / MONGOCRYPT-537

Switch QE to CBC for user data

    • Type: Task
    • Resolution: Fixed
    • Priority: Major - P3
    • 1.8.0, 1.8.0-alpha0
    • Affects Version/s: None
    • Component/s: None
    • None

      Change from CTR cipher mode to CBC cipher mode for encrypting the user data. The final cipher in use will be AES-256-CBC with AEAD provided by HMAC-SHA-256. This is not the same as the FLE 1 algorithm, which took half of SHA-512 for AEAD.

      This impacts kFLE2EqualityIndexedValueV2 and kFLE2RangeIndexedValueV2. Also, a new unindexed encrypted value type will be needed that uses CBC.

      In the server code, only the QE code that calls _mongocrypt_fle2aead_do_encryption is affected by this change.

            Assignee:
            sara.golemon@mongodb.com Sara Golemon
            Reporter:
            mark.benvenuto@mongodb.com Mark Benvenuto