The algorithm used for TDE is AES-CTR, which is robust for ensuring confidentiality.
However, AES-CTR does not ensure integrity, which means the cipherText could be tampered with, and no one would know.
This kind of vulnerability can lead to subtle real-life attacks:
- efail.de which affected OpenPGP and S/MIME
- PDFEx which affected PDF encryption
- more recently Mega https://mega-awry.io/pdf/mega-malleable-encryption-goes-awry.pdf in which the malleability of the AES-CTR is exploited to leak bits of the private key encrypted with it…
I know there is a checksum that uses either CRC32 or XXHash64, and that there is a sanity check to assess if the encryption key is the correct one, but faced with a malicious attacker, those mechanisms are probably not robust enough.
Would it be possible to either:
- change the encryption algorithm to AES-GCM, which has very similar properties since it is also a counter mode, but which is an authenticated encryption scheme that ensures both confidentiality and integrity
- add a MAC (like HMAC-SHA256) calculated with a secondary key for each cipherText and check it before decrypting it.
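As an added illustration of the malleability described above and of the second proposal (encrypt-then-MAC with a secondary key), here is a small Go program that is not code from the project or from the original post; the keys, IV and plaintext are constructed for the example, and the storage layout is assumed to be iv || ciphertext || tag.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"hash/crc32"
)
// Constructed demo key material (assumptions for this example, not real TDE keys).
var encKey = []byte("0123456789abcdef0123456789abcdef") // AES-256 key
var macKey = []byte("fedcba9876543210fedcba9876543210") // separate HMAC key
var iv = []byte("constructed-iv16")                    // 16-byte CTR IV
// ctrXOR runs AES-CTR over in; the same call both encrypts and decrypts.
func ctrXOR(key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}
// tag is the encrypt-then-MAC tag HMAC-SHA256(macKey, iv || ct).
func tag(iv, ct []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(iv)
	h.Write(ct)
	return h.Sum(nil)
}
// openVerified compares the tag in constant time and only then decrypts.
func openVerified(iv, ct, t []byte) ([]byte, bool) {
	if !hmac.Equal(tag(iv, ct), t) {
		return nil, false
	}
	return ctrXOR(encKey, iv, ct), true
}
// Demo returns the plaintext an unverified reader sees after one ciphertext byte is changed, whether a keyless CRC32 still passes, and whether the HMAC path rejects it.
func Demo() (string, bool, bool) {
	pt := []byte("balance=100")
	ct := ctrXOR(encKey, iv, pt)
	t := tag(iv, ct)
	bad := append([]byte(nil), ct...)
	bad[8] ^= '1' ^ '9' // CTR is XOR-malleable: plaintext byte 8 flips from '1' to '9'
	restamped := crc32.ChecksumIEEE(bad) // keyless checksum: whoever alters ct can store a new one
	crcOK := crc32.ChecksumIEEE(bad) == restamped
	_, ok := openVerified(iv, bad, t)
	return string(ctrXOR(encKey, iv, bad)), crcOK, !ok
}
```

The unverified path silently returns "balance=900" and the re-stamped CRC32 passes, while the HMAC check fails because the tag cannot be recomputed without macKey.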