Encryption algorithm used for TDE does not provide integrity protection

The algorithm used for TDE is AES-CTR, which is robust for ensuring confidentiality.

However, AES-CTR does not ensure integrity, which means the cipherText could be tampered with, and no one would know.

This kind of vulnerability can lead to subtle real-life attacks:

I know there is a checksum that uses either CRC32 or XXHash64, and that there is a sanity check to assess if the encryption key is the correct one, but faced with a malicious attacker, those mechanisms are probably not robust enough.

Would it be possible to either:

  • change the encryption algorithm to AES-GCM, which has very similar properties since it is also a counter mode, but which is an authenticated encryption scheme that ensures both confidentiality and integrity
  • add a MAC (like HMAC-SHA256) calculated with a secondary key for each cipherText and check it before decrypting it.
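The malleability the post describes, and both of the proposed fixes, as an added example that is not part of the original post or of the project's own code. It uses only Go's standard library; the record `balance=100`, the 32-byte keys and the `ctrSeal`/`etmSeal`/`gcmSeal` helper names are constructed for the demo and do not model the project's real record layout or checksum. With plain AES-CTR, XORing one ciphertext byte after the IV turns the decrypted `100` into `900` with no error; the encrypt-then-MAC variant (HMAC-SHA256 under a separate key, verified in constant time before any decryption) and AES-GCM both reject the same flip.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// ctrXOR applies the AES-CTR keystream for (key, iv) to in; encryption and decryption
// are the same XOR, so a flipped ciphertext bit comes out as a flipped plaintext bit.
func ctrXOR(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// ctrSeal returns iv || ciphertext. Confidentiality only: nothing binds the bytes to the key.
func ctrSeal(key, pt []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct, err := ctrXOR(key, iv, pt)
	return append(iv, ct...), err
}

// etmSeal is encrypt-then-MAC: HMAC-SHA256 under a separate macKey over iv || ciphertext,
// appended as a 32-byte tag.
func etmSeal(encKey, macKey, pt []byte) ([]byte, error) {
	blob, err := ctrSeal(encKey, pt)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(blob)
	return mac.Sum(blob), nil
}

// etmOpen checks the tag in constant time and refuses to decrypt if it does not match.
func etmOpen(encKey, macKey, blob []byte) ([]byte, error) {
	if len(blob) < aes.BlockSize+sha256.Size {
		return nil, errors.New("ciphertext too short")
	}
	body, tag := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("MAC verification failed")
	}
	return ctrXOR(encKey, body[:aes.BlockSize], body[aes.BlockSize:])
}

// gcmSeal returns nonce || ciphertext || tag; AES-GCM's tag covers all of it.
func gcmSeal(aead cipher.AEAD, pt []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize()) // 12 bytes for standard GCM
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pt, nil), nil
}

// gcmOpen fails on any change to nonce, ciphertext or tag.
func gcmOpen(aead cipher.AEAD, blob []byte) ([]byte, error) {
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

func main() {
	encKey := []byte("0123456789abcdef0123456789abcdef") // demo keys only, never hard-code real ones
	macKey := []byte("fedcba9876543210fedcba9876543210")
	rec, off, delta := []byte("balance=100"), len("balance="), byte('1'^'9') // constructed record
	ct, _ := ctrSeal(encKey, rec)
	ct[aes.BlockSize+off] ^= delta // flip one ciphertext byte after the 16-byte IV
	pt, err := ctrXOR(encKey, ct[:aes.BlockSize], ct[aes.BlockSize:])
	fmt.Printf("CTR only: %q err=%v\n", pt, err) // "balance=900" err=<nil>
	ct, _ = etmSeal(encKey, macKey, rec)
	ct[aes.BlockSize+off] ^= delta
	_, err = etmOpen(encKey, macKey, ct)
	fmt.Println("CTR+HMAC:", err)
	block, _ := aes.NewCipher(encKey)
	aead, _ := cipher.NewGCM(block)
	ct, _ = gcmSeal(aead, rec)
	ct[aead.NonceSize()+off] ^= delta // same flip, after the nonce
	_, err = gcmOpen(aead, ct)
	fmt.Println("AES-GCM:", err)
}
```

Two details matter in the encrypt-then-MAC path: the MAC key is distinct from the encryption key, and `etmOpen` compares tags with `hmac.Equal` and returns before any decryption, so a forged record never reaches the code that parses it. A CRC32 or XXHash64 checksum cannot give this property, because an attacker who can flip ciphertext bytes can recompute an unkeyed checksum over the result.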