java cryptography tink

Google Tink Hybrid params


Google Tink supports "hybrid encryption" - a convenience method of encrypting a symmetric key with an asymmetric one, encrypting a plaintext with the symmetric key, and bundling the two ciphertexts as one message.

However, it seems like it basically supports two sets of parameter combinations:

EciesAeadHkdfPrivateKeyManager.eciesP256HkdfHmacSha256Aes128GcmTemplate();
EciesAeadHkdfPrivateKeyManager.eciesP256HkdfHmacSha256Aes128CtrHmacSha256Template();

Internally, these are mapped to e.g.

  public static final KeyTemplate eciesP256HkdfHmacSha256Aes128GcmTemplate() {
    return createKeyTemplate(
        EllipticCurveType.NIST_P256,
        HashType.SHA256,
        EcPointFormat.UNCOMPRESSED,
        AesGcmKeyManager.aes128GcmTemplate(),
        KeyTemplate.OutputPrefixType.TINK,
        EMPTY_SALT);
  }

It'd seem fairly straightforward to swap e.g. AesGcmKeyManager.aes128GcmTemplate() for AesGcmKeyManager.aes256GcmTemplate(), except createKeyTemplate is private, and THAT uses package-private methods, and EciesAeadHkdfPrivateKeyManager is final, and overall it just seems like it's going out of its way to prevent us from messing with those parameters. Is there a reason for that? Should I reconstitute my own modified version from code scrounged from the Tink source and/or just use reflection to bypass private, or are there hidden non-orthogonalities to trip me up and make the result insecure?


Solution

  • The creators cite "Hard-to-misuse" as a design goal, specifically the idea of "security guarantees" for interfaces. (https://github.com/google/tink/blob/master/docs/SECURITY-USABILITY.md)

    "For example, if the underlying encryption mode requires nonces and is insecure if nonces are reused, then Tink does not allow the passing of nonces by the user."

    I can see how that applies in this case, but there is a deprecated class (com.google.crypto.tink.hybrid.HybridKeyTemplates) that does what you describe. It has a public method createEciesAeadHkdfKeyTemplate that accepts all the internal params (https://github.com/google/tink/blob/master/java_src/src/main/java/com/google/crypto/tink/hybrid/HybridKeyTemplates.java#L127)
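
Added example, not part of the answer above and not Tink's own code: a round trip through the deprecated HybridKeyTemplates.createEciesAeadHkdfKeyTemplate with the AES-256-GCM template swapped in, using only public API instead of reflection. It assumes a Tink Java release that still ships the deprecated proto-based classes (HybridKeyTemplates, AeadKeyTemplates, KeysetHandle.generateNew(proto KeyTemplate)) and that the parameter order mirrors the private createKeyTemplate quoted in the question; the class name and sample strings are constructed.

```java
import com.google.crypto.tink.HybridDecrypt;
import com.google.crypto.tink.HybridEncrypt;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.aead.AeadKeyTemplates;
import com.google.crypto.tink.hybrid.HybridConfig;
import com.google.crypto.tink.hybrid.HybridKeyTemplates;
import com.google.crypto.tink.proto.EcPointFormat;
import com.google.crypto.tink.proto.EllipticCurveType;
import com.google.crypto.tink.proto.HashType;
import com.google.crypto.tink.proto.KeyTemplate;
import com.google.crypto.tink.proto.OutputPrefixType;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;

// Hypothetical class name; the sample plaintext and context strings are constructed.
public final class EciesAes256GcmExample {
  public static void main(String[] args) throws Exception {
    HybridConfig.register(); // registers the ECIES key managers and the AEAD DEMs

    // Same parameters as eciesP256HkdfHmacSha256Aes128GcmTemplate(), except the DEM.
    KeyTemplate template = HybridKeyTemplates.createEciesAeadHkdfKeyTemplate(
        EllipticCurveType.NIST_P256,
        HashType.SHA256,
        EcPointFormat.UNCOMPRESSED,
        AeadKeyTemplates.AES256_GCM,   // swapped in for the AES-128-GCM template
        OutputPrefixType.TINK,
        new byte[0]);                  // empty HKDF salt, as in the built-in template

    KeysetHandle privateHandle = KeysetHandle.generateNew(template);
    KeysetHandle publicHandle = privateHandle.getPublicKeysetHandle();
    HybridEncrypt encryptor = publicHandle.getPrimitive(HybridEncrypt.class);
    HybridDecrypt decryptor = privateHandle.getPrimitive(HybridDecrypt.class);

    byte[] plaintext = "constructed sample message".getBytes(StandardCharsets.UTF_8);
    byte[] context = "constructed context info".getBytes(StandardCharsets.UTF_8);
    byte[] ciphertext = encryptor.encrypt(plaintext, context);

    if (!Arrays.equals(plaintext, decryptor.decrypt(ciphertext, context))) {
      throw new IllegalStateException("round trip failed");
    }
    // The context info is bound to the ciphertext: a different value must be rejected.
    try {
      decryptor.decrypt(ciphertext, "other context".getBytes(StandardCharsets.UTF_8));
      throw new IllegalStateException("decryption with wrong context succeeded");
    } catch (GeneralSecurityException expected) {
      System.out.println("wrong context rejected, AES-256-GCM DEM round trip OK");
    }
  }
}
```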