Additional authenticated data (AAD) is any string that you pass toCloud Key Management Service as part of an encrypt or decrypt request. AAD is used as anintegrity check and can help protect your data from aconfused deputy attack. The AAD string must be no larger than 64 KiB.

Cloud KMS will not decrypt ciphertext unless the same AAD value isused for both encryption and decryption.

AAD is bound to the encrypted data, because you cannot decrypt the ciphertextunless you know the AAD, but it is not stored as part of the ciphertext. AAD alsodoes not increase the cryptographic strength of the ciphertext. Instead it is anadditional check by Cloud KMS to authenticate a decryption request.

In Cloud KMS, AAD is always present when you make a call to encryptor decrypt - if you do not provide a value for AAD, then an empty string isused. If an empty string is used as the AAD for the encryption of plaintext,then only an empty string will allow decryption of the ciphertext.

AAD is not logged byCloud Audit Logs.

Another example is if your application needs to use bearer tokens that containsome private information, such as an email address. Inputs to the bearer tokenwould be the authenticated data used for a bearer token plus the plaintext emailaddress. These inputs would then get encrypted so the bearer token that getsexchanged is in the form ofAdditional Encrypted Authenticated Data (AEAD).

Confused deputy attack example

This example shows how an application could be tricked into decryptingciphertext on behalf of a malicious user. The application is the confused deputyin this example because the application is unaware the attacker has tricked theapplication into misusing its authority. The result is the attacker is able toview decrypted data that originally was encrypted for another user. Note in thisattack, the attacker does not need to know the encryption key, because it relieson the confused deputy to perform the decryption.

1. A diary application allows users to maintain a private diary. Each diaryentry is encrypted and intended to be decrypted only by the user that createdthe diary entry.

2. Alice creates a diary entry. The application encrypts the diary entry andthen stores the encrypted diary entry at a location reserved for diary entriesthat belong to Alice.

3. Alice sends a request to view her diary entry. Because the encrypted diaryentry is at a location reserved for Alice, the application decrypts the data andreturns it as the response to Alice's request. This is the intended behaviour ofthe application.

4. Mallory copies Alice's diary entry from the location reserved for Aliceto the location reserved for Mallory.

5. Mallory sends a request to view Mallory's copy of Alice's diary entry.Because the copy of Alice's diary entry is at a location reserved for Mallory,the application decrypts the diary entry and returns the plaintext as theresponse to Mallory's request. Mallory can then view Alice's diary entry, whichis not the intended behaviour of the application.

To defend against this type of attack, the application can use a non-emptystring as AAD for encryption and decryption. The AAD provides an extracheck for decryption requests. When Mallory sends the decryption request to viewMallory's copy of Alice's diary entry, Mallory's request will not succeed unlessMallory can also trick the application into using the correct AAD.

Storing or reproducing AAD

Before encrypting with AAD, decide whether you willstore the AAD side-by-sidewith the encrypted data, orreproduce the AAD, for subsequent decryption.

A reason to store AAD is to make it straightforward to use the AAD when you needto decrypt ciphertext. For example, a database row could contain both theciphertext and the AAD used when the plaintext was encrypted. When a decryptrequest is received, the application can retrieve both the AAD and theciphertext from the database. The application can then use the AAD for theciphertext decryption process.

A reason to reproduce AAD is to verify any non-private data while also avoidingstorage of the AAD. For example, if you want to ensure that the filepath andfilename of an encrypted file has not changed, you can include the filepath andfilename as AAD when you encrypt the file. Then, when a decrypt request is sentfor the file, you can reproduce the AAD by examining the filepath and filename.

Storing AAD

Storing AAD means AAD is saved and then readily available by your applicationfor future use. For example, a database table could contain a column forciphertext and a column for the AAD used when the ciphertext was created. Whenit is time to decrypt the ciphertext, the application retrieves the AAD and usesit for the decryption.