[openssl-users] openssl commandline client use
openssl-users at dukhovni.org
Thu Oct 11 03:12:17 UTC 2018
On Thu, Oct 11, 2018 at 01:23:41AM +0000, Michael Wojcik wrote:
> - Data recovery from an encrypted backup is tough. With CBC, one bit goes
> astray and you've lost everything after that.
No, a 1 bit error in CBC ciphertext breaks only the current block,
and introduces a 1 bit error into the plaintext of the next block.
After that, you're back in sync.
But yes, indeed "openssl enc" offers little integrity protection.
One should probably break the data into chunks and encrypt and MAC
each chunk with the MAC covering the chunk sequence number, and
whether it is the last chunk.
More information about the openssl-users