[openssl-users] openssl commandline client use

Uri Blumenthal uri at ll.mit.edu
Thu Oct 11 10:15:24 UTC 2018


On Oct 11, 2018, at 05:03, Matt Caswell <matt at openssl.org> wrote:
> On 11/10/18 09:47, Peter Magnusson wrote:
>> You would be better off with AES-CCM or such for your backup, that
>> gives you the integrity check.
>> i.e. you would be reasonably sure what you decrypt is encrypted with your key.
> 
> I'd just point out that CCM and other AEAD modes are not supported in
> the openssl enc app.

Yes, and many of us are eagerly waiting for this deficiency to be remedied! ;-)


>> Using CBC in any new design does not make much sense.

This depends on the use case and the threat model.

>> - CBC is weak against oracle attacks (online interactions with a
>> decryption oracle)

Assuming a decryption oracle is applicable in the given use case. Not everything is online, and not everything is a web service. ;-)

>> - CBC has no protection against modifications. If decryption succeeds,
>> you don't know if the resulting plaintext originated from

Which is why non-AE modes should be accompanied by MAC’ing the ciphertext. (Moxie Marlinspike’s principle ;)

On the other hand, AEAD modes tend to fail catastrophically if key+nonce is reused. Unlike, e.g., CBC, which merely reveals that two cipher texts came from the same plaintext (“pick your poison”).
Again, depends on the use case and the threat model.
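The "MAC the ciphertext" construction Uri refers to (encrypt-then-MAC around a non-AE mode), shown with the openssl CLI that the thread discusses. This is an added example, not code from the thread; the keys, the three-file layout (.iv/.ct/.tag) and the function names are constructed for the demo.

```shell
#!/bin/sh
# Encrypt-then-MAC with the openssl CLI: AES-256-CBC for confidentiality,
# HMAC-SHA256 over IV||ciphertext for integrity, verified BEFORE decrypting.
# Demo keys are constructed inline; real keys come from a KDF or keystore,
# with independent keys for the cipher and for the MAC.
ENC_KEY=$(printf '%064d' 1)   # 32-byte AES key as hex (constructed demo value)
MAC_KEY=$(printf '%064d' 2)   # separate HMAC key as hex (constructed demo value)

# hmac_tag FILE... -> hex HMAC-SHA256 over the concatenation of FILE...
hmac_tag() {
  cat "$@" | openssl dgst -sha256 -mac HMAC -macopt hexkey:"$MAC_KEY" | awk '{print $NF}'
}

# etm_encrypt PLAINTEXT OUTBASE: writes OUTBASE.iv, OUTBASE.ct and OUTBASE.tag
etm_encrypt() {
  openssl rand -hex 16 > "$2.iv"                     # fresh random IV per message
  openssl enc -aes-256-cbc -K "$ENC_KEY" -iv "$(cat "$2.iv")" -in "$1" -out "$2.ct"
  hmac_tag "$2.iv" "$2.ct" > "$2.tag"                # tag covers IV and ciphertext
}

# etm_decrypt OUTBASE PLAINTEXT_OUT: recomputes the tag and refuses to decrypt
# (returns 1, writes nothing) on mismatch, so tampered data never reaches CBC.
etm_decrypt() {
  expected=$(hmac_tag "$1.iv" "$1.ct")
  # Plain string compare is not constant-time: fine for offline backup files,
  # not for an online service that answers many decryption requests.
  [ "$expected" = "$(cat "$1.tag")" ] || { echo "MAC mismatch: refusing to decrypt" >&2; return 1; }
  openssl enc -d -aes-256-cbc -K "$ENC_KEY" -iv "$(cat "$1.iv")" -in "$1.ct" -out "$2"
}
```

Any change to the IV or ciphertext (including a CBC bit-flip in the first block) changes the tag, so etm_decrypt stops before openssl ever sees the modified bytes.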



