[openssl-users] openssl commandline client use

Michael Wojcik Michael.Wojcik at microfocus.com
Thu Oct 11 12:42:31 UTC 2018

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Matt Caswell
> Sent: Thursday, October 11, 2018 05:04
> On 11/10/18 09:47, Peter Magnusson wrote:
> > You would be better off with AES-CCM or such for your backup, that
> > gives you the integrity check.
> > i.e. you would be reasonably sure what you decrypt is encrypted with your key.
> I'd just point out that CCM and other AEAD modes are not supported in
> the openssl enc app.

And even if they were, the AEAD modes are fragile (vulnerable to misuse). GCM of course is completely vulnerable to nonce reuse, which is why some people (e.g. Bernstein) disavow it completely. CCM is similarly vulnerable to key+counter reuse, so RFC 4309, for example, requires fresh keys for each encryption.

That was the main point of my original message: roll-your-own cryptosystems are a Bad Idea. I think providing advice like "use an AEAD mode" is bad, because it implies that crypto non-experts can safely create cryptosystems that avoid well-known pitfalls. History suggests otherwise.

Michael Wojcik
Distinguished Engineer, Micro Focus
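
The nonce-reuse fragility described in the message above, as an added example that is not part of the original post. Because `openssl enc` does not support GCM or CCM, AES-128-CTR (the keystream mode both of them encrypt with) stands in; the key, IVs, plaintexts and function names are constructed for this example.

```shell
#!/bin/sh
# Constructed sample values: a fixed key, and two IVs to compare reuse vs. no reuse.
KEY=000102030405060708090a0b0c0d0e0f
IV=0f0e0d0c0b0a09080706050403020100
IV2=0f0e0d0c0b0a09080706050403020101

# Hex-encode stdin as one lowercase string.
hex() { od -An -v -tx1 | tr -d ' \n'; }

# Encrypt stdin with AES-128-CTR under KEY and the IV given in $1; print hex.
ctr_hex() { openssl enc -aes-128-ctr -K "$KEY" -iv "$1" | hex; }

# XOR two equal-length hex strings, two hex digits (one byte) at a time.
xor_hex() {
  xa=$1; xb=$2; xout=
  while [ -n "$xa" ]; do
    xout="$xout$(printf '%02x' $(( 0x${xa%"${xa#??}"} ^ 0x${xb%"${xb#??}"} )))"
    xa=${xa#??}; xb=${xb#??}
  done
  printf '%s' "$xout"
}

# Succeeds when XOR(ciphertext1, ciphertext2) equals XOR(plaintext1, plaintext2),
# i.e. when the two ciphertexts alone reveal how the plaintexts relate.
# $1 = IV used for message 1, $2 = IV used for message 2.
leaks_plaintext_xor() {
  p1="backup-2018-10-10"; p2="backup-2018-10-11"   # constructed plaintexts
  c1=$(printf '%s' "$p1" | ctr_hex "$1")
  c2=$(printf '%s' "$p2" | ctr_hex "$2")
  px=$(xor_hex "$(printf '%s' "$p1" | hex)" "$(printf '%s' "$p2" | hex)")
  [ "$(xor_hex "$c1" "$c2")" = "$px" ]
}

# Same key and IV for both messages: the keystream cancels out.
if leaks_plaintext_xor "$IV" "$IV"; then
  echo "reused IV: ciphertext XOR equals plaintext XOR"
fi
# Fresh IV for the second message: the keystreams differ and nothing cancels.
if ! leaks_plaintext_xor "$IV" "$IV2"; then
  echo "fresh IV: ciphertext XOR reveals nothing about the plaintexts"
fi
```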
