> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Matt Caswell
> Sent: Thursday, October 11, 2018 05:04
>
>
> On 11/10/18 09:47, Peter Magnusson wrote:
> > You would be better off with AES-CCM or such for your backup, that
> > gives you the integrity check.
> > i.e. you would be reasonably sure what you decrypt is encrypted with your
> > key.
>
> I'd just point out that CCM and other AEAD modes are not supported in
> the openssl enc app.

And even if they were, the AEAD modes are fragile (vulnerable to misuse). GCM 
of course is completely vulnerable to nonce reuse, which is why some people 
(e.g. Bernstein) disavow it completely. CCM is similarly vulnerable to 
key+counter reuse, so RFC 4309, for example, requires fresh keys for each 
encryption.

That was the main point of my original message: roll-your-own cryptosystems are 
a Bad Idea. I think providing advice like "use an AEAD mode" is bad, because it 
implies that crypto non-experts can safely create cryptosystems that avoid 
well-known pitfalls. History suggests otherwise.

--
Michael Wojcik
Distinguished Engineer, Micro Focus
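As an added illustration of the two points above (AEAD gives you the integrity check, but nonce reuse breaks it), here is a small Go wrapper around the standard library's AES-GCM; this is example code written for this page, not anything from the thread or from OpenSSL. The Sealer type and the ErrNonceReuse guard are assumptions for the example; KeystreamLeak deliberately bypasses the guard to show what nonce reuse leaks.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// ErrNonceReuse is a guard assumed for this example, not an OpenSSL or Go API.
var ErrNonceReuse = errors.New("aead: nonce already used under this key")
// Sealer wraps AES-GCM and remembers every nonce used under its key.
type Sealer struct {
	aead cipher.AEAD
	seen map[string]bool
}
func NewSealer(key []byte) (*Sealer, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail: AES has a 128-bit block
	return &Sealer{aead: aead, seen: map[string]bool{}}, nil
}
// Seal refuses a 96-bit nonce already used under this key; returns nonce||ct||tag.
func (s *Sealer) Seal(nonce, pt, aad []byte) ([]byte, error) {
	if s.seen[string(nonce)] {
		return nil, ErrNonceReuse
	}
	s.seen[string(nonce)] = true
	return s.aead.Seal(append([]byte{}, nonce...), nonce, pt, aad), nil
}
// Open verifies the tag before releasing plaintext; one flipped bit errors out.
func (s *Sealer) Open(msg, aad []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(msg) < n+s.aead.Overhead() {
		return nil, errors.New("aead: message too short")
	}
	return s.aead.Open(nil, msg[:n], msg[n:], aad)
}
// KeystreamLeak bypasses the guard to show why it exists: under one key+nonce,
// ct1 XOR ct2 == pt1 XOR pt2 for every shared byte (CTR keystream reuse).
func (s *Sealer) KeystreamLeak(nonce, pt1, pt2 []byte) bool {
	c1, c2 := s.aead.Seal(nil, nonce, pt1, nil), s.aead.Seal(nil, nonce, pt2, nil)
	for i := 0; i < len(pt1) && i < len(pt2); i++ {
		if c1[i]^c2[i] != pt1[i]^pt2[i] {
			return false
		}
	}
	return true
}
```

The in-memory set only protects one process; a counter that repeats after a restart, a restored backup or a cloned VM is exactly the key+nonce reuse the thread warns about, which is why RFC 4309 demands fresh keys.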



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users