Hacker News new | ask | show | jobs
Ask HN: Is openssl enc a good choice for file encryption?
7 points by caivvoacmh 3423 days ago
I recently read a blog post[1] where the author shows how to use openssl to encrypt a file that will be uploaded to an untrusted third-party.

The encryption process is as follows:

# Generate RSA key pair

  openssl genrsa -out backup_key.priv.pem 4096
  openssl rsa -in backup_key.priv.pem -out backup_key.pub.pem -outform PEM -pubout
# Encrypt the private key (need to enter a password)

  openssl enc -aes-256-cbc -in backup_key.priv.pem -out backup_key.priv.pem.enc
  rm backup_key.priv.pem
# Encrypt backup file

  openssl rand 64 | tee >(openssl enc -aes-256-cbc -salt -pass stdin -in backup.tar.gz 
  -out backup.tar.gz.enc) | 
  openssl rsautl -encrypt -pubin -inkey backup_key.pub.pem -out backup.tar.gz-aeskey.enc
I'm not a cryptographer, but knowing that openssl has suffered from numerous vulnerabilities I decided to google `openssl enc` to get a sense of its security. After reading:

"if you use `openssl enc`, make sure your password has high entropy"[2]

"it looks like openssl enc is still using a very weak KDF"[3]

"The commandline utilities in general are fairly minimal wrappers around functionality in libssl and libcrypto, and if you want something complete, polished, convenient, etc. the idea is you should either modify or replace them"[4]

I'm left wondering if using openssl for file encryption is a good choice if security is paramount.

Can crypto experts please comment. Thanks in advance.

[1]: https://summitroute.com/blog/2016/12/25/creating_disaster_recovery_backups/

[2]: https://security.stackexchange.com/a/29139

[3]: https://security.stackexchange.com/questions/29106/openssl-recover-key-and-iv-by-passphrase#comment202222_29139

[4]: https://security.stackexchange.com/a/129067
2 comments
Canada 3423 days ago
One problem is there's no authentication. The malicious server could modify your backup.

Another scary thing about this is the fact that you have to keep track of the AES key for the backup as well as your private RSA key and its password. That's going to get nasty for more than a couple of files.

If you're going to do backups like this you're better off just sticking with GPG.

link
matt_wulfeck 3423 days ago
Yes Canada is right. Asymmetrical encryption is what you want. You can bake the signature into all of your hosts that need it, that way they encrypt a file without needing to know how to decrypt it.

Ask your third-party to supply a gpg public key over a secure channel, then it's very to encrypt files for them (and only them) to read.

link
bwackwat 3423 days ago
He is uploading files to an UNTRUSTED third party.

I'm personally curious about the best solution...

@Canada, if the "malicious"(untrusted?) server modifies the backup how could you decrypt anyway?

link
Canada 3423 days ago
CBC mode is malleable. I can modify a block and the previous blocks won't be corrupted. The blocks I modify will silently decrypt, although I won't know what the output will be. Regardless, the decrypted output may still do something harmful.

The solution is to generate a hash or a MAC after encrypting. A plain hash would have to be kept locally because the malicious server could modify it if stored there. A MAC could be stored on the server, but then it would be necessary to derive another key for that and store it locally. (Or store the input for deriving the encryption key and MAC key... in any case, annoying)

GPG takes care of all this for you. Bottom line: Avoid OpenSSL command line for this kind of thing.

link
caivvoacmh 3423 days ago
Do I follow correctly that the issue with using `openssl enc` is the cipher `aes-256-cbc` not providing integrity of the encrypted file?

Even if you wanted to use a more secure cipher according to [this](https://security.stackexchange.com/questions/128883/basic-qu...) `openssl enc` does not support the more secure ciphers that openssl tls does.

Is this the reason to avoid openssl for file encryption?

link
Canada 3423 days ago
TLS and AES-CBC aren't comparable.

AES-CBC is just a block cipher mode of operation. TLS is a protocol that takes care of negotiating algorithms for key exchange, bulk encryption (which may be a block cipher using some mode), authentication, etc. All of these things combined is the "suite" of ciphers. Implementations provide decent tooling for managing keys and preferences.

Like TLS, GPG uses a suite of ciphers to do its job and provides tools to manage it without getting caught up in extremely low level details. Like TLS, the default suite of algorithms it prefers change with the times, but from a user perspective it stays the same.

link
bwackwat 3423 days ago
I agree that using the command line for this type of problem is going to be problematic.

I also see clearly how hashing the encrypted data before "storing it at this 3rd party" would allow you to verify CBC block modifications.

I guess I don't understand GPG well enough to see how it solves this problem better than AES CBC 256. Could you perchance provide a link? Or explain how GPG would take care of this?

link
caivvoacmh 3423 days ago
The third-party is not taking part in the encryption.
link
caivvoacmh 3423 days ago
When I read "authentication" I think of the process of providing a username/password to authenticate with an online service, e.g. facebook.

Is authentication wrt to encryption not when you provide the password to encrypt/decrypt?

link
Canada 3423 days ago
No, it's not. Authentication means ensuring the data is not tampered with between the time it's encrypted and decrypted.
link
bwackwat 3423 days ago
Use AES 256 bit encryption. It looks like you found some openssl command line tools to do this, which appears fine. (I can't speak on the details of that particular tool.) Depending on your technology stack, there are probably a number of tools which can programmatically encrypt and decrypt files.

For example, I use CryptoPP for AES 256 bit encryption in C++.

link