I run

openssl-enc.pod explains why this is not supported from the command line, i.e.: If you want to see a test that uses AEAD, run
There are 2 tests that use fixed tables from acvp_test.inc.

As @slontis wrote. To support AEAD ciphers in the enc command, all of the output needs to be buffered before any is emitted. Letting something downstream use the data before it has been authenticated is a critical vulnerability.

It's a bit insane to allow things that are a lot more dangerous (unauthenticated broken CBC encryption, and all the other modes where you have no idea of the integrity of the data at all) but block this.

What is the advised way to do AES-256-GCM encryption with command line tooling like openssl enc? I can vaguely find "openssl cms" but that tells me nothing, and examples for that seem to be hidden quite well (can't quite find it).

Would you mind repeating that in English?

Please read the above comments. You need to write code, and you need to understand the restrictions of GCM before using it.

But why? Having it in a command line tool helps a lot in lowering an already very high bar and makes it scriptable. If I recall correctly, libressl does allow this in the cli tool. But mixing the 2 *ssl projects is super confusing so I'd rather not. Requiring code only ups the threshold of attempting to use it. It still doesn't guarantee proper usage. Heck, I'd even argue that encrypting in code is far more likely to be done wrongly than doing it in the cli. See, with a cli you - as the authors of said cli - have a way to guide the user to do the right thing. You lose that with code.

It is impossible to know if the GCM decryption is correct until the very end. At that point it's not possible to tell the receiver to ignore everything processed thus far. It's possible to get a few cases correct but not all. What happens if the output is a pipe? Or if the output overwrites an existing file? Moreover, it is trivial to flip bits in the plaintext with GCM mode. If this isn't discovered until the very end after the payload has been mostly processed, it is a critical vulnerability. I'll also note that GCM was designed for data in transit not data at rest. Using it for data at rest is a misuse IMO.

In my case I want to encrypt video data, which is the exact situation where AES-GCM shines. It surprises me that the openssl opinion is so... how to put it politely... intentionally overly constrained. Sure, it's all possible, but your current approach makes it a lot more complex than it needs to be. Are you sure a reconsideration of this (with libressl in mind where this is possible) isn't in order?

Video data is arguably one of the worst cases, the data will almost certainly be used before the validity is checked after everything has been decrypted. This is a massive shortcoming in GCM -- you must decrypt everything before even a single byte can be consumed. Yes, I know it's really fast but it's completely insecure when used like this. I've been asked about using GCM sans integrity check sufficiently often that I came up with Pauli's Mutual Fund.
If you run the same commands, you will end up with different ciphertext. Don't worry, flip the same six bits as I did in the first four bytes of the final row of data. In my example these were originally
This example is for CTR mode but GCM is identical in operation. Hence, I doubt that the
I just had a look at the LibreSSL 3.5.3 source code, the

You are essentially saying that Netflix doesn't know what they are doing. What you find most when googling for AES gcm vs ctr is that GCM should be the superior one in every way. That a comparable security to GCM would be CTR+HMAC. The HMAC part is omitted in GCM because it's "built in". Now I'm sure you are correct and with the best intentions! But what I find elsewhere does at the very least seem to contradict you. What makes this security stuff so freaking complex is this very message. You can clearly see the "different thoughts the internet has" here. And all are equally passionate about their opinion. I'm at a loss here as to what is secure now and what's not.

Security through crypto is an extremely complex topic and when reading the links above you're unfortunately overlooking the details. One of the most important of these details is that all the links above talk about using AES-GCM as part of data-in-transit protection in well known and well secured protocols such as TLS and SSH. I can only repeat that

@t8m Thank you, that's the first thing that made sense to me. So why is this not echoed anywhere else? You're the first one who clearly says that its intended purpose is for in-transit data. To me that does sound like video files - and definitely video streaming - are perfect candidates. Which again totally contradicts what @paulidale said. Unless there was a hidden assumption there that I didn't catch? This post for example bashes hard on AES-GCM but still claims it's far better than the rest. Quote:
So something of what you folks say, despite probably being with the best intention (and that's very well appreciated), just doesn't match with what I find on the web. While the example from @paulidale was well appreciated and helps a lot in understanding things, I question it to be the case with GCM. The case he explained is exactly what HMAC should fix https://www.youtube.com/watch?v=wlSG3pEiQdc and what I see mentioned A LOT in other places is that AES-GCM equals AES-CTR+HMAC. Their reasoning then is that the HMAC part is "integrated" into GCM. Now it can be true that most of those resources have it wrong and the openssl devs have it right. Or there is some nuance there which makes it nuanced. I don't know. Regardless, why not educate the people and blog about this with deep technical blogs on https://www.openssl.org/blog/? Apparently that is desperately needed, otherwise we wouldn't be having this discussion now.

I did write this above:
@t8m is not contradicting what I said, he's reiterating it with some additional clarification. My example works as is for GCM without the integrity tag or GCM where the data is consumed before checking the integrity. This is exactly the case you're looking at. Yes, an HMAC will fix this but only if it is checked before any of the data is consumed. For TLS the packets are smallish and this checking is done as part of the protocol. For large video files in isolation, it won't be. Security is complex and the specifics of each situation matter. Often a lot.

Ahh, nice @paulidale :) As for "my case". I obviously intend to do AES-GCM with the integrity being done on it too. I was totally oblivious to the fact that libressl apparently doesn't do this even though it (again from a surface view) looked like they did. With all that confusion I can only emphasize this one point more: Please blog about this! Educate the world basically! Not many people are going to find this github issue or follow everything that's written here. But the little snippets of information sprinkled here and there are quite important! Lastly, do you know of example code that makes proper use of AES-GCM with integrity that I can look at for my encryption purposes? My eventual end goal here is this. I want to encrypt large video files and have them be playable - as encrypted - via ffmpeg. In ffmpeg you already have the "crypto" protocol that does AES-CBC. I don't know if I can, as this stuff is complex, but I want to add AES-GCM read (forget write for the moment) support there too. Small but important note. We somehow got on the AES-CTR examples, but my current case is AES-CBC and I intend the future to be AES-GCM.

Seek and ye shall find: https://github.com/openssl/openssl/blob/master/demos/cipher/aesgcm.c We've been working on our demo code. It's not there yet but there has been some significant progress over the past year or two & we're always willing to accept more samples from third parties. CBC mode also has a weakness: it permits one subsequent block to be meaningfully corrupted. Not ideal but way better than GCM sans integrity. There are other modes that are more resilient but most have their own nuances. Cryptography has many pitfalls. As for my example: CTR and GCM are essentially identical. Both have an incrementing counter for each block. GCM adds additional integrity computations (which must slow it down). They aren't quite identical but are close enough for that to not matter in my example. An aside: never, ever, ever, ever reuse the nonce. This totally breaks GCM mode.

@paulidale For your aside note (last phrase of your comment), what if I want to use AES-GCM encryption deterministically (where for any input m, an identical/deterministic output will be generated) with the goal of being able to perform searches on encrypted ciphertexts? The reason for using AES-GCM is because of the authentication functionality. An attacker that tries to alter ciphertexts would not be given the decrypted plaintext, but would simply fail without being given any further clues/hints. Considering the 4 inputs
How insecure would it be to have a fixed IV per plaintext/message input? Do you have any other alternatives/suggestions on how to achieve that?

If users want it, why not support it and let them be the judge of whether or not it fits their use case? 🤔

GCM has an authentication tag. In protocols like TLS, this tag is at the end of every TLS record. OpenSSL only decrypts whole TLS records, and so the tag is always checked before data is returned. The problem with enc is that there is no standard for how to store meta data, like where is the IV, is it split in blocks of fixed size, and things like that. So the only option is that the tag is at the end of the file. If you want to support a safe mode of operation and only return decrypted data after the authentication tag has been verified, this means that you first need to decrypt everything, store it in memory, verify the authentication tag, and then return all the data. The enc tool currently does not work this way, it will return data once it's decrypted, it does not internally buffer it until it can verify that authentication tag. This means it can return data that has been modified, and you will most likely already process it, which is most likely not what you want.

Are there any plans to allow AEAD ciphers for non-streaming scenarios? The CLI can also write to a temporary file, then mv/rename the file to its final path only once the tag has been authenticated. Regarding the question about the file format, maybe the tag can be passed as a separate command line argument, e.g. -in/out-auth-tag?

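The points argued across this thread (bit-flipping in the Pauli's Mutual Fund example, "buffer everything before emitting" from the buffering comments, the temp-file-then-rename suggestion just above, the nonce-reuse aside, and the fixed-IV question) can all be shown on one small script. The following is an added example, not code from the OpenSSL project or from any poster here. Because the Python standard library has no AES, a counter-mode stream cipher built from HMAC-SHA256 as the PRF stands in for AES-CTR/AES-GCM; it has the same XOR-keystream structure, so its malleability and nonce-reuse behaviour are the ones the thread describes. The key, nonce, messages and function names (`streaming_decrypt`, `buffered_decrypt`, `decrypt_to_file`, `nonce_reuse_leak`) are all constructed for this demonstration.

```python
# Added example, not OpenSSL code: an HMAC-SHA256 counter-mode cipher stands in
# for AES-CTR/AES-GCM (same keystream-XOR structure); key, nonce and messages
# below are constructed sample values, not anything from the thread.
import hashlib, hmac, os, tempfile

TAG_LEN = 32
KEY = bytes(range(32))      # constructed; a real deployment derives/generates keys
NONCE = b"\x00" * 12        # constructed; reused here only to show why that is bad

def keystream(key, nonce, length):
    """Counter mode over a PRF: keystream block i = PRF(key, nonce || i)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def ctr_encrypt(key, nonce, data):
    """XOR with the keystream; decryption is the identical operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

ctr_decrypt = ctr_encrypt

def tag(key, nonce, ciphertext):
    """Encrypt-then-MAC tag over nonce || ciphertext, standing in for the GCM tag."""
    return hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()

def aead_encrypt(key, nonce, plaintext):
    """Ciphertext with the tag appended: the 'tag at the end of the file' layout."""
    ct = ctr_encrypt(key, nonce, plaintext)
    return ct + tag(key, nonce, ct)

def flip_bits(blob, offset, mask):
    """XOR `mask` into one ciphertext byte; the same bits flip in the plaintext."""
    buf = bytearray(blob)
    buf[offset] ^= mask
    return bytes(buf)

def streaming_decrypt(key, nonce, blob, chunk=16):
    """Streaming tool: chunks leave as soon as decrypted; the tag verdict comes last."""
    ct, t = blob[:-TAG_LEN], blob[-TAG_LEN:]
    ks = keystream(key, nonce, len(ct))
    emitted = [bytes(a ^ b for a, b in zip(ct[i:i + chunk], ks[i:i + chunk]))
               for i in range(0, len(ct), chunk)]
    ok = hmac.compare_digest(t, tag(key, nonce, ct))
    return b"".join(emitted), ok      # the consumer already holds the bytes either way

def buffered_decrypt(key, nonce, blob):
    """Buffer all plaintext in memory, verify the tag, and only then release it."""
    ct, t = blob[:-TAG_LEN], blob[-TAG_LEN:]
    plaintext = ctr_decrypt(key, nonce, ct)
    if not hmac.compare_digest(t, tag(key, nonce, ct)):
        raise ValueError("authentication failed; no plaintext released")
    return plaintext

def decrypt_to_file(key, nonce, blob, dest):
    """Decrypt into a temp file beside `dest`; rename into place only after the
    tag verifies, so no unverified bytes ever appear at `dest`."""
    ct, t = blob[:-TAG_LEN], blob[-TAG_LEN:]
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dest)))
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(ctr_decrypt(key, nonce, ct))
        if not hmac.compare_digest(t, tag(key, nonce, ct)):
            raise ValueError("authentication failed; output discarded")
    except Exception:
        os.unlink(tmp)
        raise
    os.replace(tmp, dest)
    return dest

def nonce_reuse_leak(key, nonce, known_pt, unknown_pt):
    """Same key+nonce twice: c1 ^ c2 == p1 ^ p2, so a known p1 reveals p2.
    A fixed IV per key ('deterministic GCM') has exactly this property."""
    c1 = ctr_encrypt(key, nonce, known_pt)
    c2 = ctr_encrypt(key, nonce, unknown_pt)
    return bytes(a ^ b ^ p for a, b, p in zip(c1, c2, known_pt))

def demo():
    msg = b"transfer $0001000 to account 42"          # constructed sample message
    blob = aead_encrypt(KEY, NONCE, msg)
    # XOR 0x09 into the leading '0' of the amount: 0x30 ^ 0x09 == 0x39 == '9'
    tampered = flip_bits(blob, msg.index(b"0001000"), 0x09)
    leaked, tag_ok = streaming_decrypt(KEY, NONCE, tampered)
    try:
        buffered_decrypt(KEY, NONCE, tampered)
        released = True
    except ValueError:
        released = False
    workdir = tempfile.mkdtemp()
    bad = os.path.join(workdir, "bad.bin")
    try:
        decrypt_to_file(KEY, NONCE, tampered, bad)
    except ValueError:
        pass
    with open(decrypt_to_file(KEY, NONCE, blob, os.path.join(workdir, "ok.bin")), "rb") as f:
        written = f.read()
    return {"leaked": leaked, "tag_ok": tag_ok, "released": released,
            "bad_file_exists": os.path.exists(bad), "written": written,
            "recovered": nonce_reuse_leak(KEY, NONCE, b"attack at dawn", b"attack at noon")}
```

`demo()` returns the observable outcomes: the streaming decryptor hands the consumer `transfer $9001000 ...` and only afterwards reports a bad tag, the buffered and temp-file variants release nothing (no `bad.bin` ever exists at the destination), and a second message under the same key and nonce is recovered outright from a known one. Real AES-GCM computes its tag during the decryption pass in the same way the streaming function here only learns the verdict at the end, which is why the thread's answer for a file-oriented tool is to buffer or stage the output rather than stream it.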