-1

An answer about AES encryption starts with a disclaimer:

Please note: You can use this to hide birthday-gift-ideas.txt from your roommate, but don't expect it to be secure against a determined attacker!

What exactly makes it unsafe to use to prevent unauthorized person from reading the file?

I suppose that this comment to the answer is relevant, but I'm not sure I have the required skills to understand it, neither do I know what else should I do to make the encryption secure:

-1 For recommending low-level OpenSSL use. It does not provide any HMAC functionality and as @Lekensteyn points out, it lacks proper KDF.

In other words:

  • If I have a strong password generated by running cat /dev/urandom | tr -dc a-fA-Z0-9 | head -c 45,

  • And one would assume the password is kept secure,

how do I encrypt a file while being sure that a determined attacker won't be able to decrypt it?

Here's a concrete example. I'm doing off-site backups on a cloud server. Before being uploaded, the backup files are encrypted locally using a password generated from /dev/urandom, and the password is never stored on the cloud server. Is openssl aes-256-cbc -in ... -out ... -pass file:1.key inappropriate to prevent someone from the company hosting the cloud server to peek in the contents of the backup?

Arseni Mourzenko
  • 4,644
  • 6
  • 20
  • 30
  • I'm assuming that your question is what the title says, i.e. *"What exactly is unsafe in using openssl AES with a password?"*. There are three items in the answer exactly after the phrase you've cited and these provide the answer to your question - especially the first. – Steffen Ullrich Sep 23 '18 at 19:03

1 Answers1

1

One of the problems with using plain OpenSSL AES-256 CBC is that it doesn't detect if the ciphertext has been altered. So if you encrypt a file and put it on the cloud server, the hosting provider can't read the original file, but it can still alter the ciphertext. This can be done somewhat predictably so that when you retrieve the encrypted file and decrypt it, it contains something else.

The property that you can trust the contents to be the same is called message integrity. Using a HMAC is one way to provide integrity: you hash the encrypted message before sending it to the cloud server. When you retrieve it, you check this hash again and know whether the ciphertext has been altered.

Furthermore, encryption schemes are made to work with keys and not with passwords. These differ in that keys are pretty random-looking 16 character string, while passwords are user-chosen words. A key derivation function (KDF) can convert a password to a key.

Sjoerd
  • 28,707
  • 12
  • 74
  • 102