Subject: Re: Encrypting Backups
To: Stefan Schumacher <stefan@net-tex.de>
From: Steven M. Bellovin <smb@research.att.com>
List: tech-security
Date: 09/30/2003 11:14:42
In message <20030930134815.GC1052@AragornOfArathorn.net-tex.de>, Stefan Schumacher writes:
>
>But you should keep in mind that one single twisted bit can blow the whole
>encrypted archive to kingdom come.

That's not quite true; in fact, if you do it in certain ways, there's
no more risk of corruption than in a plaintext archive.

The issue is error propagation, and different cipher modes have
different propagation properties. If you get a single-bit error when
using CBC mode, for example,
the current ciphertext block -- 16 bytes for AES -- and the following
one will be corrupted, but subsequent blocks will be ok. On the other
hand, deletion of a single byte will render things useless. By
contrast, CFB mode will resynchronize after deletions, and has the same
error propagation properties as CBC. (Hmm -- the mcrypt man page is
seriously incompatible with the program.) CFB can be run in 8-bit
mode, in which case the block size is one byte -- but it then requires
a single encryption per byte rather than one per 16 bytes. OFB mode is
completely thrown off by deletions, but it has *no* error propagation
-- any errors are restricted to the bits changed. On the other hand,
an attacker who can change the ciphertext can make predictable changes
to the resulting plaintext, which is why it should always be used with
a strong checksum such as SHA-1. (Actually, any encryption should be
used that way.) Of course, even a single-bit error will throw off such
a checksum... (One further caveat: ECB mode should *never* be used
except in very special circumstances. In my opinion, the author of
mcrypt should have left it out, or at least included a *very* strong
warning.)

There's a lot more that can be said on this topic, but it's covered by
most standard cryptography books.

--Steve Bellovin, http://www.research.att.com/~smb
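The propagation behaviour the message describes, worked through in code. This is an added example, not part of the original thread and not mcrypt's code. Because AES is not in the Python standard library, the block cipher is an assumed stand-in: a toy 8-round Feistel network with HMAC-SHA256 as its round function, chosen only because it is invertible; it is not secure, but the error-propagation properties come from the modes, not from the cipher. The key, IV and 64-byte plaintext are constructed sample values. The example goes a little beyond the text by contrasting full-block CFB with 8-bit CFB: only the 8-bit variant survives a single-byte deletion, at the cost of one block encryption per byte.

```python
"""Error propagation of CBC, CFB and OFB under a bit flip and a byte deletion.
Toy 8-round Feistel cipher (HMAC-SHA256 rounds) as an assumed stand-in for AES."""
from functools import partial
import hashlib
import hmac

BLOCK = 16                                   # bytes per block, as for AES
KEY = b"constructed-demo-key-not-secret!"   # constructed sample key
IV = bytes(range(16))                        # fixed only so results repeat
PLAINTEXT = bytes(range(64))                 # constructed: 4 blocks, no repeats

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):  # Feistel round function: keyed hash of a half block
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def encrypt_block(key, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(8):
        left, right = right, _xor(left, _f(key, right, rnd))
    return left + right

def decrypt_block(key, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _f(key, left, rnd)), left
    return left + right

def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = encrypt_block(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv  # a trailing partial block cannot be decrypted: dropped
    for i in range(0, len(ct) - len(ct) % BLOCK, BLOCK):
        out += _xor(decrypt_block(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def cfb_crypt(key, iv, data, seg=BLOCK, decrypt=False):
    # seg=16 is full-block CFB, seg=1 is CFB-8: one block encryption per segment
    out, reg = b"", iv
    for i in range(0, len(data), seg):
        chunk = data[i:i + seg]
        res = _xor(chunk, encrypt_block(key, reg))
        reg = (reg + (chunk if decrypt else res))[-BLOCK:]  # ciphertext fed back
        out += res
    return out

def ofb_crypt(key, iv, data):
    out, state = b"", iv
    for i in range(0, len(data), BLOCK):
        state = encrypt_block(key, state)  # keystream is independent of the data
        out += _xor(data[i:i + BLOCK], state)
    return out

MODES = {  # name -> (encrypt, decrypt)
    "CBC": (cbc_encrypt, cbc_decrypt),
    "CFB": (cfb_crypt, partial(cfb_crypt, decrypt=True)),
    "CFB8": (partial(cfb_crypt, seg=1), partial(cfb_crypt, seg=1, decrypt=True)),
    "OFB": (ofb_crypt, ofb_crypt),
}

def bits_wrong_per_block(original, recovered):
    """Number of wrong bits in each 16-byte block of the recovered plaintext."""
    return [sum(bin(x ^ y).count("1")
                for x, y in zip(original[i:i + BLOCK], recovered[i:i + BLOCK]))
            for i in range(0, len(original), BLOCK)]

def resync_point(original, recovered, min_tail=4):
    # Smallest offset j from which recovered[j:] equals the plaintext shifted by
    # the one deleted byte; None if decryption never gets back in step.
    for j in range(len(recovered) - min_tail + 1):
        tail = recovered[j:]
        if tail == original[j + 1:j + 1 + len(tail)]:
            return j
    return None

def bit_flip_damage(mode, byte_index=20):
    """Flip the low bit of one ciphertext byte (block 1 by default); wrong bits per block."""
    enc, dec = MODES[mode]
    ct = bytearray(enc(KEY, IV, PLAINTEXT))
    ct[byte_index] ^= 1
    return bits_wrong_per_block(PLAINTEXT, dec(KEY, IV, bytes(ct)))

def byte_deletion_resync(mode, byte_index=20):
    """Delete one ciphertext byte and report where decryption resynchronises."""
    enc, dec = MODES[mode]
    ct = enc(KEY, IV, PLAINTEXT)
    return resync_point(PLAINTEXT, dec(KEY, IV, ct[:byte_index] + ct[byte_index + 1:]))

if __name__ == "__main__":
    for name in MODES:
        print(f"{name:4} bit flip -> wrong bits per block {bit_flip_damage(name)}; "
              f"byte deletion -> resync at {byte_deletion_resync(name)}")
```

Running it shows the mirror image behind the "same error propagation" remark: a flipped bit in CBC garbles the block it sits in and leaves exactly one wrong bit in the next block, while in CFB it leaves one wrong bit in its own block and garbles the next; OFB corrupts only the flipped bit. After a byte deletion, CBC, full-block CFB and OFB never get back in step, whereas CFB-8 produces 16 garbage bytes and then decrypts correctly again (at 64 block encryptions for the 64-byte sample instead of 4). In every case a checksum over the plaintext, as the message recommends, would still flag the damage.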