openssl: Why AEAD is not supported in command enc?
I ran openssl -enc -aes-128-gcm and it shows that AEAD ciphers are not supported.
Why is AEAD not supported? Is there any consideration in designing the command line tools? Is there any other command to test or run AEAD ciphers on the command line?
About this issue
- State: closed
- Created 4 years ago
- Comments: 20 (8 by maintainers)
It’s a bit insane to allow things that are a lot more dangerous (unauthenticated broken CBC encryption, and all the other modes where you have no idea of the integrity of the data at all) but block this. The command line tools in OpenSSL are in many different ways extremely efficient to shoot yourself in the foot if you don’t know what you’re doing. This could be restricted instead to allow only output to a file, and delete this file if the authentication fails.
I did write this above:
@t8m is not contradicting what I said, he’s reiterating it with some additional clarification.
My example works as is for GCM without the integrity tag or GCM where the data is consumed before checking the integrity. This is exactly the case you’re looking at. Yes, a HMAC will fix this but only if it is checked before any of the data is consumed. For TLS the packets are smallish and this checking is done as part of the protocol. For large video files in isolation, it won’t be.
Security is complex and the specifics of each situation matter. Often a lot.
In my case I want to encrypt video data, which is the exact situation where AES-GCM shines. It surprises me that the openssl opinion is so… how to put it politely… intentionally overly constrained. Sure, it’s all possible, but your current approach makes it a lot more complex than it needs to be.
Are you sure a reconsideration of this (with libressl in mind where this is possible) isn’t in order?
It is impossible to know if the GCM decryption is correct until the very end. At that point it’s not possible to tell the receiver to ignore everything processed thus far. It’s possible to get a few cases correct but not all. What happens if the output is a pipe? Or if the output overwrites an existing file? Moreover, it is trivial to flip bits in the plaintext with GCM mode. If this isn’t discovered until the very end after the payload has been mostly processed, it is a critical vulnerability.
I’ll also note that GCM was designed for data in transit not data at rest. Using it for data at rest is a misuse IMO.
But why?
Having it in a command line tool helps a lot in lowering an already very high bar and makes it scriptable.
If I recall correctly, libressl does allow this in the cli tool. But mixing the 2 *ssl projects is super confusing so I’d rather not.
Requiring code only ups the threshold of attempting to use it. It still doesn’t guarantee proper usage. Heck, I’d even argue that encrypting in code is far more likely to be done wrongly than doing it in the cli. See, with a cli you - as the authors of said cli - have a way to guide the user to do the right thing. You lose that with code.
openssl-enc.pod explains why this is not supported from the command line…
i.e: ‘This command does not support authenticated encryption modes like CCM and GCM, and will not support such modes in the future. This is due to having to begin streaming output (e.g., to standard output when B<-out> is not used) before the authentication tag could be validated. When this command is used in a pipeline, the receiving end will not be able to roll back upon authentication failure. The AEAD modes currently in common use also suffer from catastrophic failure of confidentiality and/or integrity upon reuse of key/iv/nonce, and since B<openssl enc> places the entire burden of key/iv/nonce management upon the user, the risk of exposing AEAD modes is too great to allow. These key/iv/nonce management issues also affect other modes currently exposed in this command, but the failure modes are less extreme in these cases, and the functionality cannot be removed with a stable release branch. For bulk encryption of data, whether using authenticated encryption modes or other modes, L<openssl-cms(1)> is recommended, as it provides a standard data format and performs the needed key/iv/nonce management.’
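The streaming problem described in the maintainer's reply above and in the openssl-enc.pod text (plaintext leaves the decryptor chunk by chunk, the tag is only checked at the very end, and a tampered ciphertext bit lands as a flipped plaintext bit in data that has already been handed downstream) can be reproduced with the pyca/cryptography streaming Cipher API. This is an added example, not code from the issue or from OpenSSL; the key, nonce and payload are constructed values, and `CHUNK` stands in for whatever buffer size a pipeline would use.

```python
"""Why `openssl enc` refuses AEAD: streaming GCM decrypt emits data before the tag is checked."""
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

CHUNK = 16  # assumed pipeline buffer size; any value shows the same effect


def encrypt(key, nonce, plaintext):
    enc = Cipher(algorithms.AES(key), modes.GCM(nonce)).encryptor()
    ct = enc.update(plaintext) + enc.finalize()
    return ct, enc.tag


def streaming_decrypt(key, nonce, ciphertext, tag):
    """Mimics an `enc`-style pipeline: each chunk is 'written to stdout' as soon as
    it is produced; the tag is only verified at the end. Returns (chunks, tag_ok)."""
    dec = Cipher(algorithms.AES(key), modes.GCM(nonce, tag)).decryptor()
    emitted = []
    for i in range(0, len(ciphertext), CHUNK):
        emitted.append(dec.update(ciphertext[i:i + CHUNK]))  # consumer already has this
    try:
        dec.finalize()          # raises InvalidTag if the data was modified
        return emitted, True
    except InvalidTag:
        return emitted, False   # too late: chunks are already downstream


def buffered_decrypt(key, nonce, ciphertext, tag):
    """The safe pattern: release nothing until the tag verifies. Returns bytes or None."""
    dec = Cipher(algorithms.AES(key), modes.GCM(nonce, tag)).decryptor()
    pt = dec.update(ciphertext)
    try:
        dec.finalize()
    except InvalidTag:
        return None
    return pt


def demo():
    key, nonce = bytes(range(16)), bytes(range(12))        # constructed test values
    msg = b"frame0001:" + b"A" * 22 + b"frame0002:" + b"B" * 22  # constructed 64-byte payload
    ct, tag = encrypt(key, nonce, msg)
    tampered = bytearray(ct)
    tampered[0] ^= 0x01   # one ciphertext bit flipped -> exactly one plaintext bit flips
    chunks, ok = streaming_decrypt(key, nonce, bytes(tampered), tag)
    return {"chunks_emitted": len(chunks), "tag_ok": ok,
            "first_byte_corrupted": chunks[0][0] != msg[0],
            "buffered_result": buffered_decrypt(key, nonce, bytes(tampered), tag)}
```

`demo()` reports four chunks already emitted before the tag failure is detected, while the buffered variant returns nothing for the same tampered input.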
If you want to see a test that uses AEAD run
There are 2 tests that use fixed tables from acvp_test.inc.