
#90 Integrity protection for amcrypt*

open
nobody
None
2018-06-24
2018-06-24
Anonymous
No

Originally created by: Hawk777

amcrypt-ossl and amcrypt-ossl-asym encrypt their data, but they don’t, as far as I can tell, append any sort of MAC, signature, or other integrity protection. Therefore an attacker could modify the ciphertext without being immediately detected, and potentially induce a related change to the plaintext. In particular, to quote Wikipedia, regarding CBC mode, which both these scripts use:

Note that a one-bit change to the ciphertext causes complete corruption of the corresponding block of plaintext, and inverts the corresponding bit in the following block of plaintext, but the rest of the blocks remain intact.

So modifying the ciphertext would not merely destroy the entire plaintext in a way that is necessarily obvious. If the backup were of a filesystem containing large files, an attacker could poke at a bit of ciphertext and have a very good chance of corrupting a restored file without causing any immediately noticeable damage to e.g. the containing tar structure (and tar doesn’t appear to checksum its file data contents). As a general principle, integrity checks over encrypted data are A Good Thing™.
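The CBC behaviour quoted in the report, and an encrypt-then-MAC check that catches it, as an added example that is not amcrypt code and not part of the original ticket. It uses a stand-in Feistel block cipher built from SHA-256 (an assumption, so that it runs on the Python standard library alone); all function names, keys and the plaintext are constructed for illustration.

```python
import hashlib, hmac, os

BLOCK = 16  # bytes per block of the stand-in cipher

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _block(key, blk, decrypt=False):
    # 4-round Feistel over SHA-256: stand-in permutation, not a real cipher.
    l, r = blk[:8], blk[8:]
    f = lambda i, h: hashlib.sha256(key + bytes([i]) + h).digest()[:8]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        l, r = (_xor(r, f(i, l)), l) if decrypt else (r, _xor(l, f(i, r)))
    return l + r

def cbc_encrypt(key, iv, pt):  # len(pt) must be a multiple of BLOCK
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = _block(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(_block(key, c, True), p) for c, p in zip(blocks, [iv] + blocks))

def seal(enc_key, mac_key, pt):
    # Encrypt-then-MAC: HMAC-SHA256 over IV + ciphertext, appended as a trailer.
    iv = os.urandom(BLOCK)
    body = iv + cbc_encrypt(enc_key, iv, pt)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def verify(mac_key, blob):
    good = hmac.new(mac_key, blob[:-32], hashlib.sha256).digest()
    return hmac.compare_digest(blob[-32:], good)

def open_sealed(enc_key, mac_key, blob):
    if not verify(mac_key, blob):  # check before any decryption
        raise ValueError("integrity check failed")
    return cbc_decrypt(enc_key, blob[:BLOCK], blob[BLOCK:-32])

def demo():
    ek, mk, pt = b"E" * 32, b"M" * 32, bytes(range(64))  # constructed inputs
    blob = bytearray(seal(ek, mk, pt))
    blob[BLOCK + 16] ^= 0x01  # one-bit change in ciphertext block 1
    got = cbc_decrypt(ek, bytes(blob[:BLOCK]), bytes(blob[BLOCK:-32]))  # no check
    changed = [i for i in range(4) if got[16*i:16*i+16] != pt[16*i:16*i+16]]
    return changed, got[32] ^ pt[32], verify(mk, bytes(blob))
```

`demo()` returns the plaintext blocks that differ after an unchecked restore, the bit difference in the following block, and whether the HMAC still verifies; `open_sealed` is the path a restore would take with the check in place.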
