Subject: Re: Encrypting Backups
To: Stefan Schumacher <>
From: Steven M. Bellovin <>
List: tech-security
Date: 09/30/2003 11:14:42
In message <>, Stefan Schumac
her writes:
>But you should keep in mind that one single twisted bit can blow the whole
>encrypted archive to kingdom come.

That's not quite true; in fact, if you do it in certain ways, there's 
no more risk of corruption than in a plaintext archive.

The issue is error propagation, and different cipher modes have 
different propagation properties.  If you get a single-bit error when
using CBC mode, for example, 
the current ciphertext block -- 16 bytes for AES -- and the following 
one will be corrupted, but subsequent blocks will be ok.  On the other 
hand, deletion of a single byte will render things useless.  By 
contrast, CFB mode will resynchronize after deletions, and has the same 
error propagation properties as CBC.  (Hmm -- the mcrypt man page is 
seriously incompatible with the program.)  CFB can be run in 8-bit 
mode, in which case the block size is one byte -- but it then requires 
a single encryption per byte rather than one per 16 bytes.  OFB mode is 
completely thrown off by deletions, but it has *no* error propagation 
-- any errors are restricted to the bits changed.  On the other hand, 
an attacker who can change the ciphertext can make predictable changes 
to the resulting plaintext, which is why it should always be used with 
a strong checksum such as SHA-1.  (Actually, any encryption should be 
used that way.)  Of course, even a single-bit error will throw off such 
a checksum...  (One further caveat:  ECB mode should *never* be used 
except in very special circumstances.  In my opinion, the author of 
mcrypt should have left it out, or at least included a *very* strong 

There's a lot more that can be said on this topic, but it's covered by 
most standard cryptography books.

		--Steve Bellovin,