Commit | Line | Data |
---|---|---|
458416e5 KB |
1 | .\" Copyright (c) 1991, 1993 |
2 | .\" The Regents of the University of California. All rights reserved. | |
c4e28bd8 KB |
3 | .\" |
4 | .\" This code is derived from software contributed to Berkeley by | |
5 | .\" Matt Bishop of Dartmouth College. | |
6 | .\" | |
7 | .\" %sccs.include.redist.roff% | |
8 | .\" | |
458416e5 | 9 | .\" @(#)bdes.1 8.1 (Berkeley) %G% |
c4e28bd8 KB |
10 | .\" |
11 | .TH BDES 1 "" | |
707ca442 | 12 | .UC 6 |
886521eb KB |
13 | .SH NAME |
14 | bdes \- encrypt/decrypt using the Data Encryption Standard | |
15 | .SH SYNOPSIS | |
c4e28bd8 KB |
16 | .nf |
17 | .ft B | |
18 | bdes [ \-abdp ] [ \-F N ] [ \-f N ] [ \-k key ] | |
19 | .ti +5 | |
20 | [ \-m N ] [ \-o N ] [ \-v vector ] | |
21 | .ft R | |
22 | .fi | |
886521eb KB |
23 | .SH DESCRIPTION |
24 | .I Bdes | |
c4e28bd8 KB |
25 | implements all DES modes of operation described in FIPS PUB 81, |
26 | including alternative cipher feedback mode and both authentication | |
27 | modes. | |
28 | .I Bdes | |
29 | reads from the standard input and writes to the standard output. | |
30 | By default, the input is encrypted using cipher block chaining mode. | |
707ca442 | 31 | Using the same key for encryption and decryption preserves plain text. |
c4e28bd8 KB |
32 | .PP |
33 | All modes but the electronic code book mode require an initialization | |
34 | vector; if none is supplied, the zero vector is used. | |
886521eb KB |
35 | If no |
36 | .I key | |
c4e28bd8 KB |
37 | is specified on the command line, the user is prompted for one (see |
38 | .IR getpass (3) | |
39 | for more details). | |
886521eb | 40 | .PP |
c4e28bd8 | 41 | The options are as follows: |
886521eb | 42 | .TP |
c4e28bd8 KB |
43 | \-a |
44 | The key and initialization vector strings are to be taken as ASCII, | |
45 | suppressing the special interpretation given to leading ``0X'', ``0x'', | |
46 | ``0B'', and ``0b'' characters. | |
47 | This flag applies to | |
886521eb KB |
48 | .I both |
49 | the key and initialization vector. | |
50 | .TP | |
c4e28bd8 | 51 | \-b |
886521eb KB |
52 | Use electronic code book mode. |
53 | .TP | |
c4e28bd8 | 54 | \-d |
8ca535de | 55 | Decrypt the input. |
c4e28bd8 KB |
56 | .TP |
57 | \-F | |
886521eb | 58 | Use |
c4e28bd8 KB |
59 | .IR N -bit |
60 | alternative cipher feedback mode. | |
886521eb | 61 | Currently |
c4e28bd8 KB |
62 | .I N |
63 | must be a multiple of 7 between 7 and 56 inclusive (this does not conform | |
64 | to the alternative CFB mode specification). | |
886521eb | 65 | .TP |
c4e28bd8 | 66 | \-f |
886521eb | 67 | Use |
c4e28bd8 KB |
68 | .IR N -bit |
69 | cipher feedback mode. | |
886521eb | 70 | Currently |
c4e28bd8 KB |
71 | .I N |
72 | must be a multiple of 8 between 8 and 64 inclusive (this does not conform | |
73 | to the standard CFB mode specification). | |
886521eb | 74 | .TP |
c4e28bd8 KB |
75 | \-k |
76 | Use | |
77 | .I key | |
8ca535de | 78 | as the cryptographic key. |
886521eb | 79 | .TP |
c4e28bd8 | 80 | \-m |
886521eb | 81 | Compute a message authentication code (MAC) of |
c4e28bd8 | 82 | .I N |
886521eb | 83 | bits on the input. |
c4e28bd8 KB |
84 | The value of |
85 | .I N | |
86 | must be between 1 and 64 inclusive; if | |
87 | .I N | |
88 | is not a multiple of 8, enough 0 bits will be added to pad the MAC length | |
886521eb KB |
89 | to the nearest multiple of 8. |
90 | Only the MAC is output. | |
c4e28bd8 KB |
91 | MACs are only available in cipher block chaining mode or in cipher feedback |
92 | mode. | |
886521eb | 93 | .TP |
c4e28bd8 | 94 | \-o |
886521eb | 95 | Use |
c4e28bd8 | 96 | .IR N -bit |
886521eb KB |
97 | output feedback mode. |
98 | Currently | |
c4e28bd8 KB |
99 | .I N |
100 | must be a multiple of 8 between 8 and 64 inclusive (this does not conform | |
101 | to the OFB mode specification). | |
886521eb | 102 | .TP |
c4e28bd8 | 103 | \-p |
886521eb | 104 | Disable the resetting of the parity bit. |
c4e28bd8 KB |
105 | This flag forces the parity bit of the key to be used as typed, rather than |
106 | making each character be of odd parity. | |
107 | It is used only if the key is given in ASCII. | |
886521eb | 108 | .TP |
c4e28bd8 | 109 | \-v |
886521eb | 110 | Set the initialization vector to |
c4e28bd8 | 111 | .IR vector ; |
886521eb KB |
112 | the vector is interpreted in the same way as the key. |
113 | The vector is ignored in electronic codebook mode. | |
114 | .PP | |
8ca535de | 115 | The key and initialization vector are taken as sequences of ASCII |
c4e28bd8 KB |
116 | characters which are then mapped into their bit representations. |
117 | If either begins with ``0X'' or ``0x'', | |
118 | that one is taken as a sequence of hexadecimal digits indicating the | |
119 | bit pattern; | |
120 | if either begins with ``0B'' or ``0b'', | |
121 | that one is taken as a sequence of binary digits indicating the bit pattern. | |
122 | In either case, | |
123 | only the leading 64 bits of the key or initialization vector | |
124 | are used, | |
125 | and if fewer than 64 bits are provided, enough 0 bits are appended | |
126 | to pad the key to 64 bits. | |
127 | .PP | |
128 | According to the DES standard, the low-order bit of each character in the | |
129 | key string is deleted. | |
130 | Since most ASCII representations set the high-order bit to 0, simply | |
131 | deleting the low-order bit effectively reduces the size of the key space | |
132 | from 2\u\s-356\s0\d to 2\u\s-348\s0\d keys. | |
133 | To prevent this, the high-order bit must be a function depending in part | |
134 | upon the low-order bit; so, the high-order bit is set to whatever value | |
135 | gives odd parity. | |
136 | This preserves the key space size. | |
137 | Note this resetting of the parity bit is | |
138 | .I not | |
139 | done if the key is given in binary or hex, and can be disabled for ASCII | |
140 | keys as well. | |
141 | .PP | |
142 | The DES is considered a very strong cryptosystem, and other than table lookup | |
143 | attacks, key search attacks, and Hellman's time-memory tradeoff (all of which | |
144 | are very expensive and time-consuming), no cryptanalytic methods for breaking | |
145 | the DES are known in the open literature. | |
146 | No doubt the choice of keys and key security are the most vulnerable aspect | |
147 | of | |
886521eb KB |
148 | .IR bdes . |
149 | .SH IMPLEMENTATION NOTES | |
150 | For implementors wishing to write software compatible with this program, | |
151 | the following notes are provided. | |
c4e28bd8 KB |
152 | This software is believed to be compatible with the implementation of the |
153 | data encryption standard distributed by Sun Microsystems, Inc. | |
886521eb | 154 | .PP |
c4e28bd8 KB |
155 | In the ECB and CBC modes, plaintext is encrypted in units of 64 bits (8 bytes, |
156 | also called a block). | |
886521eb KB |
157 | To ensure that the plaintext file is encrypted correctly, |
158 | .I bdes | |
c4e28bd8 KB |
159 | will (internally) append from 1 to 8 bytes, the last byte containing an |
160 | integer stating how many bytes of that final block are from the plaintext | |
161 | file, and encrypt the resulting block. | |
162 | Hence, when decrypting, the last block may contain from 0 to 7 characters | |
163 | present in the plaintext file, and the last byte tells how many. | |
164 | Note that if during decryption the last byte of the file does not contain an | |
165 | integer between 0 and 7, either the file has been corrupted or an incorrect | |
166 | key has been given. | |
167 | A similar mechanism is used for the OFB and CFB modes, except that those | |
168 | simply require the length of the input to be a multiple of the mode size, | |
169 | and the final byte contains an integer between 0 and one less than the number | |
170 | of bytes being used as the mode. | |
171 | (This was another reason that the mode size must be a multiple of 8 for those | |
172 | modes.) | |
886521eb | 173 | .PP |
c4e28bd8 KB |
174 | Unlike Sun's implementation, unused bytes of that last block are not filled |
175 | with random data, but instead contain what was in those byte positions in | |
176 | the preceding block. | |
177 | This is quicker and more portable, and does not weaken the encryption | |
8ca535de | 178 | significantly. |
886521eb | 179 | .PP |
c4e28bd8 KB |
180 | If the key is entered in ASCII, the parity bits of the key characters are set |
181 | so that each key character is of odd parity. | |
182 | Unlike Sun's implementation, it is possible to enter binary or hexadecimal | |
183 | keys on the command line, and if this is done, the parity bits are | |
886521eb KB |
184 | .I not |
185 | reset. | |
186 | This allows testing using arbitrary bit patterns as keys. | |
187 | .PP | |
c4e28bd8 KB |
188 | The Sun implementation always uses an initialization vector of 0 |
189 | (that is, all zeroes). | |
886521eb KB |
190 | By default, |
191 | .I bdes | |
c4e28bd8 | 192 | does too, but this may be changed from the command line. |
886521eb | 193 | .SH SEE ALSO |
c4e28bd8 KB |
194 | crypt(1), crypt(3), getpass(3) |
195 | .sp | |
886521eb KB |
196 | .IR "Data Encryption Standard" , |
197 | Federal Information Processing Standard #46, | |
198 | National Bureau of Standards, | |
199 | U.S. Department of Commerce, | |
200 | Washington DC | |
201 | (Jan. 1977) | |
c4e28bd8 | 202 | .sp |
886521eb KB |
203 | .IR "DES Modes of Operation" , |
204 | Federal Information Processing Standard #81, | |
205 | National Bureau of Standards, | |
206 | U.S. Department of Commerce | |
207 | Washington DC | |
208 | (Dec. 1980) | |
c4e28bd8 | 209 | .sp |
886521eb KB |
210 | Dorothy Denning, |
211 | .IR "Cryptography and Data Security" , | |
212 | Addison-Wesley Publishing Co., | |
213 | Reading, MA | |
214 | \(co1982. | |
c4e28bd8 | 215 | .sp |
886521eb | 216 | Matt Bishop, |
707ca442 | 217 | .IR "Implementation Notes on bdes(1)" , |
886521eb KB |
218 | Technical Report PCS-TR-91-158, |
219 | Department of Mathematics and Computer Science, | |
220 | Dartmouth College, | |
221 | Hanover, NH 03755 | |
8ca535de | 222 | (Apr. 1991). |
480cb76e KB |
223 | .SH DISCLAIMER |
224 | .nf | |
225 | THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND | |
226 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
227 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
228 | ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE | |
229 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
230 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
231 | OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
232 | HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
233 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
234 | OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
235 | SUCH DAMAGE. | |
236 | .fi | |
886521eb | 237 | .SH BUGS |
886521eb | 238 | There is a controversy raging over whether the DES will still be secure |
c4e28bd8 KB |
239 | in a few years. |
240 | The advent of special-purpose hardware could reduce the cost of any of the | |
241 | methods of attack named above so that they are no longer computationally | |
242 | infeasible. | |
886521eb | 243 | .PP |
c4e28bd8 KB |
244 | As the key or key schedule is stored in memory, the encryption can be |
245 | compromised if memory is readable. | |
8ca535de KB |
246 | Additionally, programs which display programs' arguments may compromise the |
247 | key and initialization vector, if they are specified on the command line. | |
c4e28bd8 KB |
248 | To avoid this, |
249 | .I bdes | |
250 | overwrites its arguments; however, the obvious race cannot currently be | |
251 | avoided. | |
8ca535de KB |
252 | .PP |
253 | Certain specific keys should be avoided because they introduce potential | |
254 | weaknesses; these keys, called the | |
255 | .I weak | |
256 | and | |
257 | .I semiweak | |
258 | keys, are (in hex notation, where p is either 0 or 1, and P is either | |
259 | e or f): | |
260 | .sp | |
261 | .nf | |
262 | .in +10n | |
263 | .ta \w'0x0p0p0p0p0p0p0p0p\0\0\0'u+5n | |
264 | 0x0p0p0p0p0p0p0p0p 0x0p1P0p1P0p0P0p0P | |
265 | 0x0pep0pep0pfp0pfp 0x0pfP0pfP0pfP0pfP | |
266 | 0x1P0p1P0p0P0p0P0p 0x1P1P1P1P0P0P0P0P | |
267 | 0x1Pep1Pep0Pfp0Pfp 0x1PfP1PfP0PfP0PfP | |
268 | 0xep0pep0pfp0pfp0p 0xep1Pep1pfp0Pfp0P | |
269 | 0xepepepepepepepep 0xepfPepfPfpfPfpfP | |
270 | 0xfP0pfP0pfP0pfP0p 0xfP1PfP1PfP0PfP0P | |
271 | 0xfPepfPepfPepfPep 0xfPfPfPfPfPfPfPfP | |
272 | .fi | |
273 | .in -10n | |
274 | .sp | |
275 | This is inherent in the DES algorithm (see Moore and Simmons, | |
276 | \*(LqCycle structure of the DES with weak and semi-weak keys,\*(Rq | |
277 | .I "Advances in Cryptology \- Crypto '86 Proceedings" , | |
278 | Springer-Verlag New York, \(co1987, pp. 9-32.) |
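
The key and initialization vector rules from the DESCRIPTION section (ASCII by default, the ``0x''/``0b'' prefixes, zero padding to 64 bits, odd-parity reset for ASCII keys only) are worked through below as an added example; it is not code from bdes itself. The names `key_from_string`, `odd_parity` and `digit_val` are hypothetical, and applying the parity reset to the padding bytes of a short ASCII key is an assumption.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Set the high-order bit so that the byte as a whole has odd parity. */
static uint8_t odd_parity(uint8_t b)
{
    int ones = 0;
    for (int i = 0; i < 7; i++)
        ones += (b >> i) & 1;
    return (uint8_t)((b & 0x7f) | ((ones & 1) ? 0x00 : 0x80));
}

static int digit_val(int c, int base)       /* -1 if c is not a digit in base */
{
    int v = isdigit(c) ? c - '0' : isxdigit(c) ? tolower(c) - 'a' + 10 : 99;
    return v < base ? v : -1;
}

/* ascii_only models -a, keep_parity models -p; returns -1 on a bad digit. */
int key_from_string(const char *s, int ascii_only, int keep_parity, uint8_t out[8])
{
    int width = 0;                          /* bits per digit: 4 hex, 1 binary */
    memset(out, 0, 8);                      /* short input is padded with 0 bits */
    if (!ascii_only && s[0] == '0' && s[1] != '\0' && strchr("xXbB", s[1]))
        width = (s[1] == 'x' || s[1] == 'X') ? 4 : 1;
    if (width == 0) {                       /* ASCII: one character per key byte */
        for (int i = 0; i < 8 && s[i] != '\0'; i++)
            out[i] = (uint8_t)s[i];
        /* Assumption: the parity reset covers all 8 bytes, padding included. */
        for (int i = 0; i < 8 && !keep_parity; i++)
            out[i] = odd_parity(out[i]);
        return 0;
    }
    int nbits = 0;                          /* only the leading 64 bits are used */
    for (s += 2; *s != '\0' && nbits < 64; s++, nbits += width) {
        int v = digit_val((unsigned char)*s, width == 4 ? 16 : 2);
        if (v < 0)
            return -1;
        out[nbits / 8] |= (uint8_t)(v << (8 - width - nbits % 8));
    }
    return 0;
}
```

For the constructed ASCII key `password`, the characters `w`, `o` and `r` have an even number of 1 bits and so gain a set high-order bit, which is how the low-order bit that DES discards still influences the key.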