[unix-history] / usr / src / usr.bin / bdes / bdes.1

.\" Copyright (c) 1991, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" This code is derived from software contributed to Berkeley by
.\" Matt Bishop of Dartmouth College.
.\"
.\" %sccs.include.redist.roff%
.\"
.\"	@(#)bdes.1	8.1 (Berkeley) %G%
.\"
.TH BDES 1 ""
.UC 6
.SH NAME
bdes \- encrypt/decrypt using the Data Encryption Standard
.SH SYNOPSIS
.nf
.ft B
bdes [ \-abdp ] [ \-F N ] [ \-f N ] [ \-k key ]
.ti +5
[ \-m N ] [ \-o N ] [ \-v vector ]
.ft R
.fi
.SH DESCRIPTION
.I Bdes
implements all DES modes of operation described in FIPS PUB 81, 
including alternative cipher feedback mode and both authentication
modes.
.I Bdes
reads from the standard input and writes to the standard output.
By default, the input is encrypted using cipher block chaining mode.
Using the same key for encryption and decryption preserves plain text.
.PP
All modes but the electronic code book mode require an initialization
vector; if none is supplied, the zero vector is used.
If no
.I key
is specified on the command line, the user is prompted for one (see
.IR getpass (3)
for more details).
.PP
The options are as follows:
.TP
\-a
The key and initialization vector strings are to be taken as ASCII,
suppressing the special interpretation given to leading ``0X'', ``0x'',
``0B'', and ``0b'' characters.
This flag applies to
.I both
the key and initialization vector.
.TP
\-b
Use electronic code book mode.
.TP
\-d
Decrypt the input.
.TP
\-F
Use
.IR N -bit
alternative cipher feedback mode.
Currently
.I N
must be a multiple of 7 between 7 and 56 inclusive (this does not conform
to the alternative CFB mode specification).
.TP
\-f
Use
.IR N -bit
cipher feedback mode.
Currently
.I N
must be a multiple of 8 between 8 and 64 inclusive (this does not conform
to the standard CFB mode specification).
.TP
\-k
Use
.I key
as the cryptographic key.
.TP
\-m
Compute a message authentication code (MAC) of
.I N
bits on the input.
The value of
.I N
must be between 1 and 64 inclusive; if
.I N
is not a multiple of 8, enough 0 bits will be added to pad the MAC length
to the nearest multiple of 8.
Only the MAC is output.
MACs are only available in cipher block chaining mode or in cipher feedback
mode.
.TP
\-o
Use
.IR N -bit
output feedback mode.
Currently
.I N
must be a multiple of 8 between 8 and 64 inclusive (this does not conform
to the OFB mode specification).
.TP
\-p
Disable the resetting of the parity bit.
This flag forces the parity bit of the key to be used as typed, rather than
making each character be of odd parity.
It is used only if the key is given in ASCII.
.TP
\-v
Set the initialization vector to
.IR vector ;
the vector is interpreted in the same way as the key.
The vector is ignored in electronic codebook mode.
.PP
The key and initialization vector are taken as sequences of ASCII
characters which are then mapped into their bit representations.
If either begins with ``0X'' or ``0x'',
that one is taken as a sequence of hexadecimal digits indicating the
bit pattern;
if either begins with ``0B'' or ``0b'',
that one is taken as a sequence of binary digits indicating the bit pattern.
In either case,
only the leading 64 bits of the key or initialization vector
are used,
and if fewer than 64 bits are provided, enough 0 bits are appended
to pad the key to 64 bits.
.PP
According to the DES standard, the low-order bit of each character in the
key string is deleted.
Since most ASCII representations set the high-order bit to 0, simply
deleting the low-order bit effectively reduces the size of the key space
from 2\u\s-356\s0\d to 2\u\s-348\s0\d keys.
To prevent this, the high-order bit must be a function depending in part
upon the low-order bit; so, the high-order bit is set to whatever value
gives odd parity.
This preserves the key space size.
Note this resetting of the parity bit is
.I not
done if the key is given in binary or hex, and can be disabled for ASCII
keys as well.
.PP
The DES is considered a very strong cryptosystem, and other than table lookup
attacks, key search attacks, and Hellman's time-memory tradeoff (all of which
are very expensive and time-consuming), no cryptanalytic methods for breaking
the DES are known in the open literature.
No doubt the choice of keys and key security are the most vulnerable aspect
of
.IR bdes .
.SH IMPLEMENTATION NOTES
For implementors wishing to write software compatible with this program,
the following notes are provided.
This software is believed to be compatible with the implementation of the
data encryption standard distributed by Sun Microsystems, Inc.
.PP
In the ECB and CBC modes, plaintext is encrypted in units of 64 bits (8 bytes,
also called a block).
To ensure that the plaintext file is encrypted correctly,
.I bdes
will (internally) append from 1 to 8 bytes, the last byte containing an
integer stating how many bytes of that final block are from the plaintext
file, and encrypt the resulting block.
Hence, when decrypting, the last block may contain from 0 to 7 characters
present in the plaintext file, and the last byte tells how many.
Note that if during decryption the last byte of the file does not contain an
integer between 0 and 7, either the file has been corrupted or an incorrect
key has been given.
A similar mechanism is used for the OFB and CFB modes, except that those
simply require the length of the input to be a multiple of the mode size,
and the final byte contains an integer between 0 and one less than the number
of bytes being used as the mode.
(This was another reason that the mode size must be a multiple of 8 for those
modes.)
.PP
Unlike Sun's implementation, unused bytes of that last block are not filled
with random data, but instead contain what was in those byte positions in
the preceding block.
This is quicker and more portable, and does not weaken the encryption
significantly.
.PP
If the key is entered in ASCII, the parity bits of the key characters are set
so that each key character is of odd parity.
Unlike Sun's implementation, it is possible to enter binary or hexadecimal
keys on the command line, and if this is done, the parity bits are
.I not
reset.
This allows testing using arbitrary bit patterns as keys.
.PP
The Sun implementation always uses an initialization vector of 0
(that is, all zeroes).
By default,
.I bdes
does too, but this may be changed from the command line.
.SH SEE ALSO
crypt(1), crypt(3), getpass(3)
.sp
.IR "Data Encryption Standard" ,
Federal Information Processing Standard #46,
National Bureau of Standards,
U.S. Department of Commerce,
Washington DC
(Jan. 1977)
.sp
.IR "DES Modes of Operation" ,
Federal Information Processing Standard #81,
National Bureau of Standards,
U.S. Department of Commerce
Washington DC
(Dec. 1980)
.sp
Dorothy Denning,
.IR "Cryptography and Data Security" ,
Addison-Wesley Publishing Co.,
Reading, MA
\(co1982.
.sp
Matt Bishop,
.IR "Implementation Notes on bdes(1)" ,
Technical Report PCS-TR-91-158,
Department of Mathematics and Computer Science,
Dartmouth College,
Hanover, NH  03755
(Apr. 1991).
.SH DISCLAIMER
.nf
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
.fi
.SH BUGS
There is a controversy raging over whether the DES will still be secure
in a few years.
The advent of special-purpose hardware could reduce the cost of any of the
methods of attack named above so that they are no longer computationally
infeasible.
.PP
As the key or key schedule is stored in memory, the encryption can be
compromised if memory is readable.
Additionally, programs which display programs' arguments may compromise the
key and initialization vector, if they are specified on the command line.
To avoid this
.I bdes
overwrites its arguments, however, the obvious race cannot currently be
avoided.
.PP
Certain specific keys should be avoided because they introduce potential
weaknesses; these keys, called the
.I weak
and
.I semiweak
keys, are (in hex notation, where p is either 0 or 1, and P is either
e or f):
.sp
.nf
.in +10n
.ta \w'0x0p0p0p0p0p0p0p0p\0\0\0'u+5n
0x0p0p0p0p0p0p0p0p	0x0p1P0p1P0p0P0p0P
0x0pep0pep0pfp0pfp	0x0pfP0pfP0pfP0pfP
0x1P0p1P0p0P0p0P0p	0x1P1P1P1P0P0P0P0P
0x1Pep1Pep0Pfp0Pfp	0x1PfP1PfP0PfP0PfP
0xep0pep0pfp0pfp0p	0xep1Pep1pfp0Pfp0P
0xepepepepepepepep	0xepfPepfPfpfPfpfP
0xfP0pfP0pfP0pfP0p	0xfP1PfP1PfP0PfP0P
0xfPepfPepfPepfPep	0xfPfPfPfPfPfPfPfP
.fi
.in -10n
.sp
This is inherent in the DES algorithm (see Moore and Simmons,
\*(LqCycle structure of the DES with weak and semi-weak keys,\*(Rq
.I "Advances in Cryptology \- Crypto '86 Proceedings" ,
Springer-Verlag New York, \(co1987, pp. 9-32.)
Commit	Line	Data
458416e5 KB	1	.\" Copyright (c) 1991, 1993
458416e5 KB	2	.\" The Regents of the University of California. All rights reserved.
c4e28bd8 KB	3	.\"
	4	.\" This code is derived from software contributed to Berkeley by
	5	.\" Matt Bishop of Dartmouth College.
	6	.\"
	7	.\" %sccs.include.redist.roff%
	8	.\"
458416e5	9	.\" @(#)bdes.1 8.1 (Berkeley) %G%
c4e28bd8 KB	10	.\"
c4e28bd8 KB	11	.TH BDES 1 ""
707ca442	12	.UC 6
886521eb KB	13	.SH NAME
	14	bdes \- encrypt/decrypt using the Data Encryption Standard
	15	.SH SYNOPSIS
c4e28bd8 KB	16	.nf
	17	.ft B
	18	bdes [ \-abdp ] [ \-F N ] [ \-f N ] [ \-k key ]
	19	.ti +5
	20	[ \-m N ] [ \-o N ] [ \-v vector ]
	21	.ft R
	22	.fi
886521eb KB	23	.SH DESCRIPTION
886521eb KB	24	.I Bdes
c4e28bd8 KB	25	implements all DES modes of operation described in FIPS PUB 81,
	26	including alternative cipher feedback mode and both authentication
	27	modes.
	28	.I Bdes
	29	reads from the standard input and writes to the standard output.
	30	By default, the input is encrypted using cipher block chaining mode.
707ca442	31	Using the same key for encryption and decryption preserves plain text.
c4e28bd8 KB	32	.PP
	33	All modes but the electronic code book mode require an initialization
	34	vector; if none is supplied, the zero vector is used.
886521eb KB	35	If no
886521eb KB	36	.I key
c4e28bd8 KB	37	is specified on the command line, the user is prompted for one (see
	38	.IR getpass (3)
	39	for more details).
886521eb	40	.PP
c4e28bd8	41	The options are as follows:
886521eb	42	.TP
c4e28bd8 KB	43	\-a
	44	The key and initialization vector strings are to be taken as ASCII,
	45	suppressing the special interpretation given to leading ``0X'', ``0x'',
	46	``0B'', and ``0b'' characters.
	47	This flag applies to
886521eb KB	48	.I both
	49	the key and initialization vector.
	50	.TP
c4e28bd8	51	\-b
886521eb KB	52	Use electronic code book mode.
886521eb KB	53	.TP
c4e28bd8	54	\-d
8ca535de	55	Decrypt the input.
c4e28bd8 KB	56	.TP
c4e28bd8 KB	57	\-F
886521eb	58	Use
c4e28bd8 KB	59	.IR N -bit
c4e28bd8 KB	60	alternative cipher feedback mode.
886521eb	61	Currently
c4e28bd8 KB	62	.I N
	63	must be a multiple of 7 between 7 and 56 inclusive (this does not conform
	64	to the alternative CFB mode specification).
886521eb	65	.TP
c4e28bd8	66	\-f
886521eb	67	Use
c4e28bd8 KB	68	.IR N -bit
c4e28bd8 KB	69	cipher feedback mode.
886521eb	70	Currently
c4e28bd8 KB	71	.I N
	72	must be a multiple of 8 between 8 and 64 inclusive (this does not conform
	73	to the standard CFB mode specification).
886521eb	74	.TP
c4e28bd8 KB	75	\-k
	76	Use
	77	.I key
8ca535de	78	as the cryptographic key.
886521eb	79	.TP
c4e28bd8	80	\-m
886521eb	81	Compute a message authentication code (MAC) of
c4e28bd8	82	.I N
886521eb	83	bits on the input.
c4e28bd8 KB	84	The value of
	85	.I N
	86	must be between 1 and 64 inclusive; if
	87	.I N
	88	is not a multiple of 8, enough 0 bits will be added to pad the MAC length
886521eb KB	89	to the nearest multiple of 8.
886521eb KB	90	Only the MAC is output.
c4e28bd8 KB	91	MACs are only available in cipher block chaining mode or in cipher feedback
c4e28bd8 KB	92	mode.
886521eb	93	.TP
c4e28bd8	94	\-o
886521eb	95	Use
c4e28bd8	96	.IR N -bit
886521eb KB	97	output feedback mode.
886521eb KB	98	Currently
c4e28bd8 KB	99	.I N
	100	must be a multiple of 8 between 8 and 64 inclusive (this does not conform
	101	to the OFB mode specification).
886521eb	102	.TP
c4e28bd8	103	\-p
886521eb	104	Disable the resetting of the parity bit.
c4e28bd8 KB	105	This flag forces the parity bit of the key to be used as typed, rather than
	106	making each character be of odd parity.
	107	It is used only if the key is given in ASCII.
886521eb	108	.TP
c4e28bd8	109	\-v
886521eb	110	Set the initialization vector to
c4e28bd8	111	.IR vector ;
886521eb KB	112	the vector is interpreted in the same way as the key.
	113	The vector is ignored in electronic codebook mode.
	114	.PP
8ca535de	115	The key and initialization vector are taken as sequences of ASCII
c4e28bd8 KB	116	characters which are then mapped into their bit representations.
	117	If either begins with ``0X'' or ``0x'',
	118	that one is taken as a sequence of hexadecimal digits indicating the
	119	bit pattern;
	120	if either begins with ``0B'' or ``0b'',
	121	that one is taken as a sequence of binary digits indicating the bit pattern.
	122	In either case,
	123	only the leading 64 bits of the key or initialization vector
	124	are used,
	125	and if fewer than 64 bits are provided, enough 0 bits are appended
	126	to pad the key to 64 bits.
	127	.PP
	128	According to the DES standard, the low-order bit of each character in the
	129	key string is deleted.
	130	Since most ASCII representations set the high-order bit to 0, simply
	131	deleting the low-order bit effectively reduces the size of the key space
	132	from 2\u\s-356\s0\d to 2\u\s-348\s0\d keys.
	133	To prevent this, the high-order bit must be a function depending in part
	134	upon the low-order bit; so, the high-order bit is set to whatever value
	135	gives odd parity.
	136	This preserves the key space size.
	137	Note this resetting of the parity bit is
	138	.I not
	139	done if the key is given in binary or hex, and can be disabled for ASCII
	140	keys as well.
	141	.PP
	142	The DES is considered a very strong cryptosystem, and other than table lookup
	143	attacks, key search attacks, and Hellman's time-memory tradeoff (all of which
	144	are very expensive and time-consuming), no cryptanalytic methods for breaking
	145	the DES are known in the open literature.
	146	No doubt the choice of keys and key security are the most vulnerable aspect
	147	of
886521eb KB	148	.IR bdes .
	149	.SH IMPLEMENTATION NOTES
	150	For implementors wishing to write software compatible with this program,
	151	the following notes are provided.
c4e28bd8 KB	152	This software is believed to be compatible with the implementation of the
c4e28bd8 KB	153	data encryption standard distributed by Sun Microsystems, Inc.
886521eb	154	.PP
c4e28bd8 KB	155	In the ECB and CBC modes, plaintext is encrypted in units of 64 bits (8 bytes,
c4e28bd8 KB	156	also called a block).
886521eb KB	157	To ensure that the plaintext file is encrypted correctly,
886521eb KB	158	.I bdes
c4e28bd8 KB	159	will (internally) append from 1 to 8 bytes, the last byte containing an
	160	integer stating how many bytes of that final block are from the plaintext
	161	file, and encrypt the resulting block.
	162	Hence, when decrypting, the last block may contain from 0 to 7 characters
	163	present in the plaintext file, and the last byte tells how many.
	164	Note that if during decryption the last byte of the file does not contain an
	165	integer between 0 and 7, either the file has been corrupted or an incorrect
	166	key has been given.
	167	A similar mechanism is used for the OFB and CFB modes, except that those
	168	simply require the length of the input to be a multiple of the mode size,
	169	and the final byte contains an integer between 0 and one less than the number
	170	of bytes being used as the mode.
	171	(This was another reason that the mode size must be a multiple of 8 for those
	172	modes.)
886521eb	173	.PP
c4e28bd8 KB	174	Unlike Sun's implementation, unused bytes of that last block are not filled
	175	with random data, but instead contain what was in those byte positions in
	176	the preceding block.
	177	This is quicker and more portable, and does not weaken the encryption
8ca535de	178	significantly.
886521eb	179	.PP
c4e28bd8 KB	180	If the key is entered in ASCII, the parity bits of the key characters are set
	181	so that each key character is of odd parity.
	182	Unlike Sun's implementation, it is possible to enter binary or hexadecimal
	183	keys on the command line, and if this is done, the parity bits are
886521eb KB	184	.I not
	185	reset.
	186	This allows testing using arbitrary bit patterns as keys.
	187	.PP
c4e28bd8 KB	188	The Sun implementation always uses an initialization vector of 0
c4e28bd8 KB	189	(that is, all zeroes).
886521eb KB	190	By default,
886521eb KB	191	.I bdes
c4e28bd8	192	does too, but this may be changed from the command line.
886521eb	193	.SH SEE ALSO
c4e28bd8 KB	194	crypt(1), crypt(3), getpass(3)
c4e28bd8 KB	195	.sp
886521eb KB	196	.IR "Data Encryption Standard" ,
	197	Federal Information Processing Standard #46,
	198	National Bureau of Standards,
	199	U.S. Department of Commerce,
	200	Washington DC
	201	(Jan. 1977)
c4e28bd8	202	.sp
886521eb KB	203	.IR "DES Modes of Operation" ,
	204	Federal Information Processing Standard #81,
	205	National Bureau of Standards,
	206	U.S. Department of Commerce
	207	Washington DC
	208	(Dec. 1980)
c4e28bd8	209	.sp
886521eb KB	210	Dorothy Denning,
	211	.IR "Cryptography and Data Security" ,
	212	Addison-Wesley Publishing Co.,
	213	Reading, MA
	214	\(co1982.
c4e28bd8	215	.sp
886521eb	216	Matt Bishop,
707ca442	217	.IR "Implementation Notes on bdes(1)" ,
886521eb KB	218	Technical Report PCS-TR-91-158,
	219	Department of Mathematics and Computer Science,
	220	Dartmouth College,
	221	Hanover, NH 03755
8ca535de	222	(Apr. 1991).
480cb76e KB	223	.SH DISCLAIMER
	224	.nf
	225	THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
	226	ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	227	IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	228	ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
	229	FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	230	DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	231	OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	232	HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	233	LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	234	OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	235	SUCH DAMAGE.
	236	.fi
886521eb	237	.SH BUGS
886521eb	238	There is a controversy raging over whether the DES will still be secure
c4e28bd8 KB	239	in a few years.
	240	The advent of special-purpose hardware could reduce the cost of any of the
	241	methods of attack named above so that they are no longer computationally
	242	infeasible.
886521eb	243	.PP
c4e28bd8 KB	244	As the key or key schedule is stored in memory, the encryption can be
c4e28bd8 KB	245	compromised if memory is readable.
8ca535de KB	246	Additionally, programs which display programs' arguments may compromise the
8ca535de KB	247	key and initialization vector, if they are specified on the command line.
c4e28bd8 KB	248	To avoid this
	249	.I bdes
	250	overwrites its arguments, however, the obvious race cannot currently be
	251	avoided.
8ca535de KB	252	.PP
	253	Certain specific keys should be avoided because they introduce potential
	254	weaknesses; these keys, called the
	255	.I weak
	256	and
	257	.I semiweak
	258	keys, are (in hex notation, where p is either 0 or 1, and P is either
	259	e or f):
	260	.sp
	261	.nf
	262	.in +10n
	263	.ta \w'0x0p0p0p0p0p0p0p0p\0\0\0'u+5n
	264	0x0p0p0p0p0p0p0p0p 0x0p1P0p1P0p0P0p0P
	265	0x0pep0pep0pfp0pfp 0x0pfP0pfP0pfP0pfP
	266	0x1P0p1P0p0P0p0P0p 0x1P1P1P1P0P0P0P0P
	267	0x1Pep1Pep0Pfp0Pfp 0x1PfP1PfP0PfP0PfP
	268	0xep0pep0pfp0pfp0p 0xep1Pep1pfp0Pfp0P
	269	0xepepepepepepepep 0xepfPepfPfpfPfpfP
	270	0xfP0pfP0pfP0pfP0p 0xfP1PfP1PfP0PfP0P
	271	0xfPepfPepfPepfPep 0xfPfPfPfPfPfPfPfP
	272	.fi
	273	.in -10n
	274	.sp
	275	This is inherent in the DES algorithm (see Moore and Simmons,
	276	\(LqCycle structure of the DES with weak and semi-weak keys,\(Rq
	277	.I "Advances in Cryptology \- Crypto '86 Proceedings" ,
	278	Springer-Verlag New York, \(co1987, pp. 9-32.)