Commit | Line | Data |
---|---|---|
c4e28bd8 KB |
1 | .\" Copyright (c) 1991 The Regents of the University of California. |
2 | .\" All rights reserved. | |
3 | .\" | |
4 | .\" This code is derived from software contributed to Berkeley by | |
5 | .\" Matt Bishop of Dartmouth College. | |
6 | .\" | |
7 | .\" %sccs.include.redist.roff% | |
8 | .\" | |
480cb76e | 9 | .\" @(#)bdes.1 5.4 (Berkeley) %G% |
c4e28bd8 KB |
10 | .\" |
11 | .TH BDES 1 "" | |
886521eb KB |
12 | .SH NAME |
13 | bdes \- encrypt/decrypt using the Data Encryption Standard | |
14 | .SH SYNOPSIS | |
c4e28bd8 KB |
15 | .nf |
16 | .ft B | |
17 | bdes [ \-abdp ] [ \-F N ] [ \-f N ] [ \-k key ] | |
18 | .ti +5 | |
19 | [ \-m N ] [ \-o N ] [ \-v vector ] | |
20 | .ft R | |
21 | .fi | |
886521eb KB |
22 | .SH DESCRIPTION |
23 | .I Bdes | |
c4e28bd8 KB |
24 | implements all DES modes of operation described in FIPS PUB 81, |
25 | including alternative cipher feedback mode and both authentication | |
26 | modes. | |
27 | .I Bdes | |
28 | reads from the standard input and writes to the standard output. | |
29 | By default, the input is encrypted using cipher block chaining mode. | |
30 | Using the same key for encryption and decryption preserves plaintext. | |
31 | .PP | |
32 | All modes but the electronic code book mode require an initialization | |
33 | vector; if none is supplied, the zero vector is used. | |
886521eb KB |
34 | If no |
35 | .I key | |
c4e28bd8 KB |
36 | is specified on the command line, the user is prompted for one (see |
37 | .IR getpass (3) | |
38 | for more details). | |
886521eb | 39 | .PP |
c4e28bd8 | 40 | The options are as follows: |
886521eb | 41 | .TP |
c4e28bd8 KB |
42 | \-a |
43 | The key and initialization vector strings are to be taken as ASCII, | |
44 | suppressing the special interpretation given to leading ``0X'', ``0x'', | |
45 | ``0B'', and ``0b'' characters. | |
46 | This flag applies to | |
886521eb KB |
47 | .I both |
48 | the key and initialization vector. | |
49 | .TP | |
c4e28bd8 | 50 | \-b |
886521eb KB |
51 | Use electronic code book mode. |
52 | .TP | |
c4e28bd8 | 53 | \-d |
8ca535de | 54 | Decrypt the input. |
c4e28bd8 KB |
55 | .TP |
56 | \-F | |
886521eb | 57 | Use |
c4e28bd8 KB |
58 | .IR N -bit |
59 | alternative cipher feedback mode. | |
886521eb | 60 | Currently |
c4e28bd8 KB |
61 | .I N |
62 | must be a multiple of 7 between 7 and 56 inclusive (this does not conform | |
63 | to the alternative CFB mode specification). | |
886521eb | 64 | .TP |
c4e28bd8 | 65 | \-f |
886521eb | 66 | Use |
c4e28bd8 KB |
67 | .IR N -bit |
68 | cipher feedback mode. | |
886521eb | 69 | Currently |
c4e28bd8 KB |
70 | .I N |
71 | must be a multiple of 8 between 8 and 64 inclusive (this does not conform | |
72 | to the standard CFB mode specification). | |
886521eb | 73 | .TP |
c4e28bd8 KB |
74 | \-k |
75 | Use | |
76 | .I key | |
8ca535de | 77 | as the cryptographic key. |
886521eb | 78 | .TP |
c4e28bd8 | 79 | \-m |
886521eb | 80 | Compute a message authentication code (MAC) of |
c4e28bd8 | 81 | .I N |
886521eb | 82 | bits on the input. |
c4e28bd8 KB |
83 | The value of |
84 | .I N | |
85 | must be between 1 and 64 inclusive; if | |
86 | .I N | |
87 | is not a multiple of 8, enough 0 bits will be added to pad the MAC length | |
886521eb KB |
88 | to the nearest multiple of 8. |
89 | Only the MAC is output. | |
c4e28bd8 KB |
90 | MACs are only available in cipher block chaining mode or in cipher feedback |
91 | mode. | |
886521eb | 92 | .TP |
c4e28bd8 | 93 | \-o |
886521eb | 94 | Use |
c4e28bd8 | 95 | .IR N -bit |
886521eb KB |
96 | output feedback mode. |
97 | Currently | |
c4e28bd8 KB |
98 | .I N |
99 | must be a multiple of 8 between 8 and 64 inclusive (this does not conform | |
100 | to the OFB mode specification). | |
886521eb | 101 | .TP |
c4e28bd8 | 102 | \-p |
886521eb | 103 | Disable the resetting of the parity bit. |
c4e28bd8 KB |
104 | This flag forces the parity bit of the key to be used as typed, rather than |
105 | making each character be of odd parity. | |
106 | It is used only if the key is given in ASCII. | |
886521eb | 107 | .TP |
c4e28bd8 | 108 | \-v |
886521eb | 109 | Set the initialization vector to |
c4e28bd8 | 110 | .IR vector ; |
886521eb KB |
111 | the vector is interpreted in the same way as the key. |
112 | The vector is ignored in electronic codebook mode. | |
113 | .PP | |
8ca535de | 114 | The key and initialization vector are taken as sequences of ASCII |
c4e28bd8 KB |
115 | characters which are then mapped into their bit representations. |
116 | If either begins with ``0X'' or ``0x'', | |
117 | that one is taken as a sequence of hexadecimal digits indicating the | |
118 | bit pattern; | |
119 | if either begins with ``0B'' or ``0b'', | |
120 | that one is taken as a sequence of binary digits indicating the bit pattern. | |
121 | In either case, | |
122 | only the leading 64 bits of the key or initialization vector | |
123 | are used, | |
124 | and if fewer than 64 bits are provided, enough 0 bits are appended | |
125 | to pad the key to 64 bits. | |
126 | .PP | |
127 | According to the DES standard, the low-order bit of each character in the | |
128 | key string is deleted. | |
129 | Since most ASCII representations set the high-order bit to 0, simply | |
130 | deleting the low-order bit effectively reduces the size of the key space | |
131 | from 2\u\s-356\s0\d to 2\u\s-348\s0\d keys. | |
132 | To prevent this, the high-order bit must be a function depending in part | |
133 | upon the low-order bit; so, the high-order bit is set to whatever value | |
134 | gives odd parity. | |
135 | This preserves the key space size. | |
136 | Note this resetting of the parity bit is | |
137 | .I not | |
138 | done if the key is given in binary or hex, and can be disabled for ASCII | |
139 | keys as well. | |
140 | .PP | |
141 | The DES is considered a very strong cryptosystem, and other than table lookup | |
142 | attacks, key search attacks, and Hellman's time-memory tradeoff (all of which | |
143 | are very expensive and time-consuming), no cryptanalytic methods for breaking | |
144 | the DES are known in the open literature. | |
145 | No doubt the choice of keys and key security are the most vulnerable aspect | |
146 | of | |
886521eb KB |
147 | .IR bdes . |
148 | .SH IMPLEMENTATION NOTES | |
149 | For implementors wishing to write software compatible with this program, | |
150 | the following notes are provided. | |
c4e28bd8 KB |
151 | This software is believed to be compatible with the implementation of the |
152 | data encryption standard distributed by Sun Microsystems, Inc. | |
886521eb | 153 | .PP |
c4e28bd8 KB |
154 | In the ECB and CBC modes, plaintext is encrypted in units of 64 bits (8 bytes, |
155 | also called a block). | |
886521eb KB |
156 | To ensure that the plaintext file is encrypted correctly, |
157 | .I bdes | |
c4e28bd8 KB |
158 | will (internally) append from 1 to 8 bytes, the last byte containing an |
159 | integer stating how many bytes of that final block are from the plaintext | |
160 | file, and encrypt the resulting block. | |
161 | Hence, when decrypting, the last block may contain from 0 to 7 characters | |
162 | present in the plaintext file, and the last byte tells how many. | |
163 | Note that if during decryption the last byte of the file does not contain an | |
164 | integer between 0 and 7, either the file has been corrupted or an incorrect | |
165 | key has been given. | |
166 | A similar mechanism is used for the OFB and CFB modes, except that those | |
167 | simply require the length of the input to be a multiple of the mode size, | |
168 | and the final byte contains an integer between 0 and one less than the number | |
169 | of bytes being used as the mode. | |
170 | (This was another reason that the mode size must be a multiple of 8 for those | |
171 | modes.) | |
886521eb | 172 | .PP |
c4e28bd8 KB |
173 | Unlike Sun's implementation, unused bytes of that last block are not filled |
174 | with random data, but instead contain what was in those byte positions in | |
175 | the preceding block. | |
176 | This is quicker and more portable, and does not weaken the encryption | |
8ca535de | 177 | significantly. |
886521eb | 178 | .PP |
c4e28bd8 KB |
179 | If the key is entered in ASCII, the parity bits of the key characters are set |
180 | so that each key character is of odd parity. | |
181 | Unlike Sun's implementation, it is possible to enter binary or hexadecimal | |
182 | keys on the command line, and if this is done, the parity bits are | |
886521eb KB |
183 | .I not |
184 | reset. | |
185 | This allows testing using arbitrary bit patterns as keys. | |
186 | .PP | |
c4e28bd8 KB |
187 | The Sun implementation always uses an initialization vector of 0 |
188 | (that is, all zeroes). | |
886521eb KB |
189 | By default, |
190 | .I bdes | |
c4e28bd8 | 191 | does too, but this may be changed from the command line. |
886521eb | 192 | .SH SEE ALSO |
c4e28bd8 KB |
193 | crypt(1), crypt(3), getpass(3) |
194 | .sp | |
886521eb KB |
195 | .IR "Data Encryption Standard" , |
196 | Federal Information Processing Standard #46, | |
197 | National Bureau of Standards, | |
198 | U.S. Department of Commerce, | |
199 | Washington DC | |
200 | (Jan. 1977) | |
c4e28bd8 | 201 | .sp |
886521eb KB |
202 | .IR "DES Modes of Operation" , |
203 | Federal Information Processing Standard #81, | |
204 | National Bureau of Standards, | |
205 | U.S. Department of Commerce | |
206 | Washington DC | |
207 | (Dec. 1980) | |
c4e28bd8 | 208 | .sp |
886521eb KB |
209 | Dorothy Denning, |
210 | .IR "Cryptography and Data Security" , | |
211 | Addison-Wesley Publishing Co., | |
212 | Reading, MA | |
213 | \(co1982. | |
c4e28bd8 | 214 | .sp |
886521eb | 215 | Matt Bishop, |
c4e28bd8 | 216 | .IR "Implementation Notes on bdes(1)" |
886521eb KB |
217 | Technical Report PCS-TR-91-158, |
218 | Department of Mathematics and Computer Science, | |
219 | Dartmouth College, | |
220 | Hanover, NH 03755 | |
8ca535de | 221 | (Apr. 1991). |
480cb76e KB |
222 | .SH DISCLAIMER |
223 | .nf | |
224 | THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND | |
225 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
226 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
227 | ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE | |
228 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
229 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
230 | OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
231 | HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
232 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
233 | OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
234 | SUCH DAMAGE. | |
235 | .fi | |
886521eb | 236 | .SH BUGS |
886521eb | 237 | There is a controversy raging over whether the DES will still be secure |
c4e28bd8 KB |
238 | in a few years. |
239 | The advent of special-purpose hardware could reduce the cost of any of the | |
240 | methods of attack named above so that they are no longer computationally | |
241 | infeasible. | |
886521eb | 242 | .PP |
c4e28bd8 KB |
243 | As the key or key schedule is stored in memory, the encryption can be |
244 | compromised if memory is readable. | |
8ca535de KB |
245 | Additionally, programs which display programs' arguments may compromise the |
246 | key and initialization vector, if they are specified on the command line. | |
c4e28bd8 KB |
247 | To avoid this,
248 | .I bdes | |
249 | overwrites its arguments; however, the obvious race cannot currently be | |
250 | avoided. | |
8ca535de KB |
251 | .PP |
252 | Certain specific keys should be avoided because they introduce potential | |
253 | weaknesses; these keys, called the | |
254 | .I weak | |
255 | and | |
256 | .I semiweak | |
257 | keys, are (in hex notation, where p is either 0 or 1, and P is either | |
258 | e or f): | |
259 | .sp | |
260 | .nf | |
261 | .in +10n | |
262 | .ta \w'0x0p0p0p0p0p0p0p0p\0\0\0'u+5n | |
263 | 0x0p0p0p0p0p0p0p0p 0x0p1P0p1P0p0P0p0P | |
264 | 0x0pep0pep0pfp0pfp 0x0pfP0pfP0pfP0pfP | |
265 | 0x1P0p1P0p0P0p0P0p 0x1P1P1P1P0P0P0P0P | |
266 | 0x1Pep1Pep0Pfp0Pfp 0x1PfP1PfP0PfP0PfP | |
267 | 0xep0pep0pfp0pfp0p 0xep1Pep1pfp0Pfp0P | |
268 | 0xepepepepepepepep 0xepfPepfPfpfPfpfP | |
269 | 0xfP0pfP0pfP0pfP0p 0xfP1PfP1PfP0PfP0P | |
270 | 0xfPepfPepfPepfPep 0xfPfPfPfPfPfPfPfP | |
271 | .fi | |
272 | .in -10n | |
273 | .sp | |
274 | This is inherent in the DES algorithm (see Moore and Simmons, | |
275 | \*(LqCycle structure of the DES with weak and semi-weak keys,\*(Rq | |
276 | .I "Advances in Cryptology \- Crypto '86 Proceedings" , | |
277 | Springer-Verlag New York, \(co1987, pp. 9-32.) |
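
The key and initialization vector rules from DESCRIPTION (the ``0x''/``0b'' prefixes, zero padding to 64 bits, odd parity for ASCII keys), as an added C example that is not taken from the bdes source. The names `parse_key`, `odd_parity` and `des_effective_bits` are hypothetical, and returning -1 on a bad digit and leaving zero pad bytes without parity are assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Set the high-order bit so the byte has odd parity (default for ASCII keys). */
static uint8_t odd_parity(uint8_t c)
{
    int ones = 0;
    for (int i = 0; i < 7; i++)
        ones += (c >> i) & 1;
    return (uint8_t)((c & 0x7f) | (ones % 2 ? 0x00 : 0x80));
}

/* Fill out[8] from a key or IV string; ascii_only models -a, keep_parity models -p.
 * Returns 0, or -1 on a bad hex/binary digit (that error path is an assumption). */
int parse_key(const char *s, int ascii_only, int keep_parity, uint8_t out[8])
{
    int hex = !ascii_only && s[0] == '0' && (s[1] == 'x' || s[1] == 'X');
    int bin = !ascii_only && s[0] == '0' && (s[1] == 'b' || s[1] == 'B');
    memset(out, 0, 8);                       /* short input is padded with 0 bits */
    if (hex || bin) {
        int width = hex ? 4 : 1, bit = 0;    /* bits contributed by each digit */
        for (s += 2; *s && bit < 64; s++, bit += width) {
            unsigned char c = (unsigned char)tolower((unsigned char)*s);
            int v = isdigit(c) ? c - '0' : c - 'a' + 10;
            if (!isxdigit(c) || v >= (hex ? 16 : 2))
                return -1;
            out[bit / 8] |= (uint8_t)(v << (8 - width - bit % 8));  /* MSB first */
        }
        return 0;                            /* parity is not reset for hex/binary */
    }
    for (int i = 0; i < 8 && s[i]; i++)      /* only the leading 64 bits are used */
        out[i] = keep_parity ? (uint8_t)s[i] : odd_parity((uint8_t)s[i]);
    return 0;
}

/* The 56 bits DES uses: every key byte with its low-order bit deleted. */
uint64_t des_effective_bits(const uint8_t k[8])
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 7) | (uint64_t)(k[i] >> 1);
    return v;
}
```

With `keep_parity` set, the ASCII keys "A" and "@" differ only in the low-order bit and give the same effective DES key; with the default parity reset they do not, which is the key-space point the man page makes.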
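
The final-block convention from IMPLEMENTATION NOTES for ECB and CBC (a count byte of 0 to 7, filler copied from the preceding block), as an added C example that is not taken from the bdes source. `bdes_pad` and `bdes_unpad` are hypothetical names, and using zero filler when no block precedes is an assumption the man page does not settle.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLK 8   /* ECB and CBC work in 64-bit blocks */

/* Write the padded plaintext for in[0..len) to out (capacity >= len + BLK, not
 * overlapping in) and return its length, always a multiple of BLK. */
size_t bdes_pad(const uint8_t *in, size_t len, uint8_t *out)
{
    size_t full = len / BLK * BLK;           /* bytes held in complete blocks */
    size_t tail = len - full;                /* 0..7 plaintext bytes in the last block */
    memcpy(out, in, len);
    for (size_t i = tail; i < BLK - 1; i++)  /* filler: same position, preceding block */
        out[full + i] = full ? out[full - BLK + i] : 0;  /* 0 if none precedes: assumption */
    out[full + BLK - 1] = (uint8_t)tail;     /* count byte closes the block */
    return full + BLK;
}

/* Return the plaintext length of a decrypted buffer, or -1 if the count byte is
 * not 0..7 (corrupted file or wrong key, per the man page). */
long bdes_unpad(const uint8_t *buf, size_t len)
{
    if (len == 0 || len % BLK != 0)
        return -1;
    if (buf[len - 1] > BLK - 1)
        return -1;
    return (long)(len - BLK + buf[len - 1]);
}
```

The count-byte check is a sanity test rather than authentication: if a wrong key yields a uniformly distributed last byte, it lands in 0..7 about 1 time in 32.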