Commit | Line | Data |
---|---|---|
98473598 C |
1 | |
2 | ||
3 | ||
4 | BDES(1) BSD Reference Manual BDES(1) | |
5 | ||
6 | ||
7 | NAME | |
8 | bdes - encrypt/decrypt using the Data Encryption Standard | |
9 | ||
10 | SYNOPSIS | |
11 | bdes [ -abdp ] [ -F N ] [ -f N ] [ -k key ] | |
12 | [ -m N ] [ -o N ] [ -v vector ] | |
13 | ||
14 | DESCRIPTION | |
15 | Bdes implements all DES modes of operation described in | |
16 | FIPS PUB 81, including alternative cipher feedback mode | |
17 | and both authentication modes. Bdes reads from the standard | |
18 | input and writes to the standard output. By default, | |
19 | the input is encrypted using cipher block chaining mode. | |
20 | Using the same key for encryption and decryption preserves | |
21 | plain text. | |
22 | ||
23 | All modes but the electronic code book mode require an | |
24 | initialization vector; if none is supplied, the zero | |
25 | vector is used. If no key is specified on the command line, | |
26 | the user is prompted for one (see getpass(3) for more | |
27 | details). | |
28 | ||
29 | The options are as follows: | |
30 | ||
31 | -a The key and initialization vector strings are to be | |
32 | taken as ASCII, suppressing the special | |
33 | interpretation given to leading ``0X'', ``0x'', ``0B'', and | |
34 | ``0b'' characters. This flag applies to both the | |
35 | key and initialization vector. | |
36 | ||
37 | -b Use electronic code book mode. | |
38 | ||
39 | -d Decrypt the input. | |
40 | ||
41 | -F Use N-bit alternative cipher feedback mode. | |
42 | Currently N must be a multiple of 7 between 7 and 56 | |
43 | inclusive (this does not conform to the alternative | |
44 | CFB mode specification). | |
45 | ||
46 | -f Use N-bit cipher feedback mode. Currently N must | |
47 | be a multiple of 8 between 8 and 64 inclusive (this | |
48 | does not conform to the standard CFB mode specifi- | |
49 | cation). | |
50 | ||
51 | -k Use key as the cryptographic key. | |
52 | ||
53 | -m Compute a message authentication code (MAC) of N | |
54 | bits on the input. The value of N must be between | |
55 | 1 and 64 inclusive; if N is not a multiple of 8, | |
56 | enough 0 bits will be added to pad the MAC length | |
57 | to the nearest multiple of 8. Only the MAC is | |
58 | ||
59 | ||
60 | ||
61 | 4.3 Berkeley Distribution June 29, 1993 1 | |
73 | output. MACs are only available in cipher block | |
74 | chaining mode or in cipher feedback mode. | |
75 | ||
76 | -o Use N-bit output feedback mode. Currently N must | |
77 | be a multiple of 8 between 8 and 64 inclusive (this | |
78 | does not conform to the OFB mode specification). | |
79 | ||
80 | -p Disable the resetting of the parity bit. This flag | |
81 | forces the parity bit of the key to be used as | |
82 | typed, rather than making each character be of odd | |
83 | parity. It is used only if the key is given in | |
84 | ASCII. | |
85 | ||
86 | -v Set the initialization vector to vector; the vector | |
87 | is interpreted in the same way as the key. The | |
88 | vector is ignored in electronic codebook mode. | |
89 | ||
90 | The key and initialization vector are taken as sequences | |
91 | of ASCII characters which are then mapped into their bit | |
92 | representations. If either begins with ``0X'' or ``0x'', | |
93 | that one is taken as a sequence of hexadecimal digits | |
94 | indicating the bit pattern; if either begins with ``0B'' | |
95 | or ``0b'', that one is taken as a sequence of binary dig- | |
96 | its indicating the bit pattern. In either case, only the | |
97 | leading 64 bits of the key or initialization vector are | |
98 | used, and if fewer than 64 bits are provided, enough 0 | |
99 | bits are appended to pad the key to 64 bits. | |
100 | ||
101 | According to the DES standard, the low-order bit of each | |
102 | character in the key string is deleted. Since most ASCII | |
103 | representations set the high-order bit to 0, simply delet- | |
104 | ing the low-order bit effectively reduces the size of the | |
105 | key space from 2^56 to 2^48 keys. To prevent this, the | |
106 | high-order bit must be a function depending in part upon | |
107 | the low-order bit; so, the high-order bit is set to what- | |
108 | ever value gives odd parity. This preserves the key space | |
109 | size. Note this resetting of the parity bit is not done | |
110 | if the key is given in binary or hex, and can be disabled | |
111 | for ASCII keys as well. | |
112 | ||
113 | The DES is considered a very strong cryptosystem, and | |
114 | other than table lookup attacks, key search attacks, and | |
115 | Hellman's time-memory tradeoff (all of which are very | |
116 | expensive and time-consuming), no cryptanalytic methods | |
117 | for breaking the DES are known in the open literature. No | |
118 | doubt the choice of keys and key security are the most | |
119 | vulnerable aspect of bdes. | |
120 | ||
121 | IMPLEMENTATION NOTES | |
122 | For implementors wishing to write software compatible with | |
123 | this program, the following notes are provided. This | |
139 | software is believed to be compatible with the implementa- | |
140 | tion of the data encryption standard distributed by Sun | |
141 | Microsystems, Inc. | |
142 | ||
143 | In the ECB and CBC modes, plaintext is encrypted in units | |
144 | of 64 bits (8 bytes, also called a block). To ensure that | |
145 | the plaintext file is encrypted correctly, bdes will | |
146 | (internally) append from 1 to 8 bytes, the last byte con- | |
147 | taining an integer stating how many bytes of that final | |
148 | block are from the plaintext file, and encrypt the result- | |
149 | ing block. Hence, when decrypting, the last block may | |
150 | contain from 0 to 7 characters present in the plaintext | |
151 | file, and the last byte tells how many. Note that if dur- | |
152 | ing decryption the last byte of the file does not contain | |
153 | an integer between 0 and 7, either the file has been cor- | |
154 | rupted or an incorrect key has been given. A similar | |
155 | mechanism is used for the OFB and CFB modes, except that | |
156 | those simply require the length of the input to be a mul- | |
157 | tiple of the mode size, and the final byte contains an | |
158 | integer between 0 and one less than the number of bytes | |
159 | being used as the mode. (This was another reason that the | |
160 | mode size must be a multiple of 8 for those modes.) | |
161 | ||
162 | Unlike Sun's implementation, unused bytes of that last | |
163 | block are not filled with random data, but instead contain | |
164 | what was in those byte positions in the preceding block. | |
165 | This is quicker and more portable, and does not weaken the | |
166 | encryption significantly. | |
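The final-block trailer described above, as an added example (not code from bdes itself). It works on the plaintext buffer before and after the cipher, for the 8-byte ECB/CBC case; the names bdes_pad and bdes_unpad are hypothetical, and using 0 as filler when there is no preceding block is an assumption.

```c
#include <stddef.h>
#include <string.h>

#define BLK 8   /* DES block size in bytes (ECB and CBC modes) */

/* Copy in[0..len) to out and append the 1..8 byte trailer.
 * out must have room for len + BLK bytes. Returns the padded length. */
size_t bdes_pad(const unsigned char *in, size_t len, unsigned char *out)
{
    size_t r = len % BLK;        /* 0..7 plaintext bytes in the final block */
    size_t full = len - r;       /* offset of the final block */

    memcpy(out, in, len);
    /* Unused bytes repeat the same positions of the preceding block.
     * Assumption: 0 is used when there is no preceding block. */
    for (size_t i = r; i < BLK - 1; i++)
        out[full + i] = full >= BLK ? out[full - BLK + i] : 0;
    out[full + BLK - 1] = (unsigned char)r;   /* count byte */
    return full + BLK;
}

/* Validate the trailer of a decrypted buffer.
 * Returns the plaintext length, or -1 if the trailer is invalid. */
long bdes_unpad(const unsigned char *buf, size_t len)
{
    if (len == 0 || len % BLK != 0)
        return -1;               /* not a whole number of blocks */
    unsigned char r = buf[len - 1];
    if (r > BLK - 1)
        return -1;               /* corrupted file or incorrect key */
    return (long)(len - BLK + r);
}
```

Only 8 of the 256 possible final-byte values pass the check in bdes_unpad, so it catches most corrupted files and wrong keys but is not an integrity guarantee; the -m MAC option serves that purpose.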
167 | ||
168 | If the key is entered in ASCII, the parity bits of the key | |
169 | characters are set so that each key character is of odd | |
170 | parity. Unlike Sun's implementation, it is possible to | |
171 | enter binary or hexadecimal keys on the command line, and | |
172 | if this is done, the parity bits are not reset. This | |
173 | allows testing using arbitrary bit patterns as keys. | |
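The key and initialization vector interpretation described in the DESCRIPTION section and in the note above, as an added example (not code from bdes itself). The names parse_key, put_bits, aflag and pflag are hypothetical; applying the parity rule to the zero padding bytes of a short ASCII key is an assumption.

```c
#include <ctype.h>
#include <string.h>

/* Append the low `width` bits of v, MSB first; bits past the 64th are dropped. */
static void put_bits(unsigned char out[8], int *n, unsigned v, int width)
{
    for (int b = width - 1; b >= 0 && *n < 64; b--, (*n)++)
        if ((v >> b) & 1)
            out[*n / 8] |= (unsigned char)(0x80 >> (*n % 8));
}

/* aflag and pflag mirror -a and -p. Returns 0, or -1 on a bad hex/binary digit. */
int parse_key(const char *s, int aflag, int pflag, unsigned char out[8])
{
    int n = 0;

    memset(out, 0, 8);                    /* short keys are padded with 0 bits */
    if (!aflag && s[0] == '0' && s[1] != '\0' && strchr("xXbB", s[1])) {
        int hex = (s[1] == 'x' || s[1] == 'X');
        for (s += 2; *s; s++) {
            int c = (unsigned char)*s;
            if (hex && isxdigit(c))
                put_bits(out, &n, isdigit(c) ? c - '0' : tolower(c) - 'a' + 10, 4);
            else if (!hex && (c == '0' || c == '1'))
                put_bits(out, &n, c - '0', 1);
            else
                return -1;
        }
        return 0;                         /* parity is not reset for hex/binary */
    }
    for (; *s && n < 64; s++)             /* ASCII: at most 8 characters are used */
        put_bits(out, &n, (unsigned char)*s, 8);
    if (!pflag)
        for (int i = 0; i < 8; i++) {     /* assumption: padding bytes included */
            int ones = 0;
            for (int b = 0; b < 7; b++)
                ones += (out[i] >> b) & 1;
            /* set the high-order bit to whatever value gives odd parity */
            out[i] = (unsigned char)((out[i] & 0x7f) | (ones % 2 ? 0 : 0x80));
        }
    return 0;
}
```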
174 | ||
175 | The Sun implementation always uses an initialization | |
176 | vector of 0 (that is, all zeroes). By default, bdes does | |
177 | too, but this may be changed from the command line. | |
178 | ||
179 | SEE ALSO | |
180 | crypt(1), crypt(3), getpass(3) | |
181 | ||
182 | Data Encryption Standard, Federal Information Processing | |
183 | Standard #46, National Bureau of Standards, U.S. Depart- | |
184 | ment of Commerce, Washington DC (Jan. 1977) | |
185 | ||
186 | DES Modes of Operation, Federal Information Processing | |
187 | Standard #81, National Bureau of Standards, U.S. Depart- | |
188 | ment of Commerce Washington DC (Dec. 1980) | |
189 | ||
205 | Dorothy Denning, Cryptography and Data Security, Addison- | |
206 | Wesley Publishing Co., Reading, MA (C)1982. | |
207 | ||
208 | Matt Bishop, Implementation Notes on bdes(1), Technical | |
209 | Report PCS-TR-91-158, Department of Mathematics and Com- | |
210 | puter Science, Dartmouth College, Hanover, NH 03755 (Apr. | |
211 | 1991). | |
212 | ||
213 | DISCLAIMER | |
214 | THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND | |
215 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
216 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
217 | ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE | |
218 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
219 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
220 | OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
221 | HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
222 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
223 | OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
224 | SUCH DAMAGE. | |
225 | ||
226 | BUGS | |
227 | There is a controversy raging over whether the DES will | |
228 | still be secure in a few years. The advent of special- | |
229 | purpose hardware could reduce the cost of any of the meth- | |
230 | ods of attack named above so that they are no longer com- | |
231 | putationally infeasible. | |
232 | ||
233 | As the key or key schedule is stored in memory, the | |
234 | encryption can be compromised if memory is readable. | |
235 | Additionally, programs which display programs' arguments | |
236 | may compromise the key and initialization vector, if they | |
237 | are specified on the command line. To avoid this, bdes | |
238 | overwrites its arguments; however, the obvious race cannot | |
239 | currently be avoided. | |
240 | ||
241 | Certain specific keys should be avoided because they | |
242 | introduce potential weaknesses; these keys, called the | |
243 | weak and semiweak keys, are (in hex notation, where p is | |
244 | either 0 or 1, and P is either e or f): | |
245 | ||
246 | 0x0p0p0p0p0p0p0p0p 0x0p1P0p1P0p0P0p0P | |
247 | 0x0pep0pep0pfp0pfp 0x0pfP0pfP0pfP0pfP | |
248 | 0x1P0p1P0p0P0p0P0p 0x1P1P1P1P0P0P0P0P | |
249 | 0x1Pep1Pep0Pfp0Pfp 0x1PfP1PfP0PfP0PfP | |
250 | 0xep0pep0pfp0pfp0p 0xep1Pep1pfp0Pfp0P | |
251 | 0xepepepepepepepep 0xepfPepfPfpfPfpfP | |
252 | 0xfP0pfP0pfP0pfP0p 0xfP1PfP1PfP0PfP0P | |
253 | 0xfPepfPepfPepfPep 0xfPfPfPfPfPfPfPfP | |
254 | ||
255 | This is inherent in the DES algorithm (see Moore and | |
271 | Simmons, Cycle structure of the DES with weak and | |
272 | semi-weak keys, Advances in Cryptology - Crypto '86 Proceedings, | |
273 | Springer-Verlag New York, (C)1987, pp. 9-32.) | |