| version 1.6, 2003/06/03 02:56:06 |
version 1.7, 2004/05/31 18:42:58 |
|
|
| .\" $OpenBSD$ |
.\" $OpenBSD$ |
| .\" $NetBSD: bdes.1,v 1.1 1995/07/24 04:30:51 cgd Exp $ |
.\" $NetBSD: bdes.1,v 1.11 2003/08/07 11:13:11 agc Exp $ |
| .\" |
.\" |
| .\" Copyright (c) 1991, 1993 |
.\" Copyright (c) 1991, 1993 |
| .\" The Regents of the University of California. All rights reserved. |
.\" The Regents of the University of California. All rights reserved. |
|
|
| .\" |
.\" |
| .\" @(#)bdes.1 8.1 (Berkeley) 6/29/93 |
.\" @(#)bdes.1 8.1 (Berkeley) 6/29/93 |
| .\" |
.\" |
| .TH BDES 1 "June 29, 1993" |
.Dd June 29, 1993 |
| .UC 6 |
.Dt BDES 1 |
| .SH NAME |
.Os |
| bdes \- encrypt/decrypt using the Data Encryption Standard |
.Sh NAME |
| .SH SYNOPSIS |
.Nm bdes |
| .nf |
.Nd encrypt/decrypt using the Data Encryption Standard |
| .ft B |
.Sh SYNOPSIS |
| bdes [ \-abdp ] [ \-F N ] [ \-f N ] [ \-k key ] |
.Nm |
| .ti +5 |
.Op Fl abdp |
| [ \-m N ] [ \-o N ] [ \-v vector ] |
.Op Fl F Ar N |
| .ft R |
.Op Fl f Ar N |
| .fi |
.Op Fl k Ar key |
| .SH DESCRIPTION |
.Op Fl m Ar N |
| .I Bdes |
.Op Fl o Ar N |
| |
.Op Fl v Ar vector |
| |
.Sh DESCRIPTION |
| |
.Nm |
| implements all DES modes of operation described in FIPS PUB 81, |
implements all DES modes of operation described in FIPS PUB 81, |
| including alternative cipher feedback mode and both authentication |
including alternative cipher feedback mode and both authentication |
| modes. |
modes. |
| .I Bdes |
.Nm |
| reads from the standard input and writes to the standard output. |
reads from the standard input and writes to the standard output. |
| By default, the input is encrypted using cipher block chaining mode. |
By default, the input is encrypted using cipher block chaining mode. |
| Using the same key for encryption and decryption preserves plain text. |
Using the same key for encryption and decryption preserves plain text. |
| .PP |
.Pp |
| All modes but the electronic code book mode require an initialization |
All modes but the electronic code book mode require an initialization |
| vector; if none is supplied, the zero vector is used. |
vector; if none is supplied, the zero vector is used. |
| If no |
If no |
| .I key |
.Ar key |
| is specified on the command line, the user is prompted for one (see |
is specified on the command line, the user is prompted for one (see |
| .IR getpass (3) |
.Xr getpass 3 |
| for more details). |
for more details). |
| .PP |
.Pp |
| The options are as follows: |
The options are as follows: |
| .TP |
.Bl -tag -width "-v vector" |
| \-a |
.It Fl a |
| The key and initialization vector strings are to be taken as ASCII, |
The key and initialization vector strings are to be taken as ASCII, |
| suppressing the special interpretation given to leading ``0X'', ``0x'', |
suppressing the special interpretation given to leading |
| ``0B'', and ``0b'' characters. |
.Dq 0X , |
| |
.Dq 0x , |
| |
.Dq 0B |
| |
and |
| |
.Dq 0b |
| |
characters. |
| This flag applies to |
This flag applies to |
| .I both |
.Em both |
| the key and initialization vector. |
the key and initialization vector. |
| .TP |
.It Fl b |
| \-b |
|
| Use electronic code book mode. |
Use electronic code book mode. |
| .TP |
This is not recommended for messages |
| \-d |
longer than 8 bytes, as patterns in the input will show through to the |
| |
output. |
| |
.It Fl d |
| Decrypt the input. |
Decrypt the input. |
| .TP |
.It Fl F Ar N |
| \-F |
|
| Use |
Use |
| .IR N -bit |
.Ar N Ns -bit |
| alternative cipher feedback mode. |
alternative cipher feedback mode. |
| Currently |
Currently |
| .I N |
.Ar N |
| must be a multiple of 7 between 7 and 56 inclusive (this does not conform |
must be a multiple of 7 between 7 and 56 inclusive (this does not conform |
| to the alternative CFB mode specification). |
to the alternative CFB mode specification). |
| .TP |
.It Fl f Ar N |
| \-f |
|
| Use |
Use |
| .IR N -bit |
.Ar N Ns -bit |
| cipher feedback mode. |
cipher feedback mode. |
| Currently |
Currently |
| .I N |
.Ar N |
| must be a multiple of 8 between 8 and 64 inclusive (this does not conform |
must be a multiple of 8 between 8 and 64 inclusive (this does not conform |
| to the standard CFB mode specification). |
to the standard CFB mode specification). |
| .TP |
.It Fl k Ar key |
| \-k |
|
| Use |
Use |
| .I key |
.Ar key |
| as the cryptographic key. |
as the cryptographic key. |
| .TP |
.It Fl m Ar N |
| \-m |
|
| Compute a message authentication code (MAC) of |
Compute a message authentication code (MAC) of |
| .I N |
.Ar N |
| bits on the input. |
bits on the input. |
| The value of |
The value of |
| .I N |
.Ar N |
| must be between 1 and 64 inclusive; if |
must be between 1 and 64 inclusive; if |
| .I N |
.Ar N |
| is not a multiple of 8, enough 0 bits will be added to pad the MAC length |
is not a multiple of 8, enough 0 bits will be added to pad the MAC length |
| to the nearest multiple of 8. |
to the nearest multiple of 8. |
| Only the MAC is output. |
Only the MAC is output. |
| MACs are only available in cipher block chaining mode or in cipher feedback |
MACs are only available in cipher block chaining mode or in cipher feedback |
| mode. |
mode. |
| .TP |
.It Fl o Ar N |
| \-o |
|
| Use |
Use |
| .IR N -bit |
.Ar N Ns -bit |
| output feedback mode. |
output feedback mode. |
| Currently |
Currently |
| .I N |
.Ar N |
| must be a multiple of 8 between 8 and 64 inclusive (this does not conform |
must be a multiple of 8 between 8 and 64 inclusive (this does not conform |
| to the OFB mode specification). |
to the OFB mode specification). |
| .TP |
.It Fl p |
| \-p |
|
| Disable the resetting of the parity bit. |
Disable the resetting of the parity bit. |
| This flag forces the parity bit of the key to be used as typed, rather than |
This flag forces the parity bit of the key to be used as typed, rather than |
| making each character be of odd parity. |
making each character be of odd parity. |
| It is used only if the key is given in ASCII. |
It is used only if the key is given in ASCII. |
| .TP |
.It Fl v Ar vector |
| \-v |
|
| Set the initialization vector to |
Set the initialization vector to |
| .IR vector ; |
.Ar vector ; |
| the vector is interpreted in the same way as the key. |
the vector is interpreted in the same way as the key. |
| The vector is ignored in electronic codebook mode. |
The vector is ignored in electronic codebook mode. |
| .PP |
For best security, a different |
| |
initialization vector should be used for each file. |
| |
.El |
| |
.Pp |
| The key and initialization vector are taken as sequences of ASCII |
The key and initialization vector are taken as sequences of ASCII |
| characters which are then mapped into their bit representations. |
characters which are then mapped into their bit representations. |
| If either begins with ``0X'' or ``0x'', |
If either begins with |
| |
.Dq 0X |
| |
or |
| |
.Dq 0x , |
| that one is taken as a sequence of hexadecimal digits indicating the |
that one is taken as a sequence of hexadecimal digits indicating the |
| bit pattern; |
bit pattern; |
| if either begins with ``0B'' or ``0b'', |
if either begins with |
| |
.Dq 0B |
| |
or |
| |
.Dq 0b , |
| that one is taken as a sequence of binary digits indicating the bit pattern. |
that one is taken as a sequence of binary digits indicating the bit pattern. |
| In either case, |
In either case, |
| only the leading 64 bits of the key or initialization vector |
only the leading 64 bits of the key or initialization vector |
| are used, |
are used, |
| and if fewer than 64 bits are provided, enough 0 bits are appended |
and if fewer than 64 bits are provided, enough 0 bits are appended |
| to pad the key to 64 bits. |
to pad the key to 64 bits. |
| .PP |
.Pp |
| According to the DES standard, the low-order bit of each character in the |
According to the DES standard, the low-order bit of each character in the |
| key string is deleted. |
key string is deleted. |
| Since most ASCII representations set the high-order bit to 0, simply |
Since most ASCII representations set the high-order bit to 0, simply |
| deleting the low-order bit effectively reduces the size of the key space |
deleting the low-order bit effectively reduces the size of the key space |
| from 2\u\s-356\s0\d to 2\u\s-348\s0\d keys. |
from |
| |
.if t 2\u\s-356\s0\d |
| |
.if n 2**56 |
| |
to |
| |
.if t 2\u\s-348\s0\d |
| |
.if n 2**48 |
| |
keys. |
| To prevent this, the high-order bit must be a function depending in part |
To prevent this, the high-order bit must be a function depending in part |
| upon the low-order bit; so, the high-order bit is set to whatever value |
upon the low-order bit; so, the high-order bit is set to whatever value |
| gives odd parity. |
gives odd parity. |
| This preserves the key space size. |
This preserves the key space size. |
| Note this resetting of the parity bit is |
Note this resetting of the parity bit is |
| .I not |
.Em not |
| done if the key is given in binary or hex, and can be disabled for ASCII |
done if the key is given in binary or hex, and can be disabled for ASCII |
| keys as well. |
keys as well. |
| .PP |
.Pp |
| The DES is considered a very strong cryptosystem, and other than table lookup |
The DES is considered a strong cryptosystem hobbled by a short |
| attacks, key search attacks, and Hellman's time-memory tradeoff (all of which |
key, and other than table lookup attacks, key search attacks, and |
| are very expensive and time-consuming), no cryptanalytic methods for breaking |
Hellman's time-memory tradeoff (all of which are expensive and |
| the DES are known in the open literature. |
time-consuming), no practical cryptanalytic methods for breaking the |
| No doubt the choice of keys and key security are the most vulnerable aspect |
DES are known in the open literature. |
| of |
As of this writing, the best |
| .IR bdes . |
known cryptanalytic method is linear cryptanalysis, which requires an |
| .SH IMPLEMENTATION NOTES |
average of |
| |
.if t 2\u\s-343\s0\d |
| |
.if n 2**43 |
| |
known plaintext-ciphertext pairs to succeed. |
| |
Unfortunately for the DES, key search attacks (requiring only |
| |
a single known plaintext-ciphertext pair and trying |
| |
.if t 2\u\s-355\s0\d |
| |
.if n 2**55 |
| |
keys on average) are becoming practical. |
| |
.Pp |
| |
As with all cryptosystems, the choice of keys and |
| |
key security remain the most vulnerable aspect of |
| |
.Nm . |
| |
.Sh IMPLEMENTATION NOTES |
| For implementors wishing to write software compatible with this program, |
For implementors wishing to write software compatible with this program, |
| the following notes are provided. |
the following notes are provided. |
| This software is believed to be compatible with the implementation of the |
This software is believed to be compatible with the implementation of the |
| data encryption standard distributed by Sun Microsystems, Inc. |
data encryption standard distributed by Sun Microsystems, Inc. |
| .PP |
.Pp |
| In the ECB and CBC modes, plaintext is encrypted in units of 64 bits (8 bytes, |
In the ECB and CBC modes, plaintext is encrypted in units of 64 bits (8 bytes, |
| also called a block). |
also called a block). |
| To ensure that the plaintext file is encrypted correctly, |
To ensure that the plaintext file is encrypted correctly, |
| .I bdes |
.Nm |
| will (internally) append from 1 to 8 bytes, the last byte containing an |
will (internally) append from 1 to 8 bytes, the last byte containing an |
| integer stating how many bytes of that final block are from the plaintext |
integer stating how many bytes of that final block are from the plaintext |
| file, and encrypt the resulting block. |
file, and encrypt the resulting block. |
|
|
| of bytes being used as the mode. |
of bytes being used as the mode. |
| (This was another reason that the mode size must be a multiple of 8 for those |
(This was another reason that the mode size must be a multiple of 8 for those |
| modes.) |
modes.) |
| .PP |
.Pp |
| Unlike Sun's implementation, unused bytes of that last block are not filled |
Unlike Sun's implementation, unused bytes of that last block are not filled |
| with random data, but instead contain what was in those byte positions in |
with random data, but instead contain what was in those byte positions in |
| the preceding block. |
the preceding block. |
| This is quicker and more portable, and does not weaken the encryption |
This is quicker and more portable, and does not weaken the encryption |
| significantly. |
significantly. |
| .PP |
.Pp |
| If the key is entered in ASCII, the parity bits of the key characters are set |
If the key is entered in ASCII, the parity bits of the key characters are set |
| so that each key character is of odd parity. |
so that each key character is of odd parity. |
| Unlike Sun's implementation, it is possible to enter binary or hexadecimal |
Unlike Sun's implementation, it is possible to enter binary or hexadecimal |
| keys on the command line, and if this is done, the parity bits are |
keys on the command line, and if this is done, the parity bits are |
| .I not |
.Em not |
| reset. |
reset. |
| This allows testing using arbitrary bit patterns as keys. |
This allows testing using arbitrary bit patterns as keys. |
| .PP |
.Pp |
| The Sun implementation always uses an initialization vector of 0 |
The Sun implementation always uses an initialization vector of 0 |
| (that is, all zeroes). |
(that is, all zeroes). |
| By default, |
By default, |
| .I bdes |
.Nm |
| does too, but this may be changed from the command line. |
does too, but this may be changed from the command line. |
| .SH SEE ALSO |
.Sh SEE ALSO |
| crypt(3), getpass(3) |
.Xr crypt 3 , |
| .sp |
.Xr getpass 3 |
| .IR "Data Encryption Standard" , |
.Pp |
| |
.Em "Data Encryption Standard" , |
| Federal Information Processing Standard #46, |
Federal Information Processing Standard #46, |
| National Bureau of Standards, |
National Bureau of Standards, |
| U.S. Department of Commerce, |
U.S. Department of Commerce, |
| Washington DC |
Washington DC |
| (Jan. 1977) |
(Jan. 1977). |
| .sp |
.Pp |
| .IR "DES Modes of Operation" , |
.Em "DES Modes of Operation" , |
| Federal Information Processing Standard #81, |
Federal Information Processing Standard #81, |
| National Bureau of Standards, |
National Bureau of Standards, |
| U.S. Department of Commerce |
U.S. Department of Commerce |
| Washington DC |
Washington DC |
| (Dec. 1980) |
(Dec. 1980). |
| .sp |
.Pp |
| Dorothy Denning, |
Dorothy Denning, |
| .IR "Cryptography and Data Security" , |
.Em "Cryptography and Data Security" , |
| Addison-Wesley Publishing Co., |
Addison-Wesley Publishing Co., |
| Reading, MA |
Reading, MA |
| \(co1982. |
\(co1982. |
| .sp |
.Pp |
| Matt Bishop, |
Matt Bishop, |
| .IR "Implementation Notes on bdes(1)" , |
.Em "Implementation Notes on bdes(1)" , |
| Technical Report PCS-TR-91-158, |
Technical Report PCS-TR-91-158, |
| Department of Mathematics and Computer Science, |
Department of Mathematics and Computer Science, |
| Dartmouth College, |
Dartmouth College, |
| Hanover, NH 03755 |
Hanover, NH 03755 |
| (Apr. 1991). |
(Apr. 1991). |
| .SH DISCLAIMER |
.Pp |
| .nf |
M.J. Wiener, |
| THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND |
.Em "Efficient DES Key Search" , |
| ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
Technical Report 244, |
| IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
School of Computer Science, |
| ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE |
Carleton University |
| FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
(May 1994). |
| DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
.Pp |
| OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
Bruce Schneier, |
| HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
.Em "Applied Cryptography (2nd edition)" , |
| LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
John Wiley \*[Am] Sons, Inc., |
| OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
New York, NY |
| SUCH DAMAGE. |
\(co1996. |
| .fi |
.Pp |
| .SH BUGS |
M. Matsui, |
| There is a controversy raging over whether the DES will still be secure |
.Em "Linear Cryptanalysis Method for DES Cipher" , |
| in a few years. |
Advances in Cryptology -- Eurocrypt '93 Proceedings, |
| The advent of special-purpose hardware could reduce the cost of any of the |
Springer-Verlag |
| methods of attack named above so that they are no longer computationally |
\(co1994. |
| infeasible. |
.Pp |
| .PP |
Blaze, Diffie, Rivest, Schneier, Shimomura, Thompson, and Wiener, |
| |
.Em "Minimal Key Lengths for Symmetric Ciphers To Provide Adequate Commercial Security" , |
| |
Business Software Alliance, |
| |
http://www.bsa.org/policy/encryption/cryptographers.html |
| |
(January 1996). |
| |
.Sh BUGS |
| |
When this document was originally written, there was a controversy |
| |
raging over whether the DES would still be secure in a few years. |
| |
There is now near-universal consensus in the cryptographic community |
| |
that the key length of the DES is far too short. |
| |
The advent of |
| |
special-purpose hardware could reduce the cost of any of the methods |
| |
of attack named above so that they are no longer computationally |
| |
infeasible; in addition, the explosive growth in the number and speed |
| |
of modern microprocessors as well as advances in programmable logic |
| |
devices has brought an attack using only commodity hardware into the |
| |
realm of possibility. |
| |
Schneier and others currently recommend using |
| |
cryptosystems with keys of at least 90 bits when long-term security is |
| |
needed. |
| |
.Pp |
| As the key or key schedule is stored in memory, the encryption can be |
As the key or key schedule is stored in memory, the encryption can be |
| compromised if memory is readable. |
compromised if memory is readable. |
| Additionally, programs which display programs' arguments may compromise the |
Additionally, programs which display programs' arguments may compromise the |
| key and initialization vector, if they are specified on the command line. |
key and initialization vector, if they are specified on the command line. |
| To avoid this |
To avoid this |
| .I bdes |
.Nm |
| overwrites its arguments; however, the obvious race cannot currently be |
overwrites its arguments, however, the obvious race cannot currently be |
| avoided. |
avoided. |
| .PP |
.Pp |
| Certain specific keys should be avoided because they introduce potential |
Certain specific keys should be avoided because they introduce potential |
| weaknesses; these keys, called the |
weaknesses; these keys, called the |
| .I weak |
.Em weak |
| and |
and |
| .I semiweak |
.Em semiweak |
| keys, are (in hex notation, where p is either 0 or 1, and P is either |
keys, are (in hex notation, where p is either 0 or 1, and P is either |
| e or f): |
e or f): |
| .sp |
.Bd -literal -offset indent |
| .nf |
|
| .in +10n |
|
| .ta \w'0x0p0p0p0p0p0p0p0p\0\0\0'u+5n |
|
| 0x0p0p0p0p0p0p0p0p 0x0p1P0p1P0p0P0p0P |
0x0p0p0p0p0p0p0p0p 0x0p1P0p1P0p0P0p0P |
| 0x0pep0pep0pfp0pfp 0x0pfP0pfP0pfP0pfP |
0x0pep0pep0pfp0pfp 0x0pfP0pfP0pfP0pfP |
| 0x1P0p1P0p0P0p0P0p 0x1P1P1P1P0P0P0P0P |
0x1P0p1P0p0P0p0P0p 0x1P1P1P1P0P0P0P0P |
|
|
| 0xepepepepepepepep 0xepfPepfPfpfPfpfP |
0xepepepepepepepep 0xepfPepfPfpfPfpfP |
| 0xfP0pfP0pfP0pfP0p 0xfP1PfP1PfP0PfP0P |
0xfP0pfP0pfP0pfP0p 0xfP1PfP1PfP0PfP0P |
| 0xfPepfPepfPepfPep 0xfPfPfPfPfPfPfPfP |
0xfPepfPepfPepfPep 0xfPfPfPfPfPfPfPfP |
| .fi |
.Ed |
| .in -10n |
.Pp |
| .sp |
|
| This is inherent in the DES algorithm (see Moore and Simmons, |
This is inherent in the DES algorithm (see Moore and Simmons, |
| \*(LqCycle structure of the DES with weak and semi-weak keys,\*(Rq |
.Do |
| .I "Advances in Cryptology \- Crypto '86 Proceedings" , |
Cycle structure of the DES with weak and semi-weak keys |
| |
.Dc , |
| |
.Em "Advances in Cryptology \- Crypto '86 Proceedings" , |
| Springer-Verlag New York, \(co1987, pp. 9-32.) |
Springer-Verlag New York, \(co1987, pp. 9-32.) |
![[BACK]](/icons/back.gif){kind=icon}
Return to bdes.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / bdes